Cyber insurance has been receiving a lot of attention for several years now, and rightly so. Professional services firms are particularly exposed to cyber risk as they frequently hold large quantities of client money, personal data and commercially sensitive information. Cyber insurance provides protection against a broad range of risks. The benefits of such policies include cover that responds to cyber-attacks, system failure, human error and loss or compromise of data.
In the past few years a further issue has emerged. This concerns how war risks should be excluded from stand-alone commercial cyber policies. So why is this debate relevant to professional services firms?
Many firms will have been advised by their insurance brokers to consider purchasing cyber insurance protection. They will rightly have been warned that failure to do so could leave their business exposed. The protection in professional indemnity insurance will generally be limited to liability to third parties. A cyber policy, however, will add to this protection and go much further. In our view, it is not enough simply to buy cyber insurance. Purchasers need to pay close attention to the more critical provisions of these policies, including the war exclusion. This is because the war exclusions are expressed in very different terms which can materially extend or limit the protection being purchased.
The analysis of this topic starts in June 2017. A malware known as NotPetya was deployed, allegedly by Russia in an offensive against Ukraine, in an attempt to destabilise its financial system. NotPetya spread rapidly, extending to companies in at least 64 countries, including to at least three large companies in Russia itself. The businesses affected were part of a wide range of industry sectors, including professional services and at least one global law firm felt the effect of NotPetya. Such victims were unlikely ever to have been the intended targets of the malware. Instead, the impact on their business was more likely to have been collateral damage.
NotPetya triggered claims on a number of different insurance policies, including stand-alone cyber policies. Many of the policies responded to the losses, contributing to expenses incurred by insureds and to the business interruption losses they sustained. Some of the claims resulted in coverage disputes, mostly in respect of other types of policies, such as kidnap and ransom policies and property policies. The litigation involving insurers and the US pharmaceuticals giant Merck continues.
Merck sustained losses from the disruption to its business, reportedly in the region of $1.4billion. To date, Merck has prevailed but a further appeal by some of the insurers of Merck is now expected before the New Jersey Supreme Court, more than six years after the attack. The Merck litigation helps keep this issue in sharp focus, given the sums in issue and terms of the cover purchased, which had a traditional war and terrorism exclusion which did not refer to cyber operations.
As the magnitude of the losses from NotPetya were unprecedented, they garnered attention from regulators, including in the London market. Regulators had already harboured fears that cyber risk could amount to a systemic risk which could threaten the stability of insurers with large exposures to this line of business. The Prudential Regulatory Authority in the UK has long been urging insurers to ensure that such risks are properly managed by experienced specialists, repeatedly drawing attention to this risk in its "Dear CEO" letters sent to UK insurers. This has been closely heeded by Lloyd's and accordingly, in August 2022, Lloyd's issued a Bulletin requiring Syndicates to ensure that suitable exclusions for war and cyber operations are incorporated into stand-alone commercial cyber policies. While the Bulletin generated a degree of controversy, its purpose was clear and it has resulted in changes in the way that cyber insurance is now written. The Lloyd's Market Association has published on its website a list of approved clauses. These may be used by syndicates either with or without further requirements, depending upon the clauses adopted.
Approved exclusions for war and cyber operations vary in their treatment of collateral damage. In some clauses, no provision is made addressing collateral damage at all and an exclusion for a state-backed cyber operation will be wholly excluded. Other clauses will write back collateral damage where a computer system affected by a war is located outside of the countries engaged in the conflict. This is an important distinction in the cover, as this is the more likely exposure for professional services firms. Some insurers offer policies with or without a collateral damage write-back, offering flexibility in their terms, no doubt reflected in the premium they charge for the different policies.
Directly as a result of the war in Ukraine, we have witnessed no fewer than 26 UK law firms sever their ties with Russia and Ukraine. In some cases, the closure of these offices has marked the end of long standing relationships with those countries. In many cases, this is based on concerns about the reputational damage that could result if the firm retains a presence in a jurisdiction such as Russia. From an underwriting perspective, insurers may take the view that firms that have reduced their business activities in these jurisdictions have also reduced their exposure to cyber attacks arising from the ongoing conflict.
While history is no guide to the future in the fast evolving landscape of cyber risk, one of the main areas of exposure for professional firms in relation to war is collateral damage. In light of this, firms and their insurers should ensure that the question of whether this cover is written back and not excluded is fully discussed before the policy is incepted.
This article was first published in Insurance Day.