A step towards removing ‘silent cyber’ cover in marine?

On 30 January 2019, the PRA wrote to all insurers under the heading ‘Cyber Underwriting Risk: follow-up survey.’ This publication was intended to make it clear to customers, brokers and syndicates that all policies must be clear on the extent to which coverage is provided for losses caused by a cyber-event, by excluding or affirming coverage. The reason being that the maritime industry is particularly vulnerable to risks presented by ‘silent-cyber’ and the out-dated, one-size-fits-all cyber clause, The Institute Cyber Attack Exclusion Clause (CL380), was no longer fit for purpose, as discussed in our previous article.

Cyber risk wording requirement

As of 1 January 2020, all first party property damage risks must explicitly state whether coverage exists or is excluded in respect of losses caused by cyber risks. This means that cargo, marine hull and war, yacht and other lines of business must be prepared to incorporate at all times, a Marine Cyber Endorsement or a Marine Cyber Exclusion if they are to comply with the new requirement.

LMA model clauses

In response, the Lloyds Market Association have issued new model clauses, for which it has said provide illustrative guidance to its members in the property, energy and marine markets. These clauses are a starting point for insurers writing these lines of business who are free to amend and adapt the clauses to suit their client’s needs.

The first new model clause, “LMA5402 – Marine Cyber Exclusion” provides market participants with an option to exclude loss or damage caused by, contributed to or arising from a computer malfunction or the use or operation of a computer system.

Worthy of particular comment is that the Marine Cyber Exclusion ‘model clause’ released by the LMA clearly and explicitly states that the clause will override any policy wording that is conflicting, in circumstances where it relates to cyber loss and data. It is clear that the drafters have taken into consideration the threat caused by ‘silent cyber’ a term which has been used frequently to describe a cyber-related loss which has arisen from an insurance policy, which whilst not intended to cover the cyber risk, may have to pay for cyber-related losses.

The second model clause, “LMA5403 – Marine Cyber Endorsement” enables participants to exclude cyber-related risks in circumstances where the computer programme or system is used to inflict harm and only provides cover in circumstances where a programme or is NOT used to inflict harm. The clause goes on to confirm that where a policy is endorsed on policies covering risk or war, the exclusion at paragraph 1 does not apply to losses which might otherwise be covered for computer software which relates to the launch or firing of a weapon.

JCC Cyber Exclusion Clause

Insurers should also be aware of the recently introduced JCC Cyber Exclusion and write-back clause which provides a write-back of coverage in circumstances where an additional premium is paid to insurers and the insured suffers loss or damage caused by perils such as fire and explosion where such perils result from failure or otherwise of a computer system.

Comment

In circumstances where a policy is silent as to coverage for cyber risks, i.e. where no exclusion exists and there is no cyber endorsement, as of 1 January 2020, the policy will be viewed as non-affirmative. Lloyd’s has advised that in those circumstances action must be taken to ensure that policy holders have clarity.

It is also pertinent to note that for some risks, insurers may be minded to consider the approach taken by syndicates who are offering standalone cyber policies. With potentially large financial consequences for insurers writing cyber risk, it may be that a generic cyber clause will not provide the sufficient protection required. While the market continues to grapple with cyber risk, we anticipate seeing the release of more clauses attempting to address the issue in the coming weeks and months.

Read more items in Marine Brief - December 2019

Related article: 'Silent cyber' – have you heard it?