PII – Changes to Cover in respect of cyber liability

are bespoke cyber insurance products available, it is fair to say that the take-up rate for standalone cyber policies has historically been quite low. Instead of purchasing an insurance policy to manage cyber risks, businesses have instead chosen to manage their exposures by investing in their IT systems to defend against cyber attacks, as well as focusing on the education and training of staff against cyber threats. Alongside this, businesses have relied on the expectation that their existing policies provided some element of cover for their cyber exposures. Recent regulatory changes It is important to note that Professional indemnity (‘PI’) insurance was designed long before cyber threats existed and it was never intended that PI policies should pick up some of these emerging cyber threats. However, due to widely drafted insuring clauses which ostensibly provide cover in respect of any legal liability, and with no specific cyber exclusions, cover was often provided under such policies unintentionally. This is referred to in the insurance market as ‘silent cyber’. However, the insurance market is having to reconsider its exposure to silent cyber cover, meaning PI policies are being redrafted to accurately describe what cyber cover (if any) they will provide. The regulatory background to this is that in January 2019, the PRA advised all UK insurers that they must have “action plans to reduce the unintended exposure that can be caused by non affirmative cyber cover”. Also in 2019, Lloyd’s advised that all policies must be clear on whether coverage is provided for losses caused by a cyber event. The intention is to eliminate silent cyber exposure and with it the doubt and uncertainty that is often created and either specifically exclude it, where appropriate, or affirmatively cover it. What this means As a Griffiths & Armour client, you may recall that in 2014, our Scheme PI policy wordings were updated to provide some limited cover in two specific areas in connection with cyber liability: • for any Claim arising from a Data Security Breach (defined in the policy wording as the destruction, alteration or misuse of, or any unauthorised access to, any personal data that is processed, managed, handled or stored in connection with the Business), and • a limited amount of cover for First Party Hacker Attack Cover. This was subject to the extension’s terms and conditions and an inner limit (generally £100,000 depending on the