The Tortoise, The Hare & The Chase of Silent Cyber
We all know the story of the tortoise and the hare – they agree to have a race, hare gets all cocky and arrogant, has a halftime siesta, realises he is way behind, chases like mad to catch up, fails and ultimately loses.
It seems, though, that some people just do not learn from this age-old tale. And so it would appear that Lloyd’s and the other UK insurance regulators are likely to be the latest entities to have to face up to someone saying, “We did warn you…”
The issue of silent cyber is one that has vexed insurance regulators for the last couple of years. In an attempt to at least be seen to be trying to do something and getting ahead of the problem, much like the hare, Lloyd’s have mandated that all first party property policies incepting on or after 1 January 2020 are required to ensure that they affirm or exclude cyber cover.
The issue, as Lloyd’s seems to see it, is that policies are not clear on whether claims resulting from cyber causes are covered, an issue that has seriously dogged the market since reporting on the Mondelez NotPetya court case in the US started earlier this year.
To my admittedly non-lawyer mind, the Mondelez policy is clear, given that it covered “physical loss or damage to electronic data, programs or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction”. It would therefore appear that the reason that insurers are contesting this case is that it is a cyber claim being made under a property policy and this was not what underwriters intended. Which may be why insurers are using the war/terror exclusion to try and reject the claim, despite the cyber insurance market having paid a significant number of NotPetya claims without invoking the same exclusion[1].
However, if it was not the property underwriters’ intention to pay a cyber claim under the Mondelez policy, then, frankly, they ought to have a) read the policy and b) tried to understand how it applied in the context of modern business operations. My view is that this did not happen in the Mondelez case – whether this is due to laziness, a lack of awareness or commercial and time pressures is anyone’s guess. However, why on earth it needs the involvement of regulators to get underwriters to read and understand the implications of their own wordings is beyond me.
That said, a policy wording will reflect an underwriter’s current understanding of the risk and the claims that they consider should be paid. However, until claims actually start to occur and the wording is tested, nobody knows for sure that the policy will respond as originally expected. If the policy does not respond as expected, then the wording will subsequently be changed. While this is nothing more than Darwinian evolution, it is clearly a reactionary process, rather than a proactive one. This is particularly the case in the modern business world more than it was, say, 40 years ago, given the current pace of technological change.
If insurers are to accept, then, that their wordings are always behind the technological curve, then it follows that they need to be doing everything possible to ensure that the gap between wording and reality is minimised before contentious claims occur.
Is this occurring? Maybe, maybe not, but if regulators are only focusing on forcing underwriters just to read their own wordings, then everybody is looking at the wrong issue. And I can speak from personal medical experience that focusing on the wrong question means that it takes longer to properly diagnose the issue.
On that basis, if regulators think that with their current edict, their work is done, then, like the hare, they are much mistaken. Unless regulators start to focus on the proactive ways in which insurers can try to narrow the gap between policy wording and technological change, then the issue of silent cyber will never go away.
[1]And that’s a completely separate blog in its own right!
