
LNB News: SRA consultation on affirmative cyber cover

The Solicitors Regulation Authority (SRA) has launched a consultation on a proposal to change the professional indemnity insurance (PI) minimum terms and conditions (MTCs).

Lexis®Library update: The proposal is to add a clause into the MTCs that clearly sets out what is and what is not covered in the event of a firm being subject to a cyber-attack/event. The consultation runs until 25 May 2021.

The proposed change will clarify which loss(es) caused by a cyber-attack fall within scope of a claim for civil liability.

The proposed change aligns with the expectations of the Prudential Regulation Authority and Lloyd's of London. The objective is to provide clarity for law firms, insurers, and consumers without altering the scope of consumer protection provided by PI arrangements.

The SRA is aware that the International Underwriters Association (IUA) has published an affirmative cyber endorsement/clause specifically for PI policies. The SRA believes that this endorsement/clause, which some insurers and Lloyd's syndicates have accepted as a model clause, does not reflect the scope of cover for consumers as set out in their PI arrangements. The SRA believes the IUA clause reduces consumer protection, eg a loss of client money caused by a cyber-attack might not be covered. The IUA clause would not, therefore, be appropriate and the SRA is not proposing to adopt it. However, the SRA notes it has some helpful definitions, some of which it has adapted for its draft clause.

In the interim, the SRA states that insurers should not be altering the terms of their solicitors' PI policies, nor does it expect insurers to use the proposals or any lack of specificity to imply that firms are not covered for claims in respect of civil liability, or other losses in scope of the MTCs, that arise because of a cyber-attack. The SRA notes that insurers can continue to offer standalone cyber insurance policies to law firms to provide first-party cover. This is a decision for the firm to consider having regard to its own risk profile.

The proposed draft changes to the MTCs are:

'6. Exclusions

The insurance must not exclude or limit the liability of the insurer except to the extent that any claim or related defence costs arise from the matters set out in this clause 6.

...

6.[ ] Cyber, infrastructure and Data Protection Law

The insurance may exclude, by way of an exclusion or endorsement, the liability of the insurer to indemnify any insured in respect of, or in any way in connection with:

...

  1. cyber act
  2. a partial or total failure of any computer system
  3. the receipt or transmission of malware, malicious code or similar by the insured or any other party acting on behalf of the insured
  4. the failure or interruption of services relating to core infrastructure
  5. a breach of Data Protection Law

provided that any such exclusion or endorsement does not exclude or limit any liability of the insurer to indemnify any insured against:

i. civil liability referred to in clause 1.1 (including the obligation to remedy a breach of the SRA Accounts Rules as described in the definition of claim)

ii. defence costs referred to in clause 1.2

iii. any award by a regulatory authority referred to in clause 1.4

In addition, any such exclusion or endorsement should not exclude or limit any liability of the insurer to indemnify any insured against matters referred to at (i) (ii) and (iii) above in circumstances where automated technology has been utilised.

Additional Defined Terms to add to the glossary:

  1. Cyber Act means an unauthorised, malicious or criminal act or series of related unauthorised, malicious or criminal acts, regardless of time and place, or the threat or hoax thereof, involving access to, processing of, use of or operation of any Computer System.
  2. Computer System means any computer, hardware, software, communications system, electronic device (including, but not limited to, smart phone, laptop, tablet, wearable device), server, cloud or microcontroller including any similar system or any configuration of the aforementioned and including any associated input, output, data storage device, networking equipment or back up facility.
  3. Core infrastructure means any service provided to the insured or any other party acting on behalf of the insured provided by an internet services provider, telecommunications provider, or cloud provider.
  4. Data Protection Law means any applicable data protection and privacy legislation or regulations in any country, province, state, territory or jurisdiction which govern the use, confidentiality, integrity, security and protection of personal data or any guidance or codes of practice relating to personal data issued by any data protection regulator or authority from time to time (all as amended, updated or re-enacted from time to time).'

The consultation document is available here.

Responses to the consultation can be submitted online.

Source: Professional indemnity insurance (PII): affirmative cyber cover

This content was first published by LNB News / Lexis®Library, a LexisNexis® company, on 13 April 2021 and is published with permission. Further information can be found at: www.lexisnexis.co.uk.
