
Silent Cyber: What’s all the noise about?


By Millie Bailey & William Allison


Published 15 October 2021

Overview

Cyber-attacks have become increasingly prominent in recent months as threat actors have capitalised on the disruption the Covid-19 pandemic has caused to business operations. When a cyber-attack does take place, the actions of individual directors and senior managers will be in the spotlight and scrutinised.

The insurance industry uses the term ‘Silent Cyber’ to describe insurers’ exposure to cyber-related losses under insurance policies which were not specifically designed to cover cyber risk but do not expressly exclude it either. As a result, insurers may be liable to pay for cyber losses under a policy never designed for that purpose. Since a typical D&O policy covers directors for Wrongful Acts relating to their conduct as directors, this may include the coverage of claims or regulatory investigations relating to directors’ involvement in a cyber-incident.

The insurance industry and its regulators have sought clarification to address the coverage uncertainty caused by silent cyber. In July 2019, Lloyd’s published Market Bulletin Y5258, in which it expressed the opinion that it is in the best interests of customers, brokers and syndicates that policies are clear on whether coverage shall be provided for cyber-related losses. The Bulletin mandated that all policies provide clarity regarding cyber coverage by either excluding or providing affirmative coverage. To support the market, Lloyd’s confirmed that this requirement would be implemented in stages. Lloyd’s confirmed in Bulletin Y5277 that D&O policies would fall into Phase 3, meaning that all policies incepting on or after 1 January 2021 must either exclude or affirm cyber coverage.

In Market Bulletin LMA21-035-PD dated 24 September 2021, the Lloyd’s Market Association clarified that the specific wording “wrongful act trigger” used in D&O policies will not require express affirmation of cyber cover. If, however, insurers seek to exclude or limit cyber exposures under these D&O policies, the LMA confirmed that insurers must apply suitable exclusion wording. The LMA confirmed that for attestation returns, policies written in line with this approach can be recorded as complying with the Lloyd’s guidance in respect of Market Bulletins Y5258 and Y5277.
