Lloyd's has issued a new market bulletin to update its requirements and expectations for the writing of cyber risks.
The bulletin, Y5433, acknowledges that the market has made considerable progress towards clarifying coverage in respect of state-backed cyber-attacks since August 2022, when bulletin Y5381 was issued. Y5381[1] generated controversy and some syndicates viewed the restrictions on syndicates as uncompetitive in a broader market where not all participants were subject to the same requirements.
Y5433 details an updated approach in light of the subsequent evolution of the market and the various clauses being adopted.
This should not be viewed as a relaxation in Lloyd's approach. It maintains the different Types of clauses initially applied to CY and CZ policies. These rank from 1 to 7 and were introduced in various phases commencing on 31 October 2023.
The bulletin applies to standalone cyber policies and also now extends to multi-line policies with a CY or CZ section.
It applies to all types of business via any distribution method, including existing facilities and other delegated arrangements.
Managing agents will continue to be required to complete the clause adoption attestation. From Q2 2024, these will only be required twice a year, beginning on 31 January 2025.
For market participants developing their own clauses, the Lloyd's Market Association (LMA) offers clause compliance and classification assessments. This service will continue to be offered to both members and non-members. Clauses can be found on the LMA's website and new clauses can be submitted for consideration.
Insurance risks (CY and CZ codes)
Managing agents must not use Type 7 clauses on any new or renewal business from 1 July 2024 as these clauses are considered not sufficiently clear or robust.
The bulletin also clarifies that limited dispensations previously granted to depart from Lloyd's requirements (Type 6 clauses) will now expire and not be renewed. Where syndicates wish to continue to use clauses that are not compliant with Lloyd's requirements under Y5831, they must develop affirmative coverage provisions.
Type 4 clauses, which comply with Lloyd's requirements but additionally provide cover for state-backed cyber-attacks carried out as part of a conventional war, are limited to syndicates approved as "advanced" and only on renewal business. From 1 January 2025, syndicates wishing to provide this cover must do so through a separate, affirmative product.
Types 1, 2, 3 and 5 clauses will continue to be monitored by Lloyd's through managing agent attestations.
Reinsurance risks (RY and RZ codes)
Lloyd's issued some clauses targeting reinsurers on 1 March 2024. These clauses continue to be suitable for use by syndicates[2].
Type 7 clauses must not be used from 1 January 2025 for reinsurance business, and the use of Type 4 clauses for policies incepted from 1 January 2025 will not be permitted for Lloyd's syndicates.
It is recognised that reinsurance business may require longer implementation periods, and there Lloyd's will allow for run-off coverage until the underlying coverage expires for reinsurance written on a losses occurring basis.
Conclusion
The bulletin reflects Lloyd's commitment to clarity and stability in cyber coverage, as well as managing the systemic risk exposure of the market.
Cyber insurers and reinsurers should review their policy wordings and clauses to ensure they comply with Lloyd's updated expectations. This will be relevant to company led business where the following market includes syndicates, or where their reinsurers include syndicates.
[1] Lloyd's Market Bulletin on 'State backed cyber-attack exclusions' dated 16 August 2022
[2] LMA publishes model state-backed cyber war exclusion clauses for cyber treaty reinsurance, DAC Beachcroft, 5 March 2023
