Cyber insurers must ‘take note’ of Covid mistakes
'Insurers and their lawyers knew they never intended on picking up Covid but their customers did not and this did not play well in court,' MGA's James Burns says
Making exclusions too complicated and too specific might not help insurers exclude unknown systemic risks, CFC’s head of cyber strategy warns
Cyber insurers need to “sit up and take note” of the mistakes made during the coronavirus pandemic when trying to exclude unknown systemic risks, an executive at managing general agent (MGA) CFC Underwriting said.
James Burns, head of cyber strategy at the firm, said cyber underwriters needed to avoid making exclusionary wording too complicated or too specific, pointing out that UK courts have largely found in favour of customers in disputes over Covid-related business interruption claims.
“Insurers and their lawyers knew they never intended on picking up Covid but their customers did not and this did not play well in court,” Burns said.
In trying to exclude systemic infectious disease-related business interruption claims, insurers made language “specific to the scenario they were envisioning… and not the scenario that ended up happening [meaning] Covid essentially slipped between the cracks in the policy wording,” Burns said.
He continued: “The cyber market, in my opinion, should sit up and take note because the list of complex systemic risk exclusions at the back of cyber policies is long and growing.
“They tend to be scenario-specific, which can create gaps. They use highly technical language, making them difficult to understand particularly for policyholders. Many brokers and underwriters, yet alone policyholders, can struggle to pinpoint where cover starts and stops.”
War exclusions were a prime example of this, according to Burns. While he stressed recent updates to such exclusion were generally positive, they were also now more detailed and specific, which “can be a dangerous development for insurers if Covid experience is anything to go by”.
As a solution, Burns announced the launch of the UK Cyber Monitoring Centre, which CFC is proposing as an independent cyber catastrophe rating agency.
CFC initially set out its plans for a cyber ratings agency, mirroring similar structures for categorising hurricanes in the US, in December last year.
The MGA had since formed the Cyber Monitoring Centre as a distinct legal entity separate from CFC and is targeting a go-live data of January 1, 2024, Burns said.