IUA publishes cyber exclusion clauses

The International Underwriting Association (IUA) has published two new cyber exclusion clauses:

  1. Cyber Loss Absolute Exclusion Clause (IUA 09-081): provides a broad exclusion against losses arising from the use of a computer system, network or data (as defined), as well as an exclusion against losses arising from the hoax of such and any error, omission or accident in respect of a computer system, network or data (as defined);
  2. Cyber Loss Limited Exclusion Clause (IUA 09-082): provides an exclusion against losses directly caused by cyber events (i.e., not indirectly).

These clauses are in direct response to concerns raised by the PRA as to the potential harmful effects of non-affirmative cyber cover (i.e., ‘silent’ cover) whereby policies may inadvertently be providing coverage for undefined cyber risks (see PRA’s November 2016 consultation paper: ‘Cyber insurance underwriting risk‘, and policy statement PS15/17) .

The IUA acknowledged the broad drafting of the exclusions (particularly the ‘Absolute Exclusion’), which may ‘assist in respect of the PRA’s expectations’. However, the IUA also indicated that, by developing class-specific write backs, these clauses could be used by the market to carve out cyber coverage in non-standalone cyber policies. The IUA, in its commentary to the clauses, provides a suggested drafting approach for such write backs.

Emma Radmore