The introduction of the General Data Protection Regulation in 2018 has seen cyber insurance stepping to the forefront with casualty insurers reviewing, restricting or excluding losses in respect of data protection breaches.

The concern is that the fallout from a breach of personal data could result in considerable damages or rectification costs. As this was an unquantified exposure with little claims history to model on, insurers initially took the approach of excluding losses resulting from a cyber event, while providing a write back for any consequential losses which resulted in injury or damage to a third party. However, as time progresses, this stance is changing.

Loss Considerations

While it has become commonplace to mitigate the data protection implications of a cyberattack on data storage, systems, and email communications, many businesses still do not consider how a cyber event could result in damage to property.

With the ever-increasing connectivity of appliances, devices and mechanical and electrical (M&E) systems that play a key role in our buildings and professional lives, the potential for cyberattacks to have a more meaningful impact on property should not be underestimated.

As an example, let us take a hospital which is nearing construction completion. M&E, which is used to control the heating and cooling to ensure that medical samples are kept at a precise temperature, has just been commissioned and connected to a mains water supply.

Given its external connectivity to monitoring devices, this item of M&E is infiltrated by hackers via its internet connection and the software that operates it is compromised. The hackers then proceed to alter the temperature settings, causing pipes containing water to freeze and subsequently crack, which causes unfrozen water to escape and flood the laboratory floor. Not only are elements of the M&E itself destroyed, but so too are the flooring, cupboards and other lower-lying electrical equipment. Given the need for a sterile environment, all water-damaged items are required to be replaced. The quantum of the loss as a result becomes significant, and the imminent handover is now delayed by weeks.

The insured in this situation might assume that all damage outlined in this example would be covered by the material damage policy in place. However, this seems increasingly unlikely.

Market Approach

Cyber clauses which insurers have been mandating on Construction All Risks (CAR) policies over the last 12 months or so have varied, but are typically model clauses drafted by the Lloyd’s Market Association (LMA) and Non-Marine Association (NMA). The three such clauses are LMA 5400, LMA 5401 and NMA 2915. Each is considered in turn below, with its effect summarised:

  • LMA 5400 – excludes any direct or indirect losses to Data and any losses directly resulting from a Cyber Act or Cyber Incident; with a write back for resulting fire or explosion damage from a Cyber Incident only (unless the Cyber Incident is related to a Cyber Act, in which case no write back is afforded).
  • LMA 5401 – excludes any direct or indirect losses to Data and any losses directly or indirectly caused by or resulting from a Cyber Act or Cyber Incident; with no write back.
  • NMA 2915 – excludes any direct losses to Electronic Data only from any cause whatsoever, including Computer Virus. As standard, this clause provides a write back for resulting fire and explosion only.

While the definitions of Data, Cyber Act, Cyber Incident, Electronic Data and Computer Virus are all meaningful, let us consider this at a high level.

Many insureds will expect that if damage occurs to the works on a contract site, the Construction All Risks policy would respond (subject to usual terms and conditions). However, what the above clauses and practical example illustrate is that this may not be the case.

While CAR underwriters were initially open to increasing the number of perils write backs offered (and in some cases still are), most are restricted to offering only fire and explosion, with some offering no perils at all.

Breach of Contract Considerations

Many standard forms of building contract will stipulate that the party arranging insurance for the works is to provide, at a minimum, cover for a number of Specified Perils, unless the loss results from an Excepted Risk or allowed exclusion. By way of example, the 2016 JCT standard form requires cover at a minimum for: fire, lightning, explosion, storm, flood, escape of water from any water tank, apparatus or pipe, earthquake, aircraft and other aerial devices or articles dropped therefrom, riot and civil commotion. The JCT does not state that these perils must be the proximate cause; just that it must cover ‘loss or damage by Specified Perils’.

Reflecting on the write backs afforded under the above-mentioned LMA/NMA clauses, you will note that only fire and explosion are accounted for. While some of the Specified Perils are quite difficult to envisage resulting from a cyber incident (e.g. lightning), if the cyber clause inserted does not contain a write back for all mentioned Specified Perils (or cyber risk is not noted as an Excepted Risk or allowed exclusion), it could be deemed that the party required to arrange the works insurance is in breach of contract.

Insurance Solution

With CAR underwriters reluctant or unwilling to provide this cover, the question is: can this risk be covered in the Cyber market?

The Cyber market has historically been focussed on protecting corporate entities from cyber exposures relating to the:

  • Collection and storage of personal information.
  • Reliance on systems/databases for the operation of the business.

The Cyber insurance market has proven to be an effective risk transfer solution through major public cyber incidents and the increase in major ransomware events (where attackers take over a corporate system and demand a ransom to be paid in cryptocurrency), with the market responding and supporting clients through these attacks.

The increase in remote working throughout the COVID-19 pandemic has further demonstrated how reliant companies are on their systems and databases for the operation of their businesses.

While over the last 2-3 years cyber exclusions have largely only been introduced on Casualty insurance programmes, the recent emergence of affirmative cyber restrictions across all classes (given mandates by Lloyd’s) has seen gaps being established in construction all risks and other material damage insurances (as highlighted in our hospital example). In response to this, a number of specialist Lloyd’s syndicates have expanded their appetite to include carve back language which dovetails with such exclusions and the coverage gaps being established in these policies.

While project specific policies are not available in the cyber market, clients do have the ability to endorse on coverage to an annual aggregate policy as projects go live throughout an insurance period.

Would you like to talk?

If you have any concerns about the cyber coverage for your business or current or upcoming project please speak with your Gallagher account executive or get in touch using the below details: