Skip to main content
main content, press tab to continue
Article

De-mystifying Insurance – Professional Indemnity (PI) and Cyber Insurance for Financial Institutions (FIs)

By Sarah Kadir | June 20, 2024

In our latest article of the De-mystifying Insurance series, we focus on PI and cyber insurance for FIs.
Captive and insurance management solutions||Financial, Executive and Professional Risks (FINEX)
N/A

Does the cover overlap?

As PI and cyber policies provide liability cover, there are elements of cover provided under a PI and cyber policy which overlap particularly in relation to third party claims. However, cyber policies also provide cover for first party losses (losses to the company itself, for example business interruption and incident response costs) which are not generally provided under PI policies.

It is worth noting that generally for UK companies, PI cover is often purchased as a ‘blended’ policy and as such, usually shares a policy limit of indemnity with crime insurance cover. Crime insurance provides cover for first party losses, so there are elements of crime and cyber cover which also overlap. You may want to read our second article in the series on crime and cyber to understand more.

Insurers have been under pressure from Lloyds of London for several years to clarify the extent of cyber cover within PI policies and other non-cyber policies. The inclusion of this cover (in non-cyber policies) is called ‘silent cyber’, and insurers have looked to address this through the addition of ‘silent cyber’ clauses. These clauses are designed to confirm the extent of the existence of any cyber cover, where covered by the terms and conditions of the policy wording.

In response to this, blended insurance products are being explored (i.e. blending cyber and crime into one combined product) so that insureds can benefit from an increased level of cyber cover under PI/crime policies.

What do the policies cover?

A PI policy provides coverage for compensatory damages arising from claims brought by third parties against the company relating to the provision of, or failure to provide, professional services. Cover can vary policy to policy, and by geography, particularly in relation to costs in responding to a regulatory investigation, and indeed mitigation costs.  In the US, mitigation costs are generally limited to ‘cost of correction’ cover, however, in the UK, this is generally much wider to allow for mitigating any ‘wrongful act’ (usually defined) which could give rise to a claim against the company.

As a high-level overview, the PI policy also covers:

  • Costs incurred in connection with those third-party claims, for example, defence costs;
  • Costs incurred in connection with regulatory investigations;
  • Mitigation costs to mitigate a claim from being made against the company and further costs incurred.

However, whilst a PI policy includes some cover for cyber related losses, there are some elements of cyber risks which are not possible to insure under a PI policy. A bespoke cyber policy provides additional coverage for data breaches and cyber risks. For example, cyber-incident response costs, ransomware payments, or business interruption losses.

Can both policies be engaged at the same time?

Both policies can be triggered by losses that are covered under both policies. Examples of this are:

  • Claims arising from unauthorised access to a company’s IT network and systems. If a company suffers a cyber-attack, it could also cause damage and financial loss to a third party through disclosing confidential information. This could be covered by a PI policy (subject to full terms and conditions) if the data breach gives rise to a cause of action for breach of duty and professional negligence. However, cover could also apply under a cyber policy given the third party is bringing a claim in relation to a breach of IT network and systems.
  • Losses caused by malicious alteration, destruction, damage or theft of data. A third party may bring a claim against a company that holds its data, if that data is altered, destructed or damaged as a result of a cyber-attack. However, as the claim relates to a cyber-attack, a cyber policy could also respond.
  • The transmission of a computer virus to a third party. Corruption of a third party’s network through the transmission of a computer virus could lead to a claim against the company who delivered the malware/virus. As this is a claim by a third party, a PI policy could potentially respond to this. However, similar to the other examples above, given the claim is in relation to a computer virus/malware, a cyber policy could also respond.

What is the best way to deal with this?

To address ambiguity, it is important to consider how the policy wordings are drafted, specifically the ‘other insurance’ clause. These clauses are designed to identify which policy responds first to a claim that could be covered by both a PI and cyber policy.

Typically, these clauses state that the first policy to respond will be the ‘more specific, valid and collectible’ policy in force at the time of the claim.

However, it is usual for FI insurers to want the cyber policy to respond first for cyber-related losses. For this reason, and to avoid confusion and a dispute in the event of a claim, ‘other insurance’ clauses within FI/PI policies tend to state that cyber policies will respond first for cyber-related losses.

Insureds should discuss any questions about notification with their insurance broker. It is important to note that in most policies, the definition of a claim, which is usually the trigger for making a notification, is often broader than the receipt of legal proceedings. It is therefore important to ensure notification is made to the appropriate policy (or in some cases policies) in a timely manner (and certainly before the policy expires) to avoid any issues around late notification.

It is also important to note that coverage for both PI and cyber policies can vary from geography to geography and can also vary on the type of FI, as well as the state of the FI and/or cyber insurance market. In order to understand the covers provided under each of your policies, a coverage gap analysis and claims scenario review may be conducted to gain a clear understanding of coverage under each policy.

Author

Associate Director
email Email

Contacts

Jordan Siegman
U.S. Head of FINEX Financial Institutions & Professional Services

Global Head of FINEX Financial Institutions
email Email

Contact us