Underwriting a policy in accordance with Lloyd’s licences and authorisations can be a challenge for underwriters when, for example, a multinational organisation domiciled in the UK needs its overseas offices/sites covered under a single global policy. In such instances, irrespective of class of business, Lloyd’s advises the market to consider the definition of a local risk in each relevant territory in order to determine where risk locations arise. Doing so will identify which territories’ regulations, laws and taxes apply which is of paramount importance if a compliant risk is to be underwritten.

In many instances, this exercise presents a number of risk locations in territories where Lloyd’s is not licensed or authorised to write particular risks on a direct basis. Failure to understand the application and implication of risk location rules can, therefore, lead to legal, financial and reputational consequences for all parties involved. Applying this to cyber insurance, any such issues may be compounded when one considers that the cyber world is one which is often seen to operate beyond jurisdictions and physical locations.

Following recent high-profile cyber-attacks such as WannaCry, demand for cyber insurance is expected to multiply in order for businesses to be able to mitigate the potentially enormous resulting losses. Lloyd’s has recently reported that cyber-crime is estimated to cost businesses USD 400bn per year and a single serious cyber-attack could, in a worst case scenario, cost the global economy more than USD 120bn. Further, a recent Lloyd’s survey of more than 350 senior decision-makers across European business revealed that 92% of businesses had experienced some form of cyber breach in the past five years. From its current level of USD 3-4bn in premiums per year, Allianz expects the cyber insurance market to reach USD 20bn by 2025.

As a result, cyber insurance coverage is expected to become a prevalent fact of commerce for businesses of various sizes; and with ubiquity follows regulation. This effect may be seen outside the context of financial services by looking at attempts in Europe to regulate the now-ubiquitous Uber. Regulations have been applied to Uber which were designed for the traditional transport company model, rather than being adapted to regulate Uber as an ‘Information Society service’. This means that, as with cyber insurance, it is not immediately evident how certain elements of the traditional regulations should be applied.

Eventually, clarity will prevail in terms of both cyber insurance and Uber as bespoke regulation is shaped by regulators around the world to fit these novel fields. For now, it is important for us to take a pragmatic approach to applying traditional risk location concepts to the developing field of cyber insurance, whilst reflecting the need to adapt to the idiosyncrasies of this class on an ongoing basis. Consequently, the information below applies the well-understood models of property and liability insurance to cyber cover and views the result through the lens of regulatory risk location.

Liability and property exposures

The distinction between cyber liability and cyber property coverage was formally recognised by Lloyd’s in the risk code scheme when the new CZ risk code was introduced in 2015. CZ specifically represents cyber policies where property damage is covered under the policy. CY, which was previously the only cyber risk code, is now used to represent the liability-only portion. The definitions are as follows:

CY – Cyber security data and privacy breach: Coverage in respect of first or third party costs, expenses or damages due to a breach (or threatened breach) of cyber security and/or privacy of data, that does not include damage to physical property.

CZ – Cyber security property damage: Coverage in respect of first or third party costs, expenses or damages due to a breach of cyber security that includes damage to physical property.

(Further information on cyber risk codes is available in Lloyd’s Risk Code Guidance Notes and Market Bulletin Y4842).

The current market paradigm is that cyber policies tend to cover first and third party liabilities whilst excluding damage to tangible property, as well as other typical exclusions (e.g. war and terrorism). However, coverage for physical property can also be included.

The risk location for liability policies is (generally speaking) the territory in which the insured is resident or its business is established. If more than one insured residence or business establishment is covered, each may individually create a risk location depending on the definition of risk location in local laws. The location of the insured contingency or event will not necessarily give rise in and of itself to a risk location unless the territory’s risk location definition specifically states that this is the case (though this is rare).

The risk location for fixed property is (again, generally speaking) determined by the territory in which the property is situated. However, in some territories the location of the insured can create an additional risk location, irrespective of the physical location of the insured property.

The respective approach (liability or property) may be applied in analogue to the cyber coverage in question to provide a risk location result which would generally be accurate. However, it is important to consult the specific risk location definitions of the territories in question to determine how those territories approach liability or property in their own regulations.

Where a policy includes both property and liability, a distinction should be drawn between them and the territories to which each relates should be highlighted. Once it is clear where each type of cover has potential risk locations, those territories’ risk location definitions should be applied to the type of cover in question in order to take a coherent approach to risk location globally.

Multiple risk locations and adopting a risk-weighted approach

Lloyd’s recognises that there are a number of challenges when writing global policies in various classes. In particular, the question that arises, and with which underwriters and brokers may struggle, is how to satisfy the requirements of various regulatory regimes in the event that multiple risk locations arise. In the absence of any specific clarity from regulators and law-makers, an objective answer to the question does not exist.

This challenge can loom larger for cyber as it is a relatively new product in the market. As such, Lloyd’s expects best endeavours to be used to ensure that a rational method is used to determine the risk location for cyber policies and to adopt a risk-weighted approach where necessary. In doing so, market participants can be confident that any territory exerting regulatory jurisdiction over the risk in question has its rules respected. Cultivating compliance is a valuable quality for any market participant as it helps to avoid the particular perils associated with regulatory risk. Its worth is amplified in areas of emerging complexity, such as cyber insurance, where the lay of the land is not yet apparent. As such, diligence and a sound methodology are required in applying traditional risk location parameters to this evolving field.