Consultation: changes to ICAEW's Minimum Approved Policy wording
The proposed changes address a regulatory requirement for insurers to clarify the extent of cover for cyber-related claims in policies of insurance. The changes are due to take effect on 1 September 2021. Consultation was closed 21 May 2021.
Purpose of consultation
ICAEW is consulting on these proposed changes for transparency and to ensure that that are consistent with its duty to act in the public interest. Consulting also helps protect against any unforeseen or unintended consequences that may be brought about by the changes.
This consultation is likely to be of interest to ICAEW members and ICAEW member and regulated firms, participating insurers, insurance brokers, ICAEW’s oversight regulators and clients of ICAEW members and regulated firms.
The consultation will be open from 12 April until 21 May 2021.
Background
Professional Indemnity Insurance
Professional indemnity insurance (PII) is compulsory for all ICAEW members who have a practising certificate and engage in public practice. Compliance with the PII Regulations is also a requirement of the audit, insolvency and probate regulations and the Designated Professional Body (Investment Business) Handbook.
The PII Regulations set down the minimum insurance requirements for ICAEW members in public practice in the UK and Republic of Ireland, and firms and individuals carrying out regulated activity. The PII Regulations require that firms take reasonable steps to meet claims arising from public practice and that they put in place "qualifying insurance" with a participating insurer or insurers (ICAEW has a list of participating insurers which is updated every year and can be obtained from the ICAEW website. View the list). "Qualifying insurance" is PII which complies with the PII Regulations and minimum approved wording and provides 6 years retroactive cover (ie, cover for claims arising from work carried out during the last 6 years).
Further details regarding the requirements relating to Professional Indemnity Insurance can be found here:
- ICAEW’s PII Regulations effective from 1 January 2021 (Note: the regulations that apply currently for accredited probate firms are the PII Regulations dated 29 May 2020.)
- ICAEW’s Minimum Approved Wording effective 1 October 2018
Silent Cyber Exposures
During recent years, so-called "silent cyber" has been an area of increasing focus for both regulators and insurers. The term reflects a concern amongst regulators that insurers may not fully understand the extent of their cyber exposures under different lines of insurance and so may not be pricing policies appropriately to manage risk.
Both the Prudential Regulation Authority (PRA) and Lloyds of London (Lloyds) have directed that clarity be brought to the market and that policies be clear on whether losses caused, or partially caused, by a cyber-related event or trigger are covered. The PRA has said it expects all insurers to have action plans in place to reduce their silent cyber exposures and Lloyd’s have now mandated that all policies address cyber and either exclude or provide affirmative coverage for cyber risks.
In 2019/2020, the International Underwriting Association (IUA) undertook work to develop a model clause that could be applied by insurers to address the issue of "silent cyber". The IUA surveyed both PI and cyber insurers for their views on how risks should be allocated between the different policies, and then used this feedback to develop a model cyber clause. The IUA has said that the purpose of the clause is to ensure that traditional PI exposures remain covered, while claims more appropriately covered under a stand-alone cyber policy are excluded.
We have worked with the IUA, other professional regulators and insurers to develop amendments to the minimum wording to address "silent cyber". The changes are intended to ensure that any cyber endorsements that are placed on policies by participating insurers do not conflict with the minimum approved wording.
Proposed amendments
ICAEW’s PII Committee proposes that some limited exclusions be included in the minimum approved wording based on the IUA’s model clause. The changes apply the cyber exclusions within the IUA model clause to "Relevant First Party Loss" only, which is defined as cover for defence costs incurred in investigating, reducing, avoiding or settling a potential Claim or circumstance (see the paragraphs (c) and (d) of the definition of "Defence Costs" in the minimum approved wording). All existing cover for third party claims, Ombudsman awards and Defence Costs in relation to claims under the minimum wording is preserved, even if a cyber-related event/trigger forms part of the cause/s of the losses claimed by the third party.
Impact analysis
ICAEW recognises that some change will be required to the minimum approved wording to address "silent cyber" given the new regulatory requirement on insurers to clarify the extent of cyber coverage in policy wordings. However, ICAEW also believes that it is vital for consumer protection that existing cover that is in place for third party cyber-related claims be retained. If cover for certain types of third party claims were to be excluded, this could lead to unnecessary complexity and confusion for insured firms and consumers. There is also a risk that some types of claim may no longer be covered as, although many ICAEW firms will hold separate cyber insurance, not all will as this is not currently a regulatory requirement. Further, even where cyber policies are in place, there can be no guarantee that such clams will be picked up under those polices as the scope and breadth of coverage under cyber policies can vary.
Currently, there is only a small portion of cover for first party losses under the minimum wording (ie, cover for losses incurred by the insured firm itself) as the primary purpose of the minimum approved wording is to provide cover for third party claims. The proposed changes to the minimum wording would mean that any Relevant First Party Loss (for example, costs incurred by the firm in investigating the cause of a cyber hack that may give rise to a potential third party claim) would be excluded from cover. Firms may be able to insure these types of costs under a separate, stand-alone cyber policy, but cover for the loss would not form part of the minimum, compulsory cover for ICAEW firms.
The aim of the consultation is to understand if there are any unintended consequences which arise from these proposed changes and we invite you to respond to the consultation with your views.
Results of the consultation
As the minimum approved wording is shared with the Institute of Chartered Accountants of Scotland (ICAS) and the Institute of Chartered Accountants in Ireland (CAI) any amendments to the minimum wording will require the approval of the boards of those institutes as well as the ICAEW Regulatory Board.
The consultation closed on 21 May 2021.
Further assistance
If you need any guidance to assist you in providing a response please contact the Sarah-Jane Owen, PII & Regulatory Manager at Sarah-Jane.Owen@icaew.com
If you have any queries or complaints about ICAEW’s consultation process, please contact Claire Phillips, PII Committee Secretary at Claire.Phillips@icaew.com