In total, we received 13 responses via an online form and directly via email.
The respondents comprised:
- 9 insurers;
- 2 further respondents (who appear also to be insurers);
- The International Underwriting Association (IUA);
- One ICAEW-regulated firm.
We were grateful for these responses which we considered carefully prior to finalising the draft changes to the minimum approved wording.
Summary of responses
In consulting on the proposed changes, we asked:
Do you think that ICAEW’s strategy in applying the IUA’s exclusions to ‘Relevant First Party Loss’ only, and preserving existing cover for third party cyber-related claims, is the right one? Yes / No. If no, please tell us why you disagree with ICAEW’s strategy.
We also sought comments generally on the proposed amendments.
Of the 13 respondents, 3 replied stating that they agreed with our approach (2 insurers and the ICAEW regulated firm). Most respondents disagreed, citing the following views / concerns:
- Some insurers asserted that third party losses sit properly within standalone cyber policies, rather than under PI policies of qualifying insurance. They consider that the IUA exclusions should apply more broadly to third party claims and that the institutes’ approach to excluding first party claims only could lead to a withdrawal of insurers from the market and therefore higher premiums or a reduction in cover for ICAEW members/firms.
- One insurer highlighted specifically that draft clause E21 writes back exposures that are not due to any negligent act, error or omission of the Insured. The insurer expressed concern that, as drafted, the minimum wording provides cover for systemic cyber events, such as a mechanical or electrical failure, which may be problematic for insurers;
- Another insurer commented that insurers may be restricted in participating in the arrangements given their reinsurance arrangements on this approach. They highlighted, in particular, the need for insurers to manage cyber exposures due to requirements being placed on them by the PRA, particularly with respect to systemic losses and third party claims for data breaches, and that this could affect the premium for cover or insurers’ willingness to write accountants’ PII policies;
- One insurer stated that the extent of cyber coverage should be more explicit in the minimum wording.
Some respondents also make suggestions for drafting changes to the proposed amendments.
The IUA provided a detailed response to the consultation which it has agreed may be published.
Finalised amendments
Following the closure of the consultation, some minor, drafting changes were made to the amendments for the approval of ICAEW, ICAS and CAI (as the minimum approved wording is shared by the 3 institutes). However, no substantive changes were made to the draft proposals as many of the views arising from the consultation simply echoed those expressed by the leading participating insurers during one-on-one meetings with representatives of ICAEW and advisers, Marsh Ltd, earlier in the year. Despite the concerns raised by insurers, it is considered important for public protection reasons to maintain cover for third party claims where the cause of loss is a cyber event or otherwise has a cyber-related trigger. Therefore, there has been no change to the general approach of the institutes in applying the IUA cyber exclusions to Relevant First Party Loss only in the minimum wording.
The finalised version of the minimum wording is set out here; the changes to the minimum approved wording will take effect generally in respect of policies issued to ICAEW members/firms which commence or renew on or after 1 September 2021.
The changes will not affect policies of qualifying insurance held by ICAEW accredited probate firms until such time as they are approved by the Legal Services Board for the purposes of the Legal Services Act 2007.