LMA5468A, LMA5469A and LMA5470A: Amended Cyber and Data endorsements for Liability policies

Background

While LMA5469A was issued in October 2022, LMA5468A and LMA5470A were issued on 15 March 2023 (beware the Ides of March!). Since LMA5468A, LMA5469A and LMA5470A are similar to their LMA5468, LMA5469 and LMA5470 predecessors, I recommend reading the analysis of those endorsements separately since I have chosen not to reproduce it here.

In LMA Bulletin LMA22-034-SD, the LMA stated that the changes to LMA5469 made for LMA5469A were ‘to clarify that the limited write-back of cover to the exclusion is subject to all the terms, conditions and exclusions of the policy (and any attached endorsements)’. This statement, however, does not tell the full story since the changes amount to more than a ‘clarification’.

Changing how LMA5468A, LMA5469A and LMA5470A operate

For each of LMA5468A, LMA5469A and LMA5470A, the primacy clauses of their predecessors have been deleted:

‘This endorsement supersedes any other wording in the Policy or any endorsement thereto having a bearing on a Cyber Act, Cyber Incident or Data, and, if in conflict with such wording, replaces it’.

This change should be considered in conjunction with the change to the preamble for the exceptions in paragraph 2:

‘Subject to all the terms, conditions and exclusions contained in this Policy or any endorsement thereto…’

Taken together, these changes are significant because they mean that other exclusions in the policy or attached to the policy – including those relating to cyber or data risks – could operate alongside those of LMA5468A, LMA5469A or LMA5470A. And if any exclusion in the policy applies to an insured’s claim, the claim is excluded. As such, these changes increase the likelihood that an insured’s claim will be excluded.

Rather than ‘clarifying’ how the LMA5468A, LMA5469A or LMA5470A apply, it would be more accurate to say that the exceptions to the exclusions in the amended versions operate differently because they are also subject to the underlying policy’s other exclusions.

Other changes

Other changes introduced in LMA5468A, LMA5469A or LMA5470A are as follows:

  1. For LMA5469A and LMA5470A, the exceptions to the exclusions now appear in paragraph 2 (i.e. immediately after the exclusions of paragraph 1); and,
  2. The definition paragraphs are not numbered. As a result, the definition of ‘Cyber Incident’ has sub-clauses (a) and (b), which is inconsistent with the other sub-clauses of the wording which are numbered 1.1, 1.2, 2.1 and 2.2.

Summary of LMA5468A, LMA5469A and LMA5470A

Exclusion LMA5468A LMA5469A LMA5470A
Cyber Act: loss or damage in connection with unauthorised, malicious or criminal act involving access to or use of an electronic device Excluded Excluded Excluded
Cyber Incident #1: loss or damage in connection with error or omission involving access to or use of an electronic device Excluded Excluded Excluded
Cyber Incident #2: loss or damage in connection with the unavailability or failure to access or use an electronic device Excluded Excluded Excluded
Any action taken in controlling, preventing, suppressing or remediating any Cyber Act or Cyber Incident Excluded Excluded Excluded
Loss of use or reduction in functionality of Data Excluded Excluded Excluded
Repair, replacement, restoration, reproduction of Data Excluded Excluded Excluded
Loss or theft of Data Excluded Excluded Excluded
Value of Data Excluded Excluded Excluded
Exceptions
If arising out of a Cyber Incident, exceptions for: 1) third party bodily injury; and 2) physical damage to or destruction of third party property. No such exception Excepted Excepted
If arising out of a Cyber Act, exceptions for: 1) third party bodily injury; and 2) physical damage to or destruction of third party property. No such exception No such exception Excepted

LMA5468, LMA5469 and LMA5470: Cyber and Data endorsements for Liability policies

Background

LMA5468, LMA5469 and LMA5470 are Cyber and Data Exclusion Endorsements for Liability policies that were released by the LMA in November 2020.

At their broadest, LMA5468, LMA5469 and LMA5470 all exclude liability ‘in connection with’:

  1. any Cyber Act;
  2. any Cyber Incident;
  3. any action taken in controlling, preventing, suppressing or remediating any Cyber Act or Cyber Incident;
  4. any loss of use or reduction in functionality of any Data;
  5. any repair, replacement, restoration, reproduction of any Data;
  6. any loss or theft of any Data; or
  7. any amount pertaining to the value of such Data.

Where the exclusions differ, however, is in their exceptions: LMA5468 has none, LMA5469 has an exception for Cyber Incidents, and LMA5470 has exceptions for both Cyber Incidents and Cyber Acts.

Exclusion LMA5468 LMA5469 LMA5470
Cyber Act: loss or damage in connection with unauthorised, malicious or criminal act involving access to or use of an electronic device Excluded Excluded Excluded
Cyber Incident #1: loss or damage in connection with error or omission involving access to or use of an electronic device Excluded Excluded Excluded
Cyber Incident #2: loss or damage in connection with the unavailability or failure to access or use an electronic device Excluded Excluded Excluded
Any action taken in controlling, preventing, suppressing or remediating any Cyber Act or Cyber Incident Excluded Excluded Excluded
Loss of use or reduction in functionality of Data Excluded Excluded Excluded
Repair, replacement, restoration, reproduction of Data Excluded Excluded Excluded
Loss or theft of Data Excluded Excluded Excluded
Value of Data Excluded Excluded Excluded
Exceptions
If arising out of a Cyber Incident, exceptions for: 1) third party bodily injury; and 2) physical damage to or destruction of third party property. No such exception Excepted Excepted
If arising out of a Cyber Act, exceptions for: 1) third party bodily injury; and 2) physical damage to or destruction of third party property. No such exception No such exception Excepted

Overview of the definitions

As noted elsewhere on insurance-endorsements.com, the definitions of Cyber Act, Cyber Incident, Computer System and Data are problematic. For example,

  1. Cyber Act means ‘an unauthorised, malicious or criminal act or series of related unauthorised, malicious or criminal acts, regardless of time and place, or the threat or hoax thereof involving access to, processing of, use of or operation of any Computer System.’ In this definition, it is unclear how ‘unauthorised’ should be interpreted. Is it from the perspective of the insured? If an act has not been authorised, does that mean it is unauthorised? If an employee unintentionally exceeds their authority, is that unauthorised? If an authorised employee commits an act that violates a policy, does that make it unauthorised? These questions could have been avoided if the LMA had sought to define a ‘Cyber Act’ in terms of actual cyber threats rather than generalities.
  2. Cyber Incident has two limbs:
    1. an error or omission involving access, processing, use or operation of a Computer System. For this limb, it appears that the errors or omissions could be by the insured or a third party. But it is appropriate to consider: where is the cyber risk here? Separately, the second limb of ‘Cyber Incident’ is concerned with the outcome rather than the cause – this makes the Cyber Incident exclusion very broad and means that it could exclude liability in the absence of an actual cyber risk; and
    2. any unavailability (whether partial or total) or failure to access, process, use or operate (whether partial or total) any Computer System.
  3. The definition of Computer System includes ‘any electronic device’. While the concept of a computer system has undoubtedly changed over time, not every electronic device is a computer system. In this respect, the LMA’s definition of Computer System over-reaches;
  4. Data means information, facts, concepts, code or any other information of any kind that is recorded or transmitted in a form to be used, accessed, processed, transmitted or stored by a Computer System [emphasis added]. Since physical documents could be scanned, photocopied or faxed, such documents could be ‘Data’. It would be more appropriate if Data were re-defined such that it was limited to electronic data (perhaps even using ‘electronic data’ without definition) and did not extend to physical documents.

Re-thinking the Data exclusions

Paragraph 1.2 of LMA5468, LMA5469 and LMA5470 contains the ‘Data’ exclusions, excluding liability in connection with any:

1.2 loss of use, reduction in functionality, repair, replacement, restoration, reproduction, loss or theft of any Data, including any amount pertaining to the value of such Data;

Paragraph 1.2 is problematic because it puts separate exclusions into a single clause and seems to confuse what could be termed ‘circumstance’ and ‘property’ exclusions. Consider if paragraph 1 of LMA5468, LMA5469 and LMA5470 were amended to the following:

1. Notwithstanding any provision to the contrary within this Policy or any endorsement thereto –

1.1 this Policy does not apply to any loss, damage, liability, claim, fines, penalties, cost or expense of whatsoever nature directly or indirectly caused by, contributed to by, resulting from, arising out of or in connection with:

1.1.1 any Cyber Act or Cyber Incident; or

1.1.2 any action taken in controlling, preventing, suppressing or remediating any Cyber Act or Cyber Incident; or

1.1.3 any loss of use or reduction in functionality of Data,

regardless of any other cause or event contributing concurrently or in any other sequence thereto unless subject to the provisions of paragraph 5 [note: subjectivity only appropriate for LMA5469 and LMA5470];

1.2 this Policy excludes any loss, damage, liability, claim, fines, penalties, cost or expense of whatsoever nature for any:

1.2.1 repair, replacement or restoration of Data; [note: deleted ‘reproduction’]

1.2.2 loss or theft of Data; or

1.2.3 amount pertaining to the value of Data.

The exclusions in paragraphs 1.2.1, 1.2.2 and 1.2.3, above, are concerned with Data as property and not circumstances within a broader chain of causation. Note, also, that the word ‘reproduction’ has been intentionally omitted from sub-clause 1.2.1 – the term ‘reproduction’ is problematic because it could apply to a third party that is distributing the Data and this is inconsistent with the other terms in that sub-clause.

The exceptions of LMA5469 and LMA5470

While LMA5468 does not have any exceptions to its exclusions, LMA5469 and LMA5470 do. Specifically,

  • LMA5469 has exceptions for ‘ensuing third party bodily injury’ or ‘ensuing physical damage to or destruction of third party property’ arising from a Cyber Incident; while,
  • LMA5470 has exceptions for ‘ensuing third party bodily injury’ or ‘ensuing physical damage to or destruction of third party property’ arising from a Cyber Incident or Cyber Act.

However, these exceptions may not be effective if the Data exclusions in paragraph 1.2 were enlivened. This is why the ‘Data’ exclusions should be amended, potentially as proposed above.

In determining the scope of the LMA5469 and LMA5470 exceptions, it is important to consider the cover provided by the underlying policy. In Australia, many General Liability (GL) or Public and Product Liability (PPL) policies indemnify the insured for its liability to pay compensation for:

  1. ‘injury’, which may include bodily injury, mental injury, invasion of privacy, defamation and discrimination; and
  2. ‘property damage’, which may include both a) damage to tangible property (including loss of use therefrom) and b) loss of use of tangible property which arises out of damage to other tangible property.

In comparing the exceptions in LMA5469 and LMA5470 with these definitions, it is apparent that:

  1. ‘bodily injury’ in the exceptions of LMA5469 and LMA5470 is narrower than ‘injury’ in many General Liability policies, such that mental injury, invasion of privacy, defamation and discrimination remain excluded; and
  2. ‘damage to or destruction of tangible third party property’ in the exceptions of LMA5469 and LMA5470 is narrower than ‘property damage’ in many General Liability policies since there is no allowance for ‘loss of use’ of property.

Other features of LMA5468, LMA5469 and LMA5470

Other features of LMA5468, LMA5469 and LMA5470 are as follows –

  1. Paragraph 2: a ‘reading down’ clause whereby, if any portion is invalid or unenforceable, the remainder shall apply in full force and effect (or, in the words of the endorsement, ‘the remainder shall remain…’);
  2. Paragraph 3: a ‘primacy clause’ whereby the endorsement supersedes or replaces any other clauses in the policy regarding Cyber Acts, Cyber Incidents or Data. Note, however, that this clause is deleted from LMA5468A, LMA5469A and LMA5470A;
  3. Paragraph 4: reverses the onus of proof such that, if the insurer alleges that the endorsement excludes ‘loss sustained by the Insured’, then the insured has the burden of proving otherwise. Here, it is appropriate to consider:
    1. what would be required for an insurer to ‘allege’ that the exclusion applies? The endorsement is silent on this; and
    2. what justifies reversing the onus of proof? Parties to an insurance contract may specify who bears the onus of proving a particular fact, even if this involves reversing the onus of proof: see Levy v Assicurazione Generali [1940] AC 791. However, reversing the onus of proof is contrary to the interests of insureds and conflicts with the traditional position whereby the insurer must prove that an exclusion applies. Given the resources and expertise of insurance companies, it is difficult to see how reversing the burden of proof could lead to more equitable outcomes.

Separately, it is unusual that paragraph 4 only uses the term ‘loss’ when paragraph 1 uses the terms ‘loss’, ‘damage’, ‘liability’, ‘claim’, ‘fines’, ‘penalties’, ‘cost’ and ‘expense’. While the intention of the clause is almost certainly to exclude all of these, the endorsement itself is not so explicit.

Please note that LMA5468, LMA5469 and LMA5470 have since been replaced by LMA5468A, LMA5469A and LMA5470A. The analysis in this article, however, is relevant to those updated endorsements.

LMA5400 and LMA5401: Cyber and Data endorsements

Analysis of LMA5400 and LMA5401

Background

Published on 13 November 2019 by Lloyd’s Market Association (LMA), LMA5400 and LMA5401 are intended for use on property insurance policies arranged either on a direct or facultative reinsurance basis.

It is difficult to concisely summarise the effects of LMA5400 and LMA5401 because they contain six far-reaching exclusions which utilise broad definitions (a ‘Computer System’, for example is ‘any… electronic device’). LMA5400 has a very limited exception to some of its exclusions, though this may not be effective because of the operation of LMA5400’s other exclusions. Rather than excluding cyber risks such as computer viruses, denial-of-service (DOS) attacks or hacking, LMA5400 and LMA5401 are based on the possible results of such risks rather than the causes, and only require ‘connections’ rather than causation for the exclusions to operate. As a result, LMA5400 and LMA5401 may exclude damage and losses that are not caused by cyber risks, and it is unclear whether insurers understand the uncertainty that this creates for themselves and insureds.

Exclusions LMA5400 LMA5401
Cyber Act: loss or damage in connection with unauthorised, malicious or criminal act involving access to or use of an electronic device Excluded Excluded
Cyber Incident #1: loss or damage in connection with error or omission involving access to or use of an electronic device Excluded Excluded
Cyber Incident #2: loss or damage in connection with the unavailability or failure to access or use an electronic device Excluded Excluded
Loss or damage in connection with loss of use or reduction in functionality of Data Excluded Excluded
Replacement or restoration of Data Excluded Excluded
Value of Data Excluded Excluded
Exceptions and scenarios
Exception for property damage caused by fire or explosion which results from Cyber Incident Yes, but Cyber Act or Data exclusions may prevail Excluded
Exception for business interruption caused by fire or explosion which results from Cyber Incident Excluded Excluded
Exception for property damage or business interruption if insured peril causes unavailability or failure to use an electronic device Excluded Excluded
Basis of Valuation
Basis of Valuation for Data Processing Media Cost to repair or replace the media, plus costs of copying Data from back-ups or originals None

The Exclusions: LMA5400 and LMA5401

LMA5400 and LMA5401 contain four separate exclusions on damage and loss in connection with:

  1. any unauthorised, criminal or malicious act involving a Computer System (a ‘Cyber Act’), whether the Computer System is the Insured’s or a third party’s;
  2. an error or omission involving access to, processing of, use of or operation of any Computer System (a ‘Cyber Incident’);
  3. partial or total unavailability or failure to access or use any Computer System (also a ‘Cyber Incident’); and,
  4. the loss of use or reduction in functionality of Data.

Beyond this, LMA5400 and LM5401 also exclude:

  1. the replacement or restoration of Data; and,
  2. the value of Data.

Initial observations: LMA5400 and LMA5401 are far broader than ‘cyber’ endorsements

Although considered further below, LMA5400 and LMA5401 define ‘Computer System’ as ‘any… electronic device… owned or operated by the Insured or any other party’ (see ‘Definition: Computer System’). From this, it is apparent that:

a) Exclusion 1), above, excludes damage and loss in connection with criminal acts – such as criminal damage, theft or vandalism – involving an electronic device;

b) Exclusion 1), above, may exclude damage and loss in connection with a person using an electronic device in an unauthorised manner (i.e. in breach of instructions). Exclusion 2), above, is also relevant in this scenario since it excludes property damage or loss in connection with an error or omission in using an electronic device;

c) Exclusion 1), above, may exclude damage and loss in connection with a person that has not been authorised to use an electronic device doing so, notwithstanding that they may have used the device in an authorised manner;

d) Exclusion 3), above, excludes damage and loss in connection the unavailability of an electronic device. Clause 2 of LMA5400 provides a partial exception to this exclusion (see ‘Perils exception’, below), but this only applies where the unavailability results in a fire or explosion. If there is an insured peril which causes damage to an electronic device, that damage may be excluded by LMA5400 and LMA5401, as may subsequent damage and business interruption;

e) Because the unavailability of a computer system will often involve a loss of use of Data, there is overlap between Exclusions 3) and 4), above. Even if the partial exception for Exclusion 3) and Cyber Incidents applies, effect would be given to the exclusion (see ‘A Cyber Incident and another exclusion applies? Exclusion prevails’); and,

f) Similar to Exclusion 3), Exclusion 4) excludes damage and loss from the loss of use of Data. If there is an insured peril which causes damage to a device containing Data, that damage will be excluded by LMA5400 and LMA5401, as will subsequent damage and business interruption.

These initial observations are not intended to be an exhaustive analysis, but demonstrate how LMA5400 and LMA5401 are far broader than the ‘Cyber’ endorsements which they purport to be.

Attribution language: causation not required for exclusions to apply

Sub-clause 1.2 includes the following attribution language: directly or indirectly caused by, contributed to by, resulting from, arising out of or in connection with. Of these, ‘in connection with’ (as used in the list of exclusions above) is the broadest and most significant because it may not require the excluded circumstance to be a proximate or remote cause of the damage/loss for the exclusion to apply. As per the anti-concurrent causation language (‘regardless of any other cause or event contributing concurrently or in any other sequence thereto’), the exclusions in LMA5400 and LMA5401 can apply even if there are other proximate or remote causes of damage/loss.

LMA5400 Perils exception

Despite the exclusions of clause 1, clause 2 of LMA5400 contains an exception where:

1) a Cyber Incident

results in

2) a fire or explosion

that causes

3) physical loss or damage to property insured.

However, this exception will not apply where the Cyber Incident has a connection with a Cyber Act.  Furthermore, while the exclusions exclude ‘loss’ generally, the exception in clause 2 is only for ‘physical loss or physical damage to property insured’ such that business interruption losses remain excluded by clause 1. This appears to be an unfair result for insureds – where the intention of the underlying policy is to pay business interruption loss that results from covered damage to property – since this intention is overridden by the endorsement.

LMA5401 does not contain an equivalent exception to clause 2 in LMA5400.

What if the peril comes first? Exclusion prevails

While clause 2 of LMA5400 provides cover where a Cyber Incident results in a fire or explosion that causes physical loss or damage to property insured, what happens if:

1) a fire or explosion

results in

2) a Cyber Incident, i.e.

a) an error or omission involving access or use of a Computer System, or

b) unavailability (partial or total) or failure to access or use a Computer System,

which causes

c) damage to property and business interruption?

In this case, the property damage and business interruption will be excluded. Again, this outcome may justifiably be considered unfair for the insured where the proximate cause of damage and business interruption is an insured peril. Nonetheless, the words ‘regardless of any other cause or event contributing concurrently or in any other sequence to the thereto’ in clauses are clearly intended to have this effect.

This unfairness may be exacerbated by the realisation that Computer System is defined to include ‘any… electronic device’ (see ‘Definition: Computer System’).

A Cyber Incident and another exclusion applies? Exclusion prevails

Consider a scenario in which:

1) a computer virus infects the insured’s computer systems

causing

2) those Computer Systems to be unavailable (a ‘Cyber Incident’ for which the exception would apply); and

3) Data on those Computer Systems to be deleted or corrupted (as per the exclusion in sub-clause 1.2),

resulting in

4) a fire or explosion

that causes

5) physical loss or damage to property insured.

In this scenario, it can be appreciated that there are two circumstances connected with the loss:

1) the Cyber Incident for which there is cover under clause 2; and,

2) the deletion or corruption of Data, which is excluded under clause 1.2.

As such, the common law principle as articulated in Wayne Tank and Pump Co Ltd v Employers’ Liability Assurance Corpn Ltd [1974] QB 57 (CA) may apply such that effect would be given to the exclusion. Per Cairns LJ in Wayne Tank:

if one cause is within the words of the policy and the other comes with an exception [i.e. exclusion] in the policy, it must be taken that the loss cannot be recovered under the policy. The effect of an exception is to save the insurer from liability for a loss which but for the exception would be covered.

While an outcome that is consistent with a common law principle may be hard to argue against, it should be noted that some policies – such as the Mk.V Modified Industrial Special Risks (ISR) policy – do provide cover where there is a non-excluded proximate cause of damage, notwithstanding that an excluded cause of damage may have preceded or followed it. From the Mark V Modified ISR:

Provided that the Insurer will indemnify the Insured for any Damage to Property Insured caused directly by any circumstances not excluded under Section 1 of this Policy, notwithstanding that these circumstances may in turn have been caused by any of the circumstances referred to in Exclusions 6.2.1 to 6.2.17.

Ultimately, this example of a computer virus should serve to demonstrate just how limited the perils exception in clause 2 of LMA5400 is.

Separately, it may be recalled that NMA2914 and NMA2915 have exceptions for property damage if:

1) loss of or damage to Electronic Data

causes

2) a Fire or Explosion.

LMA5400, however, has no such exception.

Basis of Valuation

LMA5400 provides a basis of valuation (or basis of settlement) for Data Processing Media, which is defined as property on which Data can be stored. Specifically, the basis of settlement for Data Processing Media is:

1) the cost to repair or replace the Data Processing Media; and

2) costs of copying Data from back-ups or from originals.

Like NMA2915 and NMA2914A, LMA5400 excludes costs of research and engineering, and costs to recreate, gather or assemble such Data. As per NMA2914, NMA 2915 and NMA2914A, LMA5400 states that if the media is not repaired, replaced or restored, then the basis of valuation is the cost of blank Data Processing media.

Similar to NMA2914, NMA 2915 and NMA2914A with respect to Electronic Data, LMA5400 states that the policy does not insure the value of Data. While this proposition is readily understandable for Electronic Data, on the basis that intangible assets and intellectual property are not typically covered by property policies, it is problematic for LMA5400 because its definition of ‘Data’ could include physical documents (see ‘Definition: Data’, below).

LMA5401 does not contain a basis of valuation.

Definitions

Definition: Computer System

In LMA5400 and LMA5401, the definition of ‘Computer System’ includes ‘any… electronic device’. It is noted that the ‘electronic device’ does not have to be associated with an actual computer. While the term ‘electronic device’ may lack a precise definition, the term could be applied to electrically powered devices and electronically-controlled devices.

To be clear, the broad definition of ‘Computer System’ in LMA5400 and LMA5401 makes the exclusion far broader than may have been intended. Specifically, Exclusion 3, above, has the effect that LMA5400 and LMA5401 will exclude loss or damage in connection with the unavailability or failure to access/use an electronic device.

It is noted that the definition of ‘Data’ (considered below) includes ‘code’, while the definition of ‘Computer System’ includes ‘software’ which consists of code. Under LMA5400 and LMA5401, the definition of ‘Computer System’ could also include ‘Data’. Consideration of the incongruities of these overlapping definitions, however, is beyond the scope of this analysis.

Definition: Data

The definition of ‘Data’ in LMA5400 and LMA5401 is unusual in that it is defined as ‘information of any kind that is recorded… in a form to be used, accessed, processed, transmitted or stored by a Computer System’. Given the ability of computers to scan and interpret physical documents, the definition of ‘Data’ in LMA5400 and LMA5401 could include physical documents. This may appear to be a perverse outcome, but the definition is not explicitly limited to ‘Electronic Data’ as that term is commonly defined in property policies (and was used in NMA2914, NMA2915 and NMA2914A).

As such, LMA5400 and LMA5401 could exclude damage to physical documents, manuscripts, deeds, specifications, plans, drawings, designs, books and other records.

Definition: Cyber Act

For LMA5400 and LMA5401, Cyber Act means “an unauthorised, malicious or criminal act or series of related unauthorised, malicious or criminal acts, regardless of time and place, or the threat or hoax thereof involving access to, processing of, use of or operation of any Computer System.”

The term ‘unauthorised act’ could be applied to:

1) an otherwise authorised person carrying out an act:

a) for which they have not been authorised (perhaps the act is outside the scope of their duties); or

b) that is contrary to instructions or guidelines (perhaps issued by an employer or manufacturer of a device);

2) an unauthorised person carrying out an act.

There may be emergency scenarios which compel persons to perform acts – involving electronic devices – for which they are not authorised in order to avoid or minimise the risk of injury or property damage. LMA5400 and LMA5401 do not appear to have considered such scenarios.

As noted above, the term ‘malicious or criminal act’ is also problematic because it could be applied to criminal damage, theft or vandalism involving an electronic device. Such acts should not be the subject of a cyber exclusion.

Definition: Cyber Incident

For LMA5400 and LMA5401, ‘Cyber Incident’ means

  • any error or omission or series of related errors or omissions involving access to, processing of, use of or operation of any Computer System; or
  • any partial or total unavailability or failure or series of related partial or total unavailability or failures to access, process, use or operate any Computer System.

The definition of ‘Cyber Incident’ demonstrates why LMA5400 and LMA5401 can have such broad application: they contemplate the results of cyber risks rather than cyber risks themselves. In its second limb, a ‘Cyber Incident’ is the unavailability or failure to use an electronic device. It should be apparent that there are many insured, non-cyber perils that could cause this, yet LMA5400 and LMA5401 make no such distinctions.

NMA2914, NMA2914A, NMA2915 and NMA2915A

Analysis of NMA2914, NMA2915, NMA2914A and NMA2915A

About

NMA2914, NMA2915, NMA2914A and NMA2915A are Electronic Data Endorsements that have been widely applied to Property policies. Since these endorsements can significantly reduce cover, it is important that their effects are understood. While NMA2914 and NMA2915 were published by the Non-Marine Association (NMA) on 25/01/01, NMA2914A and NMA2915A were released on 11/3/2015.

While NMA2914, NMA2915, NMA2914A and NMA2915A have been used by insurers (and reinsurers) to avoid exposure to cyber risks, these endorsements only address cyber risk indirectly by including ‘Computer Virus’ as a possible cause of loss of, or damage to, Electronic Data. Instead, these endorsements exclude damage and loss that results from damage to or loss of Electronic Data.

Summary: reductions in cover

1) NMA2914, NMA2915, NMA2914A and NMA2915A exclude loss of or damage to Electronic Data. However, NMA 2914 and NMA 2915, do provide cover for property damage if loss of, or damage to, Electronic Data causes a Fire or Explosion; NMA2914A and NMA2915A do not.

2) NMA2914, NMA2915, NMA2914A and NMA2915A all exclude business interruption loss that results from loss of or Damage to Electronic Data.

3) If a) an insured peril causes loss of or damage to Electronic Data, and b) that loss of or damage to Electronic Data results in subsequent property damage and business interruption, then such subsequent losses are excluded. This outcome demonstrates why insureds should resist the application of NMA2914, NMA2915, NMA2914A and NMA2915A.

For further analysis, please continue reading.

NMA2914 NMA2915 NMA2914A NMA2915A
Loss of, or damage to, Electronic Data Excluded Excluded Excluded Excluded
Cover for property damage caused by fire or explosion if such perils result from loss of, or damage to, Electronic Data Yes Yes No No
Cover for business interruption if loss of or damage to, Electronic Data causes fire or explosion No No No No
Cover if an insured peril causes loss of or damage to Electronic Data and subsequent property damage and business interruption No No No No
Basis of valuation: media Cost to repair, replace or restore such media Cost to repair, replace or restore such media. If no sub-limit: Cost of blank media Cost of blank media Cost of blank media
Basis of valuation: Electronic Data Cost to reproduce any electronic data Cost to reproduce any electronic data. If no sub-limit: cost of copying electronic data from back-ups or originals Cost of copying electronic data from back-ups or originals Cost of copying electronic data from back-ups or originals
Sub-limit In the risk details In sub-clause 2.1.1 No reference No reference
Value of Electronic Data None None None None

The Exclusions: NMA2914, NMA2915, NMA2914A and NMA2915A

Sub-paragraphs a) of NMA2914 and NMA2915, and Clauses 1.1.1 of NMA2914A and NMA2915A, effectively contain two exclusions:

1) An exclusion on loss of or damage to Electronic Data; and,

2) An exclusion on loss resulting from 1), above (i.e. an exclusion on loss resulting from loss of or damage to Electronic Data).

To the extent that Electronic Data may be considered property, the first exclusion may be regarded as a property exclusion; the second exclusion may then be considered a business interruption exclusion.

Definition of Electronic Data

The definitions of Electronic Data in NMA2914, NMA2915, NMA2914A and NMA2915A are identical and similar to those in many Property policies. If the underlying policy already has such a definition, however, then the definition of Electronic Data in NMA2914, NMA2915, NMA2914A and NMA2915A could be deleted.

Definition of Computer Virus

Since ‘computer virus’ is included as a cause of loss of or damage to Electronic Data, its definition is not material. Nonetheless, the definition of ‘Computer Virus’ in NMA2914, NMA2915, NMA2914A and NMA2915A poses interpretive difficulties –

1) if a computer virus is an unauthorised instruction or code, how is ‘authorisation’ determined? Practically, the vast majority of computer instructions and code will not have been ‘authorised’ by users or system administrators;

2) ‘propagate’ is typically used in the context of organisms being reproduced from parent stock. Here, the term is applied to instructions/code that ‘propagates’ through a computer system or network. But what of instructions/code on a single computer system that carries out a malicious operation but does not ‘propagate’? And what of malicious instructions/code that is transmitted by e-mail between computers that are not networked? Potentially, such instructions/code may not fit the definition of ‘computer virus’ in 1.1.3.

The above items are not exhaustive, though further analysis is beyond the scope of this analysis.

Listed Perils writeback: NMA2914 and NMA2915 only

Unlike NMA2914A and NMA2915A, NMA2914 and NMA2915 do provide cover in sub-clause 1(b) for property damage if:

1) loss of or damage to Electronic Data

causes

2) a Fire or Explosion.

On this basis, NMA2914A and NMA2915A may be regarded as inferior to NMA2914 and NMA2915. However, this sub-clause 1(b) in NMA2914 and NMA2915 only writes back cover for property damage such that business interruption losses remain excluded by sub-clause 1(a). This appears to be an unfair result for insureds – where the intention of the underlying policy is to pay business interruption loss that results from covered damage to property – since this intention is overridden by the endorsement.

What if the peril comes first? Exclusion prevails

While the listed perils writeback in NMA2914 and NMA2915 is beneficial, consider:

1) a peril insured by the policy (including but not limited to Fire or Explosion)

which causes

2) loss of or damage to Electronic Data

which, in turn, causes

3) further damage and business interruption.

The effect of NMA2914, NMA2915, NMA2914A and NMA2915A is that the loss of or damage to Electronic Data, the resultant property damage and the resultant business interruption are all excluded (i.e. 2) and 3), above). This outcome may justifiably be considered unfair for the Insured where the proximate cause of damage and business interruption is an insured peril. Nonetheless, the words ‘regardless of any other cause or event contributing concurrently or in any other sequence to the loss’ in sub-clauses 1(a) of NMA2914 and NMA2915, and sub-clauses 1.1.1 in NMA2914A and NMA2915A, are clearly intended to have this effect.

Basis of Valuation/Settlement: Electronic Data Processing Media Valuation

While NMA2914, NMA2915, NMA2914A and NMA2915A exclude loss of or damage to Electronic Data, the ‘Electronic Data Processing Media Valuation’ clause does provide for the reinstatement of Electronic Data, but this is conditional on covered damage to ‘electronic data processing media’.

For NMA2914, the basis of valuation (or basis of settlement) for ‘electronic data processing media’ is the cost to:

1) repair, replace or restore such media to its prior condition; and,

2) ‘reproduce’ any electronic data contained thereon.

NMA2914A provides the same basis of valuation if a sub-limit is specified in sub-clause 2.1.1.

However, for

1) NMA2914A where a sub-limit is not specified in sub-clause 2.1.1,

2) NMA2915, and

3) NMA2915A,

the basis of valuation for electronic data processing media is:

1) the cost of blank media; and

2) the costs of copying the electronic data from back-ups or originals.

These bases of valuation are inferior to that in NMA2914 because it does not include costs to ‘reproduce’ electronic data. In practice, there may not be any practical difference if the insured has back-ups of the electronic data. But if the insured does not have back-ups, then the term ‘reproduce’ may include activities to re-create, gather or assemble electronic data, because such activities are explicitly excluded in NMA2914A, NMA2915 and NMA2915A.

Sub-Limits

To summarise,

1) NMA2914 requires the sub-limit to be specified in the Risk Details;

2) NMA2915 and NMA2915A do not have sub-limits; and,

NMA2914A provides for a sub-limit to be entered in sub-clause 2.1.1, but sub-clause 2.1.2 addresses cases where no sub-limit is entered.

For NMA2914A, the absence of a sub-limit from sub-clause 2.1.1 is beneficial from an insured’s perspective for the reinstatement of the electronic data processing media, but this benefit may be outweighed by the detriment of the inferior basis of valuation.

Value of Electronic Data: none

Finally, NMA2914, NMA2915, NMA2914A and NMA2915A clarify that the policy does not insure the value of Electronic Data. While Electronic Data may be property for the purposes of the underlying policy, the value of such Electronic Data is an intangible asset and represents intellectual property. Intangible assets and intellectual property are not typically covered by property policies.