LMA5400 and LMA5401: Cyber and Data endorsements

Analysis of LMA5400 and LMA5401

Background

Published on 13 November 2019 by Lloyd’s Market Association (LMA), LMA5400 and LMA5401 are intended for use on property insurance policies arranged either on a direct or facultative reinsurance basis.

It is difficult to concisely summarise the effects of LMA5400 and LMA5401 because they contain six far-reaching exclusions which utilise broad definitions (a ‘Computer System’, for example, is ‘any… electronic device’). LMA5400 has a very limited exception to some of its exclusions, though this may not be effective because of the operation of LMA5400’s other exclusions. Instead of excluding cyber risks such as computer viruses, denial-of-service (DOS) attacks or hacking, LMA5400 and LMA5401 are based on the possible results of such risks rather than their causes, and only require ‘connections’ rather than causation for the exclusions to operate. As a result, LMA5400 and LMA5401 may exclude damage and losses that are not caused by cyber risks, and it is unclear whether insurers understand the uncertainty that this creates for themselves and insureds.

Exclusions | LMA5400 | LMA5401
--- | --- | ---
Cyber Act: loss or damage in connection with unauthorised, malicious or criminal act involving access to or use of an electronic device | Excluded | Excluded
Cyber Incident #1: loss or damage in connection with error or omission involving access to or use of an electronic device | Excluded | Excluded
Cyber Incident #2: loss or damage in connection with the unavailability or failure to access or use an electronic device | Excluded | Excluded
Loss or damage in connection with loss of use or reduction in functionality of Data | Excluded | Excluded
Replacement or restoration of Data | Excluded | Excluded
Value of Data | Excluded | Excluded

Exceptions and scenarios | LMA5400 | LMA5401
--- | --- | ---
Exception for property damage caused by fire or explosion which results from Cyber Incident | Yes, but Cyber Act or Data exclusions may prevail | Excluded
Exception for business interruption caused by fire or explosion which results from Cyber Incident | Excluded | Excluded
Exception for property damage or business interruption if insured peril causes unavailability or failure to use an electronic device | Excluded | Excluded

Basis of Valuation | LMA5400 | LMA5401
--- | --- | ---
Basis of Valuation for Data Processing Media | Cost to repair or replace the media, plus costs of copying Data from back-ups or originals | None

The Exclusions: LMA5400 and LMA5401

LMA5400 and LMA5401 contain four separate exclusions on damage and loss in connection with:

  1. any unauthorised, criminal or malicious act involving a Computer System (a ‘Cyber Act’), whether the Computer System is the Insured’s or a third party’s;
  2. an error or omission involving access to, processing of, use of or operation of any Computer System (a ‘Cyber Incident’);
  3. partial or total unavailability or failure to access or use any Computer System (also a ‘Cyber Incident’); and,
  4. the loss of use or reduction in functionality of Data.

Beyond this, LMA5400 and LMA5401 also exclude:

  1. the replacement or restoration of Data; and,
  2. the value of Data.

Initial observations: LMA5400 and LMA5401 are far broader than ‘cyber’ endorsements

Although considered further below, LMA5400 and LMA5401 define ‘Computer System’ as ‘any… electronic device… owned or operated by the Insured or any other party’ (see ‘Definition: Computer System’). From this, it is apparent that:

a) Exclusion 1), above, excludes damage and loss in connection with criminal acts – such as criminal damage, theft or vandalism – involving an electronic device;

b) Exclusion 1), above, may exclude damage and loss in connection with a person using an electronic device in an unauthorised manner (i.e. in breach of instructions). Exclusion 2), above, is also relevant in this scenario since it excludes property damage or loss in connection with an error or omission in using an electronic device;

c) Exclusion 1), above, may exclude damage and loss in connection with a person that has not been authorised to use an electronic device doing so, notwithstanding that they may have used the device in an authorised manner;

d) Exclusion 3), above, excludes damage and loss in connection with the unavailability of an electronic device. Clause 2 of LMA5400 provides a partial exception to this exclusion (see ‘Perils exception’, below), but this only applies where the unavailability results in a fire or explosion. If there is an insured peril which causes damage to an electronic device, that damage may be excluded by LMA5400 and LMA5401, as may subsequent damage and business interruption;

e) Because the unavailability of a computer system will often involve a loss of use of Data, there is overlap between Exclusions 3) and 4), above. Even if the partial exception for Exclusion 3) and Cyber Incidents applies, effect would be given to the exclusion (see ‘A Cyber Incident and another exclusion applies? Exclusion prevails’); and,

f) Similar to Exclusion 3), Exclusion 4) excludes damage and loss from the loss of use of Data. If there is an insured peril which causes damage to a device containing Data, that damage will be excluded by LMA5400 and LMA5401, as will subsequent damage and business interruption.

These initial observations are not intended to be an exhaustive analysis, but demonstrate how LMA5400 and LMA5401 are far broader than the ‘Cyber’ endorsements which they purport to be.

Attribution language: causation not required for exclusions to apply

Sub-clause 1.2 includes the following attribution language: ‘directly or indirectly caused by, contributed to by, resulting from, arising out of or in connection with’. Of these, ‘in connection with’ (as used in the list of exclusions above) is the broadest and most significant because it may not require the excluded circumstance to be a proximate or remote cause of the damage/loss for the exclusion to apply. As per the anti-concurrent causation language (‘regardless of any other cause or event contributing concurrently or in any other sequence thereto’), the exclusions in LMA5400 and LMA5401 can apply even if there are other proximate or remote causes of damage/loss.

LMA5400 Perils exception

Despite the exclusions of clause 1, clause 2 of LMA5400 contains an exception where:

1) a Cyber Incident

results in

2) a fire or explosion

that causes

3) physical loss or damage to property insured.

However, this exception will not apply where the Cyber Incident has a connection with a Cyber Act. Furthermore, while the exclusions exclude ‘loss’ generally, the exception in clause 2 is only for ‘physical loss or physical damage to property insured’ such that business interruption losses remain excluded by clause 1. This appears to be an unfair result for insureds, where the intention of the underlying policy is to pay business interruption loss that results from covered damage to property, since this intention is overridden by the endorsement.

LMA5401 does not contain an equivalent exception to clause 2 in LMA5400.

What if the peril comes first? Exclusion prevails

While clause 2 of LMA5400 provides cover where a Cyber Incident results in a fire or explosion that causes physical loss or damage to property insured, what happens if:

1) a fire or explosion

results in

2) a Cyber Incident, i.e.

a) an error or omission involving access or use of a Computer System, or

b) unavailability (partial or total) or failure to access or use a Computer System,

which causes

c) damage to property and business interruption?

In this case, the property damage and business interruption will be excluded. Again, this outcome may justifiably be considered unfair for the insured where the proximate cause of damage and business interruption is an insured peril. Nonetheless, the words ‘regardless of any other cause or event contributing concurrently or in any other sequence thereto’ in the clauses are clearly intended to have this effect.

This unfairness may be exacerbated by the realisation that Computer System is defined to include ‘any… electronic device’ (see ‘Definition: Computer System’).

A Cyber Incident and another exclusion applies? Exclusion prevails

Consider a scenario in which:

1) a computer virus infects the insured’s computer systems

causing

2) those Computer Systems to be unavailable (a ‘Cyber Incident’ for which the exception would apply); and

3) Data on those Computer Systems to be deleted or corrupted (as per the exclusion in sub-clause 1.2),

resulting in

4) a fire or explosion

that causes

5) physical loss or damage to property insured.

In this scenario, it can be appreciated that there are two circumstances connected with the loss:

1) the Cyber Incident for which there is cover under clause 2; and,

2) the deletion or corruption of Data, which is excluded under clause 1.2.

As such, the common law principle as articulated in Wayne Tank and Pump Co Ltd v Employers’ Liability Assurance Corpn Ltd [1974] QB 57 (CA) may apply such that effect would be given to the exclusion. Per Cairns LJ in Wayne Tank:

if one cause is within the words of the policy and the other comes within an exception [i.e. exclusion] in the policy, it must be taken that the loss cannot be recovered under the policy. The effect of an exception is to save the insurer from liability for a loss which but for the exception would be covered.

While an outcome that is consistent with a common law principle may be hard to argue against, it should be noted that some policies – such as the Mk.V Modified Industrial Special Risks (ISR) policy – do provide cover where there is a non-excluded proximate cause of damage, notwithstanding that an excluded cause of damage may have preceded or followed it. From the Mark V Modified ISR:

Provided that the Insurer will indemnify the Insured for any Damage to Property Insured caused directly by any circumstances not excluded under Section 1 of this Policy, notwithstanding that these circumstances may in turn have been caused by any of the circumstances referred to in Exclusions 6.2.1 to 6.2.17.

Ultimately, this example of a computer virus should serve to demonstrate just how limited the perils exception in clause 2 of LMA5400 is.

Separately, it may be recalled that NMA2914 and NMA2915 have exceptions for property damage if:

1) loss of or damage to Electronic Data

causes

2) a Fire or Explosion.

LMA5400, however, has no such exception.

Basis of Valuation

LMA5400 provides a basis of valuation (or basis of settlement) for Data Processing Media, which is defined as property on which Data can be stored. Specifically, the basis of settlement for Data Processing Media is:

1) the cost to repair or replace the Data Processing Media; and

2) costs of copying Data from back-ups or from originals.

Like NMA2915 and NMA2914A, LMA5400 excludes costs of research and engineering, and costs to recreate, gather or assemble such Data. As per NMA2914, NMA2915 and NMA2914A, LMA5400 states that if the media is not repaired, replaced or restored, then the basis of valuation is the cost of blank Data Processing Media.

Similar to NMA2914, NMA2915 and NMA2914A with respect to Electronic Data, LMA5400 states that the policy does not insure the value of Data. While this proposition is readily understandable for Electronic Data, on the basis that intangible assets and intellectual property are not typically covered by property policies, it is problematic for LMA5400 because its definition of ‘Data’ could include physical documents (see ‘Definition: Data’, below).

LMA5401 does not contain a basis of valuation.

Definitions

Definition: Computer System

In LMA5400 and LMA5401, the definition of ‘Computer System’ includes ‘any… electronic device’. It is noted that the ‘electronic device’ does not have to be associated with an actual computer. While the term ‘electronic device’ may lack a precise definition, the term could be applied to electrically powered devices and electronically-controlled devices.

To be clear, the broad definition of ‘Computer System’ in LMA5400 and LMA5401 makes the exclusion far broader than may have been intended. Specifically, Exclusion 3, above, has the effect that LMA5400 and LMA5401 will exclude loss or damage in connection with the unavailability or failure to access/use an electronic device.

It is noted that the definition of ‘Data’ (considered below) includes ‘code’, while the definition of ‘Computer System’ includes ‘software’ which consists of code. Under LMA5400 and LMA5401, the definition of ‘Computer System’ could also include ‘Data’. Consideration of the incongruities of these overlapping definitions, however, is beyond the scope of this analysis.

Definition: Data

The definition of ‘Data’ in LMA5400 and LMA5401 is unusual in that it is defined as ‘information of any kind that is recorded… in a form to be used, accessed, processed, transmitted or stored by a Computer System’. Given the ability of computers to scan and interpret physical documents, the definition of ‘Data’ in LMA5400 and LMA5401 could include physical documents. This may appear to be a perverse outcome, but the definition is not explicitly limited to ‘Electronic Data’ as that term is commonly defined in property policies (and was used in NMA2914, NMA2915 and NMA2914A).

As such, LMA5400 and LMA5401 could exclude damage to physical documents, manuscripts, deeds, specifications, plans, drawings, designs, books and other records.

Definition: Cyber Act

For LMA5400 and LMA5401, Cyber Act means “an unauthorised, malicious or criminal act or series of related unauthorised, malicious or criminal acts, regardless of time and place, or the threat or hoax thereof involving access to, processing of, use of or operation of any Computer System.”

The term ‘unauthorised act’ could be applied to:

1) an otherwise authorised person carrying out an act:

a) for which they have not been authorised (perhaps the act is outside the scope of their duties); or

b) that is contrary to instructions or guidelines (perhaps issued by an employer or manufacturer of a device);

2) an unauthorised person carrying out an act.

There may be emergency scenarios which compel persons to perform acts – involving electronic devices – for which they are not authorised in order to avoid or minimise the risk of injury or property damage. LMA5400 and LMA5401 do not appear to have considered such scenarios.

As noted above, the term ‘malicious or criminal act’ is also problematic because it could be applied to criminal damage, theft or vandalism involving an electronic device. Such acts should not be the subject of a cyber exclusion.

Definition: Cyber Incident

For LMA5400 and LMA5401, ‘Cyber Incident’ means

  • any error or omission or series of related errors or omissions involving access to, processing of, use of or operation of any Computer System; or
  • any partial or total unavailability or failure or series of related partial or total unavailability or failures to access, process, use or operate any Computer System.

The definition of ‘Cyber Incident’ demonstrates why LMA5400 and LMA5401 can have such broad application: they contemplate the results of cyber risks rather than cyber risks themselves. In its second limb, a ‘Cyber Incident’ is the unavailability or failure to use an electronic device. It should be apparent that there are many insured, non-cyber perils that could cause this, yet LMA5400 and LMA5401 make no such distinctions.