LMA5468A, LMA5469A and LMA5470A: Amended Cyber and Data endorsements for Liability policies

Background

While LMA5469A was issued in October 2022, LMA5468A and LMA5470A were issued on 15 March 2023 (beware the Ides of March!). Since LMA5468A, LMA5469A and LMA5470A are similar to their LMA5468, LMA5469 and LMA5470 predecessors, I recommend reading the analysis of those endorsements separately since I have chosen not to reproduce it here.

In LMA Bulletin LMA22-034-SD, the LMA stated that the changes to LMA5469 made for LMA5469A were ‘to clarify that the limited write-back of cover to the exclusion is subject to all the terms, conditions and exclusions of the policy (and any attached endorsements)’. This statement, however, does not tell the full story since the changes amount to more than a ‘clarification’.

Changing how LMA5468A, LMA5469A and LMA5470A operate

For each of LMA5468A, LMA5469A and LMA5470A, the primacy clauses of their predecessors have been deleted:

‘This endorsement supersedes any other wording in the Policy or any endorsement thereto having a bearing on a Cyber Act, Cyber Incident or Data, and, if in conflict with such wording, replaces it’.

This change should be considered in conjunction with the change to the preamble for the exceptions in paragraph 2:

‘Subject to all the terms, conditions and exclusions contained in this Policy or any endorsement thereto…’

Taken together, these changes are significant because they mean that other exclusions in the policy or attached to the policy – including those relating to cyber or data risks – could operate alongside those of LMA5468A, LMA5469A or LMA5470A. And if any exclusion in the policy applies to an insured’s claim, the claim is excluded. As such, these changes increase the likelihood that an insured’s claim will be excluded.

Rather than ‘clarifying’ how the LMA5468A, LMA5469A or LMA5470A apply, it would be more accurate to say that the exceptions to the exclusions in the amended versions operate differently because they are also subject to the underlying policy’s other exclusions.

Other changes

Other changes introduced in LMA5468A, LMA5469A or LMA5470A are as follows:

  1. For LMA5469A and LMA5470A, the exceptions to the exclusions now appear in paragraph 2 (i.e. immediately after the exclusions of paragraph 1); and,
  2. The definition paragraphs are not numbered. As a result, the definition of ‘Cyber Incident’ has sub-clauses (a) and (b), which is inconsistent with the other sub-clauses of the wording which are numbered 1.1, 1.2, 2.1 and 2.2.

Summary of LMA5468A, LMA5469A and LMA5470A

Exclusion LMA5468A LMA5469A LMA5470A
Cyber Act: loss or damage in connection with unauthorised, malicious or criminal act involving access to or use of an electronic device Excluded Excluded Excluded
Cyber Incident #1: loss or damage in connection with error or omission involving access to or use of an electronic device Excluded Excluded Excluded
Cyber Incident #2: loss or damage in connection with the unavailability or failure to access or use an electronic device Excluded Excluded Excluded
Any action taken in controlling, preventing, suppressing or remediating any Cyber Act or Cyber Incident Excluded Excluded Excluded
Loss of use or reduction in functionality of Data Excluded Excluded Excluded
Repair, replacement, restoration, reproduction of Data Excluded Excluded Excluded
Loss or theft of Data Excluded Excluded Excluded
Value of Data Excluded Excluded Excluded
Exceptions
If arising out of a Cyber Incident, exceptions for: 1) third party bodily injury; and 2) physical damage to or destruction of third party property. No such exception Excepted Excepted
If arising out of a Cyber Act, exceptions for: 1) third party bodily injury; and 2) physical damage to or destruction of third party property. No such exception No such exception Excepted