Background to LMA5410
Published on 6th March 2020 by the Lloyd’s Market Association (LMA), LMA5410 is a Cyber Exclusion Clause intended for use on Property treaty reinsurance.
LMA5410 Exclusions: Computer Systems and Data
Generally, the LMA5410 clause excludes loss in connection with:
- “any loss of, alteration of, or damage to or a reduction in the functionality, availability or operation of a Computer System”; or
- “any loss of use, reduction in functionality, repair, replacement, restoration or reproduction of any Data, including any amount pertaining to the value of such Data”.
The Computer System exclusion (i.e. 1., above) can operate as both a peril and property exclusion, i.e. it excludes loss in connection with the circumstances described, and excludes damage to a “Computer System”.
The primary intent of the Data exclusion (i.e. 2., above) appears to be to act as a property exclusion on Data, i.e. exclude damage to Data. Nonetheless, it could also act as a peril exclusion by excluding other losses in connection with the circumstances described. Unlike LMA5400 endorsement, the Data exclusion in LMA5410 is absolute in that is has no exceptions.
Exception to the Computer System Exclusion
The Computer System exclusion has an exception whereby cover is provided for:
“physical damage to property insured under the original policies and any Time Element Loss directly resulting therefrom where such physical damage is directly occasioned by any of the following perils:
fire, lightning, explosion, aircraft or vehicle impact, falling objects, windstorm, hail, tornado, cyclone, hurricane, earthquake, volcano, tsunami, flood, freeze or weight of snow.”
Interpretation of the words “directly occasioned by” could depend on the circumstances, but may require a listed peril to be a proximate cause of the damage for the exception to apply. However, a listed peril could be the proximate cause of the physical damage regardless of whether it occurred before OR after the circumstances described in the Computer System exclusion (i.e. “loss of, alteration of, or damage to or a reduction in the functionality, availability or operation of a Computer System”). Though it is difficult to see how the circumstances described in the Computer System exclusion could cause natural perils like windstorm, tornado, cyclone, hurricane, earthquake, volcano, tsunami, flood, freeze or weight of snow.
Operation of the exception when the Data exclusion also applies?
The exception to the Computer System exclusion, however, may not operate if the circumstances causing the loss also enliven the Data exclusion, which does not have an exception. While the internet may not need further explanation of the Wayne Tank judgment (perhaps see Spark Helmore’s “Storms, floods and exclusions: a refresher on the application of Wayne Tank principles”), it could be summarised as follows: if a loss arises from two perils – one of which is excluded and the other is not – and it is not possible to apportion the loss between the perils, then the exclusion prevails and the insured will not be indemnified. Predicting how a court may view the Computer System exception when the Data exclusion is enlivened may be a fool’s errand.
What about malicious cyber events?
An unusual aspect of LMA5410 is that is does not distinguish between malicious and non-malicious cyber events (c.f. with the absolute exclusions on “Cyber Acts” in LMA5400 and LMA5401, i.e. “an authorised malicious or criminal act or series of related unauthorised, malicious or criminal acts, regardless of time and place, or the threat or hoax thereof involving access to, processing of, use of or operation of any Computer System”). This invites the following questions:
- do reinsurers really have an appetite to cover malicious cyber acts under Property reinsurance treaties?
- Are malicious cyber activities considered an insurable risk? Should they be?
Given the nature of malicious cyber activities (including nation-state involvement or support), there is potential overlap with a policy’s “War” and “Terrorism” exclusions. But since 2019, the UK’s Prudential Regulation Authority (PRA) and Lloyd’s have been aligned in seeking to eliminate “silent cyber” coverage and clarifying policy positions. But when it comes to malicious cyber events (or “Cyber Acts” to use the terms of LMA5400 and LMA5410), it seems strange that LMA5410 is silent.