Dual cyber coverage: what are the implications for insurers?

The High Court has held that where multiple policies cover a single cyber incident, an Insured is entitled to claim up to the maximum limit of each policy and in any order the Insured sees fit, even where there are "other insurance" provisions in the policies.

Summary

On 23 March 2020, the Claimant - Watford Community Housing Trust - sent an email to 3,167 recipients inadvertently disclosing personal data relating to 3,544 of the Claimant’s tenants and employees. This data breach gave rise to some 1,136 complaints of which the Claimant considered 1,050 amounted to valid claims that the Claimant has either settled or is attempting to settle.

The Claimant had in place three insurance policies:

• A cyber policy with an aggregate limit of £1,000,000
• A combined risks policy with an aggregate limit of £5,000,000, and
• A professional indemnity policy with a limit of £5,000,000.

Both the Cyber and Combined Policy Insurers agreed to indemnify the Insured, but as the Insured's losses were expected to exceed £6,000,000 this exhausted the cover under those policies. The PI Policy Insurers declined cover on the basis that the Insured had failed to notify it of the data breach, which was the fault of the Insured's broker, AJ Gallagher. The Insured therefore brought proceedings against its broker for negligence and damages.

The Defendant broker admitted that it was responsible for the failure to notify the PI Insurer and that it had been negligent. However, it denied that the Insured had suffered any loss on the basis that the "other insurance" provisions in the insurance policies capped the total cover level under all the policies to £5,000,000 and so the PI Policy's share of that cover was capped at £2,333,333. The Court was therefore asked to rule on the meaning and effect of the other insurance provisions.

The Court's decision was that:

• The "other insurance" clauses cancelled each other out and were ineffective
• The Insured therefore had the benefit of a horizontal layer of three insurance policies, which in total provided £11,000,000 of cover
• The Insured was free to claim under any or all of the policies in any order it saw fit
• The relative contributions between the Insurers towards indemnifying the losses was a separate matter for the Insurers to resolve between themselves
• Accordingly, the broker was liable in damages for the loss of cover under the PI Policy up to the fully policy limit of £5,000,000.

The rationale of the decision

The decision turned on construing the words of each of the "other insurance" clauses. 

Cyber Policy (Lloyds syndicate; PEN underwriters):

"This insurance shall apply in excess of any other valid and collectible insurance available to You, including any excess or deductible portion thereof, unless such other insurance is written only as specific excess insurance over the limit of liability of this Policy.”

Combined Policy (QBE):

“If at the time of any claim under this policy there is any other valid and collectible insurance available to the insured... other than insurance that is specifically stated to be in excess of this policy... then the insurance afforded by this policy will be in excess of and will not contribute with such other insurance.”

PI Policy (Hiscox):

"We will not make any payment under this policy where you would be entitled to be paid under any other insurance if this policy did not exist except in respect of any amount in excess of the amount that would have been payable under such other insurance had this policy not been effected."

On face value, each of these clauses attempts to turn the primary cover under the relevant policy into an excess layer that follows the primary cover offered in the other policies. The difficulty with these types of clause arises when each insurance contract tries to do the same thing. Taken literally, the effect would be that each of the policies would become excess layer cover, leaving the Insured with no primary cover. The Courts have for a long time[1] considered that such an outcome would be unjust and repugnant to the commercial purpose of insurance contracts. They have therefore construed these clauses by interpreting each "other insurance" clause so as to exclude from its scope any other policy which contained a similar "other insurance" clause. In simple terms, the clauses cancel each other out and are rendered ineffective – resulting in each policy remaining in force as primary cover.

The Defendant broker argued that the wording of the "other insurance" provision in PI Policy warranted a departure from the usual approach. The Defendant argued that the wording “if this [i.e. the PI Policy] did not exist” meant that the "other insurance" clauses in Cyber and Combined Policies had to be interpreted as if the PI Policy did not exist. Accordingly, the PI Policy could not constitute “other valid and collectible insurance” for the purposes of the "other insurance" clauses in either the Cyber or Combined Policies and so those clauses were not triggered. The result was that the Cyber and Combined Policies remained as primary cover, and the PI Policy sat as excess cover on top.

The Court did not accept this argument. It saw the additional words ("if this policy did not exist") as a drafting device relying on minute textual analysis that would be undertaken by a lawyer, rather than how the policy would be understood to a conscientious ordinary policyholder. The effect of the PI policy clause was deemed to be the same as the "other insurance" clauses in the Cyber and Combined Policies, and so they all cancelled each other out. The Court concluded that:

"on their proper construction, all three other insurance clauses cancel one another out such that, but for the Defendant’s breach of duty, the Claimant would have had the benefit of triple insurance against its losses from the data breach under a horizontal layer of primary insurance providing £1 million of cover under the Cyber Policy, £5 million of cover under the Combined Policy and a further £5 million of cover (plus defence costs) under the PI Policy."

Secondary argument: rateable contribution

The Defendant broker raised a secondary argument based on the concept of rateable contribution. Rateable contribution clauses (sometime called "rateable proportion" clauses) are often found in insurance policies. Their effect is to require the Insured to claim from each of their Insurers in proportion, rather than claiming all their loss from one Insurer. So, for example, if two policies (with rateable contribution clauses) both provided £1,000,000 of cover and the Insured's total loss was £250,000, then each Insurer would only be liable for £125,000. The Insured could not claim the full £250,000 from just one Insurer.

The Defendant broker submitted that even if all three policies were available to the Insured, the principle of "rateable contribution" was engaged, which capped the maximum amount recoverable across all the policies to £5,000,000, with each Insurer only be liable up to their proportionate share, being £2,333,333 under the PI Policy.[2]

The Court rejected this argument. First, there was no rateable contribution clause in any of the policies and there was no common law basis to imply one. Second, there was nothing in the language of the "other insurance" clauses that allowed the Court to interpret them as being "rateable contribution" clauses or to have the same effect. Third, in any event, a rateable contribution clause only controls the sequence in which the Insured can make a claim (e.g. in proportion across all policies) and does not reduce the limit of cover under a policy.

In conclusion the Court found that:

"but for the Defendant’s negligence, the Claimant [Insured] would have been legally entitled to recover an indemnity under the three policies in respect of the whole of its loss caused by the data breach up to a combined limit of £11 million. In my judgment, therefore, the Claimant is entitled to damages from the Defendant in an amount equivalent to the losses that the insurers would have been legally liable to pay over and above the £6 million that the Claimant has already recovered from QBE and the Cyber Insurers."

The takeaways from this judgment are as follows:

1. It is still worth including an "other insurance" clause in a policy because it will be effective if other relevant policies do not have "other insurance" clauses. However, the prevalent use of these clauses means they will, in practice, often be cancelled out.
2. For the principle of rateable contribution to apply, there must be an express rateable contribution clause in the policy. Absent a rateable contribution clause, the Insured can claim from any of their Insurers in any order. It will then be for the Insurers to recover a proportionate contribution from the other Insurers.

For all the case details, click here.

Footnotes:

[1] Weddell v Road Transport and General Insurance Co. [1932] 2 K.B. 563

[2] This was on the basis that all three Insurers were liable for the first £1m, being £333,333 each. And then two Insurers were liable for the next £4m (i.e. in excess of £1m but up to the limit of cover of £5m), being £2m each. Thus, in total the PI policy Insurer's maximum exposure was £2,333,333.