INSURANCE AND REINSURANCE DISPUTES ANNUAL REVIEW OF 2018 PUBLISHED

We are pleased to share with you our Insurance and Reinsurance Disputes Annual Review of 2018, published today, which provides an overview and analysis of the key cases and developments affecting those engaged in or with contentious matters in the insurance and reinsurance market.

Please click here or on the picture below to access the 2018 review.

Paul Lewis
Partner, dispute resolution
+44 20 7466 2138
David Reston
Partner, dispute resolution
+44 20 7466 2244
Anthony Dempster
Partner, dispute resolution
+44 20 7466 2340
Alexander Oddy
Partner, dispute resolution
+44 20 7466 2407
Sarah McNally
Partner, dispute resolution
+44 20 7466 2872
Greig Anderson
Partner, dispute resolution
+44 20 7466 2229
Fiona Treanor
Senior Associate, dispute resolution
+44 20 7466 2307

Filed under Annual Review, Case law, Insurers, Intermediaries, Legal/Regulatory, Miscellaneous, Policyholders

Another non-party costs order against a liability insurer

In Various Claimants v Giambrone & Law and Ors [2019] EWHC 34 (QB), the High Court awarded a non-party costs order against a law firm’s professional indemnity insurer under section 51 of the Senior Courts Act 1981 in circumstances where the insurer had effectively relinquished control of the defence of the litigation. The decision follows on the back of the Court of Appeal’s decision in Travelers Insurance Company Ltd v XYZ [2018] EWCA Civ 1099.

Filed under Case law, Insurers

Cyber insurance: the impact of evolving legal and regulatory risk

Cyber insurance is still (just about) the new kid on the block. It is commonly thought of as a tool to mitigate exposure to ever-evolving cyber risks. That is right up to a point; but the increasing exposure of business to losses potentially covered by cyber insurance is, in our view, in material part driven by changes in the legal and regulatory risk environment.

It is helpful to start by understanding what cyber insurance does: it transfers to the insurance market some categories of loss resulting from cyber and data risks which may not be covered under other insurance products (although to some extent there may be overlap). These losses may include, for example, cyber incident response costs, data breach claims and business interruption losses caused by cyber incidents.

Cyber and data risk may be considered as part of the peril or event from which insurable losses may result. These are well understood to be quickly evolving risks. According to the 2019 edition of the World Economic Forum’s Global Risks Report, cyber-attacks and data fraud are two of the top five risks that respondents identified as most likely to occur.

But the way in which a cyber and data risk translates into loss for a business, particularly for liabilities, fines and costs, is heavily impacted by the legal and regulatory environment. Recent developments include:

  • the UK Court of Appeal’s decision in the first data breach class action (WM Morrisons Supermarket Plc v Various Claimants [2018]) to uphold the finding of the High Court that an employer can be vicariously liable for an employee’s data breach even when the employer was not at fault. In response to an argument put forward by Morrisons that public policy considerations militate against imposing a disproportionate burden on an employer, the Court of Appeal’s response was that “the solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees”;
  • the well-publicised General Data Protection Regulation (GDPR); and
  • the implementation in national law of the Network and Information Security Directive (Cyber Security Directive).

From an insurance perspective each of these developments carries significant potential exposures for businesses and, by corollary, insurers. The decision in Morrisons (which Morrisons is seeking permission to appeal to the Supreme Court) deals with liability and not with quantum. However, the data of almost 100,000 employees was leaked and any compensation awarded, including distress-based damages, will likely be considerable. A breach of the GDPR can lead to fines of up to the higher of EUR 20 million or 4% of global turnover; and similarly a breach of the Cyber Security Directive can lead to fines of up to £17 million.

There are also legal risks regarding the scope of what is insurable. Cyber insurance policies tend to provide cover for fines “to the extent insurable by law”. However, there is some uncertainty as to whether or to what extent some fines are insurable as a matter of English law. PRA/FCA fines are uninsurable; but whether GDPR or Cyber Security Directive fines are insurable turns broadly upon the application of the so-called illegality defence (i.e. the ex turpi causa doctrine) or, put another way, whether the basis of the fine may be considered quasi-criminal. By way of analogy, in the case of Safeway v Twigger the UK courts determined that a penalty for anti-competitive practices in breach of the Competition Act was not recoverable on these grounds. In the case of GDPR fines, it must be highly doubtful that fines for fraudulent conduct are insurable; but there is a debate to be had in relation to the insurability of fines for innocent or negligent behaviour, including whether it is correct to determine insurability by reference to conduct on a case-by-case basis. In January 2019 the Global Federation of Insurance Associations called for clarity from the Organisation for Economic Cooperation and Development (OECD) regarding the insurability of fines and penalties following privacy breaches. The OECD’s insurance and private pensions committee is considering the issue. Until these issues are resolved, we are left with the unsatisfactory position that policyholders cannot count on coverage for fines and, conversely, insurers may be exposed to them if they have agreed to underwrite that risk.

These legal and regulatory issues drive exposure to underlying loss, and the extent of coverage, in tandem with evolving cyber and data risk. In the meantime, the insurance market is responding with innovative insurance products aimed at mapping and mitigating risk. By way of example, some insurers are partnering with cyber security companies to offer cover in tandem with advice on cyber security and GDPR compliance policies, or to measure objectively and score the insured’s network’s resilience to evaluate the insurer’s risk. These types of products may become more widespread as a means for insurers to assess, control and manage their exposure to legal and regulatory risks in the cyber and data sphere.

Greig Anderson
Partner, London
+44 20 7466 2229
Sarah Irons
Professional Support Consultant, London
+44 20 7466 2060
Rachelle Waxman
Associate, London
+44 20 7466 2400

Filed under Insurers, Legal/Regulatory, Policyholders

Hong Kong prepares for regulation of insurance intermediaries in mid-2019 – progress to date

The Hong Kong Insurance Authority (IA) is expected to assume responsibility for regulating insurance intermediaries from around the middle of 2019.

In preparation for the new regime, the IA has launched a number of public consultations on guidelines and rules.  Further codes and guidelines are being prepared and will be released for consultation in due course.

Please click here for discussion of the new regime and what it means for intermediaries operating in Hong Kong.

Filed under Intermediaries, Legal/Regulatory

Preparing for Brexit: EEA (re)insurers – UK Temporary Permissions Regime

The FCA portal for incoming EEA firms to notify the PRA and the FCA of their intention to enter the UK Temporary Permissions Regime (“TPR”) is now open.

The TPR will apply if the UK leaves the EU on 29 March 2019 without an implementation (transitional) period. It ensures that EEA firms currently operating under an incoming passport (either from a UK branch or on a cross-border services basis into the UK) can continue to carry out regulated activities in the UK until they receive new direct authorisation by the UK regulators.

This short “at a glance” guide contains an overview of how the TPR will apply to EEA (re)insurers and suggests some next steps.  Notifications must be submitted before 29 March 2019.

 

Filed under At a Glance, Insurers, Legal/Regulatory

EIOPA Conference: The Main Themes

Three of the themes that EIOPA sees as its priorities were covered at its annual conference on 20 November. All of the topics were the subject of frank and spirited debate, with a range of different views being represented in the panel discussions.

EIOPA should be commended for encouraging views that were contrary to its own to be expressed, an approach which made for a worthwhile and balanced discussion of the topics.

Filed under Insurers, Legal/Regulatory

Brexit Final Political Declaration: Nothing [new] to see here?

The Political Declaration setting out the Framework for the Future Relationship between the EU and the UK was published earlier today.

On financial services (including insurance), the final declaration essentially contains the same three points as in last week’s outline political declaration (as discussed in our blog post of 15th November), although there is some limited further clarification.

Filed under Insurers, Intermediaries, Legal/Regulatory

Brexit deal – what does it mean for insurers and insurance intermediaries?

Yesterday’s announcements on the terms agreed for the UK’s withdrawal from the EU say relatively little about the future framework for cross-border trade in goods or services.  More detail is expected on this next week.

The final deal remains subject to approval by the European Council, the EU Parliament and, crucially, the UK Parliament.  Nonetheless, yesterday’s agreement must have increased the chances of a transitional (or implementation) period for the UK’s withdrawal from the EU.  During that period, both (re)insurers and (re)insurance intermediaries would continue to benefit from the passporting rights that they currently hold, but ultimately stand to lose.

Filed under Insurers, Intermediaries, Legal/Regulatory

Brexit – Deal on financial services may deliver little for insurance industry

Press reports over the past couple of days suggest that a deal struck by the UK government would “give UK financial services companies continued access to European markets after Brexit” and that “UK financial companies will be able to operate as they now do in Europe”.

There has not been any confirmation that a deal on services has in fact been reached. Rather, there have been denials. Any deal on services is also dependent on all other aspects of a withdrawal agreement and the new UK-EU relationship being agreed.

The press reports suggest that the EU may have agreed to accept that the UK regulatory regime is “equivalent” to EU standards (which will undoubtedly be true at the time of exit), and that the UK will be given greater certainty than other third countries that this acceptance will not be arbitrarily withdrawn. Michel Barnier has since suggested (in a tweet on 1 November) that this greater certainty for the UK as to withdrawal of equivalence may not be forthcoming.

Whether or not a deal has in fact been reached on services, it is important to recognise that securing “equivalence” does not mean that UK insurers and intermediaries can continue to carry on cross-border business as if they held passporting rights.

Filed under Insurers, Intermediaries, Legal/Regulatory

Coverage for ‘Doomsday or Armageddon’ data breach class actions: insurance implications of the Court of Appeal’s decision to confirm Morrisons’ vicarious liability for employee’s deliberate actions

In the recent judgment in Wm Morrisons Supermarkets Plc v Various Claimants [2018] EWCA Civ 233 the Court of Appeal has dismissed an appeal against the High Court’s decision that Morrisons was vicariously liable for its employee’s misuse of data, despite: (i) Morrisons having done as much as it reasonably could to prevent the misuse; and (ii) the employee’s intention being to cause reputational or financial damage to Morrisons itself. It is understood that Morrisons intends to appeal to the Supreme Court. Our full analysis of the Court of Appeal’s decision can be found here.

Companies now find themselves exposed to potential UK data breach class action claims, including for distress-based damages, based on vicarious liability, even if they have appropriate safeguards in place and even if they are the intended victim of the breach. Day by day businesses find themselves responsible for higher volumes of personal data; and the risk of data breach claims is exacerbated by the legislative changes made by the GDPR, increasing public awareness of data protection issues and the publicity that this case has attracted. In addition, the facts of Morrisons were such that the company had been found not to be in breach of data protection laws. Future class action claims may be even easier to launch in circumstances where a company has been found to breach the GDPR, for example, by not having appropriate security measures in place. It is understood that Morrisons intends to appeal to the Supreme Court.

Filed under Case law, Insurers, Miscellaneous, Policyholders