In February 2021, the Aviation Insurance Clauses Group (AICG), a group set up by the Lloyd's Market Association and the International Underwriting Association of London to establish non-binding standard wordings, clauses and variants for use in aviation insurance policies, published a suite of software1-related clauses for the aviation industry.
The proposed clauses covered a variety of potential loss scenarios and there was initial concern within the aviation industry that the new clauses would significantly limit coverage in many eventualities, particularly as they had the potential to be adopted as industry standard around the world.
The software clauses are intended to give a range of options as well as offer standard language so that insurers can manage their exposure to both systemic and non-systemic cyber risks. Their development followed a supervisory statement (SS4/17) from the Bank of England’s Prudential Regulation Authority (PRA), which regulates and supervises financial services firms, which stated that insurers need to “identify, quantify and manage”2 their exposure to cyber related perils. In a separate consultation paper in 2016 (CP39/16 referenced in the supervisory statement), the PRA expressed significant concerns about aviation’s exposure to ‘silent cyber’ 3.
The new clauses ranged from an absolute exclusion (AVN133) to an affirmation of coverage (AVN139) with the clauses in between (AVN134-138)4 providing various options for insurers to limit the scope of coverage they were offering in the event of a software related aviation loss. Some of the clauses are designed to only apply to malicious events while others would apply to both malicious and non-malicious events.
The publication of these clauses created several questions for aviation insurance buyers. How would aviation insurers use them? Was insurers’ main concern any software losses or simply losses resulting from malicious software? Would these clauses apply to hull coverages, liability coverages or both? Or were insurers happy simply to affirm that coverage continues to apply to software related losses?
Buyers had to consider potentially extreme outcomes: the inclusion of AVN133 would exclude all coverage under all sections of the policy for claims ‘caused by the use of or inability to use software’, which would mean, in short, that an aircraft loss caused by onboard software failure would not be covered by insurance. AVN134 would aggregate the available limit in respect of software related losses. AVN138 would reduce the liability limit for malicious software related losses, including in respect of passenger legal liability.
The ubiquity of software in modern aviation creates a range of potential claims scenarios and there was widespread concern about how the clauses toolkit would be used. The limitation clauses could put aircraft operators in breach of their lease agreements. The imposition of aggregate limits could leave airlines with expensive but underinsured assets or leave airports and air traffic control (ATC) providers with lower and aggregated sub-limits for software related incidents.
Despite the initial uncertainty, eighteen months on, the toolkit appears to have been a positive development for customers. So far aviation insurers have only utilised AVN139, the toolkit’s most benign clause, which affirms coverage for software related losses.
It is important to remember that this clause doesn’t create any additional coverage. AVN139 allows insurers to address the issue of silent cyber by making a positive statement that coverage for losses arising from cyber risks exists subject to the policy’s terms and conditions (other than where specific exclusions take it away through clauses such as the London & International Insurance Brokers’ Association Electronic Data Event Liability Exclusion Clause AV001). It also means that insurance buyers will not find themselves in a situation where they are not covered in the event of a claim simply because software and cyber risks are not explicitly mentioned in a policy wording.
It remains to be seen whether the PRA is satisfied that the new clauses mean that aviation insurers have “identified, quantified and managed” their exposure to cyber related perils. At this stage however, the fact that AVN139 is the predominant clause starts to bring some clarity to the situation and in that respect, it represents positive progress.
1 Software in this context means programs, source codes, binary codes, scripts, applications and electronic data used to instruct computers to perform one or more task(s).
2 https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/supervisory-statement/2017/ss417.pdf Para 1.6
3 https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/policy-statement/2017/ps1517.pdf Para 2.7
4 https://www.iua.co.uk/IUA_Member/Clauses/eLibrary/Clauses_Search_Title.aspx?SUB=AVN