Hidden gaps: Business risks your insurance may not cover

Commercial insurance programmes are not always as comprehensive as policyholders assume. Certain categories of risk are routinely excluded or only partially addressed by standard policy wordings. This article considers three areas where gaps in cover are particularly common: regulatory fines, cyber extortion payments, and pure financial loss under product liability policies.

Regulatory fines

The scope and intensity of regulatory enforcement in the UK have increased significantly in recent years. The ICO can impose fines of up to £17.5 million or four per cent of global turnover.[1] The FCA, CMA, and sector-specific regulators have all shown a growing willingness to take enforcement action, and the financial consequences of an adverse outcome can be severe.

Whether insurance will respond to a regulatory fine is a more complicated question than it might appear. Standard commercial policies frequently exclude fines and penalties altogether. Some specialist wordings extend to “insurable fines” where local law permits indemnification, but the scope of that cover, and its enforceability, varies between policies and jurisdictions.

Even where a policy does not contain an express exclusion, there is a longstanding question under English law about whether it is contrary to public policy to insure against a punitive fine.

In England and Wales, whether a fine is insurable depends on the nature of the conduct that gave rise to it. For example:

  • Fines imposed for intentional or deliberate wrongdoing are not indemnifiable as a matter of public policy. Examples include price fixing, as in Safeway v Twigger,[2] and insider trading, as in Patel v Mirza.[3]
  • By contrast, fines arising under strict liability regimes may, in principle, be insurable, because liability does not depend on any finding of culpable conduct. For example, a manufacturer may be held in breach of the Consumer Protection Act (CPA) 1987 for a defective product without any finding of negligence.
  • Where a fine follows negligent conduct, the doctrine of ex turpi causa (illegality) becomes relevant: if the negligence reaches a sufficiently serious level of culpability, indemnification may still be barred on public policy grounds. This requires a case-by-case assessment.

In addition to these common law principles, policyholders must also consider regulator-specific rules. For example, the FCA expressly prohibits insurance against fines imposed under FSMA 2000.[4]

For businesses operating in heavily regulated sectors, this is worth examining carefully. A detailed review of the relevant policy wordings, together with advice on the public policy position in each applicable jurisdiction, is the most reliable way to understand where cover exists and where it does not.

Cyber risks: Ransomware and extortion

Cyber extortion is a common feature of many cyber-attacks on organisations, involving a demand for payment in exchange for restoring access to an organisation’s systems or data. Many cyber policies include cover for extortion payments, but the terms on which that cover is available deserve close attention. Insurers commonly require the insured to obtain prior written consent before making any payment, restrict the use of incident response services to pre-approved vendors, and cap extortion coverage through sub-limits that may be substantially lower than the overall policy limit.

Compliance with sanctions adds a further layer of complexity. UK sanctions restrictions administered by the Office of Financial Sanctions Implementation (OFSI) prohibit making payments directly or indirectly to, or for the benefit of, designated individuals and entities (or persons owned or controlled, directly or indirectly, by them), and in some cases those designated persons are behind a cyber extortion demand. Where that is so, an insurer cannot lawfully indemnify the payment regardless of what the policy provides, unless all relevant licences have been obtained. A policyholder could, in principle, face a situation in which its most effective route to restoring its systems is a payment that neither it nor its insurer can legally make. OFSI has issued guidance addressing this scenario.

The practical point is that extortion cover should not be taken at face value. Policyholders would benefit from reviewing the conditions, sub-limits, and notification requirements that apply to extortion claims under their policies, and from having an incident response protocol in place that takes the sanctions position into account.[5]

Pure financial loss

Standard product liability wordings typically respond to claims for bodily injury or property damage caused by a defective product. They do not typically cover pure financial loss, which is economic harm suffered by a third party that does not stem from any physical damage.

This distinction matters in practice. If a component fails to meet specification but causes no physical harm, and the end customer’s losses are purely economic (lost revenue, the cost of sourcing an alternative), a claim under a standard product liability policy may well fall outside scope.

Businesses whose supply chain exposure is more likely to give rise to financial loss than physical injury or damage should consider whether their existing cover addresses that risk. Potential mitigation measures include reviewing whether current wordings are triggered by losses “arising from” or “directly or indirectly caused by” an occurrence (as opposed to the narrower “in respect of” formulation) or exploring appropriately drafted financial loss extensions.[6]

A note on artificial intelligence (AI)

The increasing use of AI across commercial sectors raises its own set of questions about insurance coverage for AI-related risks, including how existing wordings apply to liability arising from the use of AI systems or the incorporation of AI elements into products and services. We have considered these issues separately in our article ‘Insuring AI Risks: Is your business already covered?’ and would suggest reading that alongside this piece.

Practical steps

Each of the areas discussed above involves a degree of complexity that is not always apparent from the face of a policy. A periodic, detailed review of existing insurance programmes, conducted with specialist legal and broking input, is the most straightforward way to identify and address these issues before they become live problems.

Authored by Lydia Savill and Keira Wallace-Flint.