Have You Got IT Covered?

February 22, 2013

29 January saw the gathering of an expectant group in the well-appointed offices of Clyde & Co. for an SCL event modestly entitled ‘Have You Got IT Covered?’  In this case the title did not say it all and this audience member went along as much out of curiosity as expectation.  It turns out I was not alone in that.  Neither was I to be disappointed.

The event was chaired by David Sharp, Partner at Charteris, who was joined by two panel members – Andrew Horrocks, Partner at Clyde & Co, and Phil Mayes, Senior VP, Global Technology & Privacy Practice at Lockton.  An excellent panel, covering the bases of IT litigation, IT consultancy and technology insurance brokerage.

David kicked off the event, laid out in a round-table format, by having all attendees introduce themselves and explain what they hoped to get out of the event.  It turns out this was not a clever attempt to gobble-up ten minutes of allocated time, but illustrated the unusually broad range of SCL members in attendance.  We had lawyers, both litigious and commercial, including DP specialists, insurers, insurance brokers and IT consultants. 

After the introductions, we kicked off with a hypothetical case-study used as the background to the subject-matter of the event, again discussed in a round-table format:

·                  insurance for supply of IT & IT consultancy

·                  effect of insurance on limitation clauses

·                  insurance for customers’ live systems

·                  insurance coverage for mitigation costs

·                  trends – what’s new in IT and insurance? – BYOD, Cloud, First Party Cyber

·                  general discussion and questions.

The case study related to an automated process, enabling per-customer delivery of pharmaceutical products to pharmacies/care homes/other customers.  The automated process utilised third-party supplied software and an IT managed service.  This being an insurance event, something must go wrong and the managed service provider duly obliged.  No IT, no deliveries – no deliveries, no business for the delivery company and its customers.  All parties suffered loss and all looked to their insurance position.  The panel discussed the position under the respective insurance policies of the various parties and, in particular, the suppliers of IT goods and services, together with the customer.  It also discussed the position of the parties’ insurers.  The distinction between first and third party cover was explored, from the position of the various insured. Plenty of subject matter there.  A lively discussion duly followed and that was only amongst the panel members!  The audience did their best to keep up with the panel, chipping in with questions and comments.

In relation to supplier insurance, Andrew led us through an interesting analysis of the effect of insurance on limitation of liability clauses, replaying some now elderly case-law gems and digging out more recent shiny baubles from his treasure chest.  While much of the case law is fact specific, it is always timely to be reminded of the overhang of statutory requirements, including UCTA.  A short sidebar on statutory requirements and cloud supplier T&Cs allowed for active audience participation.

Overall, what struck me was the difference in insurance positions of customers and suppliers of IT goods and services, including outsourcing.  The position of the suppliers seems relatively clear, with PI cover applying to a range of commercial activities and specific data management cover also available.  The position of the customer seems less certain.  Various reasons for this were discussed, including the availability of business interruption cover (broader than any single IT project/contract), the general one-off nature of material customer projects and the insurance industry’s general reluctance to insure single projects.  I remain a little puzzled as to why the insurance industry has not yet figured out a viable IT/outsourcing customer-side product, given that large numbers of MLEs in particular now engaged in almost constant inter-relating projects.  Phil did hint as to new customer-side products under development.  Perhaps the SCL will revisit this topic later in 2013?  The meeting then nipped on to consider the area of cyber/data insurance, applicable to large-scale data processors, which, while not a new product area, is one which is fast coming to the forefront of risk management discussions, with new products coming to the market in quick succession. 

Overall, the event was ambitious in its scope, with something for all the many shades of interest in the audience.  The event used a complex case study as the basis for discussion of the broad agenda mentioned above.  In addition, we had interesting sidebars on topics such as UCTA and cloud computing supplier standard contract terms and whether data is ‘property’ for the purposes of insurance claims. In addition, we discussed the tricky issue of insurance policy terms and contract liability clauses dealing with DP fines.  A huge amount was tackled in the traditional 11/2 hour slot and the audience left happy with the event scope, content that they had the opportunity to contribute and pleased to be offered necessary post-event refreshments by their hosts.  The insurance area is one which it looks like SCL members have a strong appetite to consider further. 

Pearse Ryan is a partner in the Technology & Life Sciences Group at Arthur Cox, Dublin, specialising in IT, outsourcing, cloud computing and IT security issues.