Three Insurance Policies Walk into a Data Breach…None Pay Out

A recent High Court ruling in Watford Community Housing Trust v Arthur J. Gallagher Insurance Brokers Ltd [2025] has brought an old problem back into the spotlight: what happens when a client has more than one insurance policy that could cover a loss — but no one makes sure they’re all used properly?

In this case, Watford had three policies in place: cyber, professional indemnity (PI), and combined liability. When a serious data breach occurred, the broker only told the cyber insurer. The other two weren’t notified in time — and their reporting deadlines came and went. Watford ended up missing out on a potentially much larger recovery, and the broker was held liable for the poor advice.

What the Court Decided

The broker argued the other policies wouldn’t have paid anyway, because of “other insurance” clauses: the boilerplate text insurers often use to say they won’t pay if someone else is already covering it. The court disagreed. It said if all the policies have that clause, they essentially cancel each other out, unless one is clearly written to act as an excess layer.

Put simply, if more than one insurer could respond, they all need to be told.

Where Else This Could Be a Problem

The Watford case focused on cyber, PI and combined policies — but the same kind of policy overlap and wording clashes can come up in lots of other areas. Often, the issue isn’t whether there’s cover, it’s whether the right policies have been reviewed, and the insurers properly notified. Here are some real-world examples:

  • D&O (Directors’ & Officers’)

A regulatory or shareholder claim following a data breach or compliance failure could fall under D&O or PI. Each policy may have exclusions for matters “covered elsewhere,” so if wordings aren’t compared side by side, and all relevant insurers aren’t put on notice, cover can fall through the cracks.

  • Employers’ Liability

Workplace problems like stress, harassment linked to data breaches, or injuries caused by tech failures could fall under more than one policy — like Employers’ Liability, Public Liability, or even PI. But EL policies often have strict wording. For example, some won’t cover mental health issues unless there was also a physical injury, or they may exclude anything caused by a cyber event.

Brokers need to check these details carefully and make sure that they understand how all of the client’s policies work together, not just the one they’re focused on.

  • Business Interruption (BI)

It’s not always clear whether a ransomware attack should be picked up by the cyber policy or the BI extension under property. Definitions of “event” and “system failure” can vary between policies — and unless both are reviewed and notified, there’s a risk the claim gets stuck in limbo.

  • Motor Fleet & Legal Expenses

An accident involving an employee, where legal defence costs are incurred, may touch both fleet liability and a legal expenses policy — especially if the latter is bundled via an industry association. If no one checks the terms or notifies both, you risk losing access to useful cover.

  • Contingent Risk (e.g. Tax, Litigation)

In the M&A space, a tax dispute might fall under a bespoke contingent policy or Warranty & Indemnity, depending on the structure. “Other insurance” clauses in both can cause delays or denials unless the client (and broker) have planned for potential overlaps.

  • Cyber Extensions in Traditional Policies

Many standard PI, property, or combined policies now include limited cyber cover. But these extensions often have lower limits, tight exclusions, or “follow-form” language that defers to standalone cyber policies. If not coordinated properly, valuable cover can be missed or trigger disputes.

And many others…

What Brokers, Insurers/MGAs, and Compliance Teams Should Be Doing

The takeaway from Watford isn’t complicated: if you’re a Broker and you think a loss might trigger more than one policy, notify all of them. Don’t wait to see what sticks. Don’t rely on assumptions. And don’t let the policy wording do your job for you.

The Watford ruling is a reminder that policy overlap isn’t just an admin issue — it can cause real harm to clients and real exposure for firms. Here’s what each part of the market should be doing next:

Insurers & MGAs

  • Review your wordings — especially around “other insurance,” notification, excess layers, and exclusions
  • Be clear about how your policy interacts with others. Avoid ambiguous language like “this insurance is excess unless otherwise stated” unless you really mean it
  • If you’re offering extensions (cyber, legal expenses, etc.) or indirect products (like contingent risk or fidelity), make sure they don’t conflict with broader primary policies
  • Excess insurers: clarify your trigger points. Don’t assume the primary layer’s failure to notify is your out

Brokers

  • Ask about all existing policies at placement, not just the ones you’re selling or renewing
  • Compare clauses side by side (especially notification and other insurance wording)
  • Record advice clearly. If a policy isn’t notified, make sure the client understands the risk
  • Ask your client about all other live policies, even if you didn’t place them. You’re expected to consider any other cover that could respond to the same risk
  • Advise your client to notify all potentially relevant insurers about any incident or claim as early as possible — even if those policies were arranged by another broker. Early notification protects the client’s right to recover and avoids delays or disputes

Compliance & Risk Teams

  • Revisit your advice standards under IDD and Consumer Duty; notification is now clearly a “foreseeable harm” area. Remember that even if the business is out of scope for Consumer Duty, the “Customers Best Interest” rule still applies
  • Build checks into your file reviews for dual policy risks
  • Ensure client-facing teams are trained to spot overlaps and flag them early
  • Consider running internal audits on recent claims where multiple policies may have applied

So yes, three policies can walk into a data breach. But if insurers don’t coordinate, brokers don’t advise properly, or customers don’t notify all their insurers promptly, the result could be legal battles instead of claim payments.

GreenKite is an insurance consultancy partnering with insurers, brokers, and MGAs to enhance compliance, risk management, and operational effectiveness. Get in touch to learn how we can support you.