The use of technology has transformed the business landscape and has defined much of the modern era. This has increased not only the scope but also the scale of cyber exposures, with cyber-attacks progressing beyond simple data breaches to sophisticated schemes designed to disrupt your business operations for financial gain.
New risk issues are emerging, which has led to the rise of “silent cyber” issues, or “non-affirmative” coverage for cyber risk in non-cyber policies. As a result, insurers are individually interpreting and seeking to comply with silent cyber mandates by adopting various exclusions, limitations, and changes to traditional non-cyber insurance policies.
Robert Morris is back with more cyber insurance expert insights, expanding on a topic he introduced previously, to break down what all this means. A frequently discussed subject in the world of cyber insurance, it’s one you need to understand.
What does silent cyber mean?
Silent cyber refers to potential cyber exposures contained within traditional property and liability insurance policies which may not explicitly include or exclude cyber risk (the possibility of loss relating to or involving data, technology and funds). Silent cyber can arise in a number of ways, for example, if:
- Cyber events as triggers for loss are not explicitly included or excluded.
- Cyber exclusionary language within the policy is ambiguous or absent.
- Any express cyber coverage is ambiguous or conflicts with other policy wording.
Whereas standalone cyber insurance (sometimes called “affirmative” cyber cover) clearly defines the parameters of cyber cover, many traditional policies (for example, property and casualty) do not specifically refer to cyber and could theoretically be assumed to pay claims for cyber losses in certain circumstances.
Why are insurers concerned about silent cyber?
Simply put, insurers are concerned that claims stemming from cyber risks, risks that they had neither underwritten nor charged for, are creating unmeasured exposure in their portfolios. An insurer might therefore not have calculated the policyholder's increased exposure, adjusted the premium, or assessed potential risk aggregation in its own portfolio.
Should silent cyber be a concern?
The lack of clarity in some standard property and casualty policies can lead to confusion. Some policyholders may believe they have adequate cover for cyber risk when they do not. Also, non-affirmative language within a traditional insurance policy may be subject to differing interpretations by insurers, which could lead to legal disputes.
What are insurers doing to eliminate silent cyber?
Insurers are taking several steps to address silent cyber, some of which are required by regulators. Some insurers have made announcements that clarify their intentions when it comes to coverage. These announcements are "a holding position" as they begin to introduce new policy language and underwriting guidelines.
Other announcements, such as those issued by Lloyd’s, have also made clear that, with effect from a certain date, they will either clearly exclude or include cyber risk in their traditional policy wordings. The earliest date these changes came into effect was 1 January 2020. This applied to coverage for first-party property damage policies underwritten by Lloyd’s syndicates. However, from 1 January 2021, Lloyd’s syndicates are required to be completely explicit about their position on ‘silent cyber’ in Professional Indemnity (PI) and Directors’ and Officers’ (D&O) policies.
What you should do if you want standalone cyber coverage
Depending upon the insurance product and the insurer, you may be able to purchase affirmative cyber coverage under a non-cyber policy. You should be aware of how the insurer adds the coverage, though, because limitations may be applied.
You should also consider whether having affirmative cyber coverage in a non-cyber policy is what you need. In most cases, the cyber coverage available in a standalone cyber policy will be better (both in terms of its breadth and limits) than the cover you would get by adding affirmative cyber coverage to a more traditional line of non-cyber insurance, which is not designed to cater for cyber risks.
If you’re unsure about the level of cyber insurance cover in your current insurance programme, contact your broker. Our colleagues in Marsh have also explored this topic in more detail. View the FAQs document here.