Silent cyber, otherwise known as non-affirmative coverage for cyber risk in non-cyber policies, has been a growing issue in the insurance market.
Silent cyber occurs in some, but not all, non-cyber policies. Within the policy, an issue may arise when:
- cyber events as triggers for loss are not explicitly included or excluded,
- cyber exclusionary language within the policy is ambiguous or absent,
- any express cyber coverage is ambiguous or conflicts with other policy wording.
When your non-cyber policy fails to explicitly include or exclude cyber risk, you might therefore assume the policy will pay claims for cyber losses in certain circumstances. This concerns insurers, as the ambiguous language in these policies exposes their portfolios to unmeasured risks that they had neither underwritten nor charged for.
For you, the policyholder, ambiguous language creates a lack of clarity and can lead to confusion. Depending on how you interpret the policy wording, you might believe you have adequate cover for cyber risk when you do not. Ambiguous language in a policy may also be interpreted differently by different insurers, which could lead to legal disputes.
This ambiguous policy language is far from intentional and benefits neither the insurer nor the policyholder. Silent cyber has been discovered following the significant rise in scale and complexity of cyber-related incidents over a period of just a few years.
The world’s largest network of insurers, reinsurers, brokers and agents, Lloyd’s of London, recently started to address the issue of silent cyber. It conducted a review of policies that contained a level of cyber cover without charge and has taken action. Lloyd’s prompted members to be more explicit about the level of cyber cover included in policies. In response, some insurers have made announcements that clarify their intentions when it comes to coverage. These announcements are a ‘holding position’ as they begin to introduce new policy wording and underwriting guidelines. Others have made it clear that with effect from a certain date, they will either exclude or include cyber risk in their traditional policy wordings.
The ICAEW has reacted to the market and has updated its minimum requirements. Now, inclusion of cyber cover in a non-cyber policy must be explicit and a certain level of cover is required. The ICAEW members’ professional indemnity (PI) scheme insurer, QBE, was also quick to react and has updated its policy wording in line with the ICAEW’s minimum requirements.
Cyber: what’s the risk?
Changes in the insurance market and to the ICAEW’s minimum requirements all point towards the need to take out standalone cyber cover for your practice. There are plenty of cyber policies out there to choose from, but not all of them will meet your needs. To better understand the needs of your business, we start by reviewing cyber-crime, fraud and data breach events impacting similar businesses in the UK.
In 2021, 38% of small and micro-businesses in the UK identified security breaches or attacks. Of these, 27% were attacked at least once per week and 22% needed new measures to stop future attacks.
A recent study found the average cost for micro and SMEs that lost data or assets after breaches was £8,170. But an incident can cost you more than money. It’s important to factor in the time it takes to manage a cyber-incident and the resulting damage it can cause your business from a reputational point of view.1
Your staff are your number one risk
Human error is the biggest risk to your cyber security; in fact, a recent study reported that our mistakes are responsible for 95% of cyber-security breaches. Employees make a variety of mistakes that can expose your business to fraud and data breach:
- failing to install software security updates
- using weak passwords/sharing passwords
- falling for phishing email scams.
A data breach can occur when an employee sends sensitive information by email to the wrong recipient, publishes it online by mistake or transfers data to an insecure network, for example to a personal device.
Choosing the right cyber policy for your practice
- Use a knowledgeable insurance broker
An insurance broker can help you arrange cover for your individual business, ensuring you only pay for what you need. At Marsh Commercial, we offer our expertise on emerging risks in the market – and can ensure there are no gaps in your cover. We work with a panel of insurers, so can provide a number of options depending on the needs of your business. Risk management features heavily in cyber policies – and we can help you to meet your responsibilities.
- Obtain cover for phishing email scams
82% of the 38% of businesses who reported incidents in the 2021 study suffered phishing email attacks. Phishing attacks are becoming more common, more sophisticated and a much greater risk to your business.2 One common exclusion in standard cyber policies is social engineering, an umbrella term for criminal attacks such as phishing email scams. Insurers consider phishing a criminal loss, or fraud, and require you to take out a separate crime policy.
A standard cyber policy could leave your business exposed to loss as a result of phishing scams. At Marsh Commercial, we work with insurers who can offer social engineering as part of your cyber insurance for an additional charge. This removes the need for you to take out a separate policy.
- Add assistance with public relations (PR)
It can be valuable to have access to PR experts to help you manage communications, notify customers and manage the reputation of your business while you address any incident.
We’re here to help.
Marsh Commercial are the exclusive, appointed insurance broker for ICAEW members’ professional indemnity, cyber and office insurance. We’ve worked closely with the ICAEW for more than 14 years, and now manage more than 4,300 policies on behalf of members.
Visit the ICAEW member hub for more information on cyber risk, email the team or talk to us today about finding the right cyber policy for your business on 0345 894 4684.