What is Silent Cyber?
Cyber risk impacts practically every line of commercial insurance, yet it remains unaddressed in many lines of insurance. The lack of clarity in some standard property and casualty policies has led to confusion or misunderstanding about coverage for cyber risks. Simultaneously, an insurer covering losses they have not contemplated jeopardizes their credit rating and/or financial solvency.
What does it mean for policyholders that insurers and their regulators have taken action to address silent cyber risk?
In 2020 AIRMIC hosted an event with Paragon International Insurance Brokers to discuss silent cyber and insurance. Over the past year more and more insurers have issued endorsements to their policies to address the issue so we thought it would be helpful to share a high-level summary of the content discussed.
1. Policy language is evolving
Silence provides an argument for cover but that cannot be relied upon. Policyholders may believe that they have adequate cover for cyber risk when they do not. Ultimately, as the coverage outcome is uncertain the situation would likely evolve into protracted coverage discussions or even a legal dispute.
2. Renewal and placement challenges
There is no market standard appetite nor language to address silent cyber. Insureds will need to review and evaluate:
- Inconsistent response from primary insurers. Underwriters have varied appetite for cyber risk. Some may exclude and others may affirm, and each may use their own preferred language.
- Potential coverage gaps - some examples to consider are:
- Overly broad exclusions may overreach. An exclusion, such as one for loss “arising out of” or “in connection with the use of computers” needs to be balanced with the reality of the prevalent use of technology in the modern economy.
- New language, even if affirmative, may be limited; e.g. a property damage policy that affirms only cyber risk which results in a fire, excludes cyber risk resulting in otherwise covered perils.
- New language may be written a different basis to the rest of the policy and therefore not address confusion about coverage, e.g. what has been achieved if a policy covers intentional acts but the cyber endorsement addresses negligent acts?
- Inconsistent language on excess layers can create gaps within a program tower - the more restrictive the comparative language, the higher it should attach.
3. Review for coverage gaps?
The starting point for assessing coverage gaps would be to review the parameters of each unamended base policy. We would recommend applying the impact of an event to current insurances by considering three questions:
- What is the injury or harm insured?
Broadly speaking, the injury or harm can be tangible or financial, physical or non-physical. Because policies cover different injuries or harms, it is unlikely that every impact from one event will be covered by one policy. It is far more likely multiple policies will respond to different aspects of the harm suffered. Consider for example, how many lines of insurance responded to asbestos?
- What is the coverage trigger?
Some policies trigger when the insured receives notification of a claim (alleging they have violated a regulation or are responsible for injuries or damage to a third party) arising from a specified act. Some trigger on the insured’s own loss (loss of income, loss of assets) arising from a specific peril.
- What is the Act or Peril / proximate cause of the loss?
Proximate cause in insurance is the act from which an injury results as a natural, direct, uninterrupted consequence and without which the injury would not have occurred. It’s also important to understand whether coverage is for internal acts or external acts; unintentional acts or intentional acts; physical or non-physical event.
4. Prepare for renewal not as expiring! Develop a strategy:
Many insurers across product lines are currently pushing for premium rate adequacy and renewals are taking longer to complete. But even without the hardening market, it would have been very unlikely that you will be able to secure “coverage as expiring” at “premium as expiring” with respect to cyber risk.
- The most important thing you can do is give yourself time
You’ll need time to identify renewal priorities, compile the submission and presenting the risk to market or markets will also take time. Standard renewals are taking longer, in part because insurers are requiring more information and because the market is hardening, but also because more market feedback is sought and therefore needs to be reviewed.
- Identify renewal priorities
Is the priority program limits, premium spend, or coverage? Living with an exclusion will be the path of least resistance, enabling least pressure on available limits or renewal pricing and will highlight coverages you do not have.
The good news and the bad news is that cyber risk, silent or otherwise, is not addressed consistently in the broader P&C market – including within cyber insurance. This means if there is coverage your organization has identified as a priority it may be found amongst competitors, or it may be negotiated or created for a premium and depending on the submission materials made available.
- Compile a thorough submission
Without sufficient underwriting information to review, an insurance company can neither produce a reasonable benefit amount nor premium cost and therefore will be limited in what coverage they can offer. An insurer should ask the questions, but only if they intend to provide affirmative coverage. To position yourself for the broadest possible coverage, don’t wait on them. Provide a thorough submission and ask for the coverage you want – only your organization can know your risks and risk management best.
- Approach the market(s) with high level support
There are many cyber risk stakeholders in your organization whose feedback will be required in order to make a fair presentation of risk as is required under the Insurance Act of 2015. You may need to lock in availability of C Suite members to present to market.
- Discuss with insurers to clarify the extent of their appetite under each policy for cyber risk.
- Review feedback
For more information, please contact:
What is Silent Cyber? Cyber risk impacts practically every line of commercial insurance, yet it remains unaddressed in many lines of insurance. The lack of clarity in some standard property and casualty policies has led to confusion or misunderstanding about coverage for cyber risks. Simultaneously, an insurer covering losses they have not contemplated jeopardizes their credit rating and/or financial solvency. What does it mean for policyholders that insurers and their regulators have taken action to address silent cyber risk?