Silent Cyber's Days are Numbered
What is "silent" cyber?
"Silent" cyber is a reference to the fact that cyber risks may be covered by traditional property and liability insurance policies which were not originally designed to cover such risks. The cyber coverage is "silent" because it is not explicitly dealt with in the policy. This is in contrast to "affirmative" cyber policies, which expressly state that cyber risks are covered. "Silent" cyber is also known as "non-affirmative" cyber, which is generally considered to be the less ambiguous terminology.
The purchase of stand-alone cyber cover has experienced a rapid uptick in the last few years in the UK for a number of reasons, including more advanced and high profile cyber-attacks, an enhanced understanding of the types of risks businesses may face and a growing realisation by policyholders that non-affirmative cyber in existing policies is unlikely to be a reliable safety-net in which to catch cyber risks.
Concern about non-affirmative cyber cover
In recent years, the insurance market has become increasingly concerned about the level of non-affirmative cyber "exposure", i.e. a concern that many insurance policies may inadvertently be covering cyber-related loss. In November 2016, the PRA wrote an open letter flagging the issue and the need for action to manage non-affirmative cyber risks. This was followed in July 2017 by the PRA publishing a supervisory statement titled 'Cyber insurance underwriting risk', setting out its expectation that firms would robustly assess and actively manage their insurance products with specific consideration of non-affirmative cyber risk exposure.
This greater awareness and understanding of non-affirmative cyber risk has led many insurers to identify and eliminate non-affirmative cyber exposures in traditional lines of insurance by tightening policy wordings. Despite these concerns, as at May 2018, according to a survey published by the PRA in January 2019, there was still considerable exposure to non-affirmative cyber risk in the market, some of which continues to exist today.
Examples of cyber losses
Cyber-losses can take the form of physical losses and non-physical losses. Physical losses can include damage to computer hardware, plant and machinery and even stock. Non-physical losses comprise loss of data (own and third party), loss of financial assets (own and third party), business interruption costs, compensation to third parties and incident response costs to name but a few. They can arise from a number of cyber-incidents, including:
- Cyber-extortion, e.g. use of ransomware created by a third party to prevent access to data or networks, with the promise to restore access in return for payment. The famous NotPetya attack in 2017 is often cited as a ransomware attack, although the inability to restore data upon payment of ransom in that case has led many to believe that NotPetya was simply a form of malware masquerading as ransomware.
- Cyber-fraud, e.g. using social engineering (such as email phishing) to procure illegitimate financial transactions.
- Hacking, whereby a third party gains unauthorised access to data and compromises the confidentiality of such data and/or causes a privacy breach.
- Unauthorised access and disclosure of data by internal agents which compromises the confidentiality of such data and/or causes a privacy breach.
Where might non-affirmative cyber cover be found?
Because of the pervasive nature of cyber-risks, some policyholders have historically considered that these risks may be covered by their existing insurance programmes. Whilst it is possible in some cases that cover may be available, in reality cyber-losses are rarely going to be covered in full by other policies. For example:
- A property and casualty (P&C) policy may cover damage to physical assets as a result of a malware attack, but is very unlikely to cover non-physical loss, such as loss of data or business interruption or remedial costs.
- A professional indemnity (PI) policy may cover liabilities to third parties as a result of loss of data but is unlikely to cover the costs of customer care or the cost of regulatory investigations.
- A fidelity or crime policy may cover loss to the business as a result of cyber fraud, but is unlikely to cover ongoing loss of profits or reputational damage.
Recognising the grey area that is non-affirmative cyber cover, and the risk that it poses to insurers by allowing policyholders to claim cyber losses under non-cyber specific policies, AIG announced that as of January 2020 virtually all of its commercial lines policies will affirmatively cover or exclude physical and non-physical cyber exposures. This stricter division of cyber insurance risks has been driven by the reinsurance market's reluctance to absorb underlying non-affirmative cyber losses which were not expressly anticipated and were therefore not priced into policies.
Whilst the approach taken by AIG will ultimately provide greater certainty to policyholders, it serves to emphasise the growing attitude among insurers (and their reinsurers) that claims for cyber-losses under non-cyber specific policies will be met with resistance. This reinforces the need for businesses to carefully assess their potential cyber exposures and to stress test whether their existing insurance programme is adequate. Where significant cyber risks exist, an affirmative cyber policy should be seriously considered.
Michelmores assists policyholders by reviewing policy wordings to ensure they are fit for purpose. We also represent policyholders in a wide range of coverage disputes, including those relating to cyber losses. If you would like to discuss your company's insurance cover with us please contact Garbhan.Shanks@michelmores.com or Naomi.Hall@michelmores.com.