Despite the introduction of specific cyber policies to cover risks, many policyholders believe they are covered under their property and liability policies only to discover they are not insured.

The insurance market terms this silent cyber or non-affirmative cyber: occurring when cyber-related events or potential losses are not expressly covered or excluded within traditional policies.

The result is that (re)insurers can pay claims that were both unexpected and priced incorrectly. Because of the confusion around coverage, policyholders also run the risk of having unexpected coverage gaps, according to an article in Risk and Insurance Magazine.

Lloyd’s of London has therefore led the insurance sectors to take a position that all property and casualty (P&C) policies must now either implicitly exclude or include cyber coverage. This mandate came into being at the start of 2020. The New York State Department of Financial Services’ cyber security insurance risk framework, announced in February this year, is expected to have a similar effect on U.S. insurers.

“From a broker standpoint, failure to have clarity on cyber risk within policies can cause coverage disparity over what events are and aren’t covered,” said Kelly Castriotta, managing director and global cyber underwriting executive at Markel.

“For insurers, it can cause accumulated losses not necessarily priced for, and for the policyholder, they may not have the right coverage to offset the operational disruption as well as the physical damages and losses caused by a cyber event.”

Silent Cyber: A Boardroom Issue 

In this digital world it becomes more important – essential even - to create appropriate, understandable policies. Failure to do so could lead to business failure.

“Silent cyber remains a top-tier concern for the insurance market, on a par with the ransomware epidemic,” said Michael Phillips, chief claims officer at Resilience.

“This has been driven by the rapid growth in technology and the race to digitization. At the same time, the insurance industry is rushing to keep pace, both in understanding clients’ risks and making sure they know exactly what product they are buying. The stakes are higher than ever before, and that’s why insurers and underwriters need to have a handle on the problem.”

Silent Connected Risk

“A cyber incident may trigger coverage under multiple insurance policies and increase the available total limit to respond to a covered event,” said Adam Lantrip, CAC Specialty’s cyber practice leader. “In a more common scenario, multiple insurance policies may be triggered but not coordinate with one another, and the policyholder spends more on legal fees than the cost of having purchased standalone cyber insurance in the first place.”

Since issuing its first Lloyd’s marketing bulletin in 2019 mandating that all policies need to be clear on whether coverage is provided for losses caused by a cyber event, new clauses have been added, requiring Syndicates to expressly include or exclude cyber as a coverage. Non-Lloyd’s insurers are taking a lead from Lloyd’s.

“This approach allows insurance companies to manage accumulation risk much better, which results in better underwriting and avoids unforeseen losses,” said Anthony Dagostino, Lockton’s cyber practice lead.

As cyber continues to evolve as a risk, insurers will need to stay alert to all eventualities. Being clear on policy wordings is vital as is an approach that better understands how cyber risk is connected to multiple lines of business. Russell Group’s cyber risk modelling solution can help to provide (re)insurers with a better, more holistic understanding of their aggregate cyber exposures.