Perspective

Silent Cyber No Longer Silent?

By: Siobhan O’Brien and Erica Davis

Silent (or non-affirmative) cyber refers to cyber-related exposure within many all-risk general insurance products. If no explicit cyber exclusion applies, coverage for losses caused by cyber perils may apply. This underlying exposure’s potential for aggregated loss is currently one of the major issues being considered by the re/insurance industry.

Background

The 2017 NotPetya and WannaCry cyber events demonstrated the very real existence of cyber exposure, with economic losses exceeding $8bn and insured losses estimated at $3.6bn on both affirmative and non-affirmative (silent) covers globally.

In 2016, the U.K. Prudential Regulatory Authority (PRA) carried out a thematic review involving a range of stakeholders including insurance and reinsurance firms, re/insurance intermediaries, consultancies, catastrophe modelling vendors, cyber security and technology firms, and regulators. The results of that review were an expression of concerns about the materiality of silent cyber as a risk to re/insurance companies and a recommendation that firms needed to identify clear ways of managing “silent” cyber risk, set clear appetites and strategies that would be owned by boards and invest in cyber expertise. Subsequently in 2017, the PRA issued their Supervisory Statement SS4/17 setting out their expectations of firms regarding cyber insurance underwriting risk.

In January 2019, all U.K.-regulated insurers received a further letter from the PRA confirming that they “should have action plans to reduce the unintended exposure that can be caused by non-affirmative cyber cover.”

In July 2019, Lloyd’s issued its Market Bulletin Y5258, and updated this in January 2020 with the follow up Market Bulletin Y5277. The update required all syndicates to provide clarity on the cyber exposure in all their policies, giving clients contract certainty and a clear understanding of the coverage provided by their policies. This requirement was introduced to ensure that cyber risks and accumulations are understood by all relevant stakeholders, from the boards of directors to junior underwriters, pricing and capital actuaries and exposure analysts.

This approach, which will be phased in over the course of 2020 and 2021, is particularly focused on driving the eradication of silent cyber from traditional lines of insurance by encouraging insurers to identify the exposure and either clearly exclude or affirmatively include it. Insurers should appropriately quantify the risks on an expected basis for pricing and assess the potential for attritional and extreme events. Subsequently, they can reduce the likelihood of silent cyber claims accumulation by identifying classes of business and policy types that are particularly vulnerable to residual silent cyber loss leakage and developing approaches to pricing and capital setting for such cyber risks.

Globally, we have seen regulators issue similar statements on managing silent cyber risks, including the European Insurance and Occupational Pensions Authority and the National Association of Insurance Commissioners in the United States issuing their guidelines to help firms manage this risk.

Safeguarding the sustainability of the insurance market

The goals of Lloyd’s and global regulators are to safeguard the sustainability of the insurance market, provide contract certainty for clients and drive innovation of new cyber products to fill the evolving needs of clients.

One of the challenges in achieving the changes necessary lies in the fact that there is no globally agreed upon definition of what constitutes “cyber.” Across various classes of insurance, the differences become apparent as some clauses refer to “cyber events” while others refer to the use of “software.” Certain clauses deal only with malicious cyber events, some refer to “systemic” risk and others impose conditions related to an insured’s ability to demonstrate the adequacy of their cybersecurity. This anticipated lack of consistency presents considerable challenges, though underwriters are actively taking steps to address the issue. Approaches underwriters are taking include:

 

Reliance on information technology

As companies depend more on technology to conduct business, they are also increasingly subject to technology’s unique vulnerabilities. These are wide-ranging and can include system or supply chain disruption or failures, distributed denial of service, hacking and ransomware attacks that may result in increased costs and lost revenue. The timing and severity of these issues can be difficult to predict, and companies increasingly look to their insurance policies to cover business interruptions stemming from these events. Businesses would traditionally have relied on their property policies for this coverage; however, property insurers have been reluctant to address this financial, non-physical loss and have been pushing their clients to purchase cyber-specific policies for these risks by excluding this coverage under their property policies.

Silent cyber case law development

Recently there have been many high-profile legal cases where coverage has been denied by insurance providers. Media coverage has criticized insurers for not paying cyber claims, compounding the impression that cyber policies do not pay. However, none of these cases involves a cyber policy denying cover, but clients seeking “silent cyber” coverage under traditional policies.

Case law involving silent cyber claims has the potential to expand re/insurer exposures significantly. In a recent Maryland federal court case, National Ink and Stitch, LLC (the insured) sued its insurance provider (State Auto Property and Casualty Insurance Company) over their decision to deny its property damage claim following a ransomware attack. State Auto argued that because National Ink only lost data, “an intangible asset,” and the computers National Ink was seeking to replace were not inoperable, the cyberattack damage did not meet the criteria of a “direct physical loss.”

However, the court ruled in favor of the insured, noting that the policy in question expressly lists data as an example of covered property, and contains the phrase “including software” in its heading describing covered property. Though National Ink’s computers still functioned after the attack, the Judge found that the overall damage to the efficiency of the computer system also constituted physical loss or damage.

Despite this, it is important to clarify that Maryland courts “have not expressly decided whether data or software can be susceptible to physical loss or damage.”

With the increasing prevalence of ransomware and coverage being sought under non-cyber policies, we will undoubtedly see a rise in legal disputes around coverage and further clarification of intent of coverage under these policies in the future.

What does the future hold?

To mitigate of the potentially catastrophic impact of silent cyber within non-cyber lines of business, re/insurers require an effective means of qualifying and quantifying the risk of silent cyber across their whole portfolios.

Regulators and re/insurers will all continue to clarify their respective intentions and appetites for cyber in standalone policies and inclusion of cyber in traditional lines. This should give clients greater clarity of the intent of coverage under their insurance contracts, though there will be some tough negotiations in situations where clients believe they are potentially losing coverage.