As the situation in Ukraine evolves, businesses should be mindful of potential risks to their people, assets, operations, or supply chains in the region and globally. Marsh, as part of the Marsh McLennan family of companies, has created a page with information, tools, and resources related to the Russia-Ukraine conflict. Please visit the page for the latest information.

May 11, 2022

Silent Cyber

Can cyber be covered by traditional forms of insurance?

Put Content Author Name here

Cyber risk has been a factor since the dawn of the digital age. However, several recent high-profile incidents have placed cybersecurity in the spotlight for countless people and organizations. Because of this, many may be left wondering what their “traditional” policies—or those that don’t specifically focus on cyber risk—may cover, as they may not have a standalone cyber program in place. To begin to find an answer to this question, it’s crucial to understand the difference between affirmative and non-affirmative coverage. Affirmative coverage means having specific coverage for some cyber risks within your insurance policy—either through stand-alone network security and privacy policies or endorsements added to property and casualty policies. Non-affirmative coverage, or “silent cyber,” refers to the use of traditional insurance policies to potentially cover cyber risks that were not explicitly referred to within the policy. In theory, cyber losses may be paid under these traditional policies, as they were not specifically excluded from coverage.

It’s worth asking at this point, “If cyber exposures can be covered under traditional insurance, why bother with a standalone cyber policy?” While the answer to this question is multi-faceted, it’s important to remember that having proper cyber coverage is always a good thing—and there’s no single silver bullet. However, a more detailed answer to this question can be found by exploring the evolution of coverage itself. While traditional insurance policies have evolved, cyber risk was once not the vital consideration it is today as businesses were not as reliant on technology and cyber-attacks were not as advanced or prevalent. Therefore, the parameters of coverage for cyber exposures were not defined as they are in modern standalone cyber policies. As a result, businesses may incorrectly assume they are covered for cyber risks, making the “in theory” aspect of coverage even more pertinent. Alternatively, the market could end up paying for losses it wasn’t prepared to cover. This, in turn, could affect the sustainability of the cyber and non-cyber insurance markets and these unfulfilled promises could result in expensive court cases. Insurance is always evolving, and so are the efforts in making cyber coverage less “theoretical” and more defined. The Prudential Regulation Authority has urged London market underwriters to employ more robust wordings and exclusions, which feature specific limits and ratings to avoid these silent exposures. Fitch Ratings Agency echoed this sentiment by highlighting the pressure non-affirmative coverage has on insurer earnings, capital, and ratings when ill-managed. Lloyd’s of London also raised concerns about the assembly of cyber risk in non-cyber policies, you can read more about that here.

So, with all of this in mind, what role do “traditional” coverages versus those specific to cyber play when it comes to understanding and managing cyber risk?

A patchwork of policies

First and foremost, you need to have a clear understanding of how the elements of their current insurance portfolio interlock to cover their cyber risk exposures. This knowledge will provide you with a roadmap to plan an effective risk transfer strategy. This could involve either expanding the boundaries of their existing policies or purchasing a new standalone insurance product to address any gaps in coverage. Some current programs may insure the same cyber triggers but only pay for specific financial impacts, whereas other elements of cyber risk may prove more difficult to insure at all. Typically, all risk property policies—including directors and officers liability (D&O), professional indemnity (PI), financial institutions (FI), and general liability (GL) insurance lines—are likely to cover silent cyber exposures, as they don’t often feature specific cyber exclusions, although this has been rapidly changing with carriers moving to more affirmative exclusions for these lines of coverage. This is particularly relevant for businesses in the marine, aviation, and transport industries. However, the same cannot always be said of other, more specific policies.

While not an exhaustive list, the below are examples of “traditional” policies and how they may respond to cyber events.

  • Crime policies may cover manipulation of data in SWIFT or CHAPS systems (bank hacks), employee dishonesty, forgery or alteration (rogue employees), third-party computer fraud (social engineering), unlawful taking of money resulting from a computer violation (ransomware), and funds transfer fraud. The impact covered in a crime policy is usually limited to the actual theft of money, rather than the wider implications covered in affirmative cyber coverage.
  • Kidnap and ransom (K&R) policies, also known as special crime or extortion, may offer extortion cover when property damage threats are made. This property includes computer hardware and software. Cyber extensions can also be added to indemnify ransom payments, legal liability, crisis response, business interruption, and customer identity threat. Following the widespread global ransomware incidents of 2017, K&R insurers have significantly scaled back ancillary cyber coverage, and now only cover investigation of a ransom demand and payment of ransom arising from an electronic threat.
  • D&O insurance may cover legal fees and personal losses if a company director is sued because of a cyber attack that reduces the company’s share value. Directors and officers generally have a duty to protect confidential information and implement an adequate security culture within the business. When they fail to do so, class action lawsuits may be filed, and regulatory fines may be imposed. Criminal activity, fraud, and misrepresentation are often excluded.
  • PI policies, also known as errors and omissions (E&O) insurance, cover professional negligence, data breach/loss, defamation or libel, loss of money under your responsibility (client accounts), and legal fees/compensation. The missing cyber coverage in these policies is a first-party loss. This includes investigation costs, crisis response, notification costs, data restoration, credit and ID monitoring services, business interruption (loss of revenue), and cyber extortion.
  • Property policies typically pay for business interruption and property damage involving a listed peril that damages electronic data (including computer viruses). These programs generally exclude cyber-triggered bodily injury, physical damage, and other cyber-specific elements. Many industry-specific carve backs to cyber exclusions exist in property policies, but companies should be very wary of the specific limitations of these extensions, as they are usually more restrictive than purpose-built cyber coverage.
Some existing programs may insure the same cyber triggers but only pay for certain financial impacts, whereas other elements of cyber risk may prove more difficult to insure at all.

Looking ahead

The insurance market’s approach to silent cyber exposures will directly affect the coverage available to businesses and how those policies respond to large, systemic losses. As this issue receives more attention, the cyber market will continue to evolve, requiring specialist advice, relevant policy wraps and extensions, and coordination with other coverage specialists. Companies of all sizes continue to turn to standalone cyber programs, as traditional policies often explicitly exclude cyber and limit the amount of coverage available for cyber exposures. This shift to standalone cyber may have several indirect effects, including:

  • More premiums entering the cyber market
  • Improved access to evolving claims data
  • Risk modeling tools proving more effective
  • More reinsurance capacity being required to fulfil capacity requirements

This evolution could also improve the sustainability of the insurance market, enabling it to evaluate and price risks more accurately, and subsequently, make various forms of cyber coverage more affirmative for buyers. However, some risks may still be considered so systemic that the industry responds with a public or private pool approach to supplement the traditional commercial insurance market. This will be important to monitor as the overall cyber insurance marketplace is still recovering from unprecedented loss frequency and severity, which could further limit coverage extensions.

Cyber risk is widely accepted across all industries as one of the top business risks. Technology is constantly evolving, and corporate networks and the information they hold play a more integral role than ever in an organization’s ability to offer products and services, interact with customers and employees, and generate revenue. Finding the right cyber risk solution for your business can make all the difference to your balance sheet.

MMA is here to help. Contact us today to discuss your cyber risk and let us help you prepare for whatever comes next.