Reactions: Silent Cyber: no longer silent?

Silent (or non-affirmative) cyber refers to cyber-related exposure within many all-risk general insurance products: if no explicit cyber exclusion applies, coverage for losses caused by cyber perils may apply even though the policy was never priced for it. The potential of this underlying exposure to produce aggregated loss is currently one of the major issues being considered by the re/insurance industry.

Background

The 2017 WannaCry and NotPetya cyber events demonstrated the very real existence of cyber exposure, with economic losses exceeding $8bn and insured losses estimated at $3.6bn across both affirmative and non-affirmative (silent) covers globally.(1)

In 2016, the U.K. Prudential Regulation Authority (PRA) carried out a thematic review involving a range of stakeholders, including insurance and reinsurance firms, re/insurance intermediaries, consultancies, catastrophe modelling vendors, cyber security and technology firms, and regulators.(2) The review expressed concern about the materiality of silent cyber as a risk to re/insurance companies and recommended that firms identify clear ways of managing silent cyber risk, set clear appetites and strategies owned by their boards, and invest in cyber expertise. Subsequently, in 2017, the PRA issued Supervisory Statement SS4/17, setting out its expectations of firms regarding cyber insurance underwriting risk.

In January 2019, all U.K.-regulated insurers received a further letter from the PRA confirming that they “should have action plans to reduce the unintended exposure that can be caused by non-affirmative cyber cover.”

In July 2019, Lloyd’s issued Market Bulletin Y5258 and updated it in January 2020 with the follow-up Market Bulletin Y5277. The update requires all syndicates to provide clarity on the cyber exposure in all their policies, giving clients contract certainty. This approach, which is being phased in over the course of 2020 and 2021, is particularly focused on driving the eradication of silent cyber from traditional lines of insurance by requiring insurers to identify the exposure and either clearly exclude it or affirmatively include it.

This initiative is further explained in the 2019 publication Lloyd’s Cyber Risk Strategy. Here are highlights of its requirements:

• Customers have a clear understanding of the coverage provided by their policies.

• Cyber risks and accumulations are understood by all relevant stakeholders, from boards of directors to junior underwriters, pricing and capital actuaries and exposure analysts.

• Risk is appropriately quantified on an expected basis for pricing, and the potential for attritional and extreme events and accumulations is understood.

• The potential for silent cyber claims accumulation is reduced by:

  • Identifying classes of business and policy types that are particularly vulnerable to residual silent cyber loss leakage.

  • Developing approaches to pricing and capital setting for silent cyber risk.

Globally, regulators have issued similar statements on managing silent cyber risk, including the European Insurance and Occupational Pensions Authority and, in the United States, the National Association of Insurance Commissioners, both of which have published guidelines to help firms manage this exposure.

Safeguarding the sustainability of the insurance market

The goals of Lloyd’s and global regulators are to safeguard the sustainability of the insurance market, provide contract certainty for clients and drive innovation of new cyber products to fill the evolving needs of clients.

One of the challenges in achieving the necessary changes is that there is no globally agreed definition of what constitutes “cyber.” Across the various classes of insurance the differences become apparent: some clauses refer to “cyber events” while others refer to the use of “software.” Certain clauses deal only with malicious cyber events, some refer to “systemic” risk, and others impose conditions related to an insured’s ability to demonstrate the adequacy of its cybersecurity. This lack of consistency presents considerable challenges, though underwriters are actively taking steps to address the issue. Approaches underwriters are taking include:


Another challenge is that re/insurers in all classes of business are now constructing or finalising wording and formulating underwriting guidelines in accordance with their own strategies for dealing with silent cyber. Moreover, industry bodies such as the International Underwriting Association of London and the Lloyd’s Market Association have issued model exclusions that re/insurers are proposing to add to policies. This will inevitably lead to differing approaches to the issue and inconsistency in what is being offered to clients.

Reliance on information technology

As companies depend more on technology to conduct business, they are also increasingly exposed to technology’s particular vulnerabilities. These are wide-ranging and include system or supply chain disruption or failure, distributed denial of service, hacking and ransomware attacks, any of which may result in increased costs and lost revenue. The timing and severity of these events can be difficult to predict, and companies increasingly look to their insurance policies to cover the resulting business interruption. Businesses would traditionally have relied on their property policies for this coverage; however, property insurers have been reluctant to cover this financial, non-physical loss and have been pushing clients towards cyber-specific policies by excluding it under their property policies.

The WannaCry and NotPetya attacks of 2017 changed the landscape for cyber risk awareness. They demonstrated the speed at which cyber-attacks can spread beyond the traditional limitations of size, geography or industry sector, and highlighted the reliance on supply chains and the financial impact of disruption to them. Furthermore, the attacks challenged the boundaries of traditional policies, with payment of cyber-related claims sought under non-cyber policies. Following these events, re/insurers and regulators around the world agreed that the way silent cyber exposures are identified and addressed needed to change. Global insurers such as Allianz and AIG were amongst the first to make public statements clarifying their intent for policyholders.

AIG commentary: “American International Group Inc. will make all of its cyber insurance coverage explicit. The shift from silent cyber was designed not only to allow AIG to understand its own exposure better, but also to make it clearer to clients what is and is not covered under its cyber policies.”

Allianz commentary: “We will make it clear how cyber risks are covered in traditional policies and for which scenarios a dedicated cyber insurance solution is needed. The new strategy also responds to growing concern from regulators and rating agencies about cyber exposures in insurers’ portfolios.”(3)

Silent cyber case law development

The NotPetya and WannaCry events have resulted in certain high-profile legal actions where coverage has been denied by insurers. Separately, Target recently filed suit against its general liability insurer to recover the costs of reimbursing card issuers for its 2013 data breach. Recent media coverage has criticised insurers for not paying cyber claims, and these cases only compound the impression that cyber policies do not pay. Importantly, none of these cases involves a cyber policy denying cover; they involve clients seeking “silent cyber” coverage under traditional policies.

Case law involving silent cyber claims has the potential to expand re/insurer exposures significantly. In a recent Maryland federal court case, National Ink and Stitch, LLC v. State Auto Property and Casualty Insurance Company, the insured (National Ink) sued its insurer (State Auto) over the decision to deny its property damage claim following a ransomware attack. State Auto argued that because National Ink had only lost data, “an intangible asset,” and the computers National Ink sought to replace were not inoperable, the damage from the cyberattack did not meet the policy’s requirement of a “direct physical loss.”

Judge Stephanie Gallagher ruled in favour of the insured, noting that the policy in question expressly lists data as an example of covered property and contains the phrase “including software” in the heading describing covered property. Although National Ink’s computers still functioned after the attack, the judge found that the loss of efficiency and functionality of the computer system as a whole also constituted physical loss or damage.

Despite this, it is important to note that Maryland courts more generally “have not expressly decided whether data or software can be susceptible to physical loss or damage,” so the decision turned on the specific wording of this policy.

With the increasing prevalence of ransomware and coverage being sought under non-cyber policies, including property, kidnap and ransom, and crime, we will no doubt see a rise in legal disputes over coverage and further clarification of the intended scope of cover under these policies.

What does the future hold?

The NotPetya and WannaCry events of 2017 highlighted the potentially catastrophic impact of silent cyber within non-cyber lines of business. To address this challenge, re/insurers require an effective means of qualifying and quantifying silent cyber risk across their whole portfolios.

To help, Guy Carpenter has established a relationship with RiskGenius, an insurtech firm that uses artificial intelligence to evaluate potential silent cyber exposure at the individual policy level. This gives clients a means of assessing their silent cyber exposure at scale, while generating deeper risk insight that will support a greater understanding of silent cyber at an industry level.

Regulators, Lloyd’s and re/insurers will all continue to clarify their respective intentions and appetites for cyber in standalone policies and for the inclusion of cyber in traditional lines. This should give clients greater clarity on the intent of coverage under their insurance contracts, though there will be some tough negotiations where clients believe they are losing coverage they previously had.

The ongoing litigation demonstrates the importance of attaining clarity on coverage, and the cost to both sides when this is not resolved before a claim arises.

Standalone cyber insurance grew to $6.4bn in 2019(4) and is expected to reach $20bn by 2025, driven in part by the removal of cyber cover from other policies and by the business community’s increasing awareness of cyber risk. These market movements reinforce the need for the re/insurance industry to develop new cyber products so that it can respond with innovative risk transfer options as cyber exposures continue to expand.

Endnotes

  1. PCS Event Serial No. 1717 bulletin dated April 3, 2020.
  2. PRA “Dear CEO” letter dated November 14, 2016.
  3. https://www.agcs.allianz.com/news-and-insights/expert-risk-articles/silent-cyber.html
  4. A.M. Best.

Contacts

Siobhan O’Brien
International Cyber Center of Excellence Leader, Guy Carpenter
E: Siobhan.Obrien

Erica Davis
North America Cyber Center of Excellence Leader, Guy Carpenter
E: Erica.Davis