In short, the answer is yes, but insurers are increasingly encouraged by regulators and rating agencies to remove “non-affirmative” coverage, so that they have a clear picture of their aggregate cyber risk and aren’t surprised by major losses in the market.
Non-affirmative coverage, or ‘silent cyber’, refers to the use of traditional insurance policies to cover cyber risks that were not explicitly referred to within the policy. In theory, cyber losses can be paid under these traditional policies, as they were not specifically excluded from coverage.
As traditional insurance policies evolved, cyber risk was not the consideration it is today, as businesses were not as reliant on technology and cyber-attacks were not as advanced or prevalent. Therefore, the parameters of cover for cyber exposures were not defined, as they are in modern standalone cyber policies.
As a result, businesses may incorrectly assume they are covered for cyber risks when they are not. Alternatively, the market could end up paying for losses it wasn’t prepared to cover, which could affect the sustainability of the cyber and non-cyber insurance markets. These unfulfilled promises could then result in expensive court cases.
The Prudential Regulation Authority has urged London market underwriters to employ more robust wordings and exclusions, which feature specific limits and ratings to avoid these silent exposures.
Fitch Ratings echoed this sentiment by highlighting the pressure non-affirmative coverage puts on insurer earnings, capital and ratings when poorly managed.
Lloyd’s of London also raised concerns about the aggregation of cyber risk in non-cyber policies.
A Patchwork of Policies
Organisations need to have a clear understanding of how the elements of their current insurance portfolio interlock to cover their cyber risk exposures. This knowledge will provide them with a roadmap with which to plan their risk transfer strategy, which could involve either expanding the boundaries of their existing policies, or purchasing a new standalone insurance product to address any gaps in coverage.
Some of their existing programmes may insure the same cyber triggers, but only pay for certain financial impacts; whereas other elements of cyber risk may prove more difficult to insure at all.
Typically, all-risk property policies – including directors and officers liability (D&O), professional indemnity (PI), financial institutions (FI) and general liability (GL) insurance lines – are likely to cover silent cyber exposures, as they don’t often feature specific cyber exclusions. This is particularly relevant for businesses in the marine, aviation and transport industries.
How Traditional Policies May Respond To Cyber Events
Crime policies cover manipulation of data in SWIFT or CHAPS systems (bank hacks), employee dishonesty, forgery or alteration (rogue employees), third-party computer fraud (social engineering), unlawful taking of money resulting from a computer violation (ransomware) and funds transfer fraud.
The impact covered in a crime policy is usually limited to the actual theft of money, rather than the wider implications covered in affirmative cyber coverage.
Kidnap and ransom (K&R) policies, also known as special crime or extortion, offer extortion cover when property damage threats are made. This property includes computer hardware and software.
Cyber extensions can also be added to indemnify ransom payments, legal liability, crisis response, business interruption, and customer identity theft. Following the widespread global ransomware incidents of 2017, K&R insurers have significantly scaled back ancillary cyber coverage, and now only cover investigation of a ransom demand and payment of ransom arising from an electronic threat.
D&O insurance covers legal fees and personal losses if a company director is sued as a result of a cyber-attack that reduces the company’s share value. Directors and officers generally have a duty to protect confidential information and to implement an adequate security culture within the business. When they fail to do so, class action lawsuits may be filed and regulatory fines may be imposed. Criminal activity, fraud, and misrepresentation are often excluded.
PI policies, also known as errors and omissions (E&O) insurance, cover professional negligence, data breach/loss, defamation or libel, loss of money under your responsibility (client accounts), and legal fees/compensation. The missing cyber coverage in these policies is first-party loss: investigation costs, crisis response, notification costs, data restoration, credit and ID monitoring services, business interruption (loss of revenue), and cyber extortion.
Property policies pay for business interruption and property damage involving a listed peril that damages electronic data (including computer viruses). These programmes generally exclude cyber-triggered bodily injury, physical damage, and other cyber specific elements.
Many industry-specific carve-backs to cyber exclusions exist in property policies, but companies should be very wary of the specific limitations of these extensions, as they are usually more restrictive than purpose-built cyber coverage.
The insurance market’s approach to silent cyber exposures will directly affect the type of coverage available to businesses and how those policies respond to large, systemic losses.
As this issue receives more attention, cyber may evolve to be considered a peril that requires specialist advice, plus relevant policy wraps and extensions.
Alternatively, companies may turn to standalone cyber programmes, as traditional policies start to explicitly exclude cyber and limit the amount of coverage available for cyber exposures. This shift to standalone cyber may have several knock-on effects, including:
- More premiums entering the cyber market
- Claims data improving
- Risk modelling tools proving more effective
- More reinsurance capacity being required to fulfil capacity requirements.
This evolution could also improve the sustainability of the insurance market to trade through future losses, enabling it to evaluate and price risks more accurately, and subsequently make cyber cover more affordable for buyers.
Some risks may still be considered so systemic, however, that the industry responds with a public or private pool approach to augment the traditional commercial insurance market.
Cyber risk is widely accepted across all industries as one of the top business risks. Technology is constantly evolving, and the upcoming introduction of 5G internet will only exacerbate this change, making corporate networks and the information they hold more integral to a company’s ability to offer products and services, interact with customers and employees, and generate revenue.
Purchasing the right cyber risk solution for your business can therefore make all the difference to your balance sheet.