Silent cyber refers to potential cyber exposures contained within traditional property and liability insurance policies, which may not implicitly include or exclude cyber risks.
Unlike specialist standalone cyber insurance, which clearly defines the parameters of cyber cover, traditional insurance policies were not designed with cyber exposures in mind. In many cases, traditional policies will not specifically refer to cyber and could theoretically pay claims for cyber losses in certain circumstances.
This is particularly true for all risk property coverages that do not exclude cyber risk - also known as ‘non-affirmative’ cyber - and is particularly relevant for marine, aviation, transport and property lines, although it is also present in some liability covers.
For example, a study by the UK’s Prudential Regulation Authority (PRA) in 2016 found that the aviation insurance sector has to date been comfortable providing implicit cyber cover and the market has not witnessed a move to introduce exclusions.
Similarly, there are currently no widespread cyber exclusions in the property market. However, underwriters have acknowledged the potential for cyber aggregation resulting from cyber attacks on high-profile commercial or industrial targets, or from smart-house technology, the PRA said.
Casualty lines may also have significant exposure to silent cyber losses, reflecting the fact that exclusions are not widely used or because some policies cannot exclude cyber losses, such as mandatory coverages like motor. Directors and officers, professional indemnity, financial institutions and general liability products are likely to be exposed to various degrees to ‘silent’ risks due to a lack of use of effective exclusions, the PRA said.
Why does it matter?
How the market approaches silent cyber exposures will have a direct impact on coverage and the way in which the market reacts to very large and systemic losses.
In 2016, the PRA wrote to insurers in the London market expressing its concerns about silent cyber, noting that the potential for a significant ‘silent’ cyber insurance loss is increasing with time. This was followed by a Supervisory Statement in July 2017, in which the PRA urged insurers to tackle silent cyber exposures through robust wordings and exclusions, specific limits and rating.
Rating agency Fitch also recently warned on silent cyber exposures, suggesting that if poorly managed, silent exposures would place pressure on insurers’ earnings, capital and ratings. They believe that a large cyber disaster would see a major proportion of insured losses incurred within traditional policies.
Addressing the issue of silent cyber risk is crucial. The lack of clarity in standard property/casualty policies has led some companies to believe that they have adequate cover for cyber risks when they may not.
Ambiguity in coverage may also be holding the market back, according to a JLT Re Viewpoint report earlier this year. For example, reinsurers and insurers are concerned that quantified cyber exposures are buried in traditional policies by virtue of not being excluded, raising the prospect of unexpected losses in the event of a cyber incident. This has created the situation where cover is often not properly provided or understood.
The growing focus on silent cyber exposures is likely to see changes in the way the insurance market approaches cyber. In some cases, cyber will be considered a ‘peril’ to be addressed in traditional placements with the support of cyber specialists. However, JLT believes that standalone cyber insurance is best placed to facilitate innovative and comprehensive solutions to better account for the way cyber risks cut across every aspect of business today.
As more premiums flow into the standalone market, carriers will be able to evaluate and price risks more accurately as good-quality claims data and sophisticated modelling tools become increasingly accessible. This, in turn, will help ensure the market is better placed to trade through future systemic losses.