“Silent cyber” is the possibility that an insurer of a non-cyber insurance policy will assume risk triggered by cyber peril such as a ransomware attack that would otherwise be insured under a full cyber insurance policy.
Other cyber examples include denial-of-service attacks or data breaches. Note the definition I’ve used specifies insurer – because the carrier is the one most directly impacted by any claims, or disputes over claims, that arise from a cyber event.
But the carriers clearly aren’t the only actors in the insurance ecosystem. As such, they are not the only ones potentially impacted by a major cyber event. Brokers themselves have a duty to their clients, and errors and omissions (E&O) risk could arise from that duty where claims intersect with the cyber coverage the broker has advised their client to (or not to) purchase.
Silent Cyber: A Primer
If you’re not familiar with the term, there are a few key things to understand about silent cyber. First, not all policies that omit cyber language present silent cyber risk. For first-party risks like Property and Cargo, the policy must also cover damage to property and business interruption. For third-party risks like General Liability or Personal Injury, the policy must insure liability exposures that might be triggered by other events. These are both low hurdles, but are essential: it is these coverages, combined with the omittance of cyber-specific language, that produce the conditions for silent cyber risk.
If a ransomware attack causes business interruption when thousands of employees cannot use their laptops for work, are those losses tacitly covered under a standard Property/BII cover? Perhaps yes and perhaps not.
In the insurance industry, we have seen this kind of ambiguity in policy language before, in the development of new underwriting categories. It typically results in years of costly litigation before the right coverage and pricing prevail. Considering the scale of losses relating to data breaches witnessed in the past five years or so, that is a grim prospect for carriers, policyholders, and the industry.
A recent statement from the Prudential Regulation Authority (PRA), the UK’s insurance regulator, underlines this risk and effectively ups the ante for all insurers. Their statement, issued in January of 2019, demands that insurers “develop an action plan by H1 2019 with clear milestones and dates by which action will be taken” to reduce the unintended exposure to non-affirmative cyber risk. Notably, the PRA does not just impact UK companies — it also regulates Lloyds of London, and thereby the $250 billion U.S. Commercial P&C insurance industry that is reinsured by Lloyd’s. Yet insurers have been slow to respond, with none wanting to be the first to exclude Cyber in a given class and then suffer the consequences of an efficient market wiping out some of their shares.
Brokers, Cyber, and Errors and Omissions
Brokers, of course, want clarity of coverage as much as anyone in the chain in order to better serve their clients. Any broker that has persevered through the lack of clarity around claims of Terrorism (particularly resulting from the 9/11 attacks), Pollution, or Employment Practices knows that clients can be lost when a claim is not responded to in a clear fashion by their insurers. Perhaps even worse, brokers can expect claims against their own Errors & Omissions policies and retentions from clients who find insurers' response to claims unfair.
This particular form of risk is worrisome given the dynamic nature of the offerings available. When the market for affirmative cyber policies was still nascent, one could argue that this untested area of insurance was not an obvious choice for a given client, especially considering that their property policy was silent about cyber, and coverage for damages could be assumed. What may have been a reasonable defense against a claim a few years ago may not be today, given the offerings now in the market for cyber coverage, and the precedent of disputes over cyber coverage.
The Way Out of the Thicket
The insurance market is making its first attempts to address Silent Cyber. Insurers like FM and AXA now offer some high-end Property accounts with coverage against certain Cyber Perils-related losses. While this is good news for brokers and their clients, in its present stage it presents a heightening of risk for brokers. What happens to brokers when they place coverage with an insurer that does not offer Affirmative Cyber and a claim payment is denied as a result of Silent Cyber positions? It is almost better for brokers to have no insurers offering coverage.
The solution, of course, is more integrated Affirmative Cyber offerings across the marketplace, not fewer. If “software is eating the world,” as venture capitalist Marc Andreessen — the inventor of the first commercial web browser — famously wrote, then insurers need to respond with its corollary: Cyber Insurance is eating Commercial Insurance. More robust strategies are needed by insurers. Brokers should demand them.