Some call it silent cyber. Others call it non-affirmative cyber. A select few call it … cybergeddon.
It’s ironic how loud conversations around silent cyber risk have become over the last 12-18 months. It’s a major topic of concern for insurers and risk managers, but it remains clouded in ambiguity and uncertainty.
What is silent cyber exposure?
Silent cyber refers to potential cyber-related losses stemming from traditional property and liability policies that were not specifically designed to cover cyber risk. Unlike the specialist standalone cyber insurance products that are available in the market today, traditional liability policies were not designed with cyber exposures in mind and therefore may not implicitly include or exclude cyber risks. This coverage ambiguity can result in a silent cyber scenario, whereby an insurer may have to pay claims for cyber losses off a policy not designed for that purpose.
Speaking at the NetDiligence cyber risk summit in London in 2018, Johnny Fraser, cyber reinsurance broker at Capsicum Re, said: “I regard silent cyber as an exposure on an insurance line of business derived from some sort of computer system, computer software virus or malicious code. We call it silent cyber because we’re trying to describe a situation where there’s coverage ambiguity, so it’s neither explicitly included on an insurance policy, nor explicitly excluded.
“I think it’s interesting the industry still calls it silent cyber. I think non-affirmative cyber is probably a more accurate description for the cyber peril. I think silent cyber is probably something that was a more accurate description six or seven-years-ago when the industry didn’t perhaps place enough emphasis or attention on cyber exposures across insurance lines. In light of recent losses, regulatory emphasis, management board level attention, and media attention, there’s an acknowledgement that non-affirmative is probably a better way to describe the peril.”
Where do silent cyber issues crop up?
Silent cyber situations can arise in a number of different insurance coverage areas. In fact, issues can arise in any account where technology is present. Property and/or commercial general liability policies are spoken about most with regards to silent cyber. Many insureds believe cyber events should be covered under these traditional policies, especially if the events lead to property damage (or a third party’s property damage), bodily injury, or business interruption.
Why has discussion around silent cyber become so loud?
Simply put – insurers are starting to experience losses.
June 2018 marked the first anniversary of the costliest cyberattack in history – NetPetya. The NotPetya attack ravaged a range of businesses from shipping ports and supermarkets to ad agencies and law firms, by encrypting their master files and demanding a Bitcoin ransom to restore access to those files. Most victims were based in Ukraine, but several global corporations were also infected – including shipping giant Maersk, advertising firm WPP, pharmaceutical outfit Merck, and FedEx’s TNT Express division. NotPetya resulted in silent cyber losses on non-cyber lines of business for various insurers.
“There have been some big silent cyber losses in the market. This is forcing chief underwriting officers to sit down with leaders across all lines of business and ask: ‘What are you doing about this exposure?’,” said David Legassick, head of life sciences, technology and cyber at CNA Hardy. “The challenge comes when you actually sit down and start thinking about the exposure, what it means in the world of an insurance company and how you address it. It’s a really difficult task to get your head around. Where do you start and how do you figure out what exposures you’ve got?”
What’s the regulatory landscape around silent cyber looking like?
In mid-2017, the Prudential Regulation Authority (PRA) in the UK released a supervisory statement detailing its expectations of firms regarding cyber insurance underwriting risk – both affirmative and non-affirmative/silent. In short: “the PRA expects firms to be able to identify, quantify and manage cyber insurance underwriting risk.”
Likewise, global ratings agency A.M. Best announced it “expects companies to be proactive and forthcoming with their own evaluation and measurement of the exposure and accumulation of their cyber liability exposure.”
There are some geographic differences in terms of regulatory scrutiny.
Luke Foord-Kelcey, co-head Aon Benfield’s global cyber practice group, commented: “Silent cyber is not a new topic. It has been around since businesses have relied upon technology and insurers haven’t excluded cyber as a peril. A lot of regulators have [started] to take interest in this. They’re not saying people should stop writing cyber. But they have asked that people manage their silent cyber exposure. This has really brought [the issue of silent cyber] to the forefront of the boards of insurance companies’ minds.
“The interesting thing when you look at defining silent cyber is figuring out when a cyber exposure in a non-cyber class of business moves from being silent to being non-silent. For us at Aon Benfield, that doesn’t necessarily mean changing how you define or cover cyber in the original policy. Rather it’s about managing the exposure appropriately. It might just be that you charge more additional premium. Obviously there are commercial pressures, but if you’re a property underwriter and you recognise that you’re already providing silent cyber, you need to allocate a premium figure to that exposure.”
In what ways can insurers address their silent cyber exposures?
According to BitSight, there are multiple ways for carriers to address silent cyber. They can acknowledge and own it by affirmatively providing cyber coverage in non-cyber lines of business. However, this is not a very common practice. Most insurers seem to prefer the option of providing stand-alone cyber coverage and then noting a clear cyber exclusion in their traditional property and liability policies.
Another option is to stay silent. As the BitSight blog states: “Silence is what you may call the status quo when it comes to silent cyber. Many companies choose not to affirmatively come out and say their policy is meant to provide cyber-related exposure - but in not making the language certain, they don’t deny it either.”
The problem is, the global property and casualty markets are filled with massive insurance programs, written decades ago with outdated exclusions. Often, policy wordings are not as up-to-date as they need to be, which leaves insurers exposed to new and emerging risks like silent cyber.
“Five-years-old is ancient in terms of cyber. And yet, we’ve got policies out there in the P&C market that haven’t been re-written for 30-years. The mechanics are basically the same as they were in the 1970s and 80s, so how could those policies possibly address this risk where you have a coverage gap now opening up?” said John Merchant, director of customer solutions at Guidewire Cyence Risk Analytics. “Products are starting to catch up a little bit here and there but it’s this systemic issue, this institutional challenge within the industry, that’s impeding progress. It’s like a software system that’s 30-years-old. To replace it is easier said than done.”
How do reinsurers view silent cyber risk?
Aon Benfield’s Foord-Kelcey divides insurers into two silent cyber groups around the world: good silent cyber risk and bad silent cyber risk. He described an insurer with bad silent cyber risk as someone who acknowledges they have the exposure and then simply transfers that risk to a reinsurer. On the other hand, a good silent cyber risk, according to Foord-Kelcey, is a company that says: “Yes, I’ve got silent cyber exposure. I’ve got regulators, rating agencies, corporate governance units and shareholders on my back and I need to do something about it. However, I realise that action could take three to five years, so please can I transfer that risk to you [the reinsurer] in the interim period?”
What needs to change?
As cyber risk evolves and becomes even more mainstream, the insurance industry around the world needs to get rid of the coverage ambiguity around silent cyber.
Capsicum Re’s Fraser pointed out: “The insurers that have the best understanding of non-affirmative cyber exposures will be best positioned to offer more coverage clarity, and therefore better products for their insureds. Also, the more certainty and the less ambiguity they have on this topic, the more capital the reinsurance community will free up in support.”