Cyber risk is already impacting many lines of business, from property to auto liability, and most industries, from the public sector and retail to financial services and manufacturing, the last of which was evidenced in the recent Norsk Hydro cyberattack. As cyber-related losses from traditional policies not specifically designed to address cyber risk grow in number, the term ‘silent cyber’ has landed on the radars of many insurance professionals, with insurance companies now having to figure out how to plug the silent cyber holes.
“Cyber as a standalone dedicated insurance policy is still pretty new within the past decade or so. Now, carriers are really being tested as claims come in [from] the cyber incidents, the malware, and the ransomware,” said Kelly Castriotta (pictured), deputy product development leader for the North America region of Allianz Global Corporate & Specialty (AGCS). “In particular, one of the major considerations for the industry is that we didn’t realize necessarily that there would be physical loss or loss of life stemming from these cyber incidents, so how is that treated and how does that impact all of our portfolios, not just in a dedicated cyber policy? I think that’s exactly why these questions are coming up, when you see this widespread, potentially catastrophic kind of loss that can harm multiple companies and multiple industries.”
Unlike the specialist standalone cyber insurance products that are available on the market today, traditional liability policies were not designed with cyber exposures in mind and therefore may not implicitly include or exclude cyber risks. This coverage ambiguity can result in a silent cyber scenario, whereby an insurer may have to pay claims for cyber losses off a policy not designed for that purpose.
Read more: What is silent cyber risk?
AGCS knows this issue well, and announced that it was going to update its policy wording in light of silent cyber in recent months.
“Our conclusion is that essentially every line of business can be impacted by the cyber peril,” explained Castriotta. “It’s been a huge undertaking because we have such a range of diversified products. In traditional lines, where products have been in place for hundreds of years and haven’t necessarily contemplated a complete digitization of the world, [those] don’t necessarily address cyber head on. I think the undertaking is imagining the kinds of risks that can impact the policyholder or company, and how that plays out in the wording of your policy. It’s really taking every policy line by line, looking at whether it’s addressed at all and if it’s not, how do you want to address it – do you want to affirm it, do you want to say we’re covering cyber perils, or are we excluding them?”
Communicating the issue of silent cyber to brokers, and making sure they make the significance of this potential exposure known to their insureds is likewise crucial in this journey.
“We have that dialogue with our brokers, and that’s really the first step. We’re trying to get our brokers to see this from a more global comprehensive perspective, not just as a siloed sort of issue,” said Castriotta. “For example, very sophisticated companies realize that cyber can impact multiple lines of business, and I think they are starting to realize that it’s a board-level issue, it’s a company financial health issue, and their risk managers are talking about this and having this dialogue. We really want to bridge that gap because if our brokers are underprepared with answers, we want to be able to provide them with solutions.”