The topic of silent cyber, or non-affirmative cyber, has been anything but silent in recent years. It refers to potential cyber-related losses stemming from traditional property and liability policies that were not specifically designed to cover cyber risk. As cyber risk evolves into something more prevalent and all-encompassing, insurers around the world are in hot debate about how and when different policies should trigger and respond to losses.
The desire of any good broker is to “do what’s best for the client,” according to Robert Parisi, US cyber product leader at Marsh. That includes looking at all of a client’s available coverage, including standalone cyber and potential non-affirmative cyber in more traditional P&C policies, and having upfront discussions about how placing a particular grant of coverage on a particular policy form might impact the entirety of their risk.
Read next: Cyber claims data shows worrying trend
“Carriers are looking to align their policy language to better maximize recovery,” Parisi told Insurance Business. “Let’s say we have another NotPetya-type event – they don’t want to create an insurance situation where there’s a grant under the property policy and the standalone cyber policy, and assuming the war exclusion isn’t an issue, all of a sudden they have two insurance policies responding to an event.
“If you haven’t handled certain insurance 101 things correctly when it comes to the policy language, you’re going to have two deductibles apply and two limits apply. When that happens, carriers are either going to split the baby and say: ‘We’re only going to cover half the limit,’ or they’re both going to argue that the other is the primary coverage. Basically, you reach a stalemate.”
Brokers never want to reach a situation where one cyber event has a client susceptible to two deductibles, according to Parisi. To avoid that, they can ensure that all policy language aligns together appropriately, and that grants are aligned to maximize any potential coverage that might exist in other standard P&C insurance policies.
“The standalone cyber insurance carriers have never been in love with covering physical damage or bodily injury losses,” Parisi commented. “Marsh’s position is that if there’s an intervening physical cause, which there almost has to be to break something or to hurt somebody, we view that as properly within the property & casualty market to begin with.
“But you do have situations, like bricking, where a cyber event damages the firmware of an electronic device, but the device itself is not physically damaged. That falls into that gray area – the crack between the property policy and the standalone cyber policy. Recently, we’ve seen the cyber market be more flexible and recognize that it’s almost always their job to step into that void.”
There are opportunities for brokers to work with the markets to address these gaps and coverage gray areas. It starts with asking the right questions and diligently picking apart all aspects of a client’s technology risk.
Parisi added: “We like to go to market and say: ‘Here’s a coverage gap that our clients are concerned about. Work with us to figure out how to solve that gap. Tell us what you need to know and what we need to ask our clients. What do our clients need to tell you in order to allow you to underwrite that risk and provide that coverage?’” Cyber risk, no matter how seemingly silent, is something that can be solved.