P&C insurers must move cyber risk from the shadows to the light

It's time to treat cyber like a standard named peril

By Bethan Moorcraft

It’s time for property & casualty insurers to start treating cyber risk like a standard named peril. Cyber has grown into one of the most ubiquitous exposures of the 21st century, impacting both individuals and businesses. No longer can insurers lurk in muddy waters, hiding behind unclear and/or complex coverage positions; now’s the time to pivot cyber risk from the “gray area” to the light so that agents and insureds know exactly what is covered and what is not.

Today, there is potential for cyber risks to be covered across multiple coverages within almost all traditional P&C insurance policies. But rather than treating cyber as a common peril and providing coverage via standard commercial package policies and homeowners’ policies, many insurers either stay “silent” on the topic of cyber, or they push insureds towards specialty cyber products offered by others.  

If insurers are non-affirmative or “silent” on whether cyber risk is covered via standard policy forms like business owner policies (BOP) and homeowners’ policies, they run the risk of having to pay out for cyber-triggered claims that were not factored into the pricing of those policies. If they attempt to bar those “silent cyber” losses from being covered, they risk creating an acrimonious relationship with their policyholders and could potentially lose their business. More broadly, insurance agents selling their homeowners and business insurance packages may ultimately determine that not actively covering cyber is a negative product differentiator and decide to start moving their book to traditional insurers that do offer cyber within their package solutions. 

“Cyber has become this peril that can impact almost every aspect of coverage,” said Matt Cullina, managing director of Global Markets at Cyberscout. “There could be physical damage, liability exposure, business interruption – it hits on multiple aspects of a standard insurance policy today. It has become such a ubiquitous peril that insurance companies simply cannot treat it like a specialty risk that they don’t want to get involved with.

“Why not be proactive? Insurers should treat cyber like a standard coverage offering and be methodical and affirmative in what they’re going to cover. If they do that, insurers can control the cyber exposure they have across their portfolios, they can limit the amount of coverage they’re willing to offer, and they can make it very explicit to insurance agents as to what their risk appetite is. That’s much better than this coverage gray area that we find ourselves in today.”

There is a definite client retention benefit for insurers that provide affirmative cyber coverage, Cullina added. By treating cyber as a common peril, much like fire, in a small business policy or a homeowners’ policy, insurers strengthen their relationships with their policyholders rather than sending them to a specialty market. This makes life easier for policyholders, especially small businesses, because they can deal with one agent, under one roof, and get all the coverage they need from one carrier.

“It’s about being relevant in this ever-advancing digital world,” Cullina told Insurance Business. “If insurers remain silent on cyber, they risk losing relevance with their customer base because they’re ignoring a key aspect of risk.

“Furthermore, by being absolutely clear on intent and coverage, this would make it much easier to sell cyber offerings and for insurers to train agents around the benefits of these offerings and how to better protect insureds. This will also drive the market towards developing standard cyber coverages for homeowners and SME businesses.”

There has been some market movement on the issue of silent cyber since Lloyd’s of London announced in 2019 that it would require all insurance policies to clearly state whether they will or will not provide affirmative cyber coverage. This has played into a domino effect, causing other insurers to seek guidance on silent cyber evaluation.  

“There is plenty of support and resources out there to help insurers who want to treat cyber risk with a standard approach,” Cullina added. “Even if insurers only provide a small amount of cyber coverage within their standard policies via endorsement, that’s a much clearer intent than staying silent. If a claimant tries to challenge an insurer to trigger other parts of a policy, the insurer can explicitly say: ‘That wasn’t our intent. Why would we introduce a cyber endorsement if we thought other parts of our policy would cover cyber risk?’ Treating cyber like a common peril and standard coverage offering is beneficial for all parties – insurers, agents and policyholders.”
