The noise around silent cyber has become somewhat deafening in the past year. Ever since the term silent cyber was coined a few years ago, the issue has garnered more and more attention from insurers worldwide, causing its so-called “silent” status to quickly abate.
Silent cyber refers to potential cyber-related losses stemming from traditional property and liability policies that were not specifically designed to cover cyber risk. Unlike standalone cyber insurance products, traditional property and liability policies in the past have not always implicitly included or excluded cyber risks. This coverage ambiguity is what is referred to as silent cyber. It had led to insurers having to pay claims for cyber losses off policies not designed or priced for that purpose.
One of the first big coverage disputes around silent cyber involved Mondelez International, one of the world’s largest confectionary companies. In 2017, Mondelez was left crippled by the NotPetya cyberattack, an alleged state-funded ransomware attack that took out the computer systems of firms operating around the world. Mondelez reported that 1,700 of its servers and 24,000 laptops were infiltrated with the malware, resulting in losses of more than US$100 million.
When Modelez sought to claim for the cyberattack under an all-risk property insurance policy, the claim was denied on the basis of an exclusion in the policy for losses triggered by a “hostile or war like act”. The insurer used the widely considered view that NotPetya was state-sponsored by the Russian government in order to decline coverage for the cyber-triggered property loss – a decision that Mondelez contested. To this day, the Mondelez claim remains central to the discussion about the efficacy of cyber coverage, and the potential for property damage and bodily injury resulting from a cyber event.
“By nature, cyber risk bleeds into every line of coverage because almost every business utilizes technology to operate, and technology has been woven into basically every service or product that any company offers,” said Kasey Armstrong, vice president, Amwins Brokerage. “When all eyes turned towards the issue of silent cyber, insurers had to address their exposure.”
In 2019, Lloyd’s issued a mandate that all policies written through the London market – whether written on an all-risk or a named perils basis – must give clarity around cyber exposure by either affirmatively providing or excluding coverage. With Lloyd’s often seen as a lynchpin for the global insurance industry, many other insurers have since followed suit, addressing silent cyber by introducing affirmative exclusions on non-cyber lines.
“As evolutionary as the cyber insurance market is, there’s still a hierarchical debate about where a property damage or bodily injury loss should fall if it is the result of a cyber event,” said Megan North, vice president, Amwins Brokerage. “Cyber carriers aren’t fully comfortable opening up their policies to cover all types of loss. Meanwhile, property carriers are uncomfortable with the cyber trigger, so there’s a bit of a battle going on.”
To solve the conundrum of how cyber risks are covered by insurance, Amwins developed CyberUP, the market’s first modern cyber umbrella insurance policy, with full drop-down coverage capabilities. CyberUP is a self-contained insurance policy with two insuring agreements. Insuring agreement A is traditional follow-form excess insurance and provides policyholders with additional limits over their primary policy, while insuring agreement B is the umbrella function, offering higher liability limits and dropping down to provide coverage where the underlying policy might not.
“Insureds can sometimes find themselves in no man’s land after a cyber-triggered loss,” said Armstrong. “If an insured suffers a loss and they have no coverage under their non-cyber insurance policy, and no coverage under their primary cyber policy, then our CyberUP umbrella policy can fill that gap. Because it is self-contained, it is not reliant upon any primary insurance policy, whether cyber or otherwise; in other words, it shifts over and drops down to dollar one, becoming the primary policy. That’s what makes CyberUP fundamentally unique.
“CyberUP will always be broader than the primary insurance policy because of its two insuring agreements. Insurance agreement A is follow-form excess; it follows the primary, therefore it’s as broad as the primary policy. Secondarily, insureds get the drop-down functionality, so if by chance they suffer a loss that is not covered by their primary policy, there’s the possibly that it could be covered by insuring agreement B, the umbrella function, thus providing fundamentally broader coverage.”
North described CyberUP as a “broad and comprehensive” policy, with the ability to cover multiple types of losses arising out of cyber incidents, including the exposures previously deemed “silent” and affirmatively excluded by most carriers on non-cyber policies.
She added: “Cyber risk is evolutionary; therefore, the coverage is evolutionary by nature – and we have contemplated that within our CyberUP policy. We actually have a liberalization endorsement built into the base policy wording so that as the CyberUP product evolves to stay relevant with the exposures and the risks that we’re seeing, all policyholders will get the benefit of any advancements that we make to the form or endorsements. We’ve designed the underwriting process to be very simple and efficient. That’s not something that cyber insurance is known for, and I think that separates our product from anything else in the market.”
Learn more about Amwins’ exclusive CyberUP product at amwins.com/cyberup.