However, today, when everything is digital and connected, from the heating system to the connected car, cyber risks can impact all aspects of life and consequently can be relevant to other lines of insurance such as property, marine and general liability insurance etc.
For example, if a malware attack causes a store heating system to overheat and thereafter causes an explosion, shouldn’t the bodily injury and property damage be covered by the property insurance policy? What happens if the store does not have a cyber insurance policy? What happens if the existing property policy includes fire but does not mention a cyber attack as the cause of the fire?
This lack of explicit addressment of cyber risks in non-cyber insurance policies is called “Silent Cyber” and is also known as “non–affirmative coverage”. This is when a policy does not explicitly exclude or include coverage of cyber-related incidents. The claim is that non-cyber insurance policies should consider cyber threats as another risk factor, and if they do not consider it, they should clearly exclude it from the policy.
The devastating affect of the NotPetya attack
Many property and liability insurance policies were designed when cyber wasn’t perceived as a major risk. These policies often did not explicitly mention cyber coverage. However, the devastating NotPetya attack, from 2017, which economic losses exceeding USD 8 billion and insured losses estimated at USD 3.6 billion on both affirmative and non-affirmative (silent) covers globally and other high-profile cyber security events, in the recent past, have placed the issue high on the agenda for the insurance industry.
UK insurers decide to end the silent cyber practices
In January 2019, all UK-regulated insurers received a letter from the Prudential Regulatory Authority (PRA) confirming that they “should have action plans to reduce the unintended exposure that can be caused by non-affirmative cyber cover.” In July 2019, Lloyd’s issued its Market Bulletin Y5258, and updated this in January 2020 with the follow up Market Bulletin Y5277. The update required all syndicates to provide clarity on the cyber exposure in all their policies, giving clients contract certainty. This approach, which is being phased in over the course of 2020 and 2021, is particularly focused on driving the eradication of silent cyber from traditional lines of insurance by encouraging insurers to identify the exposure and either clearly exclude or affirmatively include it.
What should insurers do to be ready?
Although Lloyd’s decision applies primarily to the UK insurance market, it is clear that other markets are heading towards the same direction. So, the question is what can insurers do to prepare themselves to this new reality in which cyber coverage will be implemented across all insurance products?
- Understand and assess cyber risks – if cyber risks will be part of most insurance products, then all insurance professionals should be able to understand and assess cyber related risks and exposures, each within the context of their specialty field. As part of this process, they should learn about cyber threats and exposures, learn about existing security measures, be able to understand the security requirements of cyber-related clauses, and more.
- Revise all policies – silent cyber requires a comprehensive revision of all insurance policies. Specifically, upon renewal, insurers should ensure all policies have affirmative or non-affirmative clauses concerning cyber-related risks. Every risk should be assessed on whether or not it relates to a cyber element. In addition, since many customers may have a stand-alone cyber insurance policy, insurance brokers should ensure that there are no overlaps, gaps, or contradictions between the non-cyber policy and the cyber insurance policies.
- Brokers need to be able to speak the cyber language – today in most places there are a few brokers that specialize in cyber insurance and handle the stand-alone cyber insurance policies, while the rest deal with non-cyber policies. The silent cyber revolution means that all policies will include cyber elements in them. This means that all brokers should be trained to understand cyber insurance. All brokers should be able to communicate and at least speak the “cyber insurance language”. They should be able to comfortably communicate with the clients’ technical and cyber security staff (e.g. CISOs) to discuss risks, requirements and assess the current security posture.
- Cyber insurance training for Claims professionals – in a world where all policies include cyber elements, the Claims department will have to deal with a raising number of cyber-related claims. In order to avoid bottlenecks, all Claims professionals should be trained on the Cyber Insurance basics as well as learn how to handle cyber-related claims. For example, they will need to be able to deeply understand the cyber insurance policy and its coverages, learn how to assess the incident and how it relates to the policy terms; learn how to appoint experts to assist in quantifying losses, and learn how to properly read a technical IR report.