As many insurance industry observers know, one of the great concerns within the industry now is the possible impact of “silent cyber” – that is, the potential for cybersecurity-related coverage outside of purpose-built cyber insurance policies. In the following guest post, Umesh Pratapa takes a look at the silent cyber phenomenon. A version of this article previously was published on Umesh’s website (here). Umesh is an independent insurance consultant based in India. I would like to thank Umesh for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Umesh’s article.
Silence is Golden – Is it? Certainly not in insurance coverage enunciation.
Silent cyber, more appropriately known as non-affirmative coverage, is the talk of the town now, causing a great deal of concern and justified anxiety among insurers, insurance intermediaries and insureds.
Come January 1, 2020, Lloyd’s underwriters will be required to clarify whether first-party property damage policies affirm or exclude cyber cover. For liability and treaty reinsurance, the requirements will come into effect in two phases during 2020 and 2021.
What is silent cyber coverage?
In simple words, it arises when a policy neither explicitly excludes nor explicitly includes cyber coverage. This is also known as “unintended” or “non-affirmative” cyber coverage.
When cyber insurance was introduced in the 1990s, the focus was on covering data breach exposures in response to regulations framed by authorities in the USA and Europe. Later, as business operations became more digital and the influence of information technology became all-pervasive, insurers started offering wider coverage. But there was not much foresight about the seepage of silent coverage into other lines of insurance such as property, marine and general liability insurance.
Why the noise about this subject now?
Many property and liability insurance policies were designed when cyber wasn’t perceived as a major risk. These policies often did not explicitly mention cyber coverage. While the insurance fraternity debated this issue as part of its regular review of operations, albeit at a low volume, the devastating NotPetya attack and other recent high-profile cyber security events have placed the issue high on the agenda for the insurance industry.
An overview of NotPetya losses:
“NotPetya, which struck in 2017 and became the most devastating cyber attack in history, was a virus embedded into a Ukrainian tax-software program. The virus reportedly shut down 10% of the country’s computers and vital infrastructure. The contagion then spread to networks worldwide, infecting more than 2,000 companies in 65 countries, among them shipping company Maersk and FedEx, each reporting $300 million in related losses”
(Source: Silent No more – https://www.russbanham.com/2019/07/24/silent-no-more/)
While the quantum of losses resulting from silent cyber is not known, there is no doubt that losses have been paid. It was only after NotPetya and WannaCry made news that the issue of silent cyber assumed significance, because of the crippling losses they caused. A few of the cases grabbed the attention of the public at large because of the enormous damage they inflicted. The Mondelez and Merck cases, which are in the public domain, are noteworthy.
- Mondelez International filed a claim to the tune of USD 100 million with Zurich Insurance for losses attributed to the NotPetya cyber attack. This claim was repudiated based on the policy’s war exclusion.
- Merck also filed lawsuits against more than 20 insurers that rejected its claims under the war exclusion.
As regards some Indian insurance policies, IAR (Industrial All Risks) policy buyers are aware that there is no reference to cyber coverage under Section I – Material Damage cover, whereas under Section II – Business Interruption cover, the exclusion relating to cyber risk reads as under.
“Damage resulting from:
- a) deliberate erasure loss distortion or corruption of information on computer systems or other records programs or software.
- b) other erasure loss distortion or corruption of information on computer systems or other records programs or software unless resulting from fire, lightning, explosion, aircraft, impact by any road vehicle or animals, earthquake, hurricane, windstorm, flood, bursting overflowing discharging or leaking of water tanks apparatus or pipes in so far as it is not otherwise excluded unless caused by Damage to the machine or apparatus in which the records are mounted.”
However, in the recent past some insurers have started incorporating an endorsement excluding cyber cover for Section I as well. Some other insurers are offering add-ons to bridge the gap and provide specific cover for cyber.
Why should all this worry us?
Cyber risk permeates all classes of insurance and cuts across industry boundaries. A cyber event can trigger losses across various lines of insurance: property damage and business interruption resulting from computer systems failure / virus under property insurance, siphoning of money through phishing under crime insurance, product liability / recalls arising from security vulnerabilities under product liability / recall insurance, breach of contract / negligence claims under E&O insurance, and managerial negligence claims under D&O insurance (FedEx case).
Having recognized the need to avoid assuming unintended exposures / losses, and owing to regulatory intervention from bodies like the Prudential Regulation Authority (please see here the letter of PRA dated 30/01/2019), insurers have begun to address this issue by specifically including or excluding coverage. This is not an easy task, as cyber risk modelling for non-affirmative risks is in its nascence. These developments make it all the more necessary for insurance buyers to consider the following:
- Analyze cyber exposure in terms of severity and frequency under various lines of insurance, with the help of specialists
- Understand current coverage and exclusions
- Identify the gaps / uninsured cyber risk
- Identify classes which need inclusion of coverage
- Work with brokers / insurers and try to achieve an ideal balance between premium and coverage
- Continuously monitor developments because of the dynamic nature of the subject and work on course correction
Returning to the core issue of addressing non-affirmative coverage, new endorsements affirming or excluding coverage need to be understood clearly, keeping the above in mind. The following links would be of use for further reading:
Consultant – Liability Insurance
Disclaimer: The information contained and ideas expressed in this article represent only a general overview of subjects covered. It is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Insurance buyers should consult their insurance and legal advisors regarding specific coverage and/or legal issues.