One of the hot topics for mainstream P&C insurers these days is dealing with “silent cyber” – that is, the coverage for cyber-related losses in traditional property and casualty insurance policies. There are a number of initiatives underway in the insurance underwriting community as insurers try to address silent cyber. However, as noted in an interesting January 14, 2020 memo from the Covington law firm entitled “The Noise About ‘Silent Cyber’ Insurance Coverage” (here), these initiatives have important implications for policyholders. Among other things, these initiatives potentially could result in a gap in policyholders’ coverage for cyber-related losses, as discussed below.
The possibility that insurance coverage for cyber-related losses might be found in various insurance coverages in a policyholder’s insurance program is what many insurance industry commentators have called “silent cyber,” which is usually described in contrast to “affirmative cyber.”
What is called “affirmative cyber” is the coverage available for cybersecurity-related incidents in purpose-built policies. “Silent cyber” is the possibility that insurance coverage for cyber-related losses may be found in other insurance policies, policies that the insurers would argue were not built with the possibility of coverage for cybersecurity-related losses in mind.
The traditional policies that potentially might wind up covering cyber-related losses do not necessarily grant affirmative coverage for cyber-related perils, but – at least historically – they do not expressly exclude cyber perils or cyber risks, either.
The possibility that these kinds of policies might provide coverage for cyber-related losses has set off alarm bells among insurance underwriters. Insurers’ concerns in this regard are undoubtedly further stirred by several high-profile cases now pending (and discussed at length here) where policyholders are seeking to find coverage for cyber-related losses under GL and property insurance policies. As the Covington law firm’s memo notes, one particular area of concern is the possibility for property insurers of picking up losses associated with cyber-physical risks (say, for example, where property damage results from a data breach or other cyber incident).
There have been a number of initiatives in London surrounding these concerns, from the UK financial regulator, on the one hand, and from the insurance markets themselves on the other hand. (The law firm memo helpfully links to many of the primary documents related to these initiatives.) Among other things, the London market (that is, the non-Lloyd’s market) has released certain proposed exclusions that underwriters can use to try to shield themselves from cyber-related losses. The Lloyd’s market has told its members that they must be clear on whether their products cover or exclude cyber-related losses. Insurers in other markets in Europe and in the United States are taking similar steps.
The Law Firm Memo’s Recommendations
In light of these marketplace initiatives and the possibility for changed terms or even the addition of exclusions, the law firm memo has a number of recommendations for policyholders. As a general matter, the memo proposes that policyholders “will need to deploy even greater vigilance and expertise at policy renewal time to ensure adequate protection from cyber-related risks.” Specifically, the memo recommends the following.
First, the memo suggests that the holders of “property, general liability and marine insurance, among other traditional coverages, should carefully review their policies at renewal time, as they may reflect new terms purporting to redefine their coverage away from such risks.” An important corollary of this is the suggestion that, “to the extent practicable,” policyholders should “resist or limit the addition of new cyber exclusions in traditional property/casualty insurance policies.”
Second, as insurers move to try to exclude cyber-related losses under these other traditional coverages, and in light of the common exclusions in cyber forms for risks such as physical injury or damage, policyholders should “carefully review and harmonize their lines of coverage at renewal,” to preclude insurers from introducing an exclusion in the traditional lines that is so broad that it “opens a new gap between traditional and cyber coverages.” Policyholders will also want to ensure that “they have not potentially lost a non-cyber aspect of their traditional coverage” if an exclusion is introduced.
Third, and in the alternative, the memo suggests that policyholders consider new products “designed to fill cyber-related gaps” (through “affirmative cover”). Examples include broader cyber insurance that expressly covers liability for physical bodily injury and property damage arising from cyber perils.
Fourth, policyholders should keep in mind that insurance should only be a part of their organization’s risk management program. Companies should consider and deploy other available risk management mechanisms, such as vendor contracts or even the use of captives for other types of risk.
The memo has further advice for policyholders that have experienced a cyber incident – that is, for policyholders to look across their entire insurance portfolio to identify all policies that might potentially provide coverage. Readers of this blog will be interested to note that among the specific types of policies that the authors suggest policyholders should consider are D&O, E&O, Crime, and K&R policies. The memo suggests further that policyholders should provide notice to all of these insurers and otherwise take steps to try to preserve potential coverage under those policies.
One final note the memo’s authors make is the suggestion that in fighting for coverage under earlier issued policies, policyholders may be able to argue that the later addition of cyber exclusions or other restrictions to later-issued policies “is effective evidence that the prior policy at issue provided ‘silent cyber’ cover for the loss.”
In my view, the authors’ suggestion that policyholders that have experienced a cyber incident provide notice to all potentially involved insurers is a sound recommendation, as policyholders should make every effort to try to preserve the possibility of coverage wherever it may be found.
The authors’ mention of the policyholders’ D&O insurance policies is interesting to me. I am frequently asked by persons outside the D&O insurance about whether D&O insurers have been trying to add terms, conditions, or exclusions to try to restrict coverage available under the policy for cyber-related losses. So far, I am not aware of any comprehensive effort by any mainstream D&O insurer to try to preclude coverage under their policies for cyber losses, even though there have been a number of high-profile D&O claims arising out of cyber incidents.
In my view, but for the fact that the cyber-related D&O claims involve cybersecurity concerns, they are otherwise plain vanilla D&O claims that by all rights ought to be covered under the D&O policy. However, given the insurance industry’s overall alarm about cyber losses and about “silent cyber,” it is important for policyholders and those that counsel them to be vigilant for insurer efforts to restrict coverage for D&O claims arising out of cyber-related incidents.
Of all of the specific points in the authors’ memo, the one of greatest concern to me is their point about the possibility for a “gap” in coverage to emerge as traditional property and casualty insurers try to add restrictions or exclusions to eliminate the possibility for “silent cyber” coverage under their policies.
The reason this is of concern to me is that, in our world of specialization, the insurance advisor that is counseling companies about their cyber insurance may be unaware of changes in their client’s traditional property or casualty insurance program. Given the possibility for what the authors called a “gap,” it will be important for everyone involved in assessing a company’s insurance for cyber risks to understand what limitations are being added elsewhere in a policyholder’s insurance program.