Why even cyber policies might not cover cyber losses

Policies that don’t specifically include or exclude cyber losses (“silent cyber”) have long been a concern of insurers, but you’d think a data breach loss would be covered by a cyber policy, right?

Not always. The devil is sometimes in the details.

Elena Jelmini Cellerini, Swiss Re director, at Insurance Bureau of Canada’s Commercial Insurance Symposium.

Even cyber-specific policies are not always clear in their wordings, Swiss Re director Elena Jelmini Cellerini told attendees at Insurance Bureau of Canada’s (IBC) recent inaugural Commercial Insurance Symposium.

In one instance, Swiss Re found out through a forensic report that the insured knew about a vulnerability before the hack happened; there was an exclusion in the cyber policy for prior known acts.

“Yet when we looked at the wording of the exclusion, it said that for us to be able to use this exclusion, we had to prove that they knew about the vulnerability prior to the first policy… for this risk,” Cellerini said. “This had been a continuously renewed policy, so the first policy accepted for that risk was 2012. So, we couldn’t prove they knew about it before [then]; we could prove they knew about it before our policy.”

In fact, when Cellerini looked at 37 different cyber claims from the reinsurer, only 14 were notified to the “cyber tech” line. All others were notified to “traditional” policies, such as property. This, of course, falls in the realm of silent cyber – potential cyber-related losses from polices not specifically designed to cover or exclude cyber risk.

Swiss Re’s own analysis found that something like “data restoration/loss of documents” would be covered (or not) under different policies:

• yes, under a cyber policy
• no, under a general liability (GL) policy
• possibly, under a professional indemnity (PI) policy
• possibly, under a property policy
• no, under a D&O policy

Craig Duncan, head of claims at Munich Re.

“Probably for insureds who do not have a specific policy,” Cellerini speculated, “when they are faced with a cyber claim, they… see if the policies they have will actually pay for it, or for some of it.”

In another example, four Swiss Re clients were affected by the NotPetya cyberattack, notifying different policies for the same type of loss. Two law firms notified their lawyers’ PI policies, while a pharmaceutical company and a food company both notified their property policies.

For airlines that suffered system glitches and failure (similar facts and issues), two notified their property policy and one notified their cyber policy. A medical centre that also suffered system glitches and failure (but not similar facts and issues as the airlines) notified their healthcare PI/GL policy.

Craig Duncan, head of claims for Munich Re in Toronto, said during the presentation that most insurers are excluding cyber on basic CGL and property coverages and have introduced standalone cyber coverages.

“The [global insurance] industry is currently only paying 1% of total cyber losses and policyholders are unsure of the role that insurance can play,” Duncan said. “So we have a long way to go.”

Editor’s Note: Craig Duncan was initially misidentified in the above photo. Canadian Underwriter apologizes for the error.