The status of ‘silent cyber’ in the insurance industry

Silent cyber has long been a thorn in the side of some insurers, and it doesn’t look like the issue will be resolved any time soon.

Part of the issue is that the cyber market doesn’t exist to cater to traditional assets being compromised by new technologies, said James Burns, cyber product leader with CFC Underwriting. The industry still needs clarity around the purpose of standalone cyber policies, which cover situations in which a non-physical cyber attack triggers damage to a company’s intangible assets.

Silent cyber refers to potential cyber-related losses arising from coverage under insurance policies not specifically designed to cover cyber risk, according to Willis Towers Watson. While Willis Re said in its 2019 Silent Cyber Risk Outlook last August that the insurance industry is considerably less concerned about silent cyber exposures than it was in 2018, that doesn’t mean the industry is out of the woods.

“This might be because there were no wide-scale cyber events that impacted the prior 12 months, unlike at the time of the 2018 survey, when the NotPetya and WannaCry malware events of the previous year were still fresh in everyone’s collective memory,” said the report, released last August. “It might also reflect progress made by insurers in mitigating their silent cyber exposures.”

Canadian Underwriter recently spoke with Burns about where the industry is at with silent cyber, and if it’s becoming clearer what is and isn’t considered “cyber.”

“It feels like things are starting to move a little bit when it comes to silent cyber,” Burns said. “You’re starting to see Lloyd’s, for example, put some guidance out around what it expects syndicates and insurers to do when it comes to making it clear where cyber cover is and isn’t being given in more traditional policies.”

This change is needed to help clients know where cyber cover exists within their policies, Burns said. But it’s also sorely needed on the part of insurers to make sure cyber risk is traced and addressed within insurance portfolios. “Where the challenge still remains is that it’s still not entirely clear that people are making a distinction between cyber as an asset-based policy and cyber as a trigger,” he said. “I think where we need to get to is a stage where we recognize what the standalone cyber insurance market is there for.”

The standalone cyber insurance market exists to provide cover for a company’s intangible assets against non-physical risks and exposures, Burns explained. “We’re there to deal with the company’s data networks’ electronic funds. What the cyber market isn’t necessarily there to cater to is traditional assets being compromised by new technologies.”

An example would be the automotive industry. “Is it right that a non-physical attack against the car that leads to the car crashing is picked up by the cyber market?” Burns asked. “That level of nuance is what we haven’t addressed yet. To me, the automotive market needs to be updated. If cars crash on the street, that tends to be a risk or scenario that insureds expect their motor and auto policies to pick up. So [insurer]s shouldn’t necessarily be excluding cyber for that eventual scenario.”

However, someone hacking in and stealing a load of data is something someone expects their non-physical asset markets to pick, Burns said, referring to the standalone cyber market.

“So, there’s movement happening and the discussion is moving on and we’re addressing silent cyber, but I still think there’s a lot more discussion to be held until we get to the optimal outcome for our clients.”