Spotlight on Emerging Issues: Silent Cyber
What is Silent Cyber?
Silent Cyber refers to potential cyber-related losses contained within traditional insurance policy wordings, which insurers argue were not originally intended to cover cyber risk. It is also known as ‘non-affirmative’ cyber.
Unlike specialised cyber insurance solutions available today, traditional property and liability policy wordings were developed at a time when cyber risk was unknown and consequently not intended to include, or exclude, cyber risk. This leads to ambiguity about what is covered, and can result in a “silent cyber” scenario where insurers may (or may not) pay claims for the cyber loss.
One of the challenges is a lack of consistency across the industry on how to address Silent Cyber. Insurer responses vary greatly. Marsh continues to work closely with insurers and global colleagues to ensure the most beneficial position for its clients.
What are the potential risks?
Cyber claims and liabilities are commonly assumed to involve the exposure or compromise of personally identifiable information. However, as businesses become more dependent on digital technology and cyber hackers become more sophisticated, the growing concern is that cyber risk will increasingly cause bodily injury or property damage.
The following examples demonstrate that many commonplace devices and controls are vulnerable to compromise:
- Factories operating computer automation and programmable logic controls. An attack could cause malfunctions resulting in both bodily injury and property damage;
- Security systems that are controlled by smartphones or computers. If compromised, these could result in burglaries or assaults;
- Implanted medical devices being accessed remotely, with the obvious risk of bodily injury.
As businesses become increasingly reliant on technology, the potential impact of cyber-related incidents will continue to grow. Cyber risk can have far-reaching implications for all businesses as this is a constantly shifting risk landscape.
Why do I need to be concerned?
As a consequence of increasing regulatory requirements, the immediate concern, as it relates to traditional insurance wordings, is the lack of clarity and the inconsistent approach of insurers.
There is no standard language in either traditional or cyber policies, and as the risk continues to evolve, non-affirmative language within a traditional insurance policy will be subject to interpretation by insurers and ultimately courts.
Which policies contain silent or non-affirmative cyber?
Silent Cyber arises across varying insurance policy wordings because technology is present in all aspects of everyday life.
Whilst property and liability are the most likely to contain non-affirmative language, this also exists within directors and officers, professional indemnity, aviation, marine, motor, transport (including autonomous vehicles) and householders (smart house technology) policy wordings.
What options are available to ensure cover?
The treatment of this risk varies across the insurance industry. Insurer responses include the following options:
- Remaining silent by choosing not to affirm that their policy does, or does not, cover cyber-related exposure. This is the most common approach and may lead to cover ambiguity, e.g. the recent case of Mondelez v Zurich Insurance demonstrates the considerable legal costs involved in clarifying cover where the wording lacks clarity;
- Affirming cyber coverage within traditional policies, redressing the exposure to varying degrees. This affirmative language provides a full exclusion with small amounts of write-back for affirmative cover;
- Data Breach exclusions within liability policies with no write-back for personal injury (including mental anguish);
- Providing a stand-alone cyber cover option and imposing clear cyber exclusions on traditional policies.
To date, insurers have largely been driven by prudential regulations in the UK, which require insurers to manage and identify their silent cyber underwriting exposure. As other regions catch up, the noise around silent cyber will intensify.
What can I do?
- Ensure that cyber risk management is embedded within business strategies and operations;
- Contact your Marsh representative to discuss policies that may contain Silent Cyber.
Marsh has a dedicated Cyber Team that can assist clients to better understand and manage their cyber risk and exposures.