In a world that is increasingly reliant on digital technology, it’s hard to think of a line of business that isn’t impacted in some way by cyber as a peril. To put this in context, Munich Re recently assessed that cyber as a line of business currently accounts for around $6 billion in premium worldwide. That is around 0.2% of total worldwide non-life premium, which is around $3 trillion, according to Swiss Re.
Leaving aside cyber as a specific line of business, cyber as a peril in other lines is sometimes underwritten and priced by insurers, but more often it is not. This is partly because most policy forms were written in the pre-digital era and have not been updated to specifically address emerging exposures arising out of the use of digital technology.
This leads to a huge grey area where cyber coverage may be available under policies that were not originally designed for this exposure. This is the so-called ‘silent cyber’ coverage.
For example, under property forms, does data constitute ‘property’? And does an unattributed malware attack trigger the War Exclusion? The nine-figure Merck and Mondelez coverage disputes arising out of the 2017 NotPetya malware attack reveal how potentially costly this grey area can be.
Market responses to address silent cyber
The problems presented by silent cyber risk accumulation have been known for some time. As long ago as November 2016, before the WannaCry and NotPetya cyberattacks, the Prudential Regulatory Authority (PRA), the UK regulator responsible for insurance, sent out a directive that proved prescient. It warned: “The PRA’s view is that the potential for a significant ‘silent’ cyber insurance loss is increasing with time. As both ‘silent’ cyber insurance awareness and the frequency of cyber attacks grow, so does the potential from ‘silent’ cyber exposures. Insurance firms may find it increasingly challenging to argue that all risks or other liability policies did not intend to cover this type of risk, given the publicity and awareness of the issue.”
Other regulators and the rating agencies have been less vocal about the issue and, until recently, efforts to address silent cyber have been limited. Some insurers, most notably in the speciality mutual sector, updated their policies in the mid-2010s to provide clarity of coverage on cyber. But movement elsewhere has been sporadic, at least until recently. Lloyd’s, ISO and individual insurers have crafted their own exclusions that have been applied for a number of years to varying degrees on individual lines of business, and cyber sub-limits have been applied as another way to limit exposure. However, in a competitive market environment, most insurers have been reluctant to be first movers for fear of losing business to competitors.
This started to change in 2019 when Allianz became the first commercial insurer to adopt a broader-scale approach to addressing silent cyber. In November 2018, its Global Corporate and Speciality unit advised that it was updating coverage in 2019 to provide clarity so that physical damage and bodily injury arising from cyber events would generally continue to be covered under corporate, commercial and speciality policies whereas cyber-related “pure financial loss” without physical damage or injury would be covered under specific cyber policies only.
Other insurers have started to follow suit. In a follow-up to its earlier directives on silent cyber, the PRA sent a letter in January 2019 to insurers requiring them to develop an action plan to reduce exposure to silent cyber by mid-year, with clear milestones by which action would be taken.
As a response, in July 2019, Lloyd’s announced that “all policies provide clarity regarding cyber coverage by either excluding or providing affirmative coverage.” Lloyd’s made clear that this announcement was applicable to all first-party property damage policies (including cargo, marine war and marine hull) incepting on or after 1 January 2020 and to all liability and treaty reinsurance to be phased in throughout 2020/2021.
In September 2019, AIG added its voice and stated that property and casualty policies globally should be clear about the cyber coverage they provide. “For the most part, across the industry, typical P&C policies have not been written to adequately deal with cyber exposure,” said Tracie Grella, Global Head of Cyber Insurance. As a response, the company announced a shift to affirmative cyber coverages and exclusions.
Other insurers have started to follow the lead of Allianz, AIG and Lloyd’s, indicating a growing momentum among insurers to address the issue, at least in some commercial lines of business. But there is still a long way to go. It takes a lot to achieve clarity on $3 trillion of non-life premium across multiple lines. For the time being at least, the jury is out on how effective the measures will be to clarify coverage for silent cyber.
In the meantime, cyber exposures continue to grow. Expenditure on cloud computing is projected to increase to $331 billion in 2022, up from $182 billion in 2018, according to Gartner, the research firm. The number of Internet of Things (IoT) devices doubled from 15 billion to 30 billion between 2015 and 2020 and is expected to grow to 75 billion by 2025, based on research by Statista. This explosive growth in the use of digital technology has significant exposure implications for commercial insurers as well as personal lines insurers of homes and cars. It is therefore in the interest of the insurance industry to be clear on how its policies address these exposures before a major cyber event forces its hand.
Over time, silent cyber coverage will become affirmative and specifically priced cyber coverage, either by way of separate coverage grants or sub-limits under traditional insurance lines of business or under stand-alone cyber policies. The proactive approach taken by major carriers and insurance markets such as Allianz, AIG and Lloyd’s over the past year indicates there is a growing momentum to do this. However, silent cyber represents a deeply pervasive issue that will require an extensive shift in approach if clarity of coverage is to be achieved more broadly across the market.
Willis Re Global Cyber Practice Group Leader
Head of FINEX and Casualty, Leader for Financial and Services Sector
Willis Towers Watson Polska