With events such as the WannaCry ransomware attack of 2017, a number of silent cyber issues have developed into very public property policy coverage disputes, according to Lyndsey Bauer, partner at Paragon.
Because cyber risk is now a pervasive threat to all operating entities, it impacts practically every line of commercial insurance. Yet, it remains unaddressed in many lines of insurance.
The lack of clarity in some standard property and casualty policies can lead to confusion or misunderstanding about coverage for cyber risks. Simultaneously, an insurer covering a loss it had not contemplated can jeopardise its credit rating and/or financial solvency. We refer to these potential cyber exposures as ‘silent’ cyber or ‘non-affirmative’ cyber.
Is silence desirable or not?
Silence provides an argument for cover, but such coverage cannot be relied upon. The coverage outcome is uncertain and the situation would likely evolve into a legal dispute. An insurer, in aggregate, may pay one loss it does not believe is covered before amending its forms. Silence may provide a short-term win, but that really is only delaying the inevitable and, ultimately, too much uncertainty will no doubt be distressing when a claim is to be made.
Silence therefore leads some companies to believe that they have adequate cover for cyber risk when they do not. Non-affirmative language within a traditional insurance policy may also be subject to differing interpretation by insurers, which could lead to legal disputes.
Silent cyber is resulting in claims being made which insurers have not underwritten nor charged for. This silence is more about slow insurance product development, rather than a reflection of insurer appetite.
Potential arguments for denying cover
- The basis of insurability
For a loss to be insurable, it must relate to a definite and measurable risk. Without information, an insurance company can produce neither a reasonable benefit amount nor a premium cost. If submission materials do not address cyber risk or risk management, the risk has not been measured and would therefore not meet this requirement.
The loss must also be fortuitous – it must have occurred due to chance. It has to be the result of an unintended action and has to be unexpected in its exact timing and impact. Unless an organisation were to intentionally leave cyber risk unmanaged, cyber loss will likely meet the criteria.
An insurable loss should not be catastrophic in nature. Catastrophic loss refers to two kinds of risk. One of those is where the risk is so large that the premium would be inefficient or where no insurer could hope to pay for the loss. Silent cyber could fall into this category.
Another is where the catastrophic risk involves an unpredictably large loss of value that is not anticipated by either the insurer or the policyholder. Silent cyber has likely not been underwritten; therefore, the risk is not anticipated by the insurer and may not meet this requirement.
Exclusions can typically be found across most policies for catastrophic events such as floods, pollution, nuclear, war and terrorism. However, cyber events as triggers for loss are not explicitly included or excluded. Often, cyber exclusionary language within the policy is ambiguous or absent altogether.
- Obligations under the Insurance Act of 2015:
A loss not underwritten is not insured
The Insurance Act of 2015 affects the way in which business is underwritten and placed. It also changes the remedies of insurers for non-disclosure and misrepresentation, breach of warranty and fraudulent claims.
The assured is required to make a fair presentation of the risk. This represents a fundamental shift from the doctrine of “utmost good faith” (enshrined in section 17 of the Marine Insurance Act of 1906 (MIA)). That is not a new concept – in fact, there is an element of going ‘back to the future’.
The Insurance Act of 2015 creates a positive duty of inquiry for the insurer. Also, an assured is not required to disclose information that an insurer already knows (Section 5 (1)); or information that it ought to know (Section 5 (2)); or information that it is presumed to know (Section 5 (3)). As is the case now, an insurer will also be presumed to know things that are common knowledge.
Cyber risk is a known risk – however, no one but the company itself would know better about its exposure to cyber risk. The underwriter should ask the insured about its exposures, but likewise, there is a duty on the insured to present cyber risk and risk management to the underwriters.
Why is silent cyber an issue now?
In large part, silent cyber has become an issue recently due to events such as the WannaCry, Petya and NotPetya attacks in 2017, which have been classified as cyber catastrophe events. Consequently, the focus of the insurance and reinsurance industry has shifted from potential large professional lines cyber-related losses to the potential impact on the property market, through both affirmative and non-affirmative cyber losses.
According to Property Claim Services (PCS), the total industry loss from the Petya/NotPetya cyber-attacks has now surpassed $3 billion (£2.3 billion). Of these losses, 90% were driven by silent cyber impacts, while the rest stemmed from affirmative losses.
A number of silent cyber issues developed into very public property policy coverage disputes, such as the case of the US food company Mondelez, which sued its insurer, alleging that it was wrongfully denied a claim under a property insurance policy for losses incurred in 2017’s NotPetya malware attack. In that case, the argument for silent cyber coverage was undermined by a war exclusion clause.
Regulators and global insurers have sought to deal with non-affirmative cyber risks and exposures within property and casualty (P&C) insurance portfolios. In the UK, the agenda on this issue has been driven by the Prudential Regulation Authority (PRA) and Lloyd’s of London.
In a letter to all UK insurers issued in January 2019, the PRA stated that they must have “action plans to reduce the unintended exposure that can be caused by non-affirmative cyber cover”. Later that year, Lloyd’s issued a market bulletin mandating that all policies need to be clear on whether coverage is provided for losses caused by a cyber event, in order to eliminate silent cyber exposure. This was to be achieved by either excluding from or affirmatively covering the exposure in all P&C policies by 1 January 2020, commencing with First Party Property Insurance in this initial phase of the mandate.
The move to address silent cyber has resulted in two trends that the risk manager needs to navigate:
- Overly broad exclusions
- Affirmative language that is limiting by triggering coverage on how the event happened – that is, was it malicious or not malicious?
Obviously, the acceptance of an exclusion highlights that something is not covered. But silence is not certainty of coverage.
The good news and the bad news is that cyber risk – silent or otherwise – is not addressed consistently in the broader P&C market, including within cyber insurance. This means that if there is coverage that your firm has identified as a priority, you can likely find coverage for it. It may be negotiated with existing insurers or can be created for a premium, and will depend on the submission materials made available.
We saw this when Employment Practices Liability (EPL) cover was excluded from D&O policies and a new product was developed to cover the risk. The market has always evolved and still does.
Each organisation needs to identify whether the loss of uncertain cover flags an issue for it and whether it needs to seek certainty of coverage.
What is cyber insurance?
Cyber insurance is available to cover organisations for certain first-party and third-party exposures arising from various cyber perils, thereby offering affirmative cover. But there is no standard cyber policy.
It is very important to note that some policies are written to respond to DATA DISCLOSURE (privacy) Injury only. This type of cover may be less expensive than the alternatives but would not suit a business that is not responsible for the confidentiality of personal information.
Many will respond more broadly to damage arising from NETWORK EVENTS (security). There are variations on this, which can have a malicious act trigger (internal or external), a negligent systems operations trigger and, in some cases, also an “unplanned system outage trigger”.
All will respond to the insured’s privacy liability, whether or not that arises from third-party vendors. Some will provide business interruption cover when this is caused to the insured by third-party vendors.
What can the policyholder do?
Understand that your coverage will change. What that means to each insured will vary.
Fortunately, there are insurers who are willing to offer significant coverage. You may be able to negotiate affirmative cover with insurers or seek alternative risk transfer products, as in the cyber market, and there is always a market willing to develop manuscript policies to address specific gaps.
What you need to do is give yourself as much time as you can and to think conservatively – think of these renewals less in terms of ‘what you can get’ and more in terms of ‘what you can keep’.
This is happening in an already challenging marketplace. Many insurers across product lines are pushing for premium rate adequacy, and renewals
- Incident response: To determine what happened, how to repair the damage, to reduce downtime and to meet privacy regulatory requirements.
- Lawsuits and private regulatory investigations: This includes legal fees associated with a breach of confidentiality, legal settlements and also regulatory fines where insurable.
- Extortion: Costs such as ransom payments and IT forensic expenses.
- Business losses: Monetary losses experienced by network downtime or cyber incident, data loss recovery, cyber ransom payments and costs involved in managing a crisis, including PR services.
Your organisation will need to determine its own specific renewal priority – whether that is programme limits, premium spend or coverage. Living with an exclusion will be the path of least resistance, putting the least pressure on available limits or renewal pricing, but it will highlight coverages you do not have. You can almost certainly find a way to address any gaps with underwriting information and for a premium.
Insureds and their brokers will need to work closely together to identify coverage at risk and plan from there.
If coverage is the priority, you and your broker will need a strategy to align coverage across your portfolio. This will add yet more time to the process, especially due to the prevalence of inconsistent definitions and inconsistent triggers (event versus consequence).
Whichever is your priority, collecting the information required by the underwriters will take time. There are many cyber risk stakeholders in your organisation whose feedback will be required in order to make a fair presentation of risk. You may need to lock in the availability of the C-suite members to present to the market.
Presenting the risk to the market or markets will also take time. Standard renewals are taking longer, in part due to Covid-19, but also because underwriters are requiring more information and because the market is hardening, and more market feedback is being sought and therefore needs to be reviewed.
Insurers and regulators are taking action to address the risk of silent cyber. Policy language is evolving and that is impacting coverage. Insureds can lose the argument for coverage. Besides being untested, the drafted language could also overreach.
Policyholders face the challenges of getting inconsistent responses from their insurers, inadvertent loss of intended coverage and programme gaps.
Finally, insureds should prepare for renewal – they should develop a strategy, identify renewal priorities, approach the market with C-suite support and always review feedback.
To access the full paper, produced jointly by the UK’s risk management association Airmic and Paragon, click here.