The silent enemy

From the Spring 2020 issue.

It sounds obvious, and the solution to it simple. As cyber risks mount, with the interconnectedness of devices and networks, the growth in cloud technology and the increased sophistication of criminal gangs, carriers are piling up exposures. That applies even to carriers that do not deliberately cover the intangible assets associated with this specialist line and, unlike dedicated cyber underwriters, they are probably accumulating those exposures unknowingly.

“Silent” cyber has been in the purview of regulators including the Prudential Regulation Authority (PRA), the European Insurance and Occupational Pensions Authority and quasi-supervisor Lloyd’s for several years now. 

But tackling silent cyber is complex. It raises questions about where the risk should have its home, and risks upending the original intention of policies. Many carriers complain they’re being forced to act too fast, while insureds are finding themselves deprived of cover they thought was included, and with no concomitant reduction in premium.  

“You can’t name a line of business where a cyber peril could not impact an underwriter’s loss ratio,” says Keoghs partner Andrew Schutte.  

“But it’s not a question of putting a badge on the front and saying cyber is excluded or included. We are beginning to unpack problems of detail that may not be the same in every policy you approach.” 

Brokers are concerned that UK property underwriters are erring on the side of broad-brush cyber exclusions, emboldened by the hardening market. They also worry that efforts to endorse or affirm cyber have sowed confusion and exposed grey areas in coverage. 

As Marsh JLT Specialty head of cyber, international, Sarah Stephens says: “Clients absolutely are on the same page as regulators and Lloyd’s about wanting clarity. There’s a desire to have a simpler, clearer solution. The big area of debate is how we achieve that clarity.” 

Mounting dangers 

A PRA survey suggested that silent cyber exposure could lead to a loss on a par with a major US natural catastrophe. 

The problem has evolved with the morphing nature of the cyber threat. It is well known now that a cyber incident can cause physical damage, implicating property policies that would not necessarily have priced for the risk.

Though such incidents are still relatively rare, a notable example of a cyber event causing physical damage was the December 2015 malware attack on three power utilities in western Ukraine, which caused a supply shutdown affecting an estimated 230,000 people. 

The NotPetya attack in 2017 was another landmark event in the industry’s – and the regulators’ – awakening to the silent cyber problem, with litigation between drugs giant Merck and its insurers, and between foodmaker Mondelez and Zurich, arising from coverage disputes. 

Estimates of the (re)insurance industry’s NotPetya losses put up to 90 percent of them as non-affirmative.  

Industry response 

In the power sector, an early response to the reality that cyber attacks can cause physical damage was full or partial write-backs of the standard CL380 cyber property policy exclusion for malicious events. 

At carrier level, Allianz was early out of the blocks in 2018 when it embarked on a mammoth wordings review to tackle silent cyber. And AIG said last September it would affirmatively cover or explicitly exclude cyber exposures across virtually all of its global commercial P&C portfolio by this January. 

On the regulatory side, last year the PRA ordered UK carriers to develop action plans to address silent, or non-affirmative, cyber exposure. Lloyd’s went further in July and called on syndicates to either affirm or exclude cyber through a rolling programme of coverage changes starting with first-party property classes in January. 

But confusion persists. As Marsh JLT’s Stephens says: “We’ve ended up with 30-plus potential clauses – some gave clarity, many were exclusionary rather than affirmative and a lot ended up unfortunately removing coverage for technology that is inherent in any business.” 

Underwriters, meanwhile, have struggled with Lloyd’s timetable. In response, the Corporation said in January that carriers writing third-party liability classes, including general liability and financial and professional risks, would have until 1 January next year to affirm or exclude cyber.  

Lloyd’s head of underwriting Caroline Dunn says: “One of the learnings of the process was to give time for the wordings to be developed and launched well in advance. Third-party lines of business have their unique challenges and whilst we want to achieve clarity we want to do it in a planned way.” 

Minding the language 

The Lloyd’s Market Association (LMA) has been working hard on cyber endorsement or exclusion language and within four months of Lloyd’s July edict had produced wordings for property direct and facultative (5400 and 5401) and marine cyber (5402 and 5403).  

But Lloyd’s timetable for the roll-out remains challenging. According to the LMA’s deputy director of underwriting, Patrick Davison: “The principle of what they are doing is absolutely right but based on the feedback that we’ve been providing them and that they’ve got directly from market, they’ve acknowledged that without very careful thought you might actually be muddying the waters.” 

Third-party casualty lines have historically tended to be silent on cyber. The policies insure against third-party damage to tangible property and third-party personal injury rather than computer data. And as there are so many other causes of third-party liability, affirming cyber suddenly risks limiting the cover if losses are caused by triggers that are not expressly named.

The LMA’s Davison says he hopes Lloyd’s will adjust the roll-out once more if wordings for some of the most problematic lines aren’t ready later this year.  

“It’s not to anyone’s benefit to force the market to move if something isn’t fit for purpose,” he says. 

The company market has been carrying out similar work to the LMA on changing wordings but without the same gun to its head.  

The International Underwriting Association (IUA) has established a new non-affirmative cyber risks committee, which recently met for the first time. 

The IUA’s Tom Hughes, who is secretary of the committee, says: “Our work is doing far more than looking at wordings, it’s about understanding. Every one of our underwriting companies is having very detailed conversations about the implications of silent cyber. Cyber risk itself has changed – technology has changed – it’s about making sure the understanding is there.” 

Like the LMA, the IUA has found affirming cyber cover on all-risks policies to be one of its challenges.

Other challenges underwriters have found include the fact that adding affirmative cyber language to all-risks policies could negate deliberate exclusions, such as those for war and terrorism. Placing exclusions or affirmations in multi-line policies is also problematic.

Keoghs’ Schutte also warns that in some regulated areas wordings can’t be changed willy-nilly. That applies in certain US states and also to UK solicitors’ professional indemnity insurance, where the wording is agreed with the Solicitors Regulation Authority.  

Questions of intent 

Both the PRA and Lloyd’s define cyber risk as insurance contracts being exposed to cyber-related losses resulting from both malicious and non-malicious acts. But this is also an area of discord between brokers and underwriters.

Marsh says the distinction between malicious and non-malicious cyber damage introduced in the LMA’s clause 5400 for property direct and facultative business is problematic: under the clause a non-malicious computer incident is covered only if fire or explosion results, whereas a “malicious” cyber event is always excluded. The definition of “malicious” is broad and includes any unauthorised use of a computer, the broker argues.

A thornier debate still is how non-malicious cyber should be covered. One high-profile example of a non-malicious cyber event was the IT failure at British Airways in August 2019, the second in little more than two years, which left tens of thousands of passengers stranded. Part of the problem is the Pandora’s box of causes for a company’s systems meltdown. 

Keoghs’ Schutte says: “An operator’s error policy might cover a problem with an insured’s own system, but will it cover problems with someone else’s – like a cloud service provider? Some would, some wouldn’t – and some would want an agreement with the cloud service provider in order to try to focus on the systemic risk.” 

But Marsh JLT’s Stephens says the problem goes beyond underwriters’ ability to evaluate the non-malicious cyber risk. 

“Some underwriters do not appreciate how fundamental technology is to business operations of all types and therefore how integral a failure of technology could be to a subsequent property damage loss,” she says.  

“Our view is that underwriters should focus much more on the ensuing damage versus the underlying trigger; i.e. the property market should cover property damage however occasioned and the cyber market should cover the intangible consequences of a malicious or non-malicious cyber incident.” 

The future 

A big question as underwriters affirm or exclude is whether their actions are being accompanied by appropriate adjustments to pricing. 

Throwing affirmations in for free could be highly dangerous, but excluding without any rate concession is hardly a recipe for customer loyalty. 

Some fear that Lloyd’s hawkish stance on silent cyber could force insureds into other markets for their cyber needs as exclusions multiply, but Lloyd’s head of underwriting Dunn says she’s seen no evidence that that has happened.  

What looks more likely is that the carrier clampdown will strengthen and vindicate the standalone cyber market.  

There are, of course, specialist cyber products out there that expressly plug the property damage deficit. Brit Cyber Attack Plus is one example, and Tokio Marine Kiln’s new Cyber Ctrl PD+ is another. 

But some cyber specialists remain purists. CFC Underwriting cyber product leader James Burns says: “There’s a difference between cyber as an asset-based policy and cyber as a trigger – it’s not entirely clear that people are making the distinction.” 

He adds: “I’d like to think we will get to a stage where we’ve taken big steps forward as an industry at getting a handle on the nuances that exist and we’ll be able to have insurance products with the right homes.” 

Keoghs’ Schutte says that in addition to pursuing contract certainty and clarity through wordings overhauls, a massive education process is still required. 

“The market needs to engage in the necessary detail and really understand what the product is there for,” he says. “We need a general improvement and upskilling in the market among underwriters across different classes of business.” 
