Silent cyber: how to ensure your organisation is protected

This article presents key cyber insurance policy gap considerations to help businesses address the growing challenges of silent cyber risk.

Silent cyber in insurance – the gap threatening companies

Traditional insurance policies written prior to the recent boom of cybercrime incidents can present significant exposure for all companies, regardless of size, industry or sector. Where an insurance policy doesn’t include cyber protection, or where it doesn’t explicitly exclude it, the policy generates an unknown or unquantifiable level of cyber exposure, otherwise known as silent cyber risk. This type of risk can lead to uncertainty for both the insurer and insured around payment of claims caused by cyber events.

As businesses rely more on technology to operate, silent cyber issues remain a key consideration as insurers grapple with how best to manage this exposure with traditional insurance programs and products. For this reason, insurers and regulators have acted swiftly to create coverage certainty under both standalone cyber insurance and non-cyber policies.

This article presents some key cyber insurance policy gap considerations for your executives to review and address.

Silent cyber: why it’s an issue

Businesses continue to grapple with growing challenges in the face of silent cyber risk. Two key concerns include:

  • Retaining control of operational systems: many business assets are now remotely connected and operated, and therefore potentially vulnerable to an attack from criminals who seek to damage and disrupt physical assets remotely.
  • Suffering damage or loss, even when your company isn’t the direct target: cyber attacks have moved beyond data breaches to sophisticated schemes designed to disrupt businesses and supply chains – if one of your suppliers can’t deliver, you need to consider the impact this could have on your business.

And from an insurer’s perspective, claims stemming from cyber events, which have neither been underwritten nor charged for, create unmeasured exposure within insurer portfolios.

Insurer response to silent cyber gap

Insurers have taken swift action in an effort to address the silent cyber gap and clarify coverage parameters. However, in their haste to address the ambiguity, they have favoured exceedingly broad exclusions over affirming cyber as an inclusion.

In July 2019, Lloyd’s became the first to mandate that all policies would clearly articulate coverage for losses caused by a cyber event – either by including coverage or by excluding it. Since this action was taken, other insurers have followed suit.

The introduction of various exclusions on traditional policies saw cyber-linked coverage either entirely removed (eg LMA 5401[1]) or significantly limited (eg to non-malicious acts, LMA 5400[1]). While the act of endorsing a policy to address the ‘silence’ has removed the ambiguity around cyber-related events, the exclusions that prevailed in the market completely ignored the fact that technology was, and still remains, integral to business operations.

Options for managing cyber risk

In an effort to manage the cyber gap that has emerged, your company or business ought to examine the exclusions listed under non-cyber policies. Where these exclusions limit or fully remove cover, your options to manage exposure may include:

  1. Negotiate to include cover for cyber triggered events under your general insurance policy. This removes onerous exclusions in full, and works for combined general liability policies, where cyber property damage (see 3 below) is not available as a solution.
  2. Modify the exclusion on your general insurance policy to one that is not a complete exclusion, mainly via a dedicated write-back offered by the insurer.
  3. Purchase a standalone policy (eg a cyber property damage policy) to fill the cover gap (eg for property damage) created by the general exclusion under the general insurance policy. This can also be combined with traditional cyber coverage for non-physical events.

Ultimately, your decision around which of these options to proceed with should be reviewed in line with your organisation’s overall risk tolerance and profile.

Standalone cyber cover – initial considerations for businesses

If your company is considering a standalone cover as an option to fill the insurance gap, it’s important to first examine the policy and understand the implications before committing to the purchase.

First and foremost, it’s important to pay attention to the insurance market of the industry or sector in which your company operates, as this can determine an insurer’s capacity to cover all of your risk. For example, even though it’s still in the early stages of development, the cyber property damage market has grown in recent years and is gathering traction amongst a wide range of markets. In terms of cyber property damage, Marsh estimates that while there is approximately $500 million of capacity for any one risk globally, there is an ability to build individual policies of up to $250 million with confidence.

Consider your deductibles. For example, cyber property damage policies are designed to cover the gap that emerges from cyber-specific exclusions on a property policy. For this reason, clients generally elect to have deductibles directly mirror the property policy, although alternative options are available.

Understand the limits that may apply. For example, cyber property damage cover can be purchased either as a standalone program or in conjunction with a traditional cyber policy. Generally, unless otherwise requested, a limit for cyber property damage would be provided on an each and every occurrence basis, without an aggregate cap.

You should also be prepared to support your insurance application by supplying additional underwriting materials such as:

  • Property asset schedule
  • Business interruption calculation (if you require cover)
  • Detail around which site/location has the highest accumulation of assets and the likely maximum foreseeable loss (MFL) at this location
  • Copy of the property insurance policy to establish the level of cyber exclusion which applies
  • Completion of the Marsh Cyber Self-Assessment Portal (if you are also seeking traditional cyber insurance).

As technology becomes increasingly integral to business operations, insurers and regulators have recognised the need to address a silent cyber gap that has emerged in insurance policies. While insurers have taken steps to clarify coverage parameters, the broad exclusions favoured in many policies have ignored the essential role of technology in businesses. Although there are options for managing cyber risk, these should be carefully examined alongside a company’s overall risk profile and the market in which a company operates, amongst other policy considerations.

By taking proactive steps to address silent cyber risk, companies can protect themselves from the potential financial and operational consequences of cyber events.

Talk to our cyber specialists

Marsh’s Cyber Practice is the most experienced and largest dedicated cyber team in the market. Our 200+ cyber experts worldwide support clients across the broad spectrum of industries, offering you the best insights and risk management solutions to support your company’s journey at every stage of its evolution.

Contact our advisors for an obligation-free discussion or quote today.

[1] - https://www.lmalloyds.com/LMA/News/LMA_bulletins/LMA_Bulletins/LMA19-031-PD.aspx

This publication is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Marsh shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Marsh makes no representation or warranty concerning the application of policy wordings or the financial condition or solvency of insurers or re-insurers. Marsh makes no assurances regarding the availability, cost, or terms of insurance coverage. LCPA 23/297