09/08/2023 · 7 minute read
As businesses become increasingly dependent on technology and digitised data to operate, cyber risk becomes a bigger threat to companies, regardless of size, industry or sector. When it comes to making informed decisions for your company around managing cyber risk, it’s important to first understand some of the gaps that exist in some policies – in both traditional and cyber insurance.
Most traditional property and casualty insurance policies were designed to cover liability and costs arising from physical harm to persons or tangible property (eg belongings). Over the past two decades, as these insurance policies began to state that data is not tangible property, a coverage gap was created. Cyber insurance arose partially to fill that gap, and over time, cyber insurance has evolved to cover a broad spectrum of costs and liabilities arising from a cyber event. However, cyber insurance does not directly cover the value of tangible or intangible property (i.e. the value of data and digital assets), and thus it only covers a fraction of the total potential impact from a cyber event.
Where an insurance policy does not expressly include cyber events as triggers for loss, or where it does not explicitly exclude them, there is an unknown or unidentified level of cyber exposure, otherwise known as ‘silent cyber risk’. This type of risk can lead to uncertainty for both the insurer and insured around payment of claims caused by cyber events.
From an insurer’s perspective, claims stemming from cyber events, which have been neither underwritten nor charged for, create unmeasured exposure within insurer portfolios. Insurance regulators have tasked insurers to identify, quantify and manage their cyber exposure, and to thereby remove the ‘silence’ across all non-cyber policy lines. While insurers have acted swiftly to comply with regulatory demands, they continue to struggle with how to do this in a way that creates coverage certainty under both standalone cyber insurance and non-cyber policies.
This article presents some key cyber insurance coverage gap considerations for your executives to consider and address.
Businesses continue to grapple with the growing challenges of cyber risk. Two key concerns include:
In January 2019, in the UK, the Prudential Regulation Authority issued a letter to all UK insurers stating they must have action plans to reduce the unintended exposure that can be caused by non-affirmative cyber. In July 2019, Lloyd’s of London issued a market bulletin mandating that all property and casualty policies be clear on whether coverage is provided for losses caused by a cyber event – by either affirming or excluding coverage. Unfortunately, in their haste to comply, insurers have favoured exceedingly broad exclusions that often overreach, potentially excluding previously covered ensuing loss simply because technology was now involved. Since then, ‘silent cyber’ exclusions have proliferated across every line of insurance in every geography around the globe.
The introduction of various exclusions on traditional property policies saw coverage either entirely removed (eg LMA 5401) or significantly limited (eg to non-malicious acts, LMA 5400). While the act of endorsing a policy to address the ‘silence’ has addressed the ambiguity around cyber events, ultimately, by completely ignoring the fact that technology was, and still remains, integral to business operations, these exclusions have unintentionally introduced new coverage gaps and ambiguity.
When seeking to understand and manage the new coverage gaps that have emerged, it is advisable to examine the exclusions listed under non-cyber policies. Where these exclusions limit or fully remove cover, your options may include:
Ultimately, the decision around which of these options to pursue should be reviewed in line with your organisation’s overall risk tolerance and profile.
If your company is considering a standalone cyber-physical damage policy as an option to fill the insurance gap, it is important to first examine the policy and understand the implications before committing to the purchase. Cyber-physical damage policies are a blended product that provides affirmative cover for non-physical losses incurred to respond to a cyber event, as well as ripple effects from the cyber event that result in tangible loss (i.e. property damage or bodily harm).
Be prepared to support your insurance application by supplying additional underwriting materials such as:
While insurers have taken steps to clarify coverage parameters, the broad exclusions favoured in many traditional property and casualty policies have ignored the essential role of technology in businesses. Although there are options for addressing cyber property damage risk, these solutions may not be suitable for all businesses in every instance.
By taking proactive steps to address cyber risk, companies can protect themselves from the potential financial and operational consequences of cyber events.
Marsh’s Cyber Practice is the most experienced and largest dedicated cyber team in the market. Our 200+ cyber experts worldwide support clients across the broad spectrum of industries, offering you the best insights and risk management solutions to support your company’s journey at every stage of its evolution.
This publication is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Marsh shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Marsh makes no representation or warranty concerning the application of policy wordings or the financial condition or solvency of insurers or re-insurers. Marsh makes no assurances regarding the availability, cost, or terms of insurance coverage. LCPA 23/297