Skip to main content
Marsh logo

Article

Silent cyber: how to ensure your organisation is protected

This article presents key cyber insurance policy gap considerations for businesses to consider and address the growing challenges of silent cyber risk.
man-looking-from-vantage-point
Person's name and title

By Chanel McCanna

Managing Principal, Cyber

08/09/2023 · 7 minute read

Silent cyber in insurance – the gap threatening companies

As businesses become increasingly dependent on technology and digitised data to operate, cyber risk becomes a bigger threat to companies, regardless of size, industry or sector. When it comes to making informed decisions for your company around managing cyber risk, it’s important to first understand some of the gaps that exist in some policies – in both traditional and cyber insurances.

Most traditional property and casualty insurance policies were designed to cover liability and costs arising from physical harm to persons or tangible property (eg belongings). Over the past two decades, as these insurance policies began to state that data is not tangible property, a coverage gap was created. Cyber insurance arose partially to fill that gap, and over time, cyber insurance has evolved to cover a broad spectrum of costs and liabilities arising from a cyber event. However, cyber insurance does not directly cover the value of tangible or intangible property (i.e the value of data and digital assets), and thus it only covers a fraction of the total potential impact from a cyber event.

Where an insurance policy does not expressly include cyber events as triggers for loss, or where it does not explicitly exclude it, there is an unknown or unidentified level of cyber exposure, otherwise known as ‘silent cyber risk’. This type of risk can lead to uncertainty for both the insurer and insured around payment of claims caused by cyber events.

From an insurer’s perspective, claims stemming from cyber events, which have been neither underwritten nor charged for, create unmeasured exposure within insurer portfolios. Insurance regulators have tasked insurers to identify, quantify and manage their cyber exposure, and to thereby remove the ’silence’ across all non-cyber policy lines. As insurers have acted swiftly to comply with regulatory demands, they continue to struggle with how to do this in a way that creates coverage certainty under both standalone cyber insurance as well as non-cyber policies.

This article presents some key cyber insurance coverage gap considerations for your executives to consider and address.

Cyber risk: Why it is an issue

Businesses continue to grapple with the growing challenges of cyber risk. Two key concerns include:

  • Control of operational systems: many business assets are now remotely connected and operated, and therefore potentially vulnerable to an attack from criminals who seek to damage and disrupt physical assets and connected systems remotely.
  • Supply chain: cyber attacks have moved beyond data breaches to sophisticated schemes designed to disrupt businesses and supply chains – if one of your suppliers cannot deliver because they have suffered an outage due to a cyber attack, you need to consider the impact this could have on your business. This concept can apply to both digital and physical supply chains.

Emerging ambiguity – insurer response to silent cyber

In January 2019, in the UK, the Prudential Regulation Authority issued a letter to all UK insurers stating they must have action plans to reduce the unintended exposure that can be caused by non-affirmative cyber. In July 2019, Lloyd’s of London issued a market bulletin mandating that all property and casualty policies be clear on whether coverage is provided for losses caused by a cyber event – by either affirming or excluding coverage. Unfortunately, in their haste to comply, insurers have favoured exceedingly broad exclusions, that often overreach, potentially excluding previously covered ensuing loss simply because technology was now involved. Since then, ‘silent cyber’ exclusions have proliferated across every line of insurance in every geography around the globe.

The introduction of various exclusions on traditional property policies saw coverage either entirely removed (eg LMA 5401) or significantly limited (eg to non-malicious acts LMA 5400). While the act of endorsing a policy to address the ‘silence’ has addressed the ambiguity around cyber events, ultimately, by completely ignoring the fact that technology was, and still remains, integral to business operations, they have unintentionally introduced new coverage gaps and ambiguity.

Options for managing cyber risk

When seeking to understand and manage the new coverage gaps that have emerged, it is advisable to examine the exclusions listed under non-cyber policies. Where these exclusions limit or fully remove cover, your options may include:

  1. Resisting the attachment of a cyber exclusion where possible. You could negotiate to include cover for cyber-triggered events under your traditional insurance policy, although this option is increasingly unlikely because these exclusions have become standard across most lines of insurance.
  2. Revise the wording of the exclusion to make it less onerous for the underlying coverage. In combined general liability policies, it is often possible to obtain a write-back of bodily injury or property damage claims that ensue from a cyber event.
  3. Replace the insurer with another insurer that is offering a less restrictive exclusion. For certain property exposures, consider the purchase of a standalone cyber property damage policy to fill the cover gap (eg for property damage) created by the cyber exclusion under the property insurance policy. Cyber property damage policies can also be combined with traditional cyber coverage to round out the cyber program to include coverage for non-physical cyber impacts.

Ultimately, the decision around which of these options to pursue should be reviewed in line with your organisation’s overall risk tolerance and profile.

Standalone cyber-physical damage cover – initial considerations for businesses

If your company is considering a standalone cyber-physical damage policy as an option to fill the insurance gap, it is important to first examine the policy and understand the implications before committing to the purchase. Cyber-physical damage policies are a blended product that provide affirmative cover for non-physical losses incurred to respond to a cyber event, as well as ripple effects from the cyber event that result in tangible loss (i.e property damage or bodily harm).

  • First and foremost, it is important to be aware of the industry or sector in which your company operates, as this can determine an insurer’s capacity to cover all of your risk. For example, even though the cyber-physical damage market has grown in recent years, it’s still in early stages of development, and is gathering traction amongst a narrow range of insurers. In terms of cyber property damage, Marsh estimates that while there is approximately $500 million of global capacity for any one insured, there is only an ability to build individual policies of up to $250 million with confidence.
  • Consider your deductibles. Cyber-physical policies are designed to cover the gap that emerges from cyber-specific exclusions on a property policy. For this reason, clients often elect to have deductibles that directly mirror the property policy, although alternative options may be available.
  • Understand the limits that may apply. For example, cyber-physical damage cover can be purchased either as a standalone program or in conjunction with a traditional cyber policy. Generally, unless requested or otherwise, a limit for cyber property damage would be provided on an each and every occurrence basis, without an aggregate cap.

Be prepared to support your insurance application by supplying additional underwriting materials such as:

  • Property asset schedule
  • Business interruption calculation (if you require cover)
  • Detail around which site/location has the highest accumulation of assets and the likely maximum foreseeable loss at this location
  • Copy of the property insurance policy to establish the level of cyber exclusion that applies
  • Completion of the Marsh Online Cyber Self-Assessment (if you are also seeking traditional cyber insurance).

While insurers have taken steps to clarify coverage parameters, the broad exclusions favoured in many traditional property and casualty policies have ignored the essential role of technology in businesses. Although there are options for addressing cyber property damage risk, these solutions may not be suitable for all businesses in every instance.

By taking proactive steps to address cyber risk, companies can protect themselves from the potential financial and operational consequences of cyber events.

Talk to our cyber specialists

Marsh’s Cyber Practice is the most experienced and largest dedicated cyber team in the market. Our 200+ cyber experts worldwide support clients across the broad spectrum of industries, offering you the best insights and risk management solutions to support your company’s journey at every stage of its evolution. 

Contact our advisors for an obligation-free discussion or quote today.

Silent cyber: how to ensure your organisation is protected

Download PDF

Related insights

Aerial view of crowd connected by lines

Article

Solving the cyber risk financial dilemma

04/18/2024
In Technology Research Facility: Female Project Manager Talks With Chief Engineer, they Consult Tablet Computer. Team of Industrial Engineers, Developers Work on Engine Design Using Computers

Article

2023-2030 Australian Cyber Security Strategy

11/27/2023
Placeholder Image

Webcast

Generative AI risks and insurance considerations

07/26/2023
Aerial image in summertime Finland showing a road with automobiles between a green forest and a turquoise lake.

Article

Generative AI: Understanding the risks and opportunities

07/26/2023
View more

This publication is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Marsh shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Marsh makes no representation or warranty concerning the application of policy wordings or the financial condition or solvency of insurers or re-insurers. Marsh makes no assurances regarding the availability, cost, or terms of insurance coverage. LCPA 23/297

Marsh Pty Ltd (ABN 86 004 651 512, AFSL 238983) (“Marsh”) arrange this insurance and is not the insurer. The Discretionary Trust Arrangement is issued by the Trustee, JLT Group Services Pty Ltd (ABN 26 004 485 214, AFSL 417964) (“JGS”). JGS is part of the Marsh group of companies. Any advice in relation to the Discretionary Trust Arrangement is provided by JLT Risk Solutions Pty Ltd (ABN 69 009 098 864, AFSL 226827) which is a related entity of Marsh. The cover provided by the Discretionary Trust Arrangement is subject to the Trustee’s discretion and/or the relevant policy terms, conditions and exclusions. This website contains general information, does not take into account your individual objectives, financial situation or needs and may not suit your personal circumstances. For full details of the terms, conditions and limitations of the covers and before making any decision about whether to acquire a product, refer to the specific policy wordings and/or Product Disclosure Statements available from JLT Risk Solutions on request. Full information can be found in the JLT Risk Solutions Financial Services Guide.”