Silent cyber is a frequently discussed topic in the cyber insurance industry, but many organisations may not understand what it is, or how it affects them. Marsh has prepared a Frequently Asked Questions reference sheet to help educate our clients about how it may affect you, and share our recommendations to ensure your organisation has optimal coverage protection against cyber threats.
What Is Silent Cyber?
Silent cyber refers to potential cyber exposures contained within traditional property and liability insurance policies which may not implicitly include or exclude cyber risk. It is sometimes also called "non-affirmative" cyber.
Unlike standalone cyber insurance, which clearly defines the parameters of cyber cover, many traditional policies (for example, property and casualty) do not specifically refer to cyber and could theoretically be assumed to pay claims for cyber losses in certain circumstances.
Why Are Insurers Concerned About Silent Cyber?
Insurers and regulators are concerned that silent cyber can represent a significant, unexpected risk to insurers' portfolios. An insurer with a non-affirmative policy wording would not have considered the potential cyber risk inadvertently covered, and thus would not have calculated the policyholder's increased exposure or adjusted the premium, or assessed potential risk aggregation in its own portfolio.
Why Is Silent Cyber a Concern for Policyholders?
The lack of clarity in some standard property and casualty policies can also lead to confusion or misunderstanding about coverage for cyber risks. Some companies may believe that they have adequate cover for cyber risk when they do not. And non-affirmative language within a traditional insurance policy may be subject to differing interpretation by insurers, which could lead to legal disputes.
What Changes Are Insurers Making?
Insurers are taking steps to address this issue, some required by regulators, to clarify their coverage intent regarding cyber. Some insurers have clarified their coverage intent by defining cyber risk and then excluding it from non-cyber policies. Some are introducing new policy language and underwriting guidelines. Others, such as Lloyd's, are requiring insurers to either expressly exclude or include cyber risk in their traditional lines policy wordings, as of January 2020.
What You Should Do
These changes may affect how cyber perils are covered – or not covered – under existing insurance programmes. You need to carefully review your current policies with Marsh or other adviser or broker, and examine any exclusion proposed by your insurers, as several silent cyber exclusions may be overly broad.
Depending upon the insurance product and the insurer, you may be able to purchase affirmative cyber coverage under a non-cyber policy. In many cases, however, a standalone cyber policy may be the best solution to ensure coverage and fill gaps resulting from a silent cyber exclusion.
Please review the Frequently Asked Questions we have prepared on this topic. Then contact Marsh to help you review and if necessary adapt your current policies to ensure you have adequate protection.