Skip to Main Content

When addressing non-affirmative cyber: silence is not golden

"Silent cyber"—known as policies that do not clearly state whether cyber risk coverage is included—has become a growing area of concern in the insurance industry. 

By Kara Owens, Global Executive Underwriting Officer for Cyber and ESG for Markel

Introduction: the need for concerted action on “silent cyber”

For the insurance industry, cyber risk is both a major opportunity and a significant threat. High-profile cyberattacks such as NotPetya and WannaCry have led to uncovered losses, unforeseen covered losses, and court battles. The potential for even greater losses is vast. A joint report by Lloyd’s of London and cyber risk analytics firm Cyence found that a hypothetical cyberattack against a cloud service provider could generate losses of up to $121 billion, greater than the total losses from Hurricanes Katrina and Sandy.

All of these developments are stimulating increased interest in “affirmative cyber” policies. But for many in the industry, the most urgent area of concern is “silent cyber”—also referred to as “non-affirmative cyber”—meaning policies that do not explicitly include or exclude coverage for cyber risk, or where gaps in current wording may create contract uncertainty.

Here, contract ambiguities have the potential to create significant impacts across multiple product lines, ranging from property to general and product liability to crime, terrorism, recall, directors and officers, kidnap and ransom, and many others. There is also significant potential for overlapping coverage between stand-alone cyber risk policies and traditional policies.

Regulators, rating agencies, and reinsurers have called on insurers to manage the “silent cyber” issue. Lloyd’s Bulletin Y5258 stipulated that all first-party property damage policies starting on or after January 1, 2020, must provide clarity regarding whether cyber coverage exists or is excluded. Lloyd’s Bulletin Y5277 subsequently outlined a number of additional classes needing to address cyber.

A consensus has emerged that there needs to be concerted action to identify and eradicate “silent cyber” risks, both at individual insurers and across the industry. In response, multiple syndicates and other players have affirmed their commitment to identify and address exposures.

"Regulators, rating agencies, and reinsurers have called on insurers to manage the “silent cyber” issue."

How should insurers proceed?

Insurers have multiple incentives to eradicate silent cyber, remove coverage ambiguity, and gain a greater understanding of the evolving risks and opportunities. Yet given the dynamic nature of the market, the path forward is not linear, but dynamic. Ongoing industry dialogue on this topic is essential to understand and limit the industry’s risk.

Markel, along with other carriers, is now working to address silent cyber on a holistic, company-wide basis. Markel has been assessing cyber exposure across policies for a number of years.

In 2018, the company established a Cyber Center of Excellence, including the launch of a formal project committed to evaluating every product line across its insurance and reinsurance operations, as part of a formal strategy to eliminate silent or non-affirmative cyber exposure.

Additional factors contributing to undervaluation

While catastrophes account for the most dramatic examples, the valuation gap goes beyond catastrophes alone. A 2016 study carried out by the Building Cost Information Service in the UK found that 80% of commercial properties are underinsured. That’s also true for residential properties. According to a 2015 study by the research firm Marshall & Swift/Boeckh, some 60% of homes in the US are undervalued for insurance purposes by an average of 17%.

Many factors are contributing to this chronic lack of appropriate property valuation. Insurance renewals are often resubmitted with the same property values year-over-year. This practice erodes the exposure base used by the reinsurance industry to calibrate the underlying portfolio risk. For the insured, it also distorts the enterprise view of their underlying organizational exposure both at the location level and in areas where accumulation risk could deliver exposures above the limit(s) being purchased.

Management of risk through appropriate operational tools

Once exposure risks are identified and quantified, there are numerous means of managing this exposure. Insurers can update policies to address exposure concerns in various ways, including the application of exclusionary language, sub-limits or explicit full limit coverage.

Implementation of appropriate pricing, referral and authority controls must be applied. Insurers must be able to quantify the risk, including capturing appropriate pricing for risks. Cyber risks must then be managed through a number of operational steps, including revising policy forms and updating systems for data capture; aggregation monitoring and reporting; and training underwriters specifically on cyber risk. Risk transfer options such as the use of traditional reinsurance and alternative capital should also be considered.

Collaboration is key

Given the complexities of this issue, leaders of different product lines must look beyond management of their own profit and loss statements and dedicate attention to concerted risk management. Accordingly, Markel’s cyber exposure project is focused on collaboration, cooperation, and coordination across multiple divisions, specialty areas, and disciplines.

From an underwriting perspective, participants in the project are drawn from a number of product lines where cyber exposure may exist on either an explicit or silent basis. This includes but is not limited to cyber, professional and management liability, casualty, and property. Participating disciplines include claims, actuarial, catastrophe modeling, enterprise risk management, ceded reinsurance, product development and regulatory division, IT, information management, underwriting, and strategy. In short, a holistic approach is required by insurance companies engaging in a silent cyber project as described.

Collaboration across these multiple areas is of critical importance, including training and education around scenarios and how to underwrite for cyber risk by product line. Projects usually flow best with one executive driving collaboration across product lines, offsetting the traditional separation of different product groups into property, casualty and today, cyber.

Alignment with reinsurance is critical

In addition, the insurance industry must include reinsurance as well as primary insurance. While boundary walls are often necessary, it’s important to ensure that assessment of aggregation risks for cyber is taking place across the organization and not just within those individual divisions. Communication on this issue needs to take place among all divisions, with the goal of assessing interconnections on a company-wide basis

Cyber coverage options are likely to differ widely by carrier

Just as with exclusionary language, there is no “one size fits all” strategy for affirmative cyber coverage across traditional product lines that will work for the industry as a whole.

An individual insurer may know a great deal about cyber exposure within a certain type of property policy, and may feel comfortable accepting that risk, affirming coverage, and pricing for it. Meanwhile, another insurer may not be comfortable with that same set of exposures, and so will want to exclude it.

Once again, identification and elimination of silent cyber must be addressed before the industry can proceed with complete confidence.

“One size fits all” exclusionary language is not an option

There are limits to a company’s ability to establish a uniform cyber strategy across product lines. For example, application of exclusionary language is one opportunity of interest to many lines. However, based on the widely differing types of exposure in different product lines, it is not feasible to identify “one size fits all” exclusionary language that can apply to all product lines.

In some cases, bespoke exclusionary language is an option; however, for the most part, industry market wording is the most widely accepted, and as exposure varies by product line, wording will vary by product line as well.

The project team ultimately creates recommendations for how best to convert silent cyber exposure to either affirmative or excluded. Other important steps included drafting cyber-specific technical underwriting guides and establishing extensive underwriter training.

Cyber as a peril” coverage may be premature

In addition, without evaluating silent cyber in order to gain a more detailed knowledge of cyber risks, it will likely be difficult for any carrier to press ahead with comprehensive product offerings at this time.

For example, one potentially appealing product opportunity is the further development of comprehensive “cyber as a peril” coverage that identifies specific exposures and attempts to underwrite to them. (Note: There are currently a few offerings in the market that try to accomplish this, but they have not been widely adopted.)

Such coverage could include the typical coverages offered in a stand-alone cyber policy, but then might also add physical damage, cyber terrorism, product liability, and bodily injury—in other words, a wide range of cyber-related casualty and property coverages—all on the same policy form. However, its net impact at this time may be to aggregate cyber risk, since coverage of cyber perils may well still exist on the insured’s existing property policies or other traditional policies.

If “cyber as a peril” policies become more widely adopted in the future, it will be necessary for a number of underwriters to get involved in order to properly assess the exposures present. For example, property underwriters will need to become engaged in the physical damage portion of the risk, and casualty underwriters in the bodily injury aspect.

Conclusion: the case for sharing insights

Initiatives like these are worth sharing, because all carriers have a mutual interest in preserving the industry’s viability in the face of potentially staggering exposures.

It is imperative that the industry addresses non-affirmative cyber exposure across product lines. The nature of the industry is to take risk, but also to be paid appropriately for that risk, and to track and underwrite to the exposures it assumes. Otherwise, the industry will not be able to provide the protection that companies and consumers require, and may be putting itself at substantial risk.

By systematically seeking to understand silent cyber, and sharing learnings on this point, the industry and its players can better limit their own exposure to aggregation risk; prevent losses associated with claims that were not priced for in the products; and provide transparent coverage to insureds, while making sure they are in fact protected.