Silent Cyber: Counting the Cost

Silent Cyber, or non-affirmative cyber, occurs in insurance policies which neither expressly include nor exclude cyber risk.

Elements of cyber cover have traditionally been found under non-cyber specific policies, such as property, kidnap and ransom, general liability and professional indemnity. Many of these forms were in existence before the technological era and did not consider the risks arising out of the use of digital technology. This has now put insurers on the hook for cyber losses which weren’t accounted for in their underwriting processes, and has created a significant aggregation issue for insurers.

The lack of clarity in traditional insurances creates uncertainty for insureds – if cover is not affirmative, it cannot be guaranteed. This can lead to both coverage and claim reporting issues.

Merck (pharmaceutical) and Mondelez (food and beverage) were two of many companies impacted by the NotPeta attack in 2017 (opens a new window). The attack cost each company almost US$1Bn (opens a new window) and US$150M (opens a new window) respectively, losses which were notified to their respective property insurers. Unfortunately, insurers denied coverage on the basis that the policies contain War exclusions, which were interpreted to consider NotPetya as a “hostile or warlike action” given NotPetya was widely regarded as a Russian state-sponsored attack.

The denial of the claim came as a particular surprise to Mondelez, whose policy included cover for physical loss or damage to property including electronic data, programs or software even where caused by the malicious introduction of a machine code or instruction. This demonstrates that insureds should not rely on such extensions within their non-cyber specific policies, given other terms and conditions may also impact perceived coverage.

Traditional Cyber-related Exclusions

Historically, insurers have most commonly relied on the NMA 2914, NMA 2915, and CL380 exclusions to limit their cyber risk exposure under property policies. The suitability of these exclusions (which were drafted almost 20 years ago) was questioned by the Prudential Regulation Authority (PRA) in 2016, in light of the rapidly developing cyber risk environment. Consequently, the PRA issued a supervisory statement which outlined that insurers were expected to robustly assess and actively manage their insurance products in respect of cyber risk. The mandate required Lloyd’s underwriters either to affirm or exclude cyber cover in various lines of insurance, but either way, cyber should no longer remain ‘silent’.

The insurance markets are responding to the Lloyd’s mandate in a variety of ways. Several exclusions were subsequently released in 2019 which Lloyd’s syndicates must impose to clarify whether coverage is or is not provided for malicious or non-malicious cyber risks, and we have seen non-Lloyd’s markets also introduce their own exclusions to address silent cyber exposures.

1 January 2021 marked the next round of insurance policies to be impacted by the mandate, with Lloyd’s property, casualty, and financial lines policies now being required to affirm or exclude cyber exposures.*

How can Lockton help?

There are subtleties associated with many of the cyber endorsements which must be understood in order to make fully informed decisions on cyber risk. It is possible that certain coverages you have previously enjoyed will no longer be available.

As indicated above, the purchase of cyber insurance may be a consideration, as may be a reassessment of limits for any existing cyber cover. Every scenario is different and each situation should be assessed on its facts.

Lockton can provide the following services to assist you in informing, improving, and insuring cyber risk:

  • Insurance analysis to determine the presence or absence of cyber coverage.

  • Assessing your cyber risk posture and maturity.

  • Quantifying potential financial losses arising due to data breaches and/or network interruption incidents.

  • Conduct incident response and scenario exercises.

  • Review Disaster Recovery Plans and Incident Response Plans.

  • Craft a bespoke insurance solution to address your identified unique risks.

  • Provide claims advocacy support in the event of a cyber-incident to ensure your business responds and recovers quickly.

Contact your Lockton advisor to review and adapt your current policies to ensure you have adequate protection.


* For a full list of insurances impacted, please refer to Lloyd’s Bulletin Y5277 - (opens a new window)