Facing cyber risk exclusions at renewals

Businesses are increasingly finding cyber risk exclusions in their policies at renewal time as carriers are pressed to reduce the volume of policies which don’t clearly define the extent to which they cover cyber risk, commonly referred to as “silent cyber”. For clients this might be a positive development as it forces an opportunity to analyse their true cyber risk and think about the range of cover and support services available that address their specific needs.

Traditional property and liability insurance policies often don’t specifically mention cyber risk, so whether and to what extent they cover it is unclear. Businesses’ cyber risk exposure is increasing due to ongoing digitisation, and risk perception has also changed following ransomware like NotPetya, which ravaged businesses globally, halting production facilities and causing significant costs and revenue losses.

Regulators are worried that insurers may be carrying too much risk on their balance sheets from policies that do not specifically clarify the cyber risk coverage. In a January 30, 2019 letter the UK’s Prudential Regulation Authority (PRA) reiterated that insurers need to do more to manage non-affirmative cyber risk. The regulator pointed to a survey where almost all carriers agreed that a number of traditional lines of business have considerable exposure to non-affirmative cyber risk.

Casualty, financial, motor and accident & health (A&H) lines were mentioned as having the largest non-affirmative exposure. Insurers are therefore likely to focus on these areas when reducing non-affirmative cyber risk and introducing cyber exclusions to policies. Property underwriters have been introducing cyber exclusions to policies for some time.

“Cyber is becoming a more specialised cover and the cyber market seems to be spreading across all lines rather than each line picking up cyber,” says Peter Erceg, Senior Vice President Global Cyber and Technology at Lockton.

Carriers’ stress test results suggest that a cyber-event could have widespread impact on a number of different lines of business, with some firms assessing the potential risk of loss from cyber events as being comparable with major natural catastrophes in the US, the PRA notes in its letter.

A concerted global cyber-attack propagated via malicious email could cause economic losses of between $85 billion and $193 billion, according to the CyRiM Report 2019. Many sectors would be affected across the world, with the largest losses in retail, healthcare, manufacturing, and banking, the report notes.

The report also analyses the impact of such a scenario on ‘affirmative’ and ‘non-affirmative’ cyber insurance losses. The insurance industry would face total claims in this scenario of between $10 billion and $27 billion, according to the estimates. It concluded that business interruption coverage would be the main driver of the insured losses.

While underwriters have been excluding the cyber risk from many property policies, contingency insurance might be the next one to see such a change.

“So far, cyber is silent within the contingency policy wordings, which makes it hard for underwriters to quantify their aggregate exposure,” says Andy Thompson, Senior Vice President Accident, Health, Sports & Contingency at Lockton. “The PRA review may result in cyber risks being excluded from contingency policies and as such will become a separate product,” Thompson explains. 

A business’s cyber insurance policy may not cover everything it needs to – for example, an event it is organising could create significant risk for the firm. “Processes at live events such as concerts or conferences are often completely run on digital platforms, offering a number of touch points that cyber criminals can access,” Thompson says.

In the marine market, cyber risk has been excluded for some time, but buyers can opt for a cyber policy covering cyber extortion, loss of employee data/personal information, business interruption or breach event costs for example. A policy may also cover third party exposures such as privacy regulatory investigations or a network security failure.

“We are constantly re-mapping the risk businesses face against existing products, particularly when technology is adding new threats. We define gaps in the cover and build new products to close these gaps,” Erceg says.

If a ship suffers a cyber-attack in the middle of the Mediterranean, a traditional marine policy might cover any physical damage to the hull. However, if malware stops the IT on board and leaves the ship adrift in the middle of the ocean, the policy won’t cover that, Erceg explains. A traditional marine policy would also not provide access to cyber specialists during a breach, which can be included in a specialist product.

“For clients, having cyber explicitly covered in their policies is broadly a better solution,” Erceg says. As the cyber market matures it becomes easier to define the specific protection clients need, he explains. In addition, clients get access to professional breach response support as part of a specialised cyber cover.

Cyber products can include cyber incident response services, help with repairing a company’s reputation, breach coaching, and notification and monitoring costs for any breach of information. They can also include data restoration, recollection and recreation following a security breach or data leak.

Products may also include pre-event services such as training for employees, network vulnerability scans, response readiness and phishing simulation tests.

“Getting the right vendors and support services in when you have an issue is an important component of cyber protection which clients may not have in non-affirmative traditional policies,” Erceg explains.