There’s growing concern about “silent cyber” coverage in commercial policies. Agents and brokers can be of two minds regarding initiatives to clarify the coverage. Where do you stand, and why?
IS IT TIME TO STOP BEING SILENT ABOUT CYBER?
Concerns about losses under older policy provisions are growing across all lines of business and industry groups
By Joseph C. Harrington, CPCU
“What you don’t say can’t hurt you.”
That’s sound legal advice for someone who is facing criminal charges or a civil suit. But apparently it doesn’t hold for insurers trying to avoid expansive and unintended exposure to “cyber” losses.
Over the past few years, there has been steadily growing concern among insurers about what’s called “silent cyber” coverage in commercial property and liability policies. The term “silent cyber coverage” refers to coverage for cyber-related losses under policy provisions developed long before cyber property and loss exposures were contemplated.
Today, many businesses have as much if not more value in their intangible data—things like customer information, operating systems, intellectual property, and so on—as they do in tangible assets like buildings and equipment. Depending on the vintage of a commercial property policy, an open perils or “all risks” causes of loss coverage part might respond to a massive loss to data, provided it was not caused by an excluded peril.
The threat is arguably greater under management and professional liability policies, “D&O” and “E&O,” respectively. Insureds in these lines have been sued for failing to safeguard an organization’s electronic assets, and for failing to protect customers and business partners from a loss to their information or operations.
Growing concern
In a 2018 survey report on silent cyber risk, Willis Re found that “market concerns about silent cyber are growing across all lines of business and all industry groups.” According to the report, nearly a third of the insurers responding to the survey estimated there would be 10 or more cyber-related claims for every 100 non-cyber claims under their property, D&O, E&O, and other liability policies. The overall results showed a sharp increase from a 2017 survey in the percentage of respondents predicting greater frequency of cyber-related claims under non-cyber policies.
The concern was echoed by the Bank of England’s Prudential Regulatory Authority (PRA), which exercises solvency regulation for insurers in the United Kingdom.
In a January 2019 letter to insurers, Anna Sweeney, the PRA’s director of insurance supervision, wrote that a PRA survey on cyber exposures found that “firms almost all agreed that a number of traditional lines of business have considerable exposure to non-affirmative cyber risk.” (The term “non-affirmative” refers to the potential for coverage even if it is not explicitly provided in affirmative terms.)
“Some firms assessed the potential risk of loss from cyber events as being comparable with major natural catastrophes in the US,” she wrote. “This reinforces our concern about the large exposure potential and the need for firms [carriers] to take action to manage the unintended exposure to non-affirmative cyber risk.”
Lloyd’s speaks
Prodded by the PRA letter, Lloyd’s of London issued a market bulletin in July 2019 mandating that cyber coverage be explicitly excluded or provided. The mandate takes effect Jan. 1, 2020, for all primary policies and reinsurance contracts covering first-party property losses; it will take effect in two phases over 2020 and 2021 for liability policies and treaties.
The mandate applies to both new and renewal policies where relevant coverage is provided on a standalone basis or packaged with other coverages. The bulletin states that Lloyd’s will monitor compliance by its syndicates with the mandate through its regular oversight activities.
Lloyd’s, of course, doesn’t dictate what U.S. insurers must do, but it’s reasonable to anticipate that its latest mandate will be influential across the Atlantic, at least in surplus lines.
U.S. carriers and their (mostly European) reinsurers share Lloyd’s concern over silent cyber exposure, especially its potential for being open-ended. It’s not clear how quickly admitted U.S. companies can revise their policies, however, as they will have to convince state regulators that the corresponding rating plans reflect any changes in wording, especially for policies covering small businesses.
Producers’ dilemma?
Agents and brokers can easily be of two minds regarding initiatives to clarify cyber coverage.
On one hand, affirmative and unambiguous statements of what’s covered and not covered are certainly easier to present to buyers and help avoid any misunderstanding that could lead to an errors and omissions claim.
On the other hand, the trend toward “clarifying” cyber coverage will, more often than not, result in eliminating any coverage for a cyber-related loss under a non-cyber policy, unless it is endorsed to provide cyber coverage.
In particular, the elimination of silent cyber coverage from D&O and E&O policies would leave insureds under them without coverage for a major area of management and professional responsibility.
Ultimately, carriers will make the decision for producers, but agents and brokers will probably be relieved if they are no longer required to “read between the lines” regarding coverage for important exposures.