May 11, 2022

Silent Cyber

Can cyber be covered by traditional forms of insurance?


Cyber risk has been a factor since the dawn of the digital age. However, several recent high-profile incidents have placed cybersecurity in the spotlight for countless people and organizations. Because of this, many may be left wondering what their “traditional” policies—or those that don’t specifically focus on cyber risk—may cover, as they may not have a standalone cyber program in place. To begin to find an answer to this question, it’s crucial to understand the difference between affirmative and non-affirmative coverage. Affirmative coverage means having specific coverage for some cyber risks within your insurance policy—either through stand-alone network security and privacy policies or endorsements added to property and casualty policies. Non-affirmative coverage, or “silent cyber,” refers to the use of traditional insurance policies to potentially cover cyber risks that were not explicitly referred to within the policy. In theory, cyber losses may be paid under these traditional policies, as they were not specifically excluded from coverage.

It’s worth asking at this point, “If cyber exposures can be covered under traditional insurance, why bother with a standalone cyber policy?” While the answer to this question is multi-faceted, it’s important to remember that having proper cyber coverage is always a good thing—and there’s no single silver bullet. However, a more detailed answer to this question can be found by exploring the evolution of coverage itself. While traditional insurance policies have evolved, cyber risk was once not the vital consideration it is today, as businesses were not as reliant on technology and cyber-attacks were not as advanced or prevalent. Therefore, the parameters of coverage for cyber exposures were not defined as they are in modern standalone cyber policies. As a result, businesses may incorrectly assume they are covered for cyber risks, making the “in theory” aspect of coverage even more pertinent. Alternatively, the market could end up paying for losses it wasn’t prepared to cover. This, in turn, could affect the sustainability of the cyber and non-cyber insurance markets, and these unfulfilled promises could result in expensive court cases. Insurance is always evolving, and so are the efforts to make cyber coverage less “theoretical” and more defined. The Prudential Regulation Authority has urged London market underwriters to employ more robust wordings and exclusions, which feature specific limits and ratings to avoid these silent exposures. Fitch Ratings Agency echoed this sentiment by highlighting the pressure non-affirmative coverage has on insurer earnings, capital, and ratings when ill-managed. Lloyd’s of London also raised concerns about the assembly of cyber risk in non-cyber policies.

So, with all of this in mind, what role do “traditional” coverages versus those specific to cyber play when it comes to understanding and managing cyber risk?

A patchwork of policies

First and foremost, you need to have a clear understanding of how the elements of your current insurance portfolio interlock to cover your cyber risk exposures. This knowledge will provide you with a roadmap to plan an effective risk transfer strategy. This could involve either expanding the boundaries of your existing policies or purchasing a new standalone insurance product to address any gaps in coverage. Some current programs may insure the same cyber triggers but only pay for specific financial impacts, whereas other elements of cyber risk may prove more difficult to insure at all. Typically, all risk property policies—including directors and officers liability (D&O), professional indemnity (PI), financial institutions (FI), and general liability (GL) insurance lines—are likely to cover silent cyber exposures, as they don’t often feature specific cyber exclusions, although this has been rapidly changing with carriers moving to more affirmative exclusions for these lines of coverage. This is particularly relevant for businesses in the marine, aviation, and transport industries. However, the same cannot always be said of other, more specific policies.

While not an exhaustive list, the below are examples of “traditional” policies and how they may respond to cyber events.

  • Crime policies may cover manipulation of data in SWIFT or CHAPS systems (bank hacks), employee dishonesty, forgery or alteration (rogue employees), third-party computer fraud (social engineering), unlawful taking of money resulting from a computer violation (ransomware), and funds transfer fraud. The impact covered in a crime policy is usually limited to the actual theft of money, rather than the wider implications covered in affirmative cyber coverage.
  • Kidnap and ransom (K&R) policies, also known as special crime or extortion, may offer extortion cover when property damage threats are made. This property includes computer hardware and software. Cyber extensions can also be added to indemnify ransom payments, legal liability, crisis response, business interruption, and customer identity threat. Following the widespread global ransomware incidents of 2017, K&R insurers have significantly scaled back ancillary cyber coverage, and now only cover investigation of a ransom demand and payment of ransom arising from an electronic threat.
  • D&O insurance may cover legal fees and personal losses if a company director is sued because of a cyber attack that reduces the company’s share value. Directors and officers generally have a duty to protect confidential information and implement an adequate security culture within the business. When they fail to do so, class action lawsuits may be filed, and regulatory fines may be imposed. Criminal activity, fraud, and misrepresentation are often excluded.
  • PI policies, also known as errors and omissions (E&O) insurance, cover professional negligence, data breach/loss, defamation or libel, loss of money under your responsibility (client accounts), and legal fees/compensation. The missing cyber coverage in these policies is a first-party loss. This includes investigation costs, crisis response, notification costs, data restoration, credit and ID monitoring services, business interruption (loss of revenue), and cyber extortion.
  • Property policies typically pay for business interruption and property damage involving a listed peril that damages electronic data (including computer viruses). These programs generally exclude cyber-triggered bodily injury, physical damage, and other cyber-specific elements. Many industry-specific carve backs to cyber exclusions exist in property policies, but companies should be very wary of the specific limitations of these extensions, as they are usually more restrictive than purpose-built cyber coverage.

Looking ahead

The insurance market’s approach to silent cyber exposures will directly affect the coverage available to businesses and how those policies respond to large, systemic losses. As this issue receives more attention, the cyber market will continue to evolve, requiring specialist advice, relevant policy wraps and extensions, and coordination with other coverage specialists. Companies of all sizes continue to turn to standalone cyber programs, as traditional policies often explicitly exclude cyber and limit the amount of coverage available for cyber exposures. This shift to standalone cyber may have several indirect effects, including:

  • More premiums entering the cyber market
  • Improved access to evolving claims data
  • Risk modeling tools proving more effective
  • More reinsurance capacity being required to fulfil capacity requirements

This evolution could also improve the sustainability of the insurance market, enabling it to evaluate and price risks more accurately, and subsequently, make various forms of cyber coverage more affirmative for buyers. However, some risks may still be considered so systemic that the industry responds with a public or private pool approach to supplement the traditional commercial insurance market. This will be important to monitor as the overall cyber insurance marketplace is still recovering from unprecedented loss frequency and severity, which could further limit coverage extensions.

Cyber risk is widely accepted across all industries as one of the top business risks. Technology is constantly evolving, and corporate networks and the information they hold play a more integral role than ever in an organization’s ability to offer products and services, interact with customers and employees, and generate revenue. Finding the right cyber risk solution for your business can make all the difference to your balance sheet.

MMA is here to help. Contact us today to discuss your cyber risk and let us help you prepare for whatever comes next.