It may be called “silent cyber,” but the topic is generating a lot of noise in the commercial insurance sector.
What is silent cyber?
Silent or “non-affirmative” cyber refers to potential cyber-related insurance losses arising from insurance policies that weren’t specifically designed to cover cyber risks. The policies don’t explicitly include or exclude cyber risk, which creates ambiguity and can leave coverage open to interpretation. A standalone cyber insurance policy, on the other hand, clearly outlines what is covered (aka affirmative coverage), such as privacy, business interruption and extortion coverage, to name a few.
Why is silent cyber a rising concern?
While silent cyber isn’t a new concept, it’s getting more attention with the rise of cybercrime and the cost of attacks. Simply put, businesses can’t afford to have inadequate or ambiguous cyber protection.
According to the 2019 “Cost of Cybercrime” study by Accenture and the Ponemon Institute, the average cost of cybercrime to a Canadian company was $12.1 million in 2018.1 Globally, six in seven companies (85%) experienced phishing and social engineering cyber attacks in 2018, and three-quarters (76%) suffered web-based attacks. Cybersecurity Ventures projects that the global cost of cybercrime will hit $6 trillion by 2021, up from $3 trillion in 2015.2
Furthermore, PwC’s latest Global Economic Crime and Fraud Survey found that cybercrime features in the top three most disruptive crimes experienced in almost all industries reported in the survey.3
As the frequency, scale and cost of attacks continue to rise, so too does the concern around silent cyber. It’s more important than ever that policyholders understand their coverage so they’re not stuck in a position of believing they have adequate coverage when in reality, they may not. A stand-alone cyber policy helps ensure that they reduce possible gaps in protection.
Are there regulations around silent cyber?
The U.K. was the first major market to take a tough stand on silent cyber. Last year, the Prudential Regulation Authority (part of the Bank of England) called on Lloyd’s of London and the wider insurance sector to ensure the management of affirmative and non-affirmative cyber risk exposures. Following that, Lloyd’s announced that it’s mandating that all non-affirmative policies provide clarity regarding cyber coverage by either excluding or providing affirmative coverage.
Similarly, on the policyholder side, global ratings agency A.M. Best announced it “expects companies to be proactive and forthcoming with their own evaluation and measurement of the exposure and accumulation of their cyber liability exposure.”4
While regulations in Canada have yet to be tabled, insurers are reviewing how coverages can be placed through all policies—not just dedicated cyber policies.
What can an insurance company do to prevent potential gaps in coverage?
Both brokers and commercial property underwriters need to become more aware of the issues relating to cyber events. That starts with detailed risk assessments to clearly understand the specific cyber vulnerabilities of an organization.
For example, an industrial plant might be aware of its risk of a boiler explosion, but this type of event could also happen in a cyber-attack. A plant could be targeted by a cyber virus that disables the critical safety control systems relating to a boiler’s operational procedure, exposing the plant to a possible explosion. This could result in a major disruption in the plant’s daily operations – not to mention a serious public safety risk.
Education is a key factor for all brokers and underwriters, whether they specialize in property liability, or other risks ranging from D&O, crime, environmental and other commercial divisions.
As cyber risks continue to rise, so too does the need for explicit coverage. Stand-alone cyber policies help reduce possible gaps in protection. If you’re unsure as to whether your operations are fully covered, contact your broker today.
Sources
1The Ninth Annual Cost of Cybercrime Study 2019 by Accenture and Ponemon Institute
22020 Official Annual Cybercrime Report by Cybersecurity Ventures, sponsored by Herjavec Group
3PWC’s Global Economic Crime and Fraud Survey 2020
4Moorcraft, B. (2018, November 26). What is silent cyber risk? Retrieved May 19, 2020
