Think you’re covered for a malicious or non-malicious cyber attack on your business? How sure are you? When did you last look at your policy wording to check what it says? Have you consulted a broker and asked them to confirm exactly what your situation is?
These are key questions in 2022, because of the insurance industry’s recent attempts to eradicate what is known as ‘silent cyber’ or ‘non-affirmative’ cyber cover from within policy wordings. Whatever your general property, PI, marine, or liability policy may once have said, it usually would have carried no specific mention of cyberattacks in the wording, either to include cover or exclude it. This made the wording ‘silent’ as to whether cover was provided or not. Given recent changes, what it should do is clearly and categorically state whether cyber insurance protection is included or excluded.
The changes have been implemented following the Prudential Regulation Authority (PRA) becoming concerned about silent cyber within policies, back in 2016. The PRA recognised many policy wordings could be interpreted in different ways, leaving both insurers and insureds in potential financial jeopardy when claim scenarios arose.
In 2019, to attain clarity on the amount of cyber protection existing within policies, the PRA asked insurers to identify, quantify and manage their silent cyber risks and develop an action plan to tackle this issue. Shortly after this, Lloyd’s of London instructed its members (syndicates) to clearly state within their policies whether coverage is provided for losses caused by cyber risk in two categories: malicious acts (cyber-attacks) and non-malicious acts including accidental acts or errors. A phased approach to changes in policy wordings was taken and all policies should now have been addressed. (1)
The move was much needed. Quite simply, insurance wordings had not kept pace with the increasing sophistication of cyber criminals’ tactics. With cyber criminals able to inflict not just losses on computer hardware, software and infrastructure, but on property, manufacturing systems and global supply chains, to name but a few possibilities, it was time to cut out the ambiguity.
Fundamentally, the change should be viewed positively, as long as businesses are aware of it and take the right steps to ensure they are covered for any cyber-related losses. It should help to better control premiums, preventing unexpected insurer losses from silent cyber wordings. It should encourage businesses to take ownership of the issue and purchase a standalone cyber insurance policy, if their general insurance covers would not compensate for cyber-related losses.
However, although 81% of UK businesses told the Cyber Security Breaches Survey 2022 that their board sees cyber security as a high priority, only 5% currently have standalone cover. Around 43% say they have ‘some form of cyber insurance’, (2) presumably being reliant on the more general types of policy within which silent cyber has been addressed and within which new exclusions may specifically apply.
Businesses need to address this situation fast but do so with an expert’s help, working with their broker to identify what the policy wording now says and what the ramifications of the wording may be.
With the changed approach to cyber within policy wording, a general property policy may no longer cover an insured in a variety of instances, for example, if fire damage resulted from a hacker’s actions – a cyber-related cause. A marine cargo policy may similarly refuse to pay out if damage to a vessel resulted from malware disrupting its GPS-guided navigation systems.
Quite simply, in some policies, if cyber is found to lurk anywhere within the chain of causation behind a loss, there could be a refusal to pay out. (3)
Businesses should note that some wordings, introduced to now exclude cyber risks, could also, unintentionally, create other gaps in cover. Reviewing your new wording is essential.
This highly complex area of risk needs a professional broker’s insight and requires a thorough examination of exposures.
Standalone cyber insurance policies come in various guises and not all will offer the comprehensive safety net that businesses require. For instance, not all provide access to IT specialists, who can quickly identify the issues caused by hackers and get systems swiftly cleansed and restored. Not all policies offer access to crisis PR specialists, who can help contain reputational damage suffered after a breach of company computer systems.
Silence was not golden when it came to silent cyber but it is essential that the wordings now existing within policies do not catch you out. Talk to your broker today and ensure you plug all the gaps in the right way.