By Robert Pizarro, AVP, AmTrust Financial Services
Every 39 seconds.
That’s how often a hacker unleashes an attack on a computer with online access, according to a
University of Maryland study.
Ranging from data theft to corporate espionage, cyber risk can disrupt, damage and even destroy a business. A very real threat, cyber risk can touch any business in any industry. Just ask eBay, Target, Equifax and Uber, all victims of a major cyberattack in the last 10 years.
As cyber risk continues to grow, so does the potential for silent cyber losses. This realization has insurers across the industry rethinking how they write their insurance policies.
Understanding Silent Cyber Risks
Insurance Business America defines silent cyber as “potential cyber-related losses stemming from traditional property and liability policies that were not specifically designed to cover cyber risk.” Some experts correlate the term with any situation in which cyber coverage is implied to be provided, unbeknownst to the insurer providing the coverage. No matter the intent, if a policy does not contain language that specifically includes or excludes cyber risk, the insurer could be on the hook for any cyber-related claims.
With technology driving businesses worldwide, there are significant cyber exposures across multiple commercial coverage lines. Some of the more vulnerable include property, casualty, marine and transport. Despite the risks, affirmative protection is in place for only a fraction of these policies. Besides the known risks, there is significant unanticipated cyber risk across many commercial insurance and reinsurance portfolios.
Silent Cyber Risk Insurance
When it comes to
cyber coverage, ambiguity can be an insurer’s biggest enemy. When evaluating a business’s risks, underwriters must determine what, if any, cyber-related exposures exist and how to account for them. Cyber policies are typically written by exclusion first and inclusion second. Any lack of clarity over whether coverage exists could create a mess for the insured and the insurer. Here’s one such scenario:
A hotel’s computer system is hacked and infested with malware, activating the emergency sprinkler system and causing substantial water damage to the main lobby. During the mishap, a patron slips and is injured.
In this scenario, let’s assume the hotel’s insurance policy doesn’t specifically exclude cyberattacks. Does that mean the hotel can file a claim to cover the damage to its lobby? And who would be responsible for the damages if the injured patron were to sue the hotel? This hypothetical example illustrates the danger of a silent cyber scenario pushing up the loss ratio on a policy not specifically meant to cover cyber risk.
Phishing for Answers
In July of 2018, a New York federal appeals court ruled that a commercial crime insurance policy did in fact cover wire transfer losses stemming from an email spoofing attack against a large technology company. The company’s employees were “spoofed” into wiring $5 million to an account by fraudulent emails supposedly sent by an outside attorney and the company’s president. The court had to determine whether the $5 million was a direct loss caused by the spear phishing attack. The court determined it was, and the insurance company was ordered to pay the claim.
Devoid of Data
Although the insurance industry’s ability to price and place cyber risk is evolving, there is still an overall lack of reliable data regarding cybercrimes. Consequently, insurers and reinsurers are at a big disadvantage when it comes to building out their frequency and severity models. This challenge has spurred the emergence of companies like Kovrr, an Israel-based business that specializes in developing predictive cyber-risk modeling solutions.
Adopting a Proactive Policy against Silent Cyber
When it comes to addressing silent cyber, the best way is to own it. That’s why more and more carriers are affirmatively adding cyber coverage to non-cyber lines of business or offering stand-alone coverage. While riskier, another option is to remain silent. In this scenario, carriers will continue to write policies without language that clearly includes or excludes cyber-related exposures.
Be Clear About Your Cyber Coverage
Don’t let ambiguity put you and your policyholders at risk. Spelling out a cyber-related exclusion or an affirmation will eliminate a potentially costly gray area in the coverage. It’s important for insurers to identify and close any silent cyber risk gaps in their policies. Working with colleagues across different coverage lines can help insurers identify crossover areas where hidden cyber risk may lurk.
Robert Pizarro is an Assistant Vice President of Professional Lines Underwriting specializing in Management Liability and Professional Liability at AmTrust Financial Services, a multinational property and casualty insurer headquartered in New York City.