Cyber risk impacts practically every line of commercial insurance, yet it remains unaddressed in many lines of insurance. The lack of clarity in some standard property and casualty policies has led to confusion or misunderstanding about coverage for cyber risks. Simultaneously, an insurer covering losses they have not contemplated jeopardizes their credit rating and/or financial solvency.
What does it mean for policyholders that insurers and their regulators have taken action to address silent cyber risk?
Policy language is evolving
Silence provides an argument for cover, but such coverage cannot be relied upon. It may lead policyholders to believe that they have adequate cover for cyber risk when they do not. Ultimately, the coverage outcome is uncertain, and the situation would likely evolve into a legal dispute.
Renewal and placement challenges
There is no market standard appetite nor language, insureds need to review and evaluate:
- Inconsistent response from primary insurers
- Inconsistent language throughout excess towers
- Coverage gaps.
Drafted language could overreach, leading to inadvertent loss of intended coverage.
- Overly broad exclusions. An exclusion, such as one for loss “arising out of” or “in connection with the use of computers”, needs to be balanced with the reality of the prevalent use of technology in the modern economy.
- Affirmative language that is limiting by triggering coverage on how the event happened, e.g. malicious or not-malicious?
- Drafting can result in an internal logic problem for the policy. Losses affirmatively addressed as covered may be inadvertently undermined by the new language.
Need to re-evaluate unamended coverage
The starting point for assessing the endorsements is to understand the parameters of each base policy before the label for “cyber” became prevalent. To understand where coverage begins and ends, start with a focus on the impact of an event to current insurances. A way to think about it would be to consider three questions:
What is the injury or harm insured?
Broadly speaking, the injury or harm can be tangible or financial, physical or non-physical. Because policies cover different injuries or harms, it is unlikely that every impact from one event will be covered by one policy. It is far more likely multiple policies will respond to different aspects of the loss. How many policies were impacted by asbestos damage?
What is the coverage trigger?
Some policies trigger when the insured receives notification of a claim (alleging they have violated a regulation or are responsible for injuries or damage to a third party) arising from a specified act. Some trigger on the insured’s own loss (loss of income, loss of assets) arising from a specific peril.
What is the Act or Peril / proximate cause of the loss?
Proximate cause in insurance is the act from which an injury results as a natural, direct, uninterrupted consequence and without which the injury would not have occurred. It’s also important to understand whether coverage is for internal acts or external acts; unintentional acts or intentional acts; physical or non-physical event.
Prepare for renewal not as expiring! Develop a strategy.
Many insurers across product lines are currently pushing for premium rate adequacy and renewals are taking longer to complete. But even without the hardening market, it would have been very unlikely that you will be able to secure “coverage as expiring” at “premium as expiring” with respect to cyber risk.
The most important thing you can do is give yourself time.
You’ll need time to identify renewal priorities, compile the submission and presenting the risk to market or markets will also take time. Standard renewals are taking longer, in part because underwriters are requiring more information and because the market is hardening, more market feedback is sought and therefore needs to be reviewed.
Identify renewal priorities. Is the priority program limits, premium spend, or coverage?
Living with an exclusion will be the path of least resistance, enabling least pressure on available limits or renewal pricing but will highlight coverages you do not have.
The good news and the bad news is that cyber risk, silent or otherwise, is not addressed consistently in the broader P&C market – including within cyber insurance. This means if there is coverage your firm has identified as a priority it may be found amongst competitors, or it may be negotiated or created for a premium and depending on the submission materials made available.
Compile a thorough submission. Cyber risk is a known risk factor, but no one but the company itself will know better about its exposure to cyber risk. Without sufficient information, an insurance company can neither produce a reasonable benefit amount nor premium cost.
Approach the market(s) with high level support.
- There are many cyber risk stakeholders in your organization whose feedback will be required in order to make a fair presentation of risk as is required under the Insurance Act of 2015. You may need to lock in availability of C Suite members to present to market.
- Discuss with insurers to clarify the extent of their appetite under each policy for cyber risk.
- Review feedback.
Paragon’s industry leading Cyber practice, which has a wealth of technical and broking experience, places some of the largest and most complex cyber, technology and media programmes globally. They develop proprietary products and partner with recognised legal and IT specialists to offer risk identification and risk management services to a worldwide client base, from ‘’start-ups’’ through to multinational businesses.
For more information, please contact: Lyndsey Bauer (Partner) email@example.com