
Silent Cyber: What you need to know


By Andrew Hill | February 1, 2021

What is silent cyber, how might it affect your business and what are the options?

What is silent cyber?

What is silent cyber?

Silent cyber, otherwise known as non-affirmative cyber, describes cyber risk that is neither expressly covered nor excluded in insurance policies.

Why does silent cyber matter for policyholders?

In simple terms, it gives rise to coverage uncertainty.

What are the potential implications of relying upon silent cyber cover?

There is a risk you might not be covered for a cyber loss.

If I already have one or more cyber exclusions in my existing insurance policy, do I still have a silent cyber issue?

Potentially. There are a variety of cyber exclusions in circulation. Therefore, the scope of the exclusion will depend upon the specific language used. Certain cyber exclusions may not adequately exclude all cyber exposures, meaning there is potentially residual silent cyber cover, which in turn gives rise to the uncertainty outlined above.

Are there any other coverage issues connected to these cyber exclusions I need to be aware of?

Yes. Many of the cyber exclusions that have recently been put into circulation potentially exclude events that would not ordinarily be treated as cyber events for the purposes of a typical cyber policy, thereby leaving potential gaps in cover.


Why are we seeing so many new cyber exclusions?

Why have we seen so many new cyber exclusions in the last 12 months?

This development has largely come about as a result of insurance regulators raising concerns about the scope of silent cyber cover in traditional policies. The consensus is that silent cover for what has emerged as a prevalent area of risk is in the interests of neither policyholders nor insurers.

What then are regulators doing about silent cyber?

This varies from one jurisdiction to the next. In the UK, for example, the Prudential Regulation Authority (PRA) has requested that insurers it regulates expressly state in the policies they issue whether cover is provided for (1) malicious cyber acts and (2) non-malicious cyber incidents.

Have there been any notable developments in the insurance market in response to this?

Yes. Lloyd’s of London, for example, has requested that its members (i.e. syndicates) comply with the PRA’s requirements. This is being done on a phased basis, with two of the four phases completed and the final phase due for completion on 1 July 2021 [1].

Does compliance with the PRA requirements on silent cyber mean that insurers are required to exclude cyber risk altogether?

Absolutely not. Clarity is key. Provided the policy language is clear about the coverage position in respect of malicious cyber acts and non-malicious cyber incidents, the insurer is free to affirmatively cover or exclude cyber perils, subject to compliance with its internal underwriting criteria.

What have we seen so far from Lloyd’s?

From the first phase, which impacts markets underwriting property damage, four notable exclusions have emerged from the Lloyd’s Market Association: the LMA5400 and LMA5401 (for the property market) and the LMA5402 and LMA5403 (for the marine market).


The property and marine cyber exclusions – a case study

What are the notable features of the ‘property’ exclusions?

The LMA5400 excludes losses arising from both malicious cyber acts and non-malicious cyber incidents. It does, however, contain a limited carve back for loss arising from named physical perils ensuing from a non-malicious cyber incident. The LMA5401 is an absolute cyber exclusion (i.e. it excludes malicious cyber acts and non-malicious cyber incidents, with no carve back for ensuing physical perils).

What are the notable features of the ‘marine’ exclusions?

The LMA5402 is an absolute cyber exclusion (i.e. it excludes malicious cyber acts and non-malicious cyber incidents). The LMA5403 excludes malicious cyber acts only. It also states that non-malicious cyber incidents are not excluded.

Are any of these exclusions being used more widely than others?

It would appear the LMA5400 is being more widely adopted in the property market (which is, perhaps, unsurprising given its similarity to the NMA2914/2915). Meanwhile, in the marine market, the LMA5403 seems to be the preferred exclusion (again, perhaps unsurprising, given its similarities with the CL380).

Do the LMA5400 series of exclusions eradicate silent cyber?

Not entirely (as discussed in greater detail in part 2 of the case study below), although each of the exclusions does largely fulfil the PRA’s primary objective in terms of clarifying the coverage position on malicious and non-malicious cyber.


The property and marine cyber exclusions – a case study (part 2)

Are there any other coverage issues in the LMA5400 series of exclusions I should be aware of?

In summary, yes. Focusing on the two most widely used exclusions (LMA5400 for property and LMA5403 for marine), the choice of language gives rise to several potential coverage consequences.

What coverage issues are present on the LMA5400 (property)?

Whilst some of the issues are particularly nuanced and cannot be easily summarised, examples of some of the issues that should be taken into consideration include:

  1. uncertainty as to whether the carve back for “physical loss or physical damage to property” caused by fire or explosion resulting from a non-malicious cyber incident extends to any ensuing business interruption cover in the policy;
  2. losses arising from “failures to access … any Computer System” are excluded. Therefore, if an engineer were physically unable to access the computer system to undertake essential repair for any reason (legitimate or otherwise) [2], which ultimately leads to property damage, the loss would, on the face of it, be excluded unless arising from fire or explosion. It is difficult to see how, on any level, this scenario could be categorised as a cyber risk; and
  3. the exclusion states that it applies to losses caused directly or indirectly by malicious and non-malicious cyber events, meaning the insurer need only show that a cyber incident features somewhere in the chain of causation.

What coverage issues are present on the LMA5403 (marine)?

In many respects, this exclusion is a more straightforward affair than the LMA5400 (because, in simple terms, the LMA5403 excludes malicious cyber acts but not non-malicious cyber incidents). The exclusion, like the LMA5400, is framed as applying to loss caused both directly and indirectly by malicious cyber acts. This has potentially significant coverage consequences [3].

A further issue is that, owing to the specific language in the LMA5403, in the event a laptop or some other item of computer hardware is used as a physical object to inflict property damage, the exclusion would, on the face of it, apply (because the computer hardware is, literally speaking, being used to inflict harm). This is surely not the intent of the exclusion.


What are the options?

What therefore are the practical implications of having one of these exclusions in my insurance policy?

In simple terms, while these exclusions have undoubtedly provided greater clarity on the silent cyber issue than the first generation of cyber exclusions, gaps in cover for cyber risk remain with some of those gaps being more subtle than others.

What are my options in terms of filling those gaps?

As a starting position, the suitability of any solution can only be contemplated once the problem has been properly understood. Understanding the breadth of any cyber exclusion is an essential building block in allowing an informed decision to be made on next steps.

Are there solutions currently available in the insurance market to fill the gaps left behind in these exclusions?

Yes, there are. ‘Traditional’ markets and cyber markets have been offering ‘buy-backs’ for several years, and until recently these had emerged as almost the default option for organisations wanting to ‘fill the cyber gap’. However, buying back cyber exclusions which, upon closer inspection, may themselves be unclear could have unforeseen consequences for insurers and policyholders. More recently, affirmative solutions, whereby a standalone cyber policy covers property damage arising from a malicious cyber act (and, in a more limited sense, non-malicious cyber incidents), have started to emerge.

Which option is right for my business?

Getting the right advice is key in what is a complex area of risk. There are no shortcuts to a thorough assessment of the policyholder’s exposure to cyber risk. For example, there may be occasions where, if developed correctly, the buy-back solution is advantageous for the policyholder because of the setup of their particular insurance programme. The affirmative approach, on the other hand, can provide greater certainty because it is neither tied back to the actions of another insurer nor reliant upon cover being interpreted through an exclusion which may contain ambiguities, as is the case with a buy-back.


Footnotes

[1] For a full list of classes see Lloyd’s Market Bulletin Y5277: https://www.lloyds.com/market-resources/market-communications/market-bulletins

[2] For example, a wind turbine at sea that temporarily cannot be accessed due to bad weather.

[3] For example, a computer system on board a ship is compromised by ransomware (i.e. a malicious cyber act), which does not give rise to any physical loss or damage. The vulnerability in that computer system is remediated by a computer engineer, but the remediation is done incorrectly (i.e. a non-malicious cyber incident), which a few days later leads to the ship colliding with another vessel and causing physical damage. The earlier ‘indirect’ malicious cyber act could lead to insurers applying the exclusion.

Author

Executive Director, Product Innovation/Complex Claims Counsel

Andrew joined Willis Towers Watson’s Cyber and TMT team in February 2018 having spent several years practising as an insurance lawyer at a leading law firm in the City of London, during which time he advised insurers and their policyholders on cyber risk.

Prior to joining Willis Towers Watson, Andrew was listed in Legal 500 as a ‘Next Generation Lawyer’ where he was commended for his expertise in the field of cyber insurance.

Andrew is now responsible for advising clients on their cyber risk and developing solutions for their specific requirements. He is the co-author of WTW’s proprietary wording, CyCore, and recently drafted CyNav, a sector-specific insurance policy for organisations in the marine sector, which was successfully launched in April 2020.

