Counting the cost of silent cyber

What is silent cyber?

The term ‘silent’ or ‘non-affirmative’ cyber is used to describe cyber risk that isn’t expressly or specifically covered in a property or liability insurance policy. But it’s not specifically excluded either. Given that the function of insurance is to reduce uncertainty, the grey area caused by this approach causes problems for both insureds and insurers following cyber related incidents or losses.

The reality of cyber

Although every now and then a high-profile claim makes the news (last year Marriott International Inc. was fined GBP18.4m by the Information Commissioner’s Office for failing to keep its customers’ data secure), any business that uses the internet is vulnerable to cyber related incidents.

According to the Office for National Statistics’ Cyber Security Breaches Survey 2021, ‘four in ten businesses (39%) and a quarter of charities (26%) report having cyber security breaches or attacks in the last 12 months’[1]. Although this in fact represents a slight reduction on 2020 (due in part to reduced trading during the pandemic), overall cyber risk is perceived to have increased as businesses grapple with the technology and security implications of a more remote workforce.

Cyber risk ranges from a third party illegally accessing data or preventing access to business-critical systems, through to the accidental or unintended disclosure of information by an employee. Its impact can include significant disruption to normal operations, financial loss and reputational damage.

Against this backdrop, the ability to buy and rely on adequate insurance protection is increasingly important.

The impact of silent cyber on insurers

When cyber risk first emerged, the commercial insurance market was, for the most part, highly competitive: prices were low, cover was wide and cyber claims were occasionally picked up under professional indemnity or general property and liability policies.

But as cyber losses began to grow in size and frequency, insurers’ appetite to cover this risk (either explicitly or by implication) reduced, causing growing uncertainty about where insureds and their brokers should look for the protection they need.

Cyber and Professional Indemnity – a grey area

The primary intent of a Professional Indemnity policy is to protect an insured from claims from a third party (usually a client) arising out of their professional activities. Cover, therefore, is in respect of the losses those third parties incur. Stand-alone cyber cover, by contrast, is intended to protect against first party losses arising from the use of - and dependence on - the internet.

However, cyber-related incidents can prevent a business from going about its normal activities, and this can have a knock-on effect on its ability to carry out professional activities for clients, especially where these are time sensitive. Many professions also hold money on account for their clients; this is vulnerable to cyber-crime and can give rise to both first and third party losses.

The trend during the soft market towards ‘full’ or ‘broad’ civil liability policies for many professions arguably extended cover to include an element of cyber and any ambiguity around cyber for professions with mandatory or minimum terms and conditions was generally interpreted in the insured’s favour.

Cyber becomes clearer

Taking a silent cyber approach meant insurers could be facing a potentially significant but unquantified exposure that hadn’t been accounted for in their rates. Multiply this over multiple lines of business and hundreds of thousands of policies and the risk became systemic, threatening the financial security not just of individual insurers but potentially a whole swathe of the market.

And then the regulator stepped in.

The Prudential Regulation Authority Review

In 2019 the Prudential Regulation Authority (PRA) sought to address the uncertainty surrounding silent cyber in a letter that requested insurers to develop action plans to reduce the unintended exposure caused by non-affirmative cyber cover.

Soon after, Lloyd’s required its underwriters to provide clarity on cover in a series of phases from January 2020, with changes to Professional Indemnity policies implemented from January this year. The process saw the development of two market endorsements: IUA04-017 and LMA 5531.

The overall impact of the review on Professional Indemnity and Directors & Officers policies is largely to clarify the intention not to respond to first party losses and to outline the cyber-related circumstances in which they will respond to third party losses; for example, failure to provide professional services due to a cyber loss where it is reasonable to expect adequate protections were in place. It is worth checking that any cyber-related exclusion doesn’t have the unintended effect of removing core Professional Indemnity coverage, for example where cyber is merely a contributory factor.

The impact of silent cyber on the insured

In general, as the insurance market adjusts to the increasing risk posed by cyber, insureds may experience premium increases or exclusions or restrictions to the cover they are offered by insurers.

For those wordings where cyber isn’t explicitly defined and excluded, insureds should not assume cover is provided, certainly not to the degree they might need it. There have been numerous disputes between insureds and insurers in the past as a result of the ambiguity caused by silent cyber.

Using a specialist broker who understands the differences between the range of policies available on the market not only helps reduce the initial uncertainty but also helps navigate any issues with insurers should cover be disputed in the event of a claim.

Regulated professions

The regulators of professional service firms, including the SRA, ICAEW and RICS, have been considering how cyber risks should be addressed within their Minimum Terms, broadly speaking to ensure clients aren’t left without adequate protection by permitting no, or only a limited, cyber carve-out. Each profession has dealt with the issue of silent cyber differently, and the advice of a specialist Professional Indemnity broker should be sought for these professions.

We recommend all businesses undertake a specific review of both their cyber exposure and insurance protection alongside their other property, liability and financial lines policies.

Some insurers do offer reasonably priced standalone cyber products (within certain risk selection criteria). These are worth considering not only because of their clear intention to pick up first party losses for incidents such as cyber extortion, the cost of recovering data and regulatory investigation defence costs, but also because the insurers that provide them offer specialist cyber loss management teams with the knowledge and expertise to respond quickly to avert major loss or reputational damage. [2]

Champion Professional Risks specialise in Professional Indemnity, Medical Malpractice, Directors and Officers, Cyber and Crime Insurance for a range of professions, construction sector firms, technology companies and financial institutions.

[1] https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2021/cyber-security-breaches-survey-2021

[2] Subject to specific policy terms and conditions

If you would like to discuss any of the topics raised in this article, please contact the author, John Jones.

John Jones
Managing Director
Champion Professional Risks Limited
T: 0330 128 9828
M: 07769 823 483
E: john.jones@championpi.co.uk