Silent Cyber – What to look for
As the world continues to advance technologically, the number of cyber-attacks has increased at an alarming rate. A study by Accenture and the Ponemon Institute, which researched 355 companies in 16 different industries, revealed that between 2014 and 2018 security breaches increased by 67%, with an 11% increase in 2018 alone. In their third annual State of Cyber Resilience report, Accenture and the Ponemon Institute found that 10.9% of organizations’ IT budgets is spent on cyber security, that only 60% of the business ecosystem is protected by the cybersecurity program, and that 40% of breaches came via this route. 69% of the organizations in the study agree that staying ahead of attackers is a constant battle and that the cost is unsustainable. Since 2013, companies such as Yahoo!, Marriott, MySpace, Under Armour, Equifax, eBay, Target, and LinkedIn have each suffered data breaches of at least 100 million user accounts, with Yahoo! being the highest, at 3.5 billion accounts.
Costs incurred by victims of cyber-attacks have increased exponentially. The average cost of a single cyber-attack now exceeds $1 million, and the average cost of a malware attack is $2.4 million. Total damages for cyber-crime are projected to reach $6 trillion annually by 2021. In the Global Application & Network Security report, 78% of businesses reported that they experienced a cyber-attack that caused either service degradation or a complete network outage. These network interferences can have significant negative impacts on a company’s balance sheet, in the form of business interruption losses due to employees’ inability to perform work.
Expenditure on cloud computing is projected to increase to $331 billion in 2022, up from $182 billion in 2018, according to Gartner. The number of Internet of Things (IoT) devices doubled from 15 billion to 30 billion between 2015 and 2020 and is expected to grow to 75 billion by 2025, based on research by Statista. This explosive growth in the use of digital technology has significant exposure implications for commercial insurers as well as personal lines insurers of homes and autos.
Cyber security facts at a glance
- 94% of malware is delivered via email
- Phishing attacks account for more than 80% of reported security incidents
- $17,700 is lost every minute due to phishing attacks
- 60 percent of breaches involved vulnerabilities for which a patch was available but not applied
- 63 percent of companies said their data was potentially compromised within the last twelve months due to a hardware- or silicon-level security breach
- Attacks on IoT devices tripled in the first half of 2019
- Fileless attacks grew by 256 percent over the first half of 2019
- Data breaches cost enterprises an average of $3.92 million
Cyber coverage – “affirmative” and “non-affirmative”
Having seen the threat, its impact and its meaning, the next question is: can companies obtain insurance coverage for cyber-related losses?
The answer is yes, but the way an insured obtains such coverage can be complicated.
Cyber insurance comes in two forms: affirmative cyber liability coverage and non-affirmative or “silent” cyber coverage.
Affirmative cyber coverage is for cyber perils delineated either in a stand-alone network security and privacy policy or in an endorsement covering data breach or network security failure/attack costs. Such coverage could be:
- Forensic, public relations and credit monitoring costs associated with a breach
- Business interruption
- Cyber extortion/ransomware payments
- Replacement, restoration, or re-creation of damaged or lost data.
Affirmative coverage can also be found in third-party liability policies. Coverage as part of this third-party liability could be through:
- Privacy liabilities, such as liabilities and defense costs, fines and penalties
- Network security liability
- Regulatory defense costs.
Non-affirmative, or “silent” cyber coverage refers to cyber losses stemming from traditional property and liability policies. Insureds argue that their policies provide “silent” coverage in different ways, depending on the particular language. Cyber coverage may exist even when a policy does not expressly grant it, when an “all risk” policy does not specifically exclude it, or when an exclusion is ambiguous. As the variety of cyber-attacks continues to grow and develop, so too does the uncertainty surrounding “silent” cyber coverage, leaving the potential for many insureds and other victims of cyber-attacks to seek coverage under a variety of diverse insurance policies.
One of the biggest barriers to the provision of affirmative cover for cyber is the lack of data, models and experience. Insurers are faced with the uncertainty that comes with an emerging risk and the challenges presented by the speed at which the risks are evolving - given that so much of our everyday life is ‘cyber-related’, many losses under a policy will inevitably have some form of cyber involvement. This is further complicated by the varied and unpredictable nature and motivation behind cyber-attacks.
This difficulty in determining, defining and quantifying potential exposure has led to gaps in coverage. In the absence of traditional methods appropriate for analyzing cyber risk, insurers should look to experts and white hat hackers – ethical hackers who use their skills to improve security by exposing vulnerabilities – to help identify and evaluate potential cyber exposure buried within non-cyber policies.
Getting things into order
So far, we have seen that the cyber security industry has developed and grown with security solutions, but has also faced security incidents that caused significant losses and, more than that, created uncertainty about whether a policy should respond to a cyber event and indemnify the insured or not.
The UK regulators identified “non-affirmative cyber” loss under traditional P&C insurance as a threat to insurer solvency.
In November 2018, Allianz’s Global Corporate and Specialty unit advised that it was updating coverage in 2019 to provide clarity so that physical damage and bodily injury arising from cyber events would generally continue to be covered under corporate, commercial and specialty policies whereas cyber-related “pure financial loss” without physical damage or injury would be covered under specific cyber policies only.
In September 2019, AIG stated that property and casualty policies should be clear about the cyber coverage they provide, and the company announced a shift to affirmative cyber coverages and exclusions.
In a letter published on 30 January 2019, the Prudential Regulation Authority (PRA) called on Lloyd’s and the insurance industry to act on the issue of ‘silent cyber’.
Lloyd’s announced its response on 4 July 2019, stating that “It is the PRA’s view that the potential for a significant ‘silent’ cyber insurance loss is increasing with time. As both ‘silent’ cyber insurance awareness and the frequency of cyber-attacks grow, so does the potential from ‘silent’ cyber exposures. Insurance firms may find it increasingly challenging to argue that all risks or other liability policies did not intend to cover this type of risk given the publicity and awareness of the issue … Lloyd’s view is that it is in the best interests of customers, brokers, and syndicates for all policies to be clear on whether coverage is provided for losses caused by a cyber event. This clarity should be provided by either excluding coverage or by providing affirmative coverage in the (re)insurance policy.” The Lloyd’s letter also mandated that “all policies provide clarity regarding cyber coverage by either excluding or providing affirmative coverage”.
The first deadline covers the property market only, and a number of new clauses were issued by the market bodies, which include the LMS for Lloyd’s, the IUA for the companies market, and other committees.
The concern with the new clauses is that they mainly exclude cyber risk. They distinguish between different types of cyber risk, for example between a cyber-attack on the insured and a cyber-attack on a third party that affects the insured, which might lead to a different outcome.
In addition, some of the clauses are very hard to follow and are going to lead to confusion, such as policies that exclude cyber coverage and then write back specific cyber incidents but carve out malicious cyber-attacks.
The challenges of the policy holders
With this change of environment, and during the transition period, policy holders might face new challenges such as:
- No consistent approach among the markets across traditional lines regarding affirming/excluding/sub-limiting cover.
- Lack of consistency and market capacity among cyber product solutions in line with the exclusions introduced.
- Addressing the gaps in cover that may be created by exclusionary language/sub-limits.
- Limitations in cover introduced by non-cyber insurers.
For the reasons mentioned above, insureds should review their policy terms in depth and look for places where exclusions create gaps in coverage. Insureds should consider purchasing cyber cover and look at insurer-created solutions where a cyber policy cannot cover what is excluded.
Policy holders should consider the following options when they review the policies provided to them by insurers, which might include “silent cyber” exclusions:
- Reject the exclusion – by doing so, the insured will lose Lloyd’s capacity but at least will have more coverage. So, assuming an insured has reached the required market capacity at the expected cost, rejection is an option that the insured should consider.
- Request a less restrictive version – this will provide the insured with better coverage certainty and retain coverage for some resultant physical perils. On the other hand, this choice leaves the insured in a situation where some resultant physical perils will still not be covered and, in most cases, it won’t include coverage for malicious cyber events.
- Accept the exclusion – an insured will probably choose this path when it seeks the easiest way to get all the required capacity at a reasonable/expected cost. This alternative is likely to exclude more resultant physical loss than expected.
- Accept the exclusion and purchase a “gap filler” policy – this might be the perfect choice for an insured who is looking for the best available coverage, but it might come with a costly component.
Looking a little beyond the horizon, it seems that additional changes must happen in the market to provide more clarity and order for insurers and insureds. The remaining areas of uncertainty are:
- Cyber risk definition
- Cyber risk scope of coverage – malicious intent vs. non-malicious.
- Avoiding coverage overlap, such as between cyber policies and property damage policies.