“Silent Cyber” Threat to Insurers & Policyholders Alike
The risk is substantial. Losses could overwhelm a small business and wreak havoc on a large one. The largest data breach settlement in history recently saw Equifax pay $650 million. Some insurers offer products to specifically address and cover a hack; other carriers exclude cyber in certain products. Even a covered loss may involve a cyber-only sublimit. The Association of British Insurers recently announced that 89% of businesses do not have cyber insurance. This is especially surprising, given that the Association also announced that 99% of claims made on ABI-member cyber insurance policies were paid in 2018!
As cyber risk continues to evolve and emerge, certain insurers have chosen these alternatives:
- Stay silent.
Insurers can, and often do, choose to stay silent as to cyber. Many policies were designed, drafted and underwritten prior to the emergence of cyber as a substantial risk. Personal lines policies could tolerate a cyber exclusion, but some carriers have chosen not to exclude.
- Affirmatively provide coverage.
This creates its own set of problems for underwriters. Pricing the risk may be challenging. Underwriters will consider the policyholder’s cyber hygiene, i.e. how protected is that user? What steps has the policyholder taken to protect its systems, such as applying updated security patches and using up-to-date software? Underwriters will also assess how cyber resilient a policyholder is: how well a user can and will respond to, and recover from, a cyber-attack. Greater resilience translates into a lower risk of sustained business income losses, or the sheer ability to remain a going concern. The underwriting challenges are significant and detailed. Even where coverage is afforded, lines can blur where other exclusions may apply. For example, if Russian hackers, arguably state-sponsored, hack a company’s software, can that be excluded under the common war exclusion? The terrorism endorsement? An Illinois court is currently grappling with this issue in the context of a $100 million loss.
- Expressly exclude coverage.
Insurers can use endorsements to specifically exclude coverage of losses. “Electronic data” exclusions can be written broadly to exclude any type of loss involving data corruption, loss of data, the inability to access or use data, etc.
Silent cyber is screaming – we here at the TK Insurance Industry Group are prepared to address the risk with you. Please contact any member of our group with questions or concerns.