For the last few years, “silent cyber” has been a hot topic in the insurance industry. It is the cyber risk that lies within non-cyber policies and that was not considered when those policies were priced. Most cyber risk is covered by an affirmative cyber policy, meaning that cyber risk is specifically covered via a standalone policy or an endorsement to a policy. Typical perils covered in an affirmative cyber policy include data compromise and service provider outage (e.g., cloud, email, payment processor). But what happens when the peril isn’t a typical cyber peril? What if the peril was fire or water damage caused by a cyber event? How would it be covered? That’s when the potential for silent cyber risk can arise.
Non-cyber policies are often silent on cyber
Perils that cause physical damage, such as fire or water leakage, are typically covered in property policies, e.g., a Homeowner’s Policy (HO-3) or a Businessowner’s Policy (BOP). When these policy forms were first written, cyber risk wasn’t even conceived of. In many cases even today, cyber risk isn’t mentioned. In other words, non-cyber policies are often non-affirmative or “silent” on cyber.
A policy that doesn’t state that a peril caused by cyber is covered may not explicitly state that it’s excluded. So, whether losses from cyber-induced physical perils, such as fire and water, are covered is still unknown. If a policy has open perils coverage, as opposed to named perils coverage, anything not explicitly excluded is covered. Given the lack of precedent for these types of cases, however, it is possible for an insurer to try to deny the claim.
Disputes regarding insurance policies typically become protracted legal battles eventually decided by the courts, so the verdict is still out on some of these cases. For example, Mondelez and Zurich are in court to determine whether NotPetya (a type of malware that was first seen worldwide in 2017) meets the definition of war; if it is deemed to, this would exclude losses from being paid out for NotPetya under the war exclusion in Mondelez’s insurance contract.
Losses can be large
Silent cyber exposes insurers to huge amounts of risk and can result in claims costing billions of dollars in loss. For example, NotPetya was estimated to have resulted in USD 3.3 billion of loss, approximately 90% of which was paid out under property policies; Merck & Co. alone paid out USD 1.75 billion.
Typically, malware is covered by a standalone cyber policy or cyber endorsement; however, some companies that didn’t have either of these traditional forms of affirmative cyber coverage were able to successfully file claims on their property policies due to the business interruption that resulted from the NotPetya virus wiping their computers.
If the cyber risk that exists in a non-cyber policy is accounted for in the pricing of the policy, it is not considered silent cyber. Many of the insurers who paid out claims on property policies from NotPetya did account for cyber risk in their pricing; for those who did not, this event illustrates just how large silent cyber losses can be.
Many policy types overlap with cyber risk
Personal property, such as the computers damaged by NotPetya, is just one example of property that can be impacted by silent cyber. Another is real property, such as a commercial office building, for which AIR has developed a Silent Cyber Commercial Property Fire scenario. Our scenario simulates losses from an office widget (printer, copier, laptop) being hacked into and set on fire. Although this scenario might seem improbable, proof of concept comes from a 2010 paper by a Columbia University professor who successfully hacked into an HP LaserJet printer and increased its temperature to 400° Fahrenheit. AIR’s scenario accounts for the probability of a given severity of damage, the strength of a building’s fire suppression system, physical building characteristics, and the vulnerability of the widget when calculating a range of return period losses (100- to 250-year).
Property, personal or real, is just one of eight different families of traditional, standalone policies that overlap with cyber risk according to the Organisation for Economic Co-operation and Development (OECD):
- Terrorism: Cyber-terrorism
- Property: Physical asset damage, data & software loss, business interruption, contingent business interruption
- Crime/Fidelity: Financial theft and fraud
- Kidnap & Ransom: Cyber ransom and extortion
- Workers’ Compensation: Bodily injury
- Directors & Officers: Directors and officers
- Professional Indemnity/Errors and Omissions: Professional indemnity, technology errors and omissions
- General liability: Breach of privacy compensation, communication and media liability, fines and penalties, incident response costs, network security failure
Insurers may have to pay claims for cyber losses under policies not designed for that purpose. The unquantified exposures inherent in silent cyber are what makes it such a pressing concern for the insurance industry.