Cyber insurers are now deliberately addressing silent cyber coverage in insurance policies, a Marsh executive said Wednesday at NetDiligence’s Cyber Risk Summit in Toronto.
“With property [insurance policies]…I’m not seeing silent cyber anymore. I’m seeing very purposeful underwriting,” Karen Continenza, senior vice president at Marsh, said during the Cyber and Other Lines panel discussion.
Silent (or non-affirmative) cyber means neither expressively confirming nor excluding cyber insurance coverage in a policy. Continenza was discussing trends in standalone cyber, kidnap and ransom (K&R) and property policies in light of concerns in recent years regarding the need to expressly affirm or disclaim cyber coverage in policies.
Looking back to 2020, Marsh was seeing a large uptick of cyber claim volume coming through, Continenza told delegates. Many clients were exposed to ransomware or mega multi-vector attacks, a lot of which was correlated to organizations making the shift to work-from-home in response to COVID-19.
“I do recall getting my first few couple of claims and kind of flying back in my seat going, ‘What is this? Where did it come from and where is its natural home?’”
Through the analysis of many pages of policies, Continenza found cyber fell into three distinct buckets: standalone cyber, K&R and property. So, what is she seeing today in comparison to 2020?
From a K&R perspective, many policies are now containing absolute exclusions, or the removal of cyber in totality (in these policies, the word ‘extortion’ could sometimes been seen as covered and extended to cyber).
“Some K&R policies I have in my hands today are intentionally covering for cyber losses, and their covering for cyber losses via extensions of coverage,” Continenza reported. “We’ll see it in an endorsement or an extension. But the caveat to that is very small, very condensed, very controlled limits, the limits you’re not seeing reflected in a standalone policy.
“Secondary to that is other insurance clauses have changed as well, where policies like your K&R or your property [policy] no longer want to respond as a first respondent to any of these events.”
Policies will also sometimes not share primary limits, “so it’s a re-modification of that wording,” Continenza explained.
Panel moderator David Mackenzie, a partner with Blaney McMurtry LLP, noted part of the double-edged sword with cyber can come during policy drafting.
“When I work with underwriters on wordings, there’s always been resistance to using defined terms,” he said. “Because it makes the policy longer and you have to think really hard about whether you’re defining it well or not. And once you define it, you’ve got to live with it.
“So, defining terms is hard but not defining terms leaves everything ambiguous. You’re essentially creating ambiguity in the policy that you also have to live with.”
Property policy trends are “very similar in terms of absolute exclusions being applied,” Continenza said, and added that some carriers are willing to absorb the risk.
“These policies are attempting to strip the cyber exposure out in totality. We’re seeing…a re-introduction of cyber via extension or endorsement but again, the limits within these are very minimal, very condensed, very controlled, and very small in comparison to the size or magnitude of severity or cost perspective of what these cyber claims bring in.”
Cyber coverage within a property policy is typically still being offered as a smaller sublimit. But carriers need to be mindful that they are not excluding ‘resulting physical damage’ in totality, she warned. Think of a cyberattack where a malicious actor takes over an HVAC or refrigeration unit and there’s a degrading of the product that can no longer be sold.
“So, there’s certainly a home for it,” she said of covering resulting physical damage in a property policy.
Feature image by iStock.com/Suebsiri