Protecting Your Business from “Silent Cyber” Coverage Exclusions
August 12, 2021
You’ve invested heavily in automating your production facility and count on computer-controlled robotic equipment to handle many of your processes. This afternoon, a hacker in Belgrade managed to access the controls for one of your robots and swung it in the wrong direction, where it slammed into and destroyed a half-million-dollar piece of equipment.
You’re upset but confident your plant is well-insured. That is, until you discover your property insurance carrier refuses to pay the claim. You didn’t notice, but when you approved the last renewal, the carrier added an exclusion for any cyber-related losses. Because the damage sequence began with a hacker’s action, the carrier considers this a cyber-related loss and believes it’s off the hook.
What Cyber Insurers Want to Know … and Why
It’s a fictional scenario, but it illustrates a situation that should concern every business. Some insurance carriers have begun to protect themselves by quietly inserting cyber exclusions into their property and liability policies. The trend is a response to what’s become known as “silent cyber” losses.
What Is Silent Cyber?
In simple terms, silent cyber refers to losses caused by cyber events where coverage is found in non-cyber liability insurance policies.
Cyber insurance policies are intended to protect organizations from financial losses, whether those losses are suffered directly by the organization or by a third party that blames the organization for its own losses. But when the loss results in property damage, bodily injury or a business interruption, businesses look past their cyber coverage and assume that their property or liability insurance will protect them. That becomes a dangerous assumption.
The reason some insurers are weaving exclusions for silent cyber losses into property and liability policies is a concern about what kinds of losses might potentially exist—even if the insurer has never encountered a claim that’s remotely close to those potential losses.
Put another way, carriers are comfortable with underwriting a risk when it’s a risk they understand, have encountered and for which they can confidently provide loss control. They know buildings burn down, they know what they’re worth and they can mandate protective measures like alarms or sprinklers, so they can reasonably estimate their exposure and calculate an actuarially sound premium.
But when those carriers think about silent cyber issues, they imagine all sorts of nightmare scenarios they can’t quantify or underwrite with any degree of certainty. They realize they have already been covering those risks on a de facto basis. So instead of leaving themselves open to what might be a catastrophic payout, they block anything that has any connection to cyber—and these days, that’s a lot. Sometimes, they offer to remove the exclusion if the company is willing to pay an exorbitant additional premium.
At the same time, most cyber insurance is not structured to cover losses from these cyber-related perils. That means companies could face events that are not covered by any of their policies.
What Is in Your Policy?
So does this response to silent cyber leave companies with an unacceptable degree of exposure? Not necessarily. Not all carriers have adopted these exclusions.
It’s important to review your current coverage to see if your insurer has slipped similar exclusions into your policy. If so, it may be time to move your coverage to a carrier without those exclusions. It’s possible that the marketplace eventually will put pressure on carriers to abandon or limit such exclusions, because they’ll start losing business to their competitors.
When a carrier expects additional premiums to remove or reduce the exclusions, demand to know how those premiums were determined and what loss experiences formed the basis for their decision. If there isn’t a loss history to support the amount of extra premium, you have an opportunity to negotiate.
Regardless of whether your carrier insists upon such exclusions, the silent cyber issue is a clear reminder of the importance of having a comprehensive risk management and loss control strategy, as well as developing a clear understanding of every page of your insurance policies. You need a thorough grasp of coverage triggers and the specific perils covered under policies. If you determine your company has exposures that aren’t protected, you need to obtain coverage or add an allowance for the potential loss to your balance sheet.
To learn even more about “silent cyber” coverage risks, contact an expert at Hylant.
The above information does not constitute advice. Always contact your insurance broker or trusted advisor for insurance-related questions.
The Illinois Biometric Information Privacy Act (“BIPA”)
September 11, 2023
For Boards, the Best Cybersecurity Defense Is a Good Offense
September 8, 2023
Hylant Launches Cyber JumpStart Portal to Help Organizations Reduce Cyber Risk
August 2, 2023