Speaking Up About Silent Cyber: Misconceptions About Cyber Insurance
Whether it’s a data breach, ransomware, or phishing emails, businesses are facing a constantly evolving range of cyber threats. And with cyber crime costing up to $600 billion a year, attacks such as last year’s NotPetya and WannaCry remind us that the digital world is moving into the physical world, with business interruption, legal fees and even impacts to brand and reputation at stake.
Despite the growing threat, there are still widespread misconceptions about cyber risk – and how to cover it using insurance.
Recent headlines highlight possible confusion of what is covered by an organization’s portfolio of commercial insurance lines when a cyber event occurs. Stephanie Snyder, senior vice president and commercial strategy leader, Cyber Solutions at Aon, notes that the common misconception that “cyber insurance doesn’t pay” tends to reference insurance policies that are not actually cyber insurance policies.
As cyber risk becomes more ubiquitous, its definition – from cause through to coverage – could be open to debate. Increasingly, cyber risk, as it permeates our lives with credit card swipes and seemingly innocent clicks on emails, becomes a “silent” risk – one that is there but may not be understood until after a loss occurs.
Traditional commercial insurance policies – such as property and casualty and crime, kidnap and ransom – might not have been designed to explicitly address, either to include or exclude, cyber-related losses. If a policy does not affirmatively grant or exclude cyber coverage, this is termed “silent cyber” – and there’s no guarantee that it will actually cover a loss.
Neil Harrison, Aon’s global head of claims, notes the uptick in cyber-related claims over the past few years, including those that bring “silent cyber,” also dubbed “accidental cyber,” into play. This occurs when a cyber loss is covered that may not have been expressly underwritten into the policy. The result may be “clash claims,” where more than one policy responds to the same cause of loss – for example, the traditional property or casualty policy, as well as the cyber insurance policy. “As we’ve begun to see more claims with cyber as a cause for loss, the market is shifting to accommodate cyber, so it’s written for a purpose instead of an element of coverage in an existing policy,” said Harrison.
And Snyder agrees: fewer than half of businesses purchase standalone cyber insurance coverage, which raises serious concern about the potential for insufficient cover in the face of increasing risk. As the industry moves to address these “silent cyber” gaps and ensure proper coverage more broadly for this emerging risk, what is covered and what is not?
In The Event Of A Cyber-Related Loss, Which Coverages Trigger?
Companies can often believe their existing policies adequately insure potential losses from cyber attacks. If a policy was not written to specifically include cyber, there is potential the loss might not be covered under a traditional policy.
Four scenarios highlight cyber-related events and potential coverage blind spots.
1. Social engineering loss
Examples: Spear phishing or malware putting sensitive information in jeopardy
Which policy?
- Professional liability. Professional liability only covers errors, omissions or negligent actions committed in the course of providing professional services, so coverage is unlikely.
- Property. Policy coverage for Data, where provided, is subject to a Physical Loss or Damage Trigger. There is no coverage for loss of money or securities.
- Commercial crime policy/financial institutions bond. Can cover direct losses of money or securities resulting from actions by an employee who was intentionally misled with fabricated information.
- Cyber insurance. Cyber insurance isn’t designed to cover the loss of money or securities and likely wouldn’t cover a social engineering attack.
- Directors’ and officers’ liability insurance. D&O policies may cover claims against the directors and officers arising out of a cyber breach.
2. Physical loss
Examples: A manufacturer is hacked, causing damage to machinery
Which policy?
- Commercial crime policy/financial institutions bond. Potential coverage for direct loss of money or securities from an insured computer system through entry, change or deletion of data or programs.
- Cyber insurance. Physical losses resulting from a cyber attack can be covered under a cyber insurance policy if the policy is enhanced to cover such losses.
- Property. Policies provide coverage to Policy limits or relevant “Peril” sub limits for resulting loss or damage to tangible assets. Some policies may restrict coverage to named or specified Perils and as such coverage should be reviewed relative to the circumstances of the loss.
3. Data breaches
Examples: Exposure of customer records or personal information
Which policy?
- Commercial crime policy/financial institutions bond. Does not provide coverage for stolen data, personal information or other sensitive information, trade secrets for example.
- Cyber insurance. Cyber insurance is designed to cover businesses’ electronic activity. Policies can be written to cover a broad variety of exposures, including data breach liability.
- Directors’ and officers’ liability insurance. D&O policies may cover claims against the directors and officers arising out of a cyber breach.
- Property. Policies are subject to a Physical Loss or Damage Trigger. Physical Loss or Damage to Data, where coverage is provided, is not designed to provide coverage for the exposure of or theft of personal data.
4. Business disruption
Examples: 2017 WannaCry and NotPetya attacks, 2018 SamSam ransomware attacks causing business operations to halt
Which policy?
- Directors’ and officers’ liability insurance. D&O policies may cover claims against the directors and officers arising out of a cyber breach.
- Cyber insurance. Cyber insurance can cover cyber attack business disruptions and associated business interruption losses related to supply chain partners, as well as ransoms in ransomware attacks.
- Kidnap, ransom and extortion. The KR&E market is in the process of clarifying this coverage; for example, some policies provide coverage for ransom paid in response to cyber extortion.
- Property. Where Property Policies provide coverage for Loss or Damage to Data and/or Denial of Service attacks, Business Interruption/Time Element coverage is provided subject always to any combined Property Damage/Business Interruption sub limit. Business Interruption as a result of loss or damage to tangible insured assets is covered subject to Policy Limits or applicable peril sub limits as may apply.
Takeaways
- Break down silos and escalate the cyber risk assessment conversation beyond the CISO or CRO to involve the entire C-suite.
- Review all existing policies to confirm which ones apply to identified cyber exposures and whether additional cyber coverage is needed. Ask additional questions where policies remain silent relative to cyber exposures.
- Ensure any cyber policy is written to explicitly cover identified risks.
- Reassess cyber exposures and insurance coverages on a regular basis as cyber risks evolve.
Among the threats businesses face from cyber attacks are financial losses or exposure of data through social engineering or “phishing” scams, physical damage to property resulting from cyber attacks, data breaches that expose customer information and – most impactful – business disruption. Businesses could be burned by relying on silent cyber coverage in their existing property and casualty portfolio, rather than seeking affirmative coverage grants for cyber loss or a standalone cyber insurance policy to cover such losses.
“When faced with a loss, businesses will seek indemnification anywhere it is available,” Snyder said. “If their policies have not been constructed to specifically address a breach-related loss, then there’s a chance that there may not be coverage.”
Holistically Understanding Cyber Vulnerabilities And Crafting Appropriate Coverage
Relying on silent cyber coverage isn’t enough. “Businesses really have to understand the coverage they have and the coverage they need,” Snyder said.
For example, a cyber assessment and quantification analysis can review potential vulnerabilities as well as various cyber attack scenarios, modeling the potential financial impact of each tested instance. Coupled with a review of existing insurance coverages, understanding what vulnerabilities exist and the financial implications can better guide the cyber insurance purchasing decision. After a comprehensive review of coverages, cyber insurance can help fill gaps in an organization’s overall cyber protection program.
Insurers, too, are playing a role. For example, modeling and scenario creation can help not only the insurance industry prepare for cyber-related losses but broader organizations as well. Jon Laux, Aon’s head of cyber analytics in the Reinsurance Solutions business, states, “By using various scenarios, insurers have the ability to stress test their portfolios against new and emerging perils created by cyber risk. With that knowledge, insurers can take steps to mitigate risk, through reinsurance as well as working with businesses to increase their resilience.”
Recognizing there is no one-size-fits-all approach to cyber risk, organizations and insurers will continue to evolve how they think about the risk. From modeling and scenario creation all the way through to crafting better coverage, various stakeholders will continue to address the evolving risk concerns.
Disclaimer: All descriptions, summaries or highlights of coverage are for general informational purposes only and do not amend, alter or modify the actual terms or conditions of any insurance policy. Coverage is governed only by the terms and conditions of the relevant policy.