Silent cyber, also known as unintended or non-affirmative coverage, refers to the potential cyber exposures contained within traditional property and casualty insurance policies, which may not implicitly include or exclude cyber risks. Unlike specialist standalone cyber insurance, which clearly defines the parameters of cyber coverage, traditional insurance policies were not designed with cyber exposures in mind. In many cases, traditional policies will not specifically refer to cyber, or the language remains untested to the exposure, and could theoretically pay claims for cyber losses in certain circumstances, according to Erica Davis, Cyber Center of Excellence, Guy Carpenter.
As a result of the uncertainties around these potential exposures, insurers face challenges around the lack of uniformity in the industry, risk accumulation and lack of cyber expertise. The general scarcity of available and historical data creates complexities with the modeling and quantification of silent cyber exposures.
In the last year, various stakeholders have responded to the industry’s silent cyber challenges to ensure that safeguards exist for potential insurer exposure identification and protection.
“Regulators are concerned with the extent to which insurers may not have adequate reinsurance support and/or capital to be able to sustain a systemic silent cyber event on their insurance portfolios,” Davis says. “In response, global regulators are enhancing supervision, coordinating efforts to develop a comprehensive approach by requiring firms to have clear strategies and stated risk appetites, encouraging board-level awareness, and establishing issuance of supervisory statements that set out regulators’ expectations of firms.”
The UK Prudential Regulatory Authority (PRA) stated on January 30, 2019: “Firms reported challenging market conditions, broker pressure, and lack of historical data, models, and expertise as the main impediments for the prudential management of cyber underwriting risk. We appreciate these challenges but do not believe they are insurmountable.” In addition, in January 2019 the PRA issued a “Dear CEO” letter indicating that all (re)insurers should develop Silent Cyber Action Plans to evaluate, model and quantify risks.
“Since the silent cyber issue came to light in 2016, the industry has been making various advancements,” Siobhan O’Brien, Cyber Center of Excellence, Guy Carpenter, explains. “Insurers Allianz and AIG, and the Lloyd’s of London insurance market, for example, have all announced commitments to explicitly clarify how cyber risks are covered or excluded in traditional policies and to identify when a dedicated cyber insurance solution is needed.”
Cyber modeling for non-affirmative risks is still in its infancy but improving. It is anticipated that specific cyber risk quantification models will be able to consider tail risk for multiple consequences.
Companies with a lack of focus on addressing their silent cyber exposures may face ratings downgrades. Guy Carpenter’s International Cyber Center of Excellence, our team of dedicated specialists in broking and analytics focused on providing enhanced solutions to our clients, collaborates with our Ratings Advisory team, delivering a strategic consultative approach and comprehensive advisory services. “Through our ongoing dialogue with the rating agencies, we ensure clients stay ahead of changing views, criteria, requirements and expectations related to managing non-affirmative cyber risk, allowing companies to be proactive to changing views that impact ratings,” Davis adds.
With the new oversight from regulators and the recent Lloyd’s of London requirement for more clarity around the extent of cyber coverage under policies, the (re)insurance market is receiving more exposure information and asking questions about underlying portfolios. These developments enable industry stakeholders to make more informed decisions and allow the availability of reinsurance capacity.
O’Brien continues: “Guy Carpenter’s Global Cyber Center of Excellence works with clients to provide silent cyber quantification capabilities and risk transfer solutions. We partner with clients to migrate them from a non-affirmative position to an affirmative one where cyber is either excluded or affirmatively placed and priced. We bring a multi-step framework to help clients manage group exposure.”