Silent (or non-affirmative) cyber refers to cyber-related exposure within many all-risk general insurance products. If no explicit cyber exclusion applies, coverage for losses caused by cyber perils may apply. This underlying exposure’s potential for aggregated loss is currently one of the major issues being considered by the (re)insurance industry, according to Siobhan O’Brien, International Cyber Center of Excellence Leader, Guy Carpenter, and Erica Davis, North America Cyber Center of Excellence Leader, Guy Carpenter.
The 2017 NotPetya and WannaCry cyber events demonstrated the very real existence of cyber exposure, with economic losses exceeding USD 8 billion and insured losses estimated at USD 3.6 billion on both affirmative and non-affirmative (silent) covers globally (1).
In 2016 (2), the U.K. Prudential Regulation Authority (PRA) carried out a thematic review involving a range of stakeholders, including insurance and reinsurance firms, (re)insurance intermediaries, consultancies, catastrophe modelling vendors, cyber security and technology firms, and regulators. The review concluded that silent cyber was a material risk to (re)insurance companies and recommended that firms identify clear ways of managing it, set clear risk appetites and strategies owned by their boards, and invest in cyber expertise. In 2017, the PRA followed up with Supervisory Statement SS4/17, setting out its expectations of firms regarding cyber insurance underwriting risk.
In January 2019, all U.K.-regulated insurers received a further letter from the PRA confirming that they “should have action plans to reduce the unintended exposure that can be caused by non-affirmative cyber cover.” In July 2019, Lloyd’s issued Market Bulletin Y5258, and updated it in January 2020 with the follow-up Market Bulletin Y5277. The update required all syndicates to provide clarity on the cyber exposure in all their policies, giving clients contract certainty. The approach, which is being phased in over the course of 2020 and 2021, is focused on eradicating silent cyber from traditional lines of insurance by requiring insurers to identify the exposure and either clearly exclude it or affirmatively include it.
This initiative is further explained in the 2019 publication Lloyd’s Cyber Risk Strategy. Here are highlights of its requirements:
- Customers have a clear understanding of the coverage provided by their policies.
- Cyber risks and accumulations are understood by all relevant stakeholders, from boards of directors to junior underwriters, pricing and capital actuaries and exposure analysts.
- Risk is appropriately quantified on an expected basis for pricing, and the potential for attritional and extreme events and accumulations is understood.
Reduce the potential for silent cyber claims accumulation by:
- Identifying classes of business and policy types that are particularly vulnerable to residual silent cyber loss leakage.
- Developing approaches to pricing and capital setting for silent cyber risk.
Globally, regulators have issued similar statements on managing silent cyber risk: the European Insurance and Occupational Pensions Authority (EIOPA) and, in the United States, the National Association of Insurance Commissioners (NAIC) have each published guidelines to help firms manage this exposure.
(1) PCS Event Serial No. 1717 bulletin, dated April 3, 2020.
(2) PRA “Dear CEO” letter, dated November 14, 2016.