Do you know how much risk a cyber insurance applicant could pass along to you? Security Ratings give you the verifiable data you need.
Companies typically buy several lines of insurance, from property to general liability to professional liability. When something goes wrong, it’s common for a company to run to its insurance provider and claim that it has coverage. Many times, such companies assume that their insurance will cover them, but this may not always be the case.
This is when a “silent cyber” situation can begin.
“Silent cyber” is the term given to a situation in which cyber coverage is implied to be provided to an insured, unbeknownst to the insurer providing the coverage. In other words, silent cyber strikes when a court’s findings are in favor of a policy owner because the policy does not clearly exclude cyber coverage.
Insurance carriers have three options for how to address silent cyber exposure on their policies:
- They can own it by affirmatively providing cyber coverage. Doing this provides an opportunity to market the coverage as a differentiator; however, this isn’t a very common approach. Many companies are providing cyber insurance as stand-alone coverage, not necessarily as coverable under another line of insurance.
- They can stay silent. Silence is what you may call the status quo when it comes to silent cyber. Many companies choose not to affirmatively come out and say their policy is meant to provide coverage for cyber-related exposure, but in not making the language certain, they don’t deny it either.
- They can note a clear exclusion for cyber in their policies. This is something more and more insurance companies are doing today. In doing so, they use language that makes it clear they will not cover cyber through a particular program.
These three options seem straightforward enough—but of course, nothing in insurance is without its complexities. For instance, you may have written thousands of policies 10-15 years ago that renew each year—but the language may not have ever been updated to meet your current policy wording. Some carriers are simply unaware of this, while others are hesitant to risk frustrating brokers and customers with a change in policy wording and having them seek out another insurance carrier.
These silent cyber situations come up in a number of insurance coverage areas:
- Property and/or commercial general liability coverages may cover damage to property as a result of storms, natural disasters, or acts of God. But many insureds believe cyber events should be covered, too, if a cyber event leads to property damage (or a third party’s property damage) or bodily injury. This extends to coverage as it relates to a supply chain incident.
- Commercial crime or fidelity insurance often covers situations where banks and enterprises unknowingly make financial transfers as a result of fraud. Either the location to which the funds are being transferred is not correct or the instructions themselves are fraudulent, and oftentimes both. This type of fraud is often perpetrated by a hacker who gains access to or impersonates the email authorization of a CEO or another executive in the organization, which the hacker then uses to request the transfer. Traditionally, stand-alone cyber insurance policies don’t intend to cover this kind of situation (though some are beginning to). And while some commercial crime or fidelity insurance policies don’t intend to cover it either, they may find themselves in a silent cyber situation where, ultimately, they must.
3 Critical Takeaways Regarding Silent Cyber
#1: Be aware that ambiguity regarding cyber coverage could trigger silent cyber when you least expect it. It’s ideal to be explicit about your coverage. This means spelling out an exclusion or an affirmation; don’t stay quiet about it. The lack of clarity makes things far more difficult for your customers and for the brokers trying to place the business.
#2: Have conversations across the organization if you’re a multiline carrier. As a cyber insurance underwriter, you probably don’t know enough about what your colleagues in property or general liability are underwriting—and vice versa. We strongly suggest holding internal meetings in order to learn from one another. You can get a better understanding of each other’s policies and coverages, identify where coverage gaps are, and use that information to better educate your customers on what they’re buying from you.
#3: Finally, use BitSight Security Ratings and BitSight Discover as the common language to unify your organization. The BitSight platform is extremely valuable in helping you understand what your applicants’ cyber capabilities are, which makes your underwriting and portfolio risk management process smarter, faster, and less risky. Request a demo to discover a better way to manage them both.