By Loretta Worters, Vice President, Media Relations, Triple-I
Despite the prevalence of cyber threats and the increasing number and severity of incidents, directors, officers, and C-suite executives remain too much in the dark when it comes to cyber risk and insurance, as Risk & Insurance writer Alex Wright describes in this month’s cover story, “Vigilance Demanded.”
While specific policies are available to cover the risk, many policyholders still expect to be covered under their property and liability policies — but are not. Risk & Insurance, an affiliate of the Institutes and the Triple-I’s sister organization, notes that commercial insurance policies still suffer from a lack of clarity regarding damage from cybercrimes.
Confusion around coverage can lead policyholders to experience unexpected coverage gaps.
“In a best-case scenario, a cyber incident may trigger coverage under multiple insurance policies and increase the available total limit to respond to a covered event,” said Adam Lantrip, CAC Specialty’s cyber practice leader. “In a more common scenario, multiple insurance policies may be triggered but not coordinate with one another, and the policyholder spends more on legal fees than the cost of having purchased standalone cyber insurance in the first place.”
Of particular concern to insurers is silent – or “non-affirmative” – cyber risk, in which potential cyber-related events or losses are not expressly covered or excluded within traditional policies. In such cases, insurers can end up having to pay unexpected claims for which the policies weren’t adequately priced.
“Cyber risk is present in just about every insurance policy now,” said Tracie Grella, AIG’s global head of cyber insurance. “But because it hasn’t been factored into the underwriting of standard policies such as property, or properly identified, assessed, priced for and put into the aggregation model, it presents a huge systemic risk that can’t simply be ignored.”
Silent cyber first manifested in the WannaCry, Petya and NotPetya cyber-attacks of 2017, which devastated everything from shipping ports and supermarkets to advertising agencies and law firms, the article explains. The resulting losses from the encryption of master files and subsequent Bitcoin ransom demands for restoring access were the costliest on record, surpassing $3 billion.
Underwriters, brokers, and policyholders need to understand how ever-evolving risks and legal frameworks will affect their policies. They also need to keep themselves apprised of the scale of the problem and understand the most common misconceptions and coverage disputes around silent cyber.