It may be called “silent cyber,” but the topic is generating a lot of noise in the commercial insurance sector.
What is silent cyber?
Silent or “non-affirmative” cyber refers to potential cyber-related insurance losses arising from insurance policies that weren’t specifically designed to cover cyber risks. The policies don’t explicitly include or exclude cyber risk, which creates ambiguity and can leave coverage open to interpretation. A standalone cyber insurance policy, on the other hand, clearly outlines what is covered (aka affirmative coverage), such as privacy, business interruption and extortion coverage, to name a few.
Why is silent cyber a rising concern?
While silent cyber isn’t a new concept, it’s getting more attention with the rise of cybercrime and the cost of attacks. Simply put, businesses can’t afford to have inadequate or ambiguous cyber protection.
According to the 2019 “Cost of Cybercrime” study by Accenture and the Ponemon Institute, the average cost of cybercrime to a Canadian company was $12.1 million in 2018.1 Globally, six in seven companies (85%) experienced phishing and social engineering cyber attacks in 2018, and three-quarters (76%) suffered web-based attacks. Cybersecurity Ventures projects that the global cost of cybercrime will hit $6 trillion by 2021, up from $3 trillion in 2015.2
Furthermore, PwC’s latest Global Economic Crime and Fraud Survey found that cybercrime features in the top three most disruptive crimes experienced in almost all industries reported in the survey.3
“Within the last 10 years, we’ve seen a massive upsurge of cyber events and losses,” says Al Recio, Regional Manager, Technology & Cyber, Quebec & Atlantic Canada, at Sovereign Insurance. “In the beginning, attacks centered on obtaining personal information on a company’s client database. Now, the attacks are more sophisticated and create major disruptions and economic issues for businesses as well as other sectors within our community. We all need to understand what’s on the horizon and how we can mitigate these issues that may arise from cyber events.”
As the frequency, scale and cost of attacks continue to rise, so too does the concern around silent cyber. It’s more important than ever that policyholders understand their coverage so they’re not stuck in a position of believing they have adequate coverage when in reality, they may not. A stand-alone cyber policy helps ensure that they reduce possible gaps in protection.
Are there regulations around silent cyber?
The U.K. was the first major market to take a tough stand on silent cyber. Last year, the Prudential Regulation Authority (part of the Bank of England) called on Lloyd’s of London and the wider insurance sector to ensure the management of affirmative and non-affirmative cyber risk exposures. Following that, Lloyd’s announced that it’s mandating that all non-affirmative policies provide clarity regarding cyber coverage by either excluding or providing affirmative coverage.
“A mandate like Lloyd’s is beneficial to clients because it puts an end to the ambiguity and uncertainty regarding what’s covered and what’s not,” says Al. “As an industry, we need to do more to be clear and have affirmative language with regards to cyber risks. Within the last 6 months, we are now experiencing a market trend where certain insurers are placing cyber related exclusions on their non-cyber policy forms.”
Similarly, on the policyholder side, global ratings agency A.M. Best announced it “expects companies to be proactive and forthcoming with their own evaluation and measurement of the exposure and accumulation of their cyber liability exposure.”4
While regulations in Canada have yet to be tabled, insurers, including Sovereign Insurance, are reviewing how coverages can be placed through all policies—not just dedicated cyber policies.
What can an insurance company do to prevent potential gaps in coverage?
Both brokers and commercial property underwriters need to become more aware of the issues relating to cyber events. That starts with detailed risk assessments to clearly understand the specific cyber vulnerabilities of an organization.
For example, an industrial plant might be aware of its risk of a boiler explosion, but this type of event could also happen in a cyber-attack. A plant could be targeted by a cyber virus that disables the critical safety control systems relating to a boiler’s operational procedure, exposing the plant to a possible explosion. This could result in a major disruption in the plant’s daily operations – not to mention a serious public safety risk.
“The cost of the disruption will play heavily on the economic outlook for the plant,” says Al. “The property damage and the business interruption loss will be costly. A property underwriter may not contemplate the additional cyber exposures relating to this risk.”
Education is a key factor for all brokers and underwriters, whether they specialize in property liability, or other risks ranging from D&O, crime, environmental and other commercial divisions.
“There should be communication between the various departments and the cyber specialist, so underwriters are aware of these new exposures that were not common in the past,” says Al. “For brokers, education is the primary goal. They need to understand where the coverages lie as it relates to cyber and ensure clients are adequately protected.”
As cyber risks continue to rise, so too does the need for explicit coverage. Stand-alone cyber policies help reduce possible gaps in protection. If you’re unsure as to whether your operations are fully covered, contact your broker today.
1The Ninth Annual Cost of Cybercrime Study 2019 by Accenture and Ponemon Institute
22020 Official Annual Cybercrime Report by Cybersecurity Ventures, sponsored by Herjavec Group
3PWC’s Global Economic Crime and Fraud Survey 2020
4Moorcraft, B. (2018, November 26). What is silent cyber risk? Retrieved May 19, 2020,