Johannesburg, 13 Dec 2023
As businesses become increasingly dependent on technology and digitised data to operate, cyber risk becomes a bigger threat to companies, regardless of size, industry or sector. When it comes to making informed decisions for your company around managing cyber risk, it is important to first understand some of the gaps that exist in some policies – in both traditional and cyber insurances.
Most traditional property and casualty insurance policies were designed to cover liability and costs arising from physical harm to persons or tangible property (eg, belongings). “Over the past two decades, as these insurance policies began to state that data is not tangible property, a coverage gap was created. Cyber insurance arose partially to fill that gap and, over time, cyber insurance has evolved to cover a broad spectrum of costs and liabilities arising from a cyber event,” says Spiros Fatouros, CEO of Marsh McLennan Africa. However, cyber insurance does not directly cover the value of tangible or intangible property (ie, the value of data and digital assets), and thus it only covers a fraction of the total potential impact from a cyber event.
Where an insurance policy does not expressly include cyber events as triggers for loss, or where it does not explicitly exclude it, there is an unknown or unidentified level of cyber exposure, otherwise known as ‘silent cyber risk’. This type of risk can lead to uncertainty for both the insurer and insured around payment of claims caused by cyber events.
From an insurer’s perspective, claims stemming from cyber events, which have been neither underwritten nor charged for, create unmeasured exposure within insurer portfolios. Insurance regulators have tasked insurers to identify, quantify and manage their cyber exposure, and to thereby remove the ’silence’ across all non-cyber policy lines. As insurers have acted swiftly to comply with regulatory demands, they continue to struggle with how to do this in a way that creates coverage certainty under both standalone cyber insurance as well as non-cyber policies.
This press release presents some key cyber insurance coverage gap considerations for your executives to consider and address.
Cyber risk: Why it is an issue
Businesses continue to grapple with the growing challenges of cyber risk. Two key concerns include:
- Control of operational systems: many business assets are now remotely connected and operated, and therefore potentially vulnerable to an attack from criminals who seek to damage and disrupt physical assets and connected systems remotely.
- Supply chain: cyber-attacks have moved beyond data breaches to sophisticated schemes designed to disrupt businesses and supply chains – if one of your suppliers cannot deliver because they have suffered an outage due to a cyber-attack, you need to consider the impact this could have on your business. This concept can apply to both digital and physical supply chains.
Options for managing cyber risk
When seeking to understand and manage the new coverage gaps that have emerged, it is advisable to examine the exclusions listed under non-cyber policies. Where these exclusions limit or fully remove cover, your options may include:
- Resisting the attachment of a cyber exclusion where possible. You could negotiate to include cover for cyber-triggered events under your traditional insurance policy, although this option is increasingly unlikely because these exclusions have become standard across most lines of insurance.
- Revise the wording of the exclusion to make it less onerous for the underlying coverage. In combined general liability policies, it is often possible to obtain a write-back of bodily injury or property damage claims that ensue from a cyber event.
- Replace the insurer with another insurer that is offering a less restrictive exclusion. For certain property exposures, consider the purchase of a standalone cyber property damage policy to fill the cover gap (eg, for property damage) created by the cyber exclusion under the property insurance policy. Cyber property damage policies can also be combined with traditional cyber coverage to round out the cyber programme to include coverage for non-physical cyber impacts. Ultimately, the decision around which of these options to pursue should be reviewed in line with your organisation’s overall risk tolerance and profile.
Standalone cyber-physical damage cover – initial considerations for businesses
If your company is considering a standalone cyber-physical damage policy as an option to fill the insurance gap, it is important to first examine the policy and understand the implications before committing to the purchase. Cyber-physical damage policies are a blended product that provide affirmative cover for non-physical losses incurred to respond to a cyber event, as well as ripple effects from the cyber event that result in tangible loss (ie, property damage or bodily harm).
- First and foremost, it is important to be aware of the industry or sector in which your company operates, as this can determine an insurer’s capacity to cover all of your risk. For example, even though the cyber-physical damage market has grown in recent years, it is still in early stages of development and is gathering traction amongst a narrow range of insurers. In terms of cyber property damage, Marsh estimates that while there is approximately $500 million of global capacity for any one insured, there is only an ability to build individual policies of up to $250 million with confidence.
- Consider your deductibles. Cyber-physical policies are designed to cover the gap that emerges from cyber-specific exclusions on a property policy. For this reason, clients often elect to have deductibles that directly mirror the property policy, although alternative options may be available.
- Understand the limits that may apply. For example, cyber-physical damage cover can be purchased either as a standalone program or in conjunction with a traditional cyber policy. Generally, unless requested or otherwise, a limit for cyber property damage would be provided on an each and every occurrence basis, without an aggregate cap.
Be prepared to support your insurance application by supplying additional underwriting materials such as:
- Property asset schedule;
- Business interruption calculation (if you require cover);
- Detail around which site/location has the highest accumulation of assets and the likely maximum foreseeable loss at this location; and
- Copy of the property insurance policy to establish the level of cyber exclusion that applies.
While insurers have taken steps to clarify coverage parameters, the broad exclusions favoured in many traditional property and casualty policies have ignored the essential role of technology in businesses. Although there are options for addressing cyber property damage risk, these solutions may not be suitable for all businesses in every instance.
“By taking proactive steps to address cyber risk, companies can protect themselves from the potential financial and operational consequences of cyber events,” concludes Fatouros.