The “Silent Cyber” Risk – Silence is not always golden


Silent cyber describes a “silent”, or so-called non-affirmative, cyber risk. This means that coverage for damage resulting from a cyber attack is neither explicitly included nor explicitly excluded in insurance policies. So there is silence about it. This can be problematic in the event of a claim.

In recent years, interest in cyber insurance has increased. According to the GDV, small and medium-sized enterprises are increasingly protecting themselves against threats from the Internet. In 2020, as many as 35 percent of small companies (€2-10 million in sales) and 43 percent of medium-sized companies (€10-50 million in sales) said they already had cyber insurance or were planning to take out such insurance.

Conversely, however, this means that most companies have not yet recognized the benefits of cyber insurance. Yet cyber-attacks are now the biggest global business risk (according to the Allianz Risk Barometer).

Currently, many companies rely on conventional property and liability policies, which sometimes cover cyber damage. However, if these losses are not specifically included or excluded, the “silent cyber” risk exists.

In a study by rating agency Assekurata, 74 percent of cyber insurance providers surveyed said that conventional property and liability coverages include significant Silent Cyber risk (Study: “The big cyber wave is yet to come!”, 2019).

Specific risks of “Silent Cyber”

What are the consequences if cyber risks are not considered, or are insufficiently considered, in a policy, i.e., are “silent” risks? In the event of damage due to a cyber attack, it is then not clear to what extent these losses are covered, or whether they are covered at all.

“Silent cyber” risk affects both insurers and insureds. For example, Marsh, an international industrial insurance brokerage and risk consulting firm, explains that insurance companies with non-affirmative policy wording expose themselves to increased risk. This is because by not considering potential cyber risks, they are not calculating the increased risk to their insureds, nor are they evaluating the potential aggregation of risk in their own portfolios.

Insureds also face increased risk because many conventional property and liability policies do not cover losses incurred as a result of a cyber attack. However, for insureds to recognize this increased risk, it should be explicitly stated. Otherwise, some insureds may believe they have adequate coverage for cyber risks when they do not.

In addition, non-affirmative wording can be interpreted differently by insurance companies. This can lead to litigation in the event of a claim.

How can misunderstandings be prevented?

For insureds, it is advisable to check whether cyber damage is explicitly considered and covered in their existing property and liability policies. If this is not the case, it is advisable to close the gap, for example with an additional, individual cyber insurance policy that, in addition to financial damage coverage, also offers useful additional services such as 24/7 emergency assistance or preventive education and training measures. After all, these measures help to contain cyberattacks or, in the best case, avert them altogether – and the best losses are always those that do not occur in the first place.

What the Perseus expert says

Milan Jarosch, Senior Channel Sales Manager and mainly responsible for insurance brokers, comments:

“The topic of silent cyber is mainly an insurer topic, since there are potential risks in the portfolio that cannot (yet) be estimated or validly calculated, and which are not reflected in the premium.

For the customer, this is basically positive for the time being, since in case of doubt they enjoy insurance protection for something they usually know nothing about and for which they are not paying. This is only negative if a customer believes that he has ‘taken out’ cyber insurance with his property/liability policy. Then, of course, there could be a rude awakening, as the coverage contents of the common cyber insurance policies (often far) exceed the coverage in this area. In practice, however, this is more of a theoretical scenario, as in most cases customers have been appropriately informed by their servicing broker and should therefore be aware of the coverage gap in the cyber area.”