Silent cyber describes a “silent”, or so-called non-affirmative, cyber risk. This means that coverage for damage incurred as a result of a cyber attack is neither explicitly included in nor explicitly excluded from an insurance policy. The policy is silent on the matter, which can be problematic in the event of damage.
In recent years, there has been an increase in interest in cyber insurance. According to the GDV, small and medium-sized enterprises are increasingly protecting themselves against threats from the Internet. In 2020, 35 percent of small companies (€2-10 million in sales) and 43 percent of medium-sized companies (€10-50 million in sales) said they already had cyber insurance or were planning to take it out.
Conversely, however, this means that most companies have not yet recognized the benefits of cyber insurance. Cyber attacks now represent the greatest global business risk (according to the Allianz Risk Barometer).
Currently, many companies rely on conventional property and liability policies, which sometimes also cover cyber damage. However, if these damages are not expressly included or excluded, the “silent cyber” risk exists.
In a study by the rating agency Assekurata, 74 percent of the cyber insurance providers surveyed stated that conventional property and liability covers involve a significant “silent cyber” risk (study: “The big cyber wave is still coming!”, 2019).
Concrete risks of “Silent Cyber”
What are the consequences if cyber risks are not, or only insufficiently, taken into account in a policy, i.e. are “silent” risks? If damage then results from a cyberattack, it is not clear to what extent that damage is covered, or whether it is covered at all.
The “silent cyber” risk affects both insurance companies and insured persons. For example, Marsh, an international industrial insurance brokerage and risk consulting firm, explains that insurance companies with non-affirmative policy wording expose themselves to increased risk. This is because an insurer that fails to take potential cyber risks into account neither calculates the increased risk of the insured nor assesses the potential risk aggregation in its own portfolio.
The insured also bear an increased risk, as many conventional property and liability policies do not cover damage incurred as a result of a cyberattack. However, for the insured to recognize this increased risk, it should be stated explicitly. Otherwise, some policyholders believe they have adequate coverage for cyber risks when they don’t.
In addition, non-affirmative formulations can be interpreted differently by insurance companies. In the event of damage, this can lead to legal disputes.
How can misunderstandings be prevented?
It is advisable for policyholders to check whether cyber losses are explicitly considered and covered in their existing property and liability policies. If this is not the case, it is advisable to add this coverage afterwards, for example with additional, individual cyber insurance that, in addition to financial damage coverage, also offers useful additional services such as 24/7 emergency assistance or preventive education and training measures. After all, these measures help to contain cyber attacks or, in the best case, avert them altogether, and the best damage is always the damage that does not occur in the first place.
What the Perseus expert says
Milan Jarosch, Senior Channel Sales Manager and mainly responsible for insurance brokers, says:
“The topic of silent cyber is mainly an insurer issue, as there are potential risks in the portfolio that on the one hand cannot (yet) be assessed or validly calculated and, on the other hand, are not reflected in the premium.
For the customers, this is basically positive at first, because in case of doubt they enjoy insurance cover for something they usually don’t know about and for which they don’t pay. This is only negative if a customer believes that he has ‘taken out’ cyber insurance with his property/liability policy. Then, of course, there could be a rude awakening, as the coverage contents of the common cyber insurance policies go (often far) beyond the coverage in this area. In practice, however, this is more of a theoretical scenario, as in most cases the customers have been informed accordingly by their supervising broker and should therefore be aware of the coverage gap in the cyber sector.”