Lloyd’s Moves to Address Silent Cyber Risk

Mandating that all non-affirmative policies provide clarity regarding cyber coverage
By Rob Boyce

We highlighted Willis Towers Watson’s 2018 Silent Cyber Risk Outlook, which showed that concerns about silent cyber, or non-affirmative cyber risk—“potential cyber-related losses due to silent coverage under insurance policies not specifically designed to cover cyber risk”—were industry-wide. Again in November, we featured a Leader’s Edge interview with Prashant Pai, vice president of cyber offerings at Verisk, in which he discussed how Verisk was planning to partner with Capsicum Re in order to better model the unique threat.

Now Lloyd’s of London, the specialist insurance and reinsurance market, is also taking steps to mitigate silent cyber. According to a recent Lloyd’s market bulletin, “Lloyd’s is mandating that all non-affirmative policies provide clarity regarding cyber coverage by either excluding or providing affirmative coverage.” Here, Lloyd’s defines cyber risk as “any risk where the losses are cyber-related, arising from either malicious (e.g., cyberattack, infection of an IT system with malicious code) or non-malicious acts (e.g., loss of data, accidental acts or omissions) involving either tangible or intangible assets.” Non-affirmative policies is defined as policies “where no [cyber] exclusion exists and there is no express grant of cyber coverage.”

This mandate follows guidance from the Prudential Regulation Authority (PRA), the UK’s financial services watchdog. The PRA wrote to insurers in January 2019 regarding the results of their follow-up survey of insurance firms under their purview and industry associations about silent cyber.  Survey results showed there were “areas where firms can do more to ensure the prudent management of cyber risk exposures,” and the PRA made clear that it expected insurers to have action plans targeted at reducing the exposure caused by non-affirmative cyber coverage.

Lloyd’s will require that all first-party property damage policies written on or after January 1, 2020, conform to the new mandate. Additionally, for liability lines and treaty reinsurance, the requirements will come into effect during 2020/2021.

Rob Boyce Director, Market Intelligence & Insights Read More

More in P&C

Don't Make Dangerous Decisions
P&C Don't Make Dangerous Decisions
Knowing what to look for when developing your internal cyber-security reporting ...
P&C Swiss Re Identifies Large Nat Cat Insurance Gap
While man-made disasters are largely covered, the gap between natural catastroph...
The Impact of “California’s GDPR” from Cyber Insurance Industry Perspective
P&C The Impact of “California’s GDPR” from Cyber Insurance Industry Perspective
We found two key takeaways to help brokers better prepare for the new year.
Silent No More
P&C Silent No More
Cyber claims made under traditional P&C policies that may be silent on the subje...
Warring Factions
P&C Warring Factions
Citing war and terrorism exclusions for cyber claims could g...
Trade Credit Digital Market
P&C Trade Credit Digital Market
Trade credit insurance is seeing growth via an online market...