Silent No More
In the aftermath of major cyber attacks like NotPetya, policyholders have filed claims under property and liability insurance policies that remained silent on whether coverage included cyber attacks.
These so-called non-affirmative policies have become big news across the global insurance industry as “silent cyber” exposures have been revealed. In effect, such policies neither confirm nor deny that coverage is available to address property damage and business interruption losses caused by a cyber attack, thus leaving the matter open to interpretation.
Now the issue has landed in the courts and in the line of sight of regulators. If insureds lose their fight, will brokers be their next target? And as insurers start peeling back the onion on their cyber exposure, will the market respond effectively in the future to cover this massive and constantly changing risk?
NotPetya, which struck in 2017 and became the most devastating cyber attack in history, was a virus embedded into a Ukrainian tax-software program. The virus reportedly shut down 10% of the country’s computers and vital infrastructure. The contagion then spread to networks worldwide, infecting more than 2,000 companies in 65 countries, among them shipping company Maersk and FedEx, each reporting $300 million in related losses.
Assuming more frequent and severe cyber attacks, insurers and reinsurers could be on the hook for billions of dollars in claims that no company anticipated.
“Without statistics on these settlements, we can’t say for sure how much the industry has paid out in cyber claims on non-affirmative policies, but we do know that claims have been paid,” says Philip Edmundson, founder and CEO of Corvus Insurance, which describes itself as a broker-friendly insurtech managing general agent.
Those claim payments may be a problem for other insurers that have sold non-affirmative policies and have no intention of covering cyber risks. If insureds file claims against these insurers, some industry parties believe, the insurers will point out that a variety of stand-alone cyber insurance policies addressing first-party and third-party losses from cyber attacks have been available since the 1990s, and that the companies simply neglected to buy coverage.
Some insureds have filed claims for cyber attacks against more than one policy, Edmundson notes, resulting in what insurers call “clash claims”—situations where both a non-affirmative property and liability policy and a separate, stand-alone cyber insurance policy respond to the same cause of loss. “There are just so many uncertainties right now,” he says. “And that causes trepidation.”
Affirmative Cyber Exclusions
Complicating the claims scenario for insureds—and by extension their insurance brokers—is that several insurers have denied claims for cyber losses in all-risks property and liability policies that actually had affirmative protections for cyber exposures.
A case in point is the large claim (a reported $100 million) filed by Mondelez International with Zurich Insurance for losses attributed to the NotPetya cyber attack. The insurer denied the claim based on the policy’s war and terrorism exclusion, maintaining that NotPetya was an act of war by Russian-backed operatives. Russia has formally denied any responsibility for the cyber attack. Mondelez, a U.S. maker of snack foods like Oreo cookies, subsequently sued Zurich for breach of contract. (See our digital short “Warring Factions” for more on this suit.)
Pharmaceutical giant Merck also has filed lawsuits against more than 20 insurers that rejected its claims related to NotPetya on affirmative policies, several of which cited the war exemption in their reasoning. Undoubtedly, this claims treatment sends a confusing message to current and prospective buyers about the value of buying cyber insurance outside the stand-alone market. “The message seems to be that, if the claim is too much money, the insurer will go to court over it,” Edmundson says.
What do these lawsuits mean for holders of non-affirmative policies? Do the exclusions make the difference when it comes to paying claims, or will insurers point to the existence of the stand-alone market as evidence enough that a non-affirmative policy was not intended for cyber claims?
The answer, according to Joshua Motta, CEO of Coalition, a San Francisco firm that offers cyber insurance and risk management for small and midsize businesses, is no. “There is a long precedent across many lines of insurance that coverage is written on an open-peril basis—denying coverage for claims only when there is an explicit exclusion in the policy,” Motta says. “This shouldn’t be any different for cyber claims. Cyber is truly a form of peril and can trigger losses across the entire known spectrum of risk—from supply-chain interruptions to centrifuge explosions, hospital shutdowns and hotel lockouts. While more coverage for these exposures is likely to make its way into the stand-alone cyber market, cyber is a risk that pervades all classes of insurance. If an insurer’s intent is to deny coverage, it should be affirmatively excluded in their policy.”
“It’s a can of worms for insurers with non-affirmative policies,” says Daniel Leahy, an account executive at Miller Insurance Services, which places cyber insurance contracts in the London insurance and reinsurance markets. “The policies don’t address if cyber is a covered peril or not, leaving the matter open to interpretation. If insureds file claims and insurers deny them, companies are likely to sue.”
Whether courts will rule in their favor is anybody’s guess. “There are just too many shades of gray,” says Robert Hartwig, an associate professor of insurance and finance at the University of South Carolina. “No one knows where the axe may fall.”
Are Brokers Next in Line?
If courts rule the non-affirmative policies were not intended to cover losses attributed to cyber attacks, the news is potentially grim for some of these insureds’ insurance brokers. The issue is twofold: whether the brokers explicitly pointed out to insureds the danger of relying on the all-risks policies to address their cyber exposures, and whether they emphasized in words and writing the need to address these perils through the stand-alone cyber insurance market.
“I’m pretty sure that a sophisticated broker that handles many different classes of insurance would strongly recommend to the risk manager of a midsize or larger company the importance of buying stand-alone cyber insurance,” says Luke Foord-Kelcey, international head of cyber for Aon’s Reinsurance Solutions Business. “They’re going to get the right advice.”
Edmundson is less certain. “Brokers face growing E&O pressures if they haven’t got this right and carriers deny claims that insureds believed they had coverage for,” he says. “We’ve seen other instances of litigation between insureds and insurers arising out of pollution and employment practices claims where this initial wave of litigation is followed by a secondary wave against other potentially responsible parties with deep pockets—like brokers.”
Over the past three decades, a few notable cases, in particular, have spurred mass claims against insurers. One was the 1989 grounding of the Exxon Valdez in Alaska, which resulted in stricter enforcement of liability regulations and led to a slew of claims for environmental impairment liability. Another occurred in the early 2000s, when an increase in workplace discrimination lawsuits spurred greater enforcement of civil rights laws governing job hiring, promotions and termination, leading to a jump in employment practices liability claims.
In both cases, insureds filed claims against policies for losses they believed were covered by their insurance. Many claims were denied, spurring litigation that eventually dragged brokers into the disputes for not adequately pointing out contractual nuances that affected the clients’ liability and alternative means of protection. “Brokers have been in this position far too many times before whenever there is coverage ambiguity following a series of large claims,” Hartwig says.
Other industry participants have a slightly different perspective on broker liability. “Certainly, there’s a potential for E&O claims against brokers that have neglected the need for granular conversations with their insureds about stand-alone cyber insurance,” says Daniel Burke, national cyber practice leader at insurance brokerage Woodruff-Sawyer. “But I honestly don’t know many brokers that aren’t offering these coverage options to their accounts. The question is whether the broker was effective in selling it. If not, the client could push back and say they thought they already had cyber insurance via the non-affirmative all-risk policy.”
Brokers also confront E&O risks from all-risks policies that include affirmative cyber coverages. “You’ve got companies like Mondelez and Merck alleging their brokers assured them they had cyber coverage,” Hartwig says. “If the courts rule against them in their breach-of-contract lawsuits, they may go after their brokers next.”
Obviously, silent cyber poses a potential financial crisis for both insurers and brokers. Attorney Daniel Garrie, head of the cyber-security practice at law firm Zeichner Ellman & Krause, says a catastrophic cyber attack causing massive first-party damage claims and third-party business disruption claims will slam into insurers, reinsurers and brokers like a tsunami.
“The idea that you need to have property damage to cover a cyber attack that produces loss is ridiculous,” Garrie says. “Servers, IoT devices, computers, tablets and mobile devices can be turned into the equivalent of bricks via a ‘wiperware’ attack that effectively wipes out hard drives. If they’re inoperable, that is physical damage. If the insurer hasn’t specifically excluded losses from cyber attacks, they’re on shaky ground. The E&O blowback for brokers will likely be insane, given the large number of brokers that are in the market today that do not understand what they’re selling when it comes to cyber.”
“Such a crisis,” he adds, “is imminent.”
Dizzying Cyber Market
Truthfully, it is difficult to imagine that courts will heave the burden of paying for companies’ cyber-related losses onto the backs of insurers and reinsurers. Since the 1990s, the industry has tried its best to insure a dynamically changing risk that has morphed with every new hack. The first stand-alone cyber-risk policies were written in the 1990s, although coverage terms and conditions were narrow and premiums and deductibles veered toward the high side. As newer cyber attacks surfaced, coverages expanded, but the policies containing them became increasingly complicated and voluminous.
“Each passing year in the evolution of the cyber insurance market has been an improvement on the last,” Motta says. “As compared to today, cyber insurance products in the 1990s were a bit like eating soup with a fork. However, because there is little standardization in the cyber insurance market even to this day, there are still carriers offering products and policy language that are well out of date. Buyer beware.”
While he notes the market is growing rapidly, “The lack of standardization and technical nature of the product have also resulted in numerous failures,” Motta says. “Many cyber insurance policies to this day provide only third-party coverage and provide no cover for the growing first-party losses experienced by victims of cyber crime, such as extortion, wire fraud, as well as the many other costs to respond to an incident or breach.” (See sidebar: “A Growing Cyber Insurance Market of Many Colors.”)
Edmundson, however, believes the stand-alone products “gave insurers a degree of confidence that traditional insurance policies could remain silent on cyber risks.”
That complacency withered following the NotPetya disaster. “When claims were filed against the non-affirmative policies,” Edmundson says, “alarm bells sounded in insurer boardrooms, since it was clear the carriers had not reflected these risks in their premium derivations.”
UK Regulators Lead
Regulators are also sounding the alarm. At present, the United Kingdom’s insurance regulator, the Prudential Regulatory Authority (PRA), has taken the strongest stance on silent cyber. In 2018, the PRA surveyed regulated insurers on their cyber exposures to non-affirmative cyber risks. The responses ranged from “between zero and the full limits (of the policies).” The PRA has since demanded the insurers develop an action plan by the end of 2019 to reduce their unintended exposures to non-affirmative cyber losses.
While U.S. state regulators are said to be closely following the PRA’s lead on the matter, ratings agencies like Standard & Poor’s are also taking notice. “We’re paying increasing attention to the possibility of insurer policies paying out potentially huge sums of money for cyber losses they did not anticipate,” says Tracy Dolin, director and insurance sector lead at S&P Global Ratings. “At this point, we’re applying an inquiry-based approach as opposed to incorporating a specific factor [for cyber] in our ratings framework.”
Leahy agrees. “It’s a potential minefield for carriers,” he says. “As per the PRA, several insurers [of non-affirmative policies] are in the thick of performing cyber loss stress tests trying to calculate just how much exposure they may have across their product portfolios.”
But it’s not necessarily just the carriers that should be the regulatory focus. “The role of any regulatory effort must be to create the appropriate conditions and incentives, and conversely penalties, under which businesses are encouraged to exercise a standard of care in protecting their stakeholders—be that employees, customers and other third parties—from cyber crime and data breaches,” Motta says. “Any regulatory effort that bolstered law enforcement’s ability to investigate and enforce violations of the law pertaining to cyber crime would also go a long way to deterring further acts of crime. It is a rare occurrence that justice is served for victims of cyber crime.”
Carriers Adding Clarity
In late April, insurer Axa XL broke the silence on cyber in its all-risks policy. The insurer designed a first-party cyber insurance option for buyers of its premium commercial property insurance policy. The added coverage explicitly absorbs business interruption losses resulting from a cyber attack. John Coletti, the insurer’s chief underwriting officer for cyber and technology, says the coverage offers clarity where presently there is none. “With no physical damage per se, business interruption from a cyber event can be caught in a gray area,” he says.
In other words, it’s time to make all-risks policies black and white—either make it clear that the policies cover first-party and third-party losses attributed to a cyber attack or exclude these perils by pointing the way to the stand-alone cyber insurance market. This is the strong position recently espoused by the PRA on silent cyber in the United Kingdom.
Zurich, which has declined to comment on its current legal case, is another carrier focused on bringing transparency to its policies. By undergoing a global review of its portfolio, Zurich is looking to add clarity of coverage wherever it sees silent cyber potential. And as Lori Bailey, global head of cyber risk, commercial insurance, for Zurich, says, “It’s a journey, and it’s an important one, but I don’t know that it’s ever going to be one that has a finite end either because cyber exposures are going to continue to evolve at such a pace that, even if we get to a place where we think we know what we’re going to do, the risk could change and we need to be constantly tweaking our wording to fit the current state of the market.”
That notion—that cyber risk is undergoing continuous change—underlies Zurich’s approach to its affirmative risk portfolio as well, “because the manifestations of cyber events continue to evolve with the evolution of technology and the increased interconnectedness through IoT devices and sensors,” says Michelle Chia, senior vice president, head of E&O and cyber, specialty products, for Zurich North America. What that means is a lot of collaboration across business lines, she says, “in order to understand where other coverages end and where cyber starts.”
Undoubtedly, many insurers on this side of the Atlantic would be prudent to do the same. “Carriers in the U.S. should follow the lead of the PRA and take a more aggressive approach, but they haven’t,” says Mark Synnott, executive vice president and global head of Willis Re’s cyber practice. “That’s a mistake. Given recent cyber attacks and claims litigation, insurers need to assess their downside exposures and take steps to mitigate them.”
Why Stay Silent?
Why has it taken so long for carriers to realize the inherent danger of remaining silent on a risk that so clearly affects their insureds? Some say it has to do with the fear of losing business. “No one wants to be the first mover to explicitly include cyber, because it will cost more money to the buyer,” Synnott says. “Just like no one wants to move first on specifically excluding cyber and recommending that the insured buy stand-alone cyber insurance, since that, too, costs more money.”
Aon’s Foord-Kelcey notes a similar approach from insureds themselves. “Insureds aren’t clamoring for clarity on the exclusion/inclusion conundrum, thinking they may already have coverage in their property and casualty insurance program and don’t need to buy a cyber policy,” he says. “They think they’re saving money. The flaw is that they’re making an assumption without clarifying explicitly what they’re covered for.”
And perhaps one of the reasons insureds aren’t clamoring for cyber insurance is that they aren’t thinking about the depth and the breadth of the risk.
“I’ve been in this market since the first policies came out…and it was always viewed as a data breach cover,” Zurich’s Bailey explains. Companies that didn’t traditionally consider themselves as having a lot of data—manufacturers, for example—didn’t think they needed cyber cover. And even if they did, she says, they figured their standard policy would pick it up. “But it has evolved so much now that, while data breach is still a really important part of it, because everything is so interconnected now, even if a customer isn’t a direct target of a specific incident, there could be a large indirect effect on the business interruption,” Bailey says. “So that’s where a lot more industries have now taken notice and also said, ‘Maybe my traditional program isn’t sufficient anymore. Maybe I do need a stand-alone product.’”
As the risk continues to evolve, businesses will become increasingly affected by cyber attacks. So how do we underscore the importance of cyber coverage before it happens? Education and mindset may be the keys.
“Businesses need to start by understanding that it is their company that needs defending and not just their network,” Motta, of Coalition, says. “In this day and age, it is a rare business whose core operations are not dependent on technology. A cyber incident can easily trigger losses across multiple lines of insurance—negligence claims against D&Os, product recalls resulting from security vulnerabilities, property damage from the failure of an industrial control system, and so on.”
True and accurate cyber underwriting can also help an organization more clearly see where it is at risk. Some of the more tech-driven cyber insurance companies, like Corvus and Coalition, focus on data-driven underwriting that uses software to scan the digital world for a company’s vulnerabilities, thus presenting a much more accurate and real-time view of risk.
“While they cannot view through firewalls, the scans can assess an organization’s IT security the same way that the bad guys do—looking for out-of-date software, specific threat intelligence, information on sale on the dark web and much more,” notes a Corvus white paper on silent cyber. These tools help uncover an organization’s hidden vulnerabilities in the digital world.
Once a business fully understands its risk and the need for coverage, then it must ensure it is fully covered. True cyber protection is more than risk transfer, Chia says. It’s about risk management as a whole. Adds Bailey, “A lot of the claims that we’ve seen, the loss is dictated by how well they handle it.”
Motta agrees. “While there is a long list of commonplace cyber-security practices organizations should take—such as routine patching, strong passwords, multifactor authentication, and the elimination of remote network access—these practices should be accompanied by a coherent incident response plan and a comprehensive insurance policy to help the business remain resilient.”
Brokers are key to helping their clients through this process, from understanding and recognizing the threat to ensuring they are covered and as protected as possible against cyber attacks.
“I think there’s a real obligation on [brokers’] part to make sure they’re helping their customers identify and really think about this issue,” Bailey says, “helping them really figure out where their specific cyber risk lies, what their existing program looks like, and how a cyber policy may or may not fit into that.”
Some brokers, such as Aon, are also developing reinsurance solutions for carriers that discover their own exposures. “We can help insurers identify and quantify their silent-cyber exposures through wording and threat analyses and then offer protections against these threats through reinsurance,” Foord-Kelcey says. “Our goal here is to end the silence, empowering carriers to either exclude or recognize these exposures, by way of leading to a day where they’ll strategically underwrite cyber risks across all lines of insurance.”
If carriers moved forward in this direction, greater competition would ensue, as traditional all-risks policies specifically reinsured to cover cyber risks would compete against the innumerable cyber policies in the stand-alone market, increasing overall insurance and reinsurance capacity.
With more than 60% of insurers anticipating higher cyber-related losses from NotPetya-like cyber attacks through the remainder of the year, competition would be a good thing.
Capacity aside, brokers who will best serve their clients are the ones who truly understand the risk. As Motta says, “The best way for a broker to ensure they are providing the best cyber insurance product for their clients is to work with carriers that deeply understand the specific cyber risks faced by their clients, that have the personnel with deep backgrounds in cyber security to help a client respond to an incident, and that specialize in protecting clients from cyber risk. As with any craft, there is no substitute for specialization and experience.”
A Cyber Insurance Market of Many Colors
The onus is on brokers to know the contractual distinctions and effectively educate clients about what they are and are not getting.
The first cyber insurance policies in the 1990s were narrowly written contracts providing a modicum of financial protection against third-party hackings. In the early 2000s, newer policies also covered data breaches, albeit with no first-party coverages and a variety of exclusions—like rogue employees. No one blamed the insurance industry for its conservatism at the time, given the paucity of cyber-attack data on hand to effectively evaluate the exposure.
As this data materialized in subsequent years and more companies in every industry suffered cyber losses, the industry’s conservatism gradually dissipated. Today, dozens of insurers offer a wide range of cyber-insurance policies focused on different lines of insurance, classes of business and wide-ranging cyber risks.
Consequently, the market has grown on the order of 25% each year through 2017 and is projected to increase another 33.8% by 2024. “The stand-alone cyber market today is very robust and much more mature than it was even a few years ago,” says Daniel Leahy, account executive at Miller Insurance Services, which places contracts in the London insurance and reinsurance markets. “It’s a mainstream market with 70-something insurers in London alone writing cyber with abundant capacity.”
The challenge for brokers and buyers is the contract wording within the insurers’ cyber policies. “You’ve got something like 70 carriers writing these policies, each with their own contract language and interpretative nuances,” says Daniel Garrie, co-head of the cyber-security practice at law firm Zeichner Ellman & Krause. “Nothing is uniform, making them difficult for brokers to explain and buyers to understand.”
Confusion over what is and is not covered is evident in the annual report by Betterley Risk Consultants on the cyber insurance market, which is based on a survey of 32 insurers offering cyber insurance. As the firm’s most recent 2018 report stated, “The types of coverage offered by cyber-risk insurers vary dramatically. Some offer coverage for a wide range of exposures, while others are more limited. For the insured (or its advisers) looking for proper coverage, choosing the right product can be
Other industry observers agree that the substantial variance in cyber policies complicates what already are complex risks. “There’s no standard policy—no two look exactly alike,” says Tracy Dolin, director and insurance sector lead at S&P Global Ratings. “We see this as a risk with great potential for the insurance industry and are being cautious because of the unknowns.”
With no one-size-fits-all cyber insurance policy, the onus is on brokers to be highly cognizant of the contractual distinctions to effectively educate current and prospective policyholders about what they’re buying and not buying.
Garrie agrees. He claims some brokers need to flatten their learning curves. “My advice to risk managers and other buyers of cyber insurance policies is to require their brokers to put in writing what is specifically covered and not covered in these contracts,” Garrie says.
Other industry observers recommend the value of a collaborative approach by brokers and risk managers in addressing the coverage challenges. “Cyber policies can be very gray and murky—to nobody’s benefit,” says Robert Hartwig, an associate professor of insurance and finance at the University of South Carolina. “To avoid claims disputes in the future, brokers and risk managers need to come together in developing agreed-upon contract language and standards of protection.”
Assuming this occurs, carriers can then compete to offer these policies in full understanding of what they are, in fact, covering.