Do you have a cyber insurance policy? Many businesses don’t, believing that coverage offered under their existing insurance will suffice. But if you’re relying on such policies, be careful! Many insurers want to reduce their so-called “silent cyber” liability as policies renew. You don’t want to find yourself caught in a coverage gap.
What Is Silent Cyber?
Silent Cyber refers to potential cyber exposures lurking within traditional insurance policies such as general liability or property insurance. These policies typically don’t include specific language concerning cyber events, but do have language that may be interpreted to cover such risks in certain circumstances. Clarifying the “fuzzy” language that causes confusion over whether cyber events are or aren’t covered means that carriers are no longer liable for losses that where neither anticipated nor reflected in premium amounts.
What’s Driving the Trend to Eliminate the Silent Cyber Threat?
Silent cyber risk isn’t new, so what’s changed? Well, after 2020’s unanticipated costs – both in terms of claims paid and operating expenses – many carriers are reviewing their risk profiles. A general hardening of the insurance market also plays a role. Still, there are a number of factors specifically driving cyber coverage concerns.
The Internet of Things
Look around that the items you use every day. Chances are many of them could legitimately be called computers. As networked technology becomes enmeshed with everything from cars to thermostats, the line between “information system” and “property” becomes increasingly blurry.
IoT devices are vulnerable to many of the same threats as traditional information systems. This means a rapidly-expanding pool of potential risks. Additionally, even the most basic cybersecurity measures – such as passwords – haven’t always been used by consumers who don’t yet see such devices as IT.
Rising Cyber Crime Costs
A second factor changing insurers’ risk appetites is the increase in both the frequency and costs of cyberattacks. This is particularly true when it comes to ransomware. While “old-school” ransomware just scrambled your data, criminals now often copy data before encrypting it. Additionally, ransomware often turns off backups. This action makes restoration difficult, increasing the likelihood of a payoff.
At the same time, the “cost of entry” for cybercrime continues to fall. Ready-to-use packets of malware are available online for as little as $50 and require minimal skill to deploy. This makes attacks on small to medium-sized companies, which often have fewer defenses, a profitable endeavor.
Increased Awareness of Cybersecurity
Another factor driving the reconsideration of cyber coverage is an increased awareness of the current threat landscape. In part, this is due to an increased emphasis on cybersecurity and data privacy by regulators. 2020 saw South Carolina, New Hampshire, Alabama, Connecticut, Mississippi, and Delaware roll out phases of their data security regulations. Additionally, Indiana, Virginia, and Louisiana adopted their own variations of the NAIC Model Law.
In 2021, Virginia joined California in enacting a Consumer Data Protection Act. More states seem likely to follow, and a federal bill has been reintroduced in Congress. Combine this regulatory environment with a number of high-profile breaches including the Microsoft Exchange hack and the massive SolarWinds event, and it’s little surprise that insurers are wary!
Maturing Cyber Insurance Market
While this fact might seem likely to ease underwriters’ fears, in some ways it’s doing the opposite. Cyber liability coverage is no longer an outlier placed solely in the non-admitted market. With more policies being written, analysts now have hard numbers to work with concerning losses. Furthermore, challenges resulting from imprecise language and overly generous underwriting in some early cyber policies have increased awareness of the need for clarity throughout the market.
What You Can Do to Close the Silent Cyber Gap
If you fear that your company may be vulnerable to cyber risks, either operationally or financially, there are steps you can take to shore up your defenses. These steps aren’t (necessarily) as straightforward as they sound, but they are vital for the ongoing viability of your business.
- Read your current insurance policies and ask questions. This should be a no-brainer for insurance professionals, but there’s an old saying about the cobbler’s children running barefoot. Don’t make assumptions about your coverage based on past claims.
- Implement a robust cybersecurity program. Even if your insurance business doesn’t do business in a state that’s adopted a data security regulation, consider developing an Information Security Program. As my colleague, Russ Foster, likes to say, the costs of a breach can greatly exceed the amount you could have invested to protect yourself!
- Consider a stand-alone cyber policy. I know times are tight financially for a lot of businesses, and underwriting for cyber insurance is becoming tighter. Nevertheless, what price do you put on having peace of mind about what your insurance does and doesn’t cover? At a minimum, consider a stand-alone policy to cover some of the costs if you’re the victim of a ransomware attack.
For More Information on Silent Cyber and Cyber Liability Insurance
- What Is Cyber Liability Insurance? By Elaine Nance
- Spot On Insurance Podcast, Ep. 185: Cowbell Cyber – Determining Your Insurable Threat With AI, featuring Caroline Thompson
- Cyber Liability, Session 1 & Session 2, featuring WSIA’s Emerging Issues & Innovations Committee