“There are only two types of companies in the world: those that have been breached and know it and those that have been breached and don’t know it” – Ted Schlein¹

We live in what is called the “Age of Computers” – everything is connected and virtual reality is part of our lives. In the corporate world, it is all about data and how much access you have to it. However, along with this tech reality comes a dangerous environment in which a large amount of data is available, data that, in the wrong hands, can lead to billion-dollar losses and forever-damaged reputations.

The website “Information is Beautiful” gives us an idea of how many large data breaches happened between 2004 and September 2022, and the number of records involved on each incident.² The question that remains is: How can this risk be assessed, and how can it be excluded from ordinary P&C policies?

Cyber Risk

The term “cyber risk” refers to the risk of loss resulting from digital incidents caused by third parties, company’s own employees or external collaborators, and can include theft, compromised integrity and/or damage to information and/or technology assets, internal and external fraud, and business disruption.³ Incidents may impact the confidentiality, the integrity, and the availability of data, and even the proper functioning of the information technology structure, which can be very costly to organizations.

Cyber incidents topped the list of business risks in 2024 for the third year in a row, according to the most recent Allianz Risk Barometer.⁴ The report shows that concern about this type of risk has grown considerably over the years and should keep companies engaged in continuously investing to strengthen their cyber controls for the years ahead.

Cyber Coverage

While insurance for certain technological and computational errors and omissions has been on offer since the late 1980s, the standalone cyber insurance product is a relatively new addition to brokers’ and insurers’ portfolios.⁵ It is gaining pace within some jurisdictions even though it still involves low limits for most of the players. An analysis of the market shows that cyber insurance coverage can exist in three forms:

1. a standalone policy that covers cyber risks
2. an endorsement to an existing policy offering cyber coverage
3. coverage provided by a traditional policy in a non explicit way due to the lack of any exclusion of this type of risk

The two first situations are normal cyber protections offered by the market. The last one reflects what we call “silent cyber exposure” or “non-affirmative cyber exposure”, which is the focus of the present article.

In P&C we normally differentiate coverage between “first party”, which refers to policies usually associated with property risks, and “third party”, which refers to policies usually associated with liability risks. When it comes to a specific cyber coverage, the particularity is that the coverage offered by the product includes both, namely first- and third-party cover. First-party coverage tends to indemnify the insured for its own damage suffered by reason of the breach, such as data destruction, extortion, theft, system repairs, etc. On the other hand, third-party coverage refers to damage suffered by third parties because of a breach.

So, What is Silent Cyber?

Silent cyber exposure also known as “non affirmative cyber” exposure occurs when coverage for a cyber event is not explicitly excluded by an insurance policy and/or the exclusion is not clear enough, thus making gaps in the effectiveness of exclusions a real problem to insurance companies. Several companies have seen quite interesting cases lately involving this topic. Non-cyber lines generally exclude cyber as a trigger of peril and cyber policies normally exclude bodily injury and physical property damage losses.

To illustrate with a claim example arising from silent cyber exposure, we can go back to June 2017, when the market was affected by the NotPetya malware,⁶ referred to the “most devastating cyberattacks since the invention of the Internet” and which cost more than USD 10 billion in total damages⁷. Companies that were affected by the attack included:

• Merck (damages estimated at USD 870 million)
• FedEx (damages estimated at USD 400 million)
• Maersk (damages estimated at USD 300 million)⁸

Another company that suffered from the NotPetya attack was Mondelez, known for its Oreo cookies and Cadbury chocolates. NotPetya malware infected two of its servers, affecting a significant portion of the company’s global Windows-based applications as well as sales, distribution, and financial networks across the company.⁹

The Mondelez example shows how much silent cyber can cost companies; the attack led to losses of around USD 100 million. They tried to recover under an all-risk property insurance policy as the policy coverage included:

“physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction… (and) Actual loss sustained and extra expenses incurred by the insured during the period of the interruption resulting from the failure of the Insured’s electronic data processing equipment or media to operate”.¹⁰

Coverage specifically included physical loss or damage to electronic data, program, or software caused by the malicious introduction of a machine code or instruction.

Nevertheless, the insurer determined at the time that the claim would be denied under the policy based on an exclusion they had limiting indemnification in cases of damages resulting directly or indirectly from a

“hostile or warlike action… by any government or sovereign power”.

Discussions ensued about the nature of the NotPetya attack and if it was “warlike” or “comparable to an act of war”. The debate over this issue cost the insurance company (and consequently reinsurers) a very significant amount in expenses and the matter was ultimately resolved via a negotiated agreement, which was kept confidential and closed the case.

In summary, the NotPetya occurrence left the whole market realizing that the war exclusions included in most policies were not fit for purpose as the reality was they had not contemplated at the time they were drafted using such exclusions in the context of data breaches and attacks. The fallout from NotPetya left insurers and reinsurers rethinking and reviewing in detail their policy terms and conditions to avoid such a situation happening again.

The Importance of Contract Certainty

Even if you are not a lawyer, you will probably have heard at some point the Latin expression pacta sunt servanda, which means the contract makes law between the parties or simply contracts need to be respected. This principle was probably consolidated during the Middle Ages and was incorporated into legislation throughout the world. As with all principles, it has its exceptions, but having conditions clearly written is a first step to avoiding future disputes.

When it comes to insurance and reinsurance, it is crucial to carefully review terms and conditions to ensure they keep up with changing times and to ensure they reflect the common intention of the parties to the agreement. A clause that is not well written or a condition or exclusion that is unclear or ambiguous may lead to a lack of clarity and misinterpretation and may generate extra unnecessary costs. To avoid misinterpretation and debate, a well-considered and well-written cyber exclusion is the first step for success.

Cyber Exposure – How to Avoid a Non-Desired Breach

It is becoming increasingly clear that contract clauses designed to exclude losses resulting from “cyber as a peril” are not as robust as once thought. As these clauses continue to be tested in the courts, there is growing concern about their validity and questions are being raised by the market on the reasonableness of their use.¹¹

A first step that may help mitigate silent cyber exposure is to perform an internal analysis of policies and contracts to check for the cyber coverage position. More specifically, the analysis would assess whether cyber exposure is being adequately addressed and whether it is included (via affirmative inclusion) or excluded (via affirmative exclusion). Silent cyber exclusions for property business generally aim to clarify what will constitute an excluded cyber attack or incident as well as stating that data is not (re)insured under the contract. This means that losses resulting from a lack of availability of data or system malfunctions are also not covered, e.g., where data needed for an operating system to function has been corrupted or deleted. There will usually be detailed definitions for computer systems, data, and cyber attacks/incidents.

Being prepared does not mean the exposure does not exist, and the mitigation process continues even if a wording has exclusions. This necessarily requires having a claims team prepared to handle possible incidents quickly and assertively, ideally with a good understanding of the cover and issues at hand to avoid establishing undesirable precedents.

Conclusion

As the digital landscape evolves, silent cyber threats continue to pose challenges to the insurance industry. The potential for silent cyber threats is not well enough understood and not yet well monitored by industry players. Providing coverage for cyber threats may not have been an intended coverage during the underwriting process, yet it can create a very complex and expensive exposure. Real examples need to be highlighted for discussion and need a proactive and collaborative approach to address the risks effectively. A cross collaboration between underwriting and claims departments can assure more targeted and assertive exclusions are included or clearly intended and defined cover is provided. A collaborative approach can help ensure that the risk of unintended gaps or coverage is not underestimated.