In general, boards of directors and management now include cyber perils and solutions in corporate governance discussions as they learn more regarding the potential financial statement impact of cyber incidents. Yet, many organisations still only insure a small portion of their intangible assets compared to insurance coverage for their physical assets.
To truly protect their business, organisations must identify cyber perils and model potential cyber-related losses based upon their unique set of business operations. They must navigate their way through the grey areas of insurance coverage, such as aggregated, “clash” and “silent cyber” exposures. Innovative approaches to help address insurers’ concerns about these issues are starting to emerge.
“Silent cyber” refers to the cyber exposure lying in policies which do not specify whether losses arising from a cyber attack are affirmatively covered. Absent specific cyber coverage grants or exclusions, insurers either (a) intentionally provide non-affirmative cyber coverage; or (b) unintentionally provide non-affirmative coverage due to the lack of specific exclusions. In other words, silent cyber strikes when a court’s findings are in favour of a policyholder because the policy does not clearly grant or exclude cyber coverage.
“When considering insurance protection for cyber risks, organisations should make an informed decision as to how much and what type of insurance to purchase, and how that insurance mitigates larger cyber risks.”
Alignment with best-practice standards will help organisations withstand cyber attacks and can also result in more favourable insurance terms and conditions, because insurers view proactive cybersecurity and risk management favourably when underwriting cyber risks.
Silent Cyber: Managing a Silent Threat
When considering insurance protection for cyber risks, you should look to address the following:
- Ensure your organisation’s leadership has an appropriate governance structure, particularly regarding reporting protocols for insurable and non-insurable cyber risk.
- Position cyber insurance treatment solutions as a subset of enterprise risk management system capabilities for the organisation to enable a firm-wide cyber risk management culture.
- Understand specific cyber vulnerabilities associated with operations, including the legal liabilities and financial exposure from IT systems and related customer and vendor contracts.
- Determine cyber coverage protection and gaps within your current insurance policies.
- Analyse various scenarios in connection with potential coverage and gaps under all existing insurance policies, comparing first- and third-party coverages from potential insurers based on your firm’s defined needs.
- Consider alternative risk transfer strategies, including use of a captive, which could facilitate enhanced customisation and potentially increased limits capacity via access to reinsurance markets.
- Satisfy minimum loss mitigation governance standards.
- Articulate the scope of responsibilities for individuals engaged in any cyber response plan.
- Prepare the mechanisms for filing a cyber claim well in advance of any such event.
- Stay informed of insurance market trends to address cyber perils, particularly for coverage capacity, policy wording customisation and regulatory constraints. Cyber exposures and solutions are dynamic and fluid.
Download Aon’s Cyber Perils in a Growing Market report below to learn more.