Affirmative versus Silent Cyber: An Overview

While the current debate over “affirmative” versus “non-affirmative” coverage has been ongoing for a few years, WannaCry and Petya/NotPetya cyberattacks helped make the issue of ”silent cyber” more critical. These two 2017 cyberattacks effectively shifted the conversation from data breach, notification costs and third-party liability to first-party liability insuring agreements due to the extent and expanse of the systematic, large-scale damages they triggered. Insured losses from WannaCry and Petya/NotPetya attacks were extensive in part because of the broad nature of the original security and privacy insurance policy language for first-party coverages, such as including system failure and business interruption. The widespread damage that the attacks caused underlined how extensive first-party coverage components can be. The global magnitude of the damage from WannaCry and Petya/NotPetya also demonstrated the speed at which cyberattacks spread and the risk of proliferation and accumulation. As a peril, cyber risk can be defined as any risk emerging from the use of information and communication technology that compromises the confidentiality, integrity or availability of data, systems or services. In affirmative cyber, coverages for cyber perils are contained within either stand-alone network security and privacy policies or the endorsements that are added on to property and casualty policies covering the costs that arise from the impact of a data breach, network attack or failure covering first-party and third-party liability. Affirmative provides coverage for such first-party components as:

• Forensics, public relations and credit monitoring costs associated with a breach
• Losses from business interruption
• Cyber extortion and ransomware
• Costs of replacing, restoring and recreating damaged or lost data;

And also for third-party liabilities:

• Privacy liabilities, such as liabilities and defense costs, fines and penalties
• Network security liabilities
• Privacy regulatory defense costs.

Non-affirmative/silent/unintended cyber refers to the unknown or unquantified exposures originating from cyber perils that may trigger traditional property and liability insurance policies. The systemic nature of cyber risk means silent cyber is becoming endemic in virtually every type of insurance policy. While initiatives have emerged across the industry to address non-affirmative cyber coverage, there is still a great degree of uncertainty as to the extent to which this type of coverage is unintentionally being written. Although insurers are beginning to actively address this challenging issue, this area of unknown leaves the (re)insurance industry vulnerable to a major accumulation of losses, which will only grow in today’s market conditions. Guy Carpenter developed the first dedicated cyber specialty reinsurance brokering practice in the industry nearly 20 years ago. It was the first reinsurance broker to structure a stand-alone cyber reinsurance product and the first to place a cyber aggregate excess of loss treaty. It has placed over 30 stand-alone and blended cyber programs globally that protect against affirmative and non-affirmative/ silent cyber.