Be wary of assumptions and check wordings
Silent cyber, according to Ryan van de Coolwijk, Product Head of Cyber at ITOO Special Risks, is the term that has been coined or adopted for instances where non-cyber-specific insurance policies could inadvertently be triggered by, and cover, cyber-related perils.
Impact on the industry
“As systems and data have become more pervasive within a company’s operations, the potential for a cyber-related event to trigger these non-cyber specific policies has increased, and coupled with the sharp rise in cybercrime, this has become a growing concern that has not been priced into non-cyber specific insurance policies. In addition to pricing, the underwriting for these non-cyber policies tends to not adequately cover the cyber-related controls to align the exposure with the risk appetite of the insurer,” he said.
“It has generally become accepted that cyber-related risks should be placed within cyber-specific policies, which provide better-tailored cover to deal with the response to a cyber incident and better consider the risk and exposure via specific underwriting,” he added.
The impact on the insurance industry, according to van de Coolwijk, is that non-cyber-specific insurance policies were starting to inadvertently pick up unforeseen claim events that had not been sufficiently catered for from a pricing, reserving and underwriting perspective.
“Also, these incidents were not necessarily as effectively handled due to the policies not incorporating the tailored cyber cover elements. This resulted in adverse losses on these lines of business,” he stated.
“The response has been for the non-cyber policies to specifically include or exclude cyber exposures, with the general trend being to exclude and rather look at specific cyber insurance policies to manage the exposure,” added van de Coolwijk.
When it comes to the trends, predictions, changes, and exclusions to silent cyber, van de Coolwijk said that we will continue to see non-cyber insurance policies specifically excluding cyber exposure and further movement towards specific cyber policies to manage this exposure.
What you need to know
According to van de Coolwijk, cyber insurance policies include tailored cover elements such as incident response services that comprise IT, legal and public relations experts to respond to the incident, ultimately looking to limit the impact to the insured and affected parties. “These are specialist skills which, as ITOO has seen on many occasions, have a major impact on reducing the ultimate damages suffered, when compared to the use of non-expert response providers.”
“Be wary of assumptions and check wordings and covers to ensure that cyber perils are covered if these are an area of concern. Working closely with brokers, we have noted many instances where insureds were under the impression that their business interruption cover under non-cyber policies would cover cyber incidents such as ransomware incidents, denial of service attacks and even rogue employees,” he cautioned.
Cyber insurance policies, he said, are wider than the name would imply. “While covering perils such as hacking and malware in all their forms and guises, including ransomware, they also cover things like rogue employees and service providers who use their authorised access in an unauthorised manner and breach of privacy of information via accidental disclosure, including things like lost or stolen devices and paper-based records.”
A final word
Cybercrime, according to van de Coolwijk, is on the rise and South Africa is not immune to it. “Due to being part of the globally connected internet, companies of all shapes and sizes are exposed to global cyber perils like ransomware, business email compromises (BEC), etc. Insureds are dependent on their brokers to advise them of the potential gaps in their existing coverages. With many companies having cyber-related risks as one of the top three risks on their risk register, it places brokers in a precarious position should they not advise their client accordingly and they subsequently become the victim of a cyber incident.”
“Cyber insurance policies provide a broad range of coverages, spanning both first- and third-party coverages to ensure that businesses are able to respond and recover as effectively as possible, following an incident. With the average cyber claim’s costs running into the millions, many clients – given the tough economic climate – cannot afford to take these losses to their bottom line,” he concluded.
Writer’s thoughts
Cybercrime is one of the most potentially fatal risks South African businesses face today and demand for cyber insurance continues to grow, reflecting increased awareness of exposures associated with digitalisation and remote working. However, with many companies having cyber-related risks as one of the top three risks on their risk register, do you believe this places brokers in a precarious position should they not advise their client accordingly and they subsequently become the victim of a cyber incident?