The Non-Affirmative Cyber panel, hosted on June 30, 2020 at NetDiligence’s Virtual Cyber Summit, had one clear message: non-affirmative is on its way out, and insurers need to respond with solutions that clearly and explicitly cover cyber risk in ways that insureds can understand and depend on.
Moderator Robert Parisi (Marsh) began with an outline of silent cyber and the problems associated with it. Primarily, if cyber risk is covered (or assumed to be covered) under property or casualty lines, it may be limited by ambiguous language or implicit exclusions. Specific cyber lines can step into the breach, but the resultant patchwork of coverage can cause confusion, delay, and even litigation.
Recent developments – most specifically the publication of the “Lloyd’s Mandate” – have accelerated the need for change. This mandate requires that all policies be clear on coverage for losses caused by a cyber event – either providing affirmative coverage or excluding coverage. With such a clear directive from this industry leader, the question now is how to comply. Where should coverage for various cyber risks lie?
According to Michael Hauner (MunichRe), the answer is clear: cyber risks belong in cyber lines. Specialists in cyber are uniquely suited to assess these risks. The systemic nature of cyber events makes the high limits associated with property lines inappropriate to cyber concerns. And, in the case of technology, losses due to bricking – while they involve physical objects – do not take the form of physical damage. However, Hauner acknowledges that the actual incidents can be messy, with cyber representing only one element in a chain of causation. Careful reading of any policy, and continual reassessment and reanalysis of the threat landscape, are required.
For Max Perkins (AXIS), a focus on clear communication supersedes rigid recommendations. Clients wish to transfer risk, and it is up to underwriters to understand what exposures are specific to each client/industry and determine whether to take on the risk. Though cyber is most often best suited to the clients’ needs, the more important feature is that policies are explicit and clear.
Scott Godes (Barnes Thornburg) provided an even more client-based perspective. Despite cyber policy writers’ insistence that they provide the most appropriate coverage, he has seen instances where clients who have potential coverage on multiple lines are frustrated to find that they face multiple denials, with each insurer asking that a different line provide the first dollar of coverage. This could be alleviated by clearer language or even a separate clause, but ultimately, it may fall on the insured to drill down at the time of purchase.
Client expectations also loomed large in the panel’s discussion of Lloyd’s language around malfeasance vs. misfeasance. Despite a longstanding attempt to distinguish system failure from security failure, the industry must acknowledge that insureds are likely to see the results as being the same – affecting the same systems and causing the same disruptions. Furthermore, Hauner pointed out, it is impracticable in many cases to trace the origin of systemic failure without adding significant costs related to forensics. Generally, the panel agreed that the distinction is real, but not useful in the long run.
The industry has responded in a number of ways, using subrogation or reinsurance as a way to mitigate its own risk. But the panelists agreed that a better way forward – one that is transparent, sustainable, and fully capitalized – should be the ultimate goal.