By now all insurers should be familiar with the concept of non-affirmative or “silent” cyber. Silent cyber is the idea that although traditional insurance policies (such as standard commercial property or errors & omissions policies) do not expressly refer to cyber-related risks, the policies nevertheless could be found to “silently” afford coverage for cyber losses under certain circumstances.
FisherBroyles counsels insurers to be mindful that this silence could create ambiguity in the interpretation of policy language (ambiguity that would then be construed against the insurer). Worse, the silence could result in unaccounted-for liability exposure for the insurer.
Recently, the US District Court for Maryland held that a commercial property insurance policy issued to an embroidery company afforded coverage for the full replacement of the company’s computer system following a 2016 ransomware attack.
In National Ink and Stitch v. State Auto Insurance Companies 1:18-cv-02138, the policyholder sought coverage under a commercial property insurance policy for the replacement of its computer server, workstations and other IT items with new equipment.
The policy – like most commercial property policies – afforded coverage for “direct physical loss.” As such, the insurer argued that there was no coverage because the ransomware attack merely made the policyholder’s data unavailable (due to being encrypted) and the inability to access intangible electronic data was not “direct physical loss”.
The policy at issue was silent as to the cyber risk – in this case, risks associated with ransomware and digital extortion.
The federal court sided with the policyholder, which argued that the loss of reliability and the impaired functionality of its computer system demonstrated sufficient harm to satisfy the “physical loss or damage to” policy definition.
As a result, the commercial property insurer now must cover a risk that it likely never intended to or anticipated covering. As a property insurer, risks relating to ransomware likely were never subject to underwriting and worse, there was likely no premium collected corresponding with that risk.
The larger lesson for insurers to take from the National Ink case is how they should address non-affirmative cyber at the macro level. It is highly advisable for insurance leadership to address non-affirmative cyber across the enterprise and to document such efforts.
If an insurer does business in the London market, regulations require insurers to be able to “identify, quantify and manage cyber insurance underwriting risk” relating to silent cyber. The UK’s Prudential Regulation Authority (“PRA”) expects insurers to assess their insurance products with specific consideration to non-affirmative cyber risk, including property and casualty policies that might respond to cyber risk exposure from physical and non-physical damage (exactly what occurred in National Ink).
FisherBroyles strongly counsels its insurer clients to assess their internal silent cyber risk by assessing whether a policy potentially responds to any of the risks found in traditional stand-alone cyber policies and carefully managing the companies’ use of exclusions relating to same. Insurers should aim for uniformity in the use of cyber exclusions. Insurers should of course also constantly analyze the potential losses relating to non-affirmative cyber risk.
Additional silent cyber strategies available to insurers include:
- Expressly exclude cyber from traditional policies;
- Where cyber has been excluded, offer a buy-back option;
- Sublimit cyber coverages;
- Institute a uniform claim-handling strategy for all claims arising out of cyber occurrences;
- Create a company-wide cyber task force to holistically address non-affirmative cyber issues; and
- Transfer non-affirmative cyber risk through reinsurance.
The FisherBroyles Cyber-Risk, Privacy & Data Security practice group is pleased to assist insurers with these issues. For any questions about corporate privacy, cyber liability, or other legal issues, please contact our team.
Stuart A. Panensky (609) 454 6957 firstname.lastname@example.org
Tony Onorato (202) 459 3599 email@example.com
Donia Sawwan (212) 956 0586 firstname.lastname@example.org
Landon Speights (832) 915 2300 email@example.com
Michael Khoury (248) 590 2910 firstname.lastname@example.org