Property insurers have for several years had to contend with the risk of "silent cyber" exposure creeping onto their books, but now cyber insurers are having to contend with a similar problem, albeit in reverse.
Silent cyber refers to the risk of claims arising from a hack or other cyber breach on a policy that neither specifically includes nor excludes cyber cover, for example damage to physical infrastructure caused by malware. But policies written specifically to cover hacks are increasingly placing insurers and brokers on the hook for their clients' dependent enterprises, insurance professionals said at a May 16 conference.
Portfolio managers are realizing that parts of the U.S. domestic supply chain or energy grid are on their books, for example, said Meghan Hannes, head of cyber for Hiscox Ltd. in the U.S.
"It's there because of IT dependencies," Hannes said during a panel discussion at the Cyber Risk Insights Conference in Chicago. Her company's cyber underwriting language now specifies coverage for things like utility infrastructure and financial markets, entities that the insurance industry is not able to cover, Hannes said.
Sublimits that cap payouts for specific expenses or losses within a policy are no protection if such uncertainties are littered throughout a portfolio, she added.
Aggregation risk for an insurer can expand to power, telecommunications and Internet service providers, said Brian Robb, cyber underwriting director for CNA Financial Corp. Client links to dependent vendors have resulted in cyber insurers writing checks to companies they did not cover and covering expenses underwriters did not envision, Robb said.
During the underwriting process, insurers cannot always account for third-party contractors that might suffer losses due to downtime from a breach, and the business with the cyber insurance usually has no control over the claims as they wait, Robb said.
"Basically at that point, we're just reimbursing invoices for somebody we have no relationship with," Robb said. As third-party liability goes, cyber insurers sometimes have no idea who they are covering, he said.
Wade Chmielinski, a cyber consultant with FM Global, observed that over the past decade, a wave of upgrades has connected manufacturers' central IT to industrial control systems.
"All the risks that were in that traditional cyber realm are now coming into that operational technology realm," Chmielinski said. One industrial client had its engineering workstation hit with malware that could have permanently disabled an industrial control, he added.
Without the history of loss data that defines coverage and premium pricing for traditional insurance lines, cyber writers could find themselves liable for losses they did not mean to underwrite, said Matthew Danielak, a cyber insurance broker for Willis Towers Watson PLC.
"We're kind of forced into, or we as brokers might try to push you into, covering things a policy originally wasn't intended to cover," Danielak said.