July 11, 2019

The danger posed by silent cyber is an issue this newsletter has called attention to in the past. We highlighted Willis Towers Watson’s 2018 Silent Cyber Risk Outlook, which showed that concerns about silent cyber, or non-affirmative cyber risk—“potential cyber-related losses due to silent coverage under insurance policies not specifically designed to cover cyber risk”—were industry-wide. Again in November, we featured a Leader’s Edge interview with Prashant Pai, vice president of cyber offerings at Verisk, in which he discussed how Verisk was planning to partner with Capsicum Re in order to better model the unique threat.

Now Lloyd’s of London, the specialist insurance and reinsurance market, is also taking steps to mitigate silent cyber. According to a recent Lloyd’s market bulletin, “Lloyd’s is mandating that all non-affirmative policies provide clarity regarding cyber coverage by either excluding or providing affirmative coverage.” Here, Lloyd’s defines cyber risk as “any risk where the losses are cyber-related, arising from either malicious (e.g., cyberattack, infection of an IT system with malicious code) or non-malicious acts (e.g., loss of data, accidental acts or omissions) involving either tangible or intangible assets.” Non-affirmative policies is defined as policies “where no [cyber] exclusion exists and there is no express grant of cyber coverage.”

This mandate follows guidance from the Prudential Regulation Authority (PRA), the UK’s financial services watchdog. The PRA wrote to insurers in January 2019 regarding the results of their follow-up survey of insurance firms under their purview and industry associations about silent cyber.  Survey results showed there were “areas where firms can do more to ensure the prudent management of cyber risk exposures,” and the PRA made clear that it expected insurers to have action plans targeted at reducing the exposure caused by non-affirmative cyber coverage.

Lloyd’s will require that all first-party property damage policies written on or after January 1, 2020, conform to the new mandate. Additionally, for liability lines and treaty reinsurance, the requirements will come into effect during 2020/2021.