Zurich and AIG on track to remove silent cyber in 2020
Some of the largest corporate insurers are on track to remove silent cyber from the majority of property and casualty policies by the end of 2020.
In September, AIG said it was finalising its transition to affirmative cyber by 2020, while Allianz Global Corporate and Specialty (AGCS) has implemented its silent cyber strategy for new and renewal business in 2019. Zurich Insurance has now revealed that it too aims to remove silent cyber from commercial and specialty insurance policies by the end of next year.
“We have largely completed an assessment of each of our commercial insurance products, with a view on the current state and intended future state of each product line with respect to cyber exposures,” Sierra Signorelli, chief underwriting officer for commercial insurance at Zurich Insurance, told CRE. “As a result, silent cyber cover will generally be eliminated by year-end 2020, except where such an approach is prohibited by statute, or where a specific reference to cyber would be inappropriate due to the nature of the product,” she added.
Broadly speaking, Zurich aims to provide affirmative cyber cover for third-party property damage and bodily injury in its liability products, while sub-limiting or excluding cyber cover inproperty. However, in many cases, such as resulting damage from fire and explosion, a cyber event will continue to be part of property cover.
“For non-cyber products in general, our plans are to exclude cyber liability and financial losses related to cyber, such as non-damage business interruption,” explained Ms Signorelli. “Cover for cyber liability and financial loss is available through various cyber insurances and potentially carve-backs in property and casualty policies,” she said.
Zurich began addressing silent cyber in 2016 and in recent years has updated its standalone cyber cover, including its wordings, risk advisory and breach response services. Earlier this year, the insurer decided to remove silent cyber from the remaining P&C products, and is now “well on its way” to meeting its own 2020 target, said Ms Signorelli.
Zurich is now addressing silent cyber in its liability policies where needed. To this end, the insurer is applying cyber exclusions or sub-limits. Where it is unable to exclude cyber – such as in certain liability policies with statutory minimum terms and conditions – it will address silent cyber through its risk appetite, Ms Signorelli explained.
“Many property and casualty policies were written at a time when cyber was not contemplated, so they need cyber cover to be clarified. This may mean an exclusion, sub-limit or specific provision where we are comfortable doing so. We are discussing with customers where cyber is best placed – either through cyber insurance or through the clear intent of the underwriter,” said Ms Signorelli.
Zurich has been giving customers plenty of notice about changes ahead of renewals and discussing options to address cyber risk, according to Ms Signorelli. “We are not looking to shock the industry. We want a conversation with clients in adequate time,” she said.
AIG is also well on its way to removing silent cyber. As of January 2020, the majority of its commercial P&C insurance policies will exclude silent cyber cover and begin affirmatively covering physical and non-physical cyber exposures. Generally, the insurer is looking to exclude silent cyber from property and liability policies, although affirmative cover will be available in the form of carve-backs and/or standalone cyber insurance for most lines.
“We want to clarify cyber cover in commercial insurance policies, including large corporate and specialty lines, and give customers more choice and options for affirmative cover for both physical and non-physical cyber exposures,” said Mark Camillo, head of cyber for the EMEA region at AIG. “This has meant defining physical versus non-physical across product lines and giving underwriters tools to underwrite, charge and code cyber risk,” he told Commercial Risk Europe.
Exclusions and write-backs will be in place for most property and casualty lines from January 2020, although more complex casualty and financial lines may take longer, according to Mr Camillo. “While exclusions are already common in some lines, like energy and marine, in other lines we have had to create exclusions and write-backs,” he said.
AIG has engaged with key clients and brokers, and been very public with its approach, according to Mr Camillo. “The response of brokers and customers has been generally positive. They are looking for contract certainty and do not want to be in a situation in a cyber event where they not know how their cover will respond,” he said.
“At renewal, customers need to look at cyber as a peril and consider what a loss would look like for their business, and how it would be covered. If there is a cyber exclusion, customers will need to consider how they can get that cover back through a write-back, or purchase it in separate cover for physical and non-physical cyber,” said Mr Camillo.
By addressing silent cyber, insurers will be able to track their cyber exposures in property and casualty policies, and charge additional premium if losses materialise, explained Mr Camillo. Because physical damage as a consequence of a cyber event is typically covered under a property policy, the move to silent cyber should not result in changes to premium for most customers on the property damage side, he explained.
However, appetite for cyber risk is likely to vary between lines of business, and some exposures will be moved out or sub-limited, according to Mr Camillo. For example, some GDPR cover can be found today under general liability insurance in the UK and the general trend is to remove or sub-limit this exposure, with options for more robust cover and higher limits available under standalone cyber insurance, he said.
“Some may feel that in removing silent cyber, cover is curtailed or premium added. But clarity is appreciated and there is a recognition that this is needed as cyber exposure increases, and to avoid coverage disputes and litigation on cyber,” added Mr Camillo.
AGCS, one of the first international insurers to go public with its commitment to address silent cyber, is also working to make cyber liability cover affirmative. “When AGCS started its silent cyber project, it decided to put all corporate policies in scope, including liability, and progress them all the same,” said Marek Stanislawski, deputy global head of cyber and tech PI at AGCS in Stockholm.
For most customers, the changes have not resulted in premium increases or a reduction in cover, argued Mr Stanislawski.
“I would not stress this as purely an exclusion. It is a clause designed to achieve our goal – to make silent cyber affirmative. We do not try to exclude cyber but make the underwriting intention explicit… The premium impact of transitioning the policy from silent to affirmative cyber is zero as we only make the original intention explicit. If a client or broker realises they have a gap and want to address it, they can add cover and pay a premium,” he said.