Silent Cyber
Unintended cyber exposure embedded in traditional property and liability policies that neither explicitly cover nor exclude cyber losses.
What It Is
Silent cyber, also called non-affirmative cyber, refers to potential cyber-related losses that could be covered under traditional property, liability, or other non-cyber insurance policies that were not specifically designed to address cyber risks. These policies neither explicitly include nor exclude cyber losses, creating ambiguity about whether a cyber event would trigger coverage.
For example, a commercial property policy may cover business interruption from any cause of loss not specifically excluded. If a cyberattack causes the insured's systems to fail and operations to cease, the property policy might arguably respond because cyber is not excluded. Similarly, a general liability policy's personal and advertising injury coverage might respond to a data breach claim alleging invasion of privacy.
Regulators, particularly Lloyd's of London, have mandated that carriers address silent cyber by either affirmatively including or explicitly excluding cyber coverage in traditional lines. Lloyd's required all syndicates to implement clear cyber exclusions or affirmative cyber language in all policies by 2023. The US market has followed with many carriers adding cyber-specific exclusions to property and GL forms, though the transition is not yet universal.
Why It Matters for Brokers
Silent cyber creates uncertainty for both carriers and insureds. Brokers must understand where silent cyber exposure exists in a client's program, because ambiguous coverage in traditional policies cannot be relied on and is likely to result in litigation at claim time. The proper approach is to place affirmative cyber coverage through a standalone policy and ensure traditional policies have clear cyber exclusions to avoid coverage disputes.
Real-World Example
A manufacturing plant's industrial control systems are compromised by malware, causing physical damage to equipment worth $3.2M and a 30-day production shutdown. The property policy has no cyber exclusion. The insured argues the property policy covers the physical damage and resulting BI. The carrier argues the proximate cause was a cyber event, not a covered peril. Litigation takes 22 months to resolve, during which the insured receives no payment. A standalone cyber policy with $5M in limits would have responded within 30 days.
Common Mistakes
- Allowing clients to rely on potential silent cyber coverage in property or GL policies instead of placing dedicated cyber coverage.
- Not reviewing traditional policies for newly added cyber exclusions that may have been inserted at renewal, creating gaps if standalone cyber was not placed simultaneously.
How brokerageaudit.com Handles This
brokerageaudit.com's Policy Checker scans all uploaded policies across an account's program for cyber exclusion language and flags any traditional policy that lacks a clear cyber exclusion, identifying potential silent cyber exposure. The system cross-references these findings with the client's standalone cyber policy to ensure there are no unintended gaps.