KELLY B. CASTRIOTTA | Global Cyber Underwriting Executive at Markel Corporation
Insurers developed property and casualty insurance policies prior to widespread computerization and the prolific use and transmission of electronic data. Many such insurance contracts did not expressly address cyber exposures at the time of their initial creation. In 2015, the Prudential Regulatory Authority (PRA) formally introduced a theoretical problem of “silent cyber” to the insurance industry, contemplating catastrophic cyber scenarios with not only a potentially powerful impact on dedicated Cyber insurance portfolios, but also on traditional insurance portfolios. The issue soon became a reality in the wake of the expansive losses associated with the NotPetya attacks of 2017.
In response to the requests made by the PRA to insurers to manage “silent cyber”, Lloyd’s of London introduced a mandate to eliminate “silent cyber” on all Lloyd’s policies, first charting a course for the transformation of insurers’ contractual wording to more appropriately address cyber risk. This article discusses the general concerns around “silent cyber” as presented by the PRA, the challenges of defining cyber risk across the insurance industry, and steps taken to rectify the silent cyber issue. The article then explores the idea that the silent cyber problem is at its core a semantic one rather than one of risk perception. The article concludes by offering solutions in the form of a semantic framework under which to analyze and address “silent cyber”.