How Canadian insurers should price for their ‘silent cyber’ exposures

By David Gambrill | November 8, 2018 | Last updated on October 30, 2024
2 min read

The possibility exists of a global, widescale, multi-country cyber security breach. To get a true sense of their overall exposure, Canadian property and casualty insurers should be reviewing all of the policies they sell – not just dedicated cyber policies, but also the property and liability contracts that do not explicitly exclude cyber coverage.

“That’s because silence on cyber is going to be an interesting defence,” Lynn Oldfield, CEO of AIG Insurance Company of Canada, told an audience attending the Insurance Institute of Canada’s ‘At the Forefront’ event in Toronto Oct. 29. “It’s going to be tied up in the courts for many, many years.” Oldfield was speaking about her personal opinions at the event and not as a representative of AIG.

What is “cyber silence”?

The issue is whether the courts could read cyber coverage into policies in which cyber is not explicitly excluded. And if they do, have insurance companies priced for the cyber exposure on these policies?

This came up in a supervisory statement issued last July by the Prudential Regulation Authority (PRA), the United Kingdom’s financial services regulatory body. Specifically, the PRA made three recommendations to European P&C insurers to properly calculate the amount of capital required to cover their cyber exposures.

The PRA’s Bulletin SS4/17 states: “Firms are expected to introduce measures that reduce the unintended exposure to (silent cyber) risk with a view to aligning the residual risk with the risk appetite and strategy that has been agreed by the board.”

To achieve this, the bulletin continues, firms might consider any of the following:

  • adjusting the premium to reflect the additional risk and offer explicit cover;
  • introducing robust wording exclusions; and/or
  • attaching specific limits of cover.

The issue of silent cyber coverage is coming up in litigation around directors’ and officers’ liability policies, as noted in Chubb’s 2018 Q3 results call on October 24.

“A driver that we’re observing, I’ll call event-driven litigation against boards,” John W. Keogh, executive vice chairman and chief operating officer of Chubb Limited, reported during the call. “So, imagine the traditional general liability and property claims. Think of mass tort, a dam bursting and people being hurt, a cyber breach where you get property claims, you get liability claims. Well, guess what? More often than not today, you also get allegations and claims being brought against management and boards of directors. So, there’s the loss cost trends that we observe.”

A recent report by PwC estimated that the global cyber market would double to $5 billion in annual premiums by 2018 and treble to at least $7.5 billion by 2020. In Canada, statistics reported by the country’s solvency regulator show that federally regulated insurers in Canada wrote about $58 million in cyber liability coverage last year.

David Gambrill

David Gambrill