Q3 Cyber Threat Report: The Ransomware Ecosystem is Increasingly Distributed
Ransomware attacks remained high in Q3 2024 thanks to the RansomHub, PLAY, and LockBit 3.0 ransomware gangs. Check out the full cyber report for more info.
By now, you’ve likely heard about “silent cyber” -- after all, it’s been the most talked-about term in global commercial insurance for the past year or so. It seems like every major reinsurer, broker, and insurance publication has commented on the topic and explained the risks it poses.
What you may not have heard yet are suggestions for how insurers can take action to avoid those risks. It’s a difficult problem for insurers to solve, for a number of reasons -- but there are ways to start mitigating the risk through the use of technology. We cover these challenges, and suggestions for overcoming them, in our new whitepaper: Silent Cyber: Threat or Opportunity? If you want to read more in-depth on the issue, head over to check out the full whitepaper now.
If you’re just getting started, read on as we discuss the basics of the issue of silent cyber: what it is, and how we got here as an industry.
Silent cyber risk is a term describing the possibility that an insurer of a non-cyber insurance policy (e.g., Property, Business Interruption, General Liability) could assume risk triggered by a cyber peril such as a ransomware attack, social engineering attack, business email compromise (BEC) attack, denial-of-service attack, or data breach. Importantly, the policy in question must be “silent” about cyber: neither mentioning cyber risk as part of the coverage nor excluding it. By covering things like damage to property or business interruption that are potentially impacted by a cyberattack, but not defining how that situation will be handled, you have the conditions for silent cyber risk.
There are a few different ways silent cyber risk can manifest. Sometimes the insured business does not have any sort of standalone cyber insurance policy at all -- only non-cyber policies that are silent on cyber. In others, a business may have a dedicated cyber insurance policy, but also have cyber-silent policies covering property or general liability. Those non-cyber policies may still be impacted by certain perils that are beyond the scope of the standalone cyber policy. Lastly, there may be cyber-specific language ("affirmative cyber") included in some non-cyber policies, but not others.
Needless to say, things can get complicated with ambiguity at various levels. Each situation is unique to the business and its coverage.
The first cyber insurance policies, issued in the 1990s, were limited in scope. Over time, as new risks emerged and demand for insurance grew, insurers offered increasingly complex insurance policies. That expansion of coverage allowed insurers of other traditional commercial Property & Casualty (P&C) insurance policies to remain silent, hoping that cyber policies would come to the rescue if there were claims.
The mode of complacency was shaken in 2017 when a series of attacks on major global businesses rocked the insurance industry. The NotPetya and WannaCry ransomware viruses affected large, global businesses like FedEx, Merck, Mondelez, WPP, and Maersk, among others. In each case costs ran to the tens or hundreds of millions of dollars. At the high end, total losses for some companies were reported to have exceeded $1 billion.
Costs were driven not only by direct damage, such as infected computer hardware but also business interruption losses. Property/Business Interruption insurers covering the affected companies likely did not underwrite cyber risk under their policies, nor did they charge an explicit premium for the risk. Alarm bells began sounding in insurer board rooms across the world.
The attacks had the effect of magnifying the silent cyber issue. In several cases, insurers paid out millions in affirmative cyber coverage, but those claims represented a small fraction of overall losses for businesses. The rest of the losses, due to business interruption, for instance, remained ambiguous due to cyber silence and left insurers open to the risk of disputes if insured companies were to seek redress. With hundreds of millions in losses uncovered, the stakes are high for all involved.
If you’re interested in learning about why silent cyber risk persists, and what can be done about it, we invite you to check out our free whitepaper: Silent Cyber: Threat or Opportunity.
While you’re at it, follow us on Twitter for more content and commentary on cyber insurance and the intersection of insurance, data, and technology: @CorvusInsurance