Confusion around cyber exclusions may have stemmed from Lloyd’s clampdown on clearly defining physical and intangible risks

The “relationship between the property and cyber [insurance markets] needs to become better”, especially as a 2019 mandate from Lloyd’s may have contributed to a “gap in the market” around covering physical losses that result from a cyber attack, according to senior cyber insurance experts.

Speaking at an exclusive Insurance Times roundtable in association with professional services firm RSM - entitled Cyber risk: What is it and what does it mean for the sector? - on 26 January 2023, insurance consultant Richard Hodson explained: “The relationship between the property market and cyber market is one which needs to become better.

“Now we are seeing physical losses from cyber incursions and that’s an area we need to really look for nowadays with increasing Internet of Things [technology] and areas where the property market needs to step up to the plate a bit more as well.”

Partners& cyber director Matthew Clark agreed that there is currently ”a gap in the market” as to whether physical losses arising from a cyber event are covered by property policies or cyber specific wordings. ”The property underwriter is not going to want to write that currently,” he added.

In or out?

For Simon Meech, cyber practice leader at BMS Group, Lloyd’s of London may have ”created the problem” around this coverage grey area.

In July 2019, Lloyd’s issued Bulletin Y5258 to mandate that all insurance policies must be explicit on whether coverage is provided for physical losses caused by a cyber event. This aimed to eliminate silent cyber cover, which refers to cyber losses unintentionally being covered under non-cyber specific policies.

At this point, Meech said the property market determined that this particular risk was definitely “out” of its policies’ scope. Meanwhile, cyber insurers “didn’t believe” they should pick up the tab for physical risks linked to cyber events because they were not charging the premiums for them, added Hodson.

Meech believes the property market could easily have underwritten this risk if it had been explained more clearly.

He said: ”The conversation should have been to the property market [that] this [risk] is very, very rare. They could underwrite it. It’s just another risk that was on that portfolio for decades and then it changed overnight.  

”The cyber market may understand [these losses] a bit more, but if you’ve got a cyber and property team, maybe they should be talking internally. It’s not for the end insurer to just sit there with massive gaps in their policy left by a mandate from Lloyd’s that [has] come in and forced that.”

Meech further explained that big businesses may face financial barriers, therefore, when looking to get adequate property and cyber covers because they ”need to buy hundreds of millions of property policy and then come to the cyber market and pay a lot for a cyber property damage policy - they can get maybe £50m of limits at a very expensive rate”.

He added: ”It’s very difficult to explain that other than inefficiencies [in] the way the insurance market operates. And that’s the best excuse.”

Lindsey Nelson, cyber development leader at CFC Underwriting, agreed with Meech: ”We can’t send a team of security experts who sit behind computers negotiating ransomware attacks to go [and] put out a fire.”

One example of a cyber attack that caused physical losses was in July 2022. A hacking group called Predatory Sparrow conducted three cyber attacks against Iranian steelmakers. This led to molten metal spraying across a steel factory floor, creating a fire and significant damage to the factory’s industrial equipment.

Different hackers were also responsible for the malware programme Triton, which was used to attack a petrochemical plant in Saudi Arabia in 2017. The hackers’ intention was to cause an explosion.

Legal clarification

Although Meech thinks that, following the Lloyd’s mandate, property underwriters had the opportunity to charge more for their policies to turn silent cyber cover into explicit cyber wordings, Nelson feels ”strongly” about ”physical property damage and cyber being completely separate”. This is because of the ”ability of the cyber market globally to actually absorb any property loss” based on the premiums it collects.

”It’s keeping the tangible and intangible separate – everybody needs to work together, yes, but the coverage should very clearly be delineated between physical here and intangible here,” she said.

Hodson, meanwhile, predicted there will be “a few court cases over what will be deemed as the proximate cause of a loss” before clarity is truly achieved for this risk.

In November 2022, for example, food and drink giant Mondelez International and insurer Zurich settled a multiyear legal battle over a NotPetya cyber claim worth $100m (£87m) – the dispute was because Mondelez’s claim had been made via a property policy, rather than a cyber policy.

Broker advice

With physical losses arising from cyber events seemingly being shirked as a risk by some underwriters - although not all - this can make broker conversations with end clients difficult.

Hodson advised: “Brokers need to make sure when they’re placing [cover for] physical losses, they’re looking at the exclusions under the wording - especially for manufacturing loss risks - [that] there’s no cyber exclusion there which is going to say ‘ok, proximate cause was a cyber attack, but actually the loss was caused by a fire’.”

He pointed to Covéa Insurance as a “good example” of a providing a clear offering in this area and added that large composite insurers like Aviva and RSA can help too by providing packages for manufacturing SMEs - although these products would not then be suitable for heavy manufacturing industries.