Zurich taking ‘flexible’ approach to cyber but warns about gaps in traditional cover

This article was originally published by Commercial Risk.

Following a number of large cyber-related claims in the property market, and under growing regulatory pressure, insurers have been assessing their cyber exposures under traditional P&C coverages.

For example, FM Global recently issued revised wordings for its property insurance to address silent cyber cover, while the London market has published a broad cyber exclusion for P&C contracts.

Insurers are now rationalising which liabilities should align to which product, and are offering a more comprehensive policy for cyber liabilities, explained Lori Bailey, Zurich’s global head of cyber risk coverage.

As cyber risk has evolved, it has touched on many existing lines of traditional insurance, such as property, crime, kidnap and ransom, and a number of liability lines. However, cyber was not a consideration when such traditional insurance contracts were designed, explained Ms Bailey in a recent interview with CRE.

“The market may have questions on coverage in traditional policies, but policyholders can be more certain about the scope and breadth of coverage they obtain through more comprehensive, dedicated cyber products,” she said.

Zurich’s ongoing review of cyber cover under its P&C contracts has resulted in the insurer aligning some wordings, explained Ms Bailey. But it has also worked on affirmative cover under endorsements and sub-limits, she added.

Ms Bailey said Zurich is taking a “flexible” approach to cyber in its P&C lines.

Some insurers have pursued a strategy of systematically removing silent cyber from their traditional insurance offerings. Allianz Global Corporate and Specialty and AIG, for example, are moving to “affirmative” cover, excluding certain cyber cover for P&C contracts, although they are offering write-backs and industry-based standalone cyber cover.

Last week, Lloyd’s told its syndicates they must tackle silent cyber exposure by clearly stating whether they include or exclude cover in all policies.

Zurich appears to be following a similar strategy, while trying to accommodate buyers’ different needs and preferences. “We want to be flexible but clear on cyber cover. Affirmative cyber cover will vary by line of business, geography and customer size. We are flexible in our approach and in some cases will offer extensions to traditional products,” said Ms Bailey.

For example, Zurich is conscious that some clients will want cyber risk included in traditional coverages under one policy, such as a single business interruption policy. “We have taken steps to develop business interruption endorsements in property. However, these are typically sub-limited and only address the first-party losses that a customer may incur,” she said.

Ms Bailey believes that all clients should at least consider specialist cyber insurance.

“Unlike traditional P&C coverages, a cyber insurance policy is intended to cover many of the types of cyber incidents seen today. If you are a risk manager, you want contract certainty and [to] avoid gaps in coverage. The best approach for customers is a dedicated cyber insurance policy, specifically designed and written for cyber incidents – both on a first- and third-party basis,” she said.

“In our view, every company should look at a [standalone] cyber insurance policy. There may be specific perils that are picked up under traditional coverage but such policies are not dedicated to cyber and certain exposures may not be covered, such as data breach response,” she said.

Cyber risk continues to evolve and expand, according to Ms Bailey. Several years ago, cyber risk was predominantly centred on data breaches, but it has now evolved to include a wide array of threats, including from nation states, human error and technical flaws.

“With the expansion of technology and digital industries, cyber risk is constantly evolving, which makes it a much more challenging and difficult risk to manage,” said Ms Bailey. “Cyberattacks have become more sophisticated and the potential damage is now larger and more widespread. No company is immune,” she said.

In particular, business interruption has emerged as a top concern, according to Ms Bailey. Recent years have seen a number of high-profile ransomware attacks that have stopped companies in their tracks.

“Five years ago it was very much about data breaches, and the procurement of cyber insurance was about security of personal and corporate information. Business interruption has taken over as the biggest concern. You can have the best cybersecurity in the world but customers and suppliers could still be impacted by a cyber incident,” said Ms Bailey.