A Semantic Framework for Analyzing “Silent Cyber”

Kelly B. Castriotta

Volume 27, Issue 2

Published: Spring 2021

Abstract

Insurers first developed property and casualty insurance policies prior to the internet, widespread computerization, the digital interconnectivity of electronic and mechanical devices, and the prolific use and transmission of electronic data. Many such insurance contracts did not expressly address cyber exposures at the time of their creation, leaving insurers and their customers to battle over contract interpretations for attritional cyber losses. In 2015, the Prudential Regulatory Authority (PRA) formally introduced the theoretical problem of “silent cyber” to the insurance industry, contemplating catastrophic cyber scenarios with a potentially powerful impact not only upon dedicated cyber insurance portfolios, but also upon traditional insurance portfolios. The issue soon became a reality in the wake of the expansive insurance losses associated with the NotPetya attacks of 2017, as most insurable losses stemming from those attacks were ultimately recoverable under traditional insurance policies, as opposed to dedicated cyber insurance policies. In response to the PRA’s requests that insurers put into action a plan to manage silent cyber, Lloyd’s of London introduced a mandate to eliminate “silent cyber” on all Lloyd’s policies, charting a course for the transformation of insurers’ contractual wording to address cyber risk more appropriately. This article discusses the general concerns around “silent cyber” as presented by the PRA, the challenges of defining cyber risk across the insurance industry, and the steps taken to rectify the silent cyber issue. The article then explores the idea that the silent cyber problem is at its core a semantic one rather than one of risk perception. The article concludes by offering solutions in the form of a semantic framework under which to analyze and address “silent cyber.”