A Comprehensive Guide to Silent Cyber Wordings


Written by Chris Cheatham, Bryan Wilson 

ACKNOWLEDGMENTS 
The O.G.’s (Original Geniuses): Jake, Anh, Brenan, and Jeremy (I still don’t understand taxonomy 2.0) 

Overview

As new technologies disrupt traditional business models, the insurance industry requires a more effective way to measure, evaluate, and insure new, emergent forms of risk.

But how are insurers supposed to protect against things that do not yet exist?

The answer lies in understanding the past, looking at the present, and adapting.

For insurance, this means analyzing insurance coverage from the past based on today’s understanding of risk. We need to develop strategies to:

  1. Understand new types of emerging risk,
  2. Identify where that emerging risk might fall within the coverage, and
  3. Update language that is obsolete or creates unwanted exposures.

The following guide applies the above framework to one form of emerging risk, cyber liability. Specifically, this framework looks at strength of wordings for cyber language and helps evaluate instances where “silent cyber” clauses may create unwanted exposures. Broadly, silent cyber language includes cyber-related loss covered by insurance policy language that makes no explicit reference to cyber.

I. INTRO TO THE SILENT CYBER STRENGTH OF WORDINGS GUIDE

The graphics below detail our framework for analyzing silent cyber wordings. They visualize the clauses that must be analyzed inside any insurance policy in order to understand whether silent cyber exposure is present.

The purpose of this guide is to create a process to effectively analyze any insurance policy and determine if and where it contains elements pertaining to cyber liability, including silent cyber coverage. Put another way — we have a map that we believe can be helpful to determine if an insurance policy properly excludes or inadvertently includes coverage for a cyber event that causes a loss. 


a. Alpha Check: Does an Absolute Cyber Exclusion Exist?

Alpha Check

b. Beta Check: Do Cyber Coverage or Exclusions Exist?

Beta Check

There are three primary ways cyber coverage can manifest in a policy (Note: there are potentially infinite ways cyber coverage could manifest; we have limited this number to three because this is what we have observed so far). As shown in the graphic, the three primary categories of insurance clauses are: 1) coverages, 2) exclusions, and 3) definitions.

A drafter may have specifically included coverage for a cyber event. We have listed known instances in this playbook. If a drafter of a policy has specifically contemplated cyber events, this information will likely appear through the presence or absence of the term in the exclusions. If the policy does not contain an obvious exclusion, then it is critical to double-check the listed coverages and determine if a cyber event could be construed as covered. Finally, after having gone through each of these instances, it will be important to check whether someone has defined a term in a way that might subject the carrier to exposure.

c. Gamma Check: Does Cyber Coverage Exist in a Given Scenario?

The Gamma Check is an analysis of policy language given a specific scenario. The visualization for Gamma Check includes all clauses that might render Cyber Coverage in any given scenario.

II. ORIGIN STORY  

“Most people overestimate what they can do in one year and underestimate what they can do in ten years.” - Bill Gates

In 2016, RiskGenius was a one-year-old company looking to demonstrate the power of its algorithms. We decided to direct a certain amount of focus on cyber insurance policies, a fairly new product in the marketplace. Industry experts indicated that cyber coverage widely diverged and so we set out to test this theory with our technology. 

The RiskGenius team collected insurance policies from sixty-seven insurance carriers. We broke these policies down into clauses and added common labels depending on the content. We were left with 24,688 clauses, categorized into 109 categories. Then, using a proprietary machine-learning algorithm, we scored similarly-categorized clauses against one another to derive an average similarity score. 

In creating the average similarity score and sifting through this relatively small corpus of documents, we were able to uncover some rudimentary, yet novel, insights about the marketplace for various cyber insurance wordings. And we were able to answer the question, “are cyber insurance clauses across carriers homogenous?” 

They were not.

In one example, we isolated each definition of “malicious code” in order to determine whether this definition had any consistency throughout the industry. 

We scored the definition of malicious code in a Liberty Mutual policy (see ClauseID 15438 in Appendix A of this report) against the other definitions of malicious code and calculated the average similarity score for that particular clause. We then repeated this process for the remaining clauses that defined “malicious code” and then ranked the clauses based on the value of the average similarity score. 
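The score-and-rank procedure described above, as an added example that is not RiskGenius's code: the proprietary scoring algorithm is not described on this page, so plain bag-of-words cosine similarity is swapped in here. The clause IDs and definition texts are constructed for illustration and are not any carrier's wording.

```python
import math
import re
from collections import Counter
from itertools import combinations

# Constructed sample definitions of "malicious code". IDs and wording are
# invented for this example; they are not taken from any real policy.
SAMPLE_CLAUSES = {
    "SAMPLE-A": "Malicious code means any virus, Trojan horse, worm or other "
                "software designed to damage or disrupt a computer system.",
    "SAMPLE-B": "Malicious code means any virus, worm, Trojan horse or similar "
                "software designed to damage, destroy or disrupt a computer system.",
    "SAMPLE-C": "Malicious code means unauthorized software, including a virus or "
                "worm, that is designed to damage a computer system or network.",
    "SAMPLE-D": "Malicious code means a program that replicates itself and spreads "
                "without the knowledge of the insured.",
}


def tokenize(text):
    """Lowercase the clause and split it into alphabetic word tokens."""
    return re.findall(r"[a-z]+", text.lower())


def cosine(a, b):
    """Cosine similarity between two term-frequency Counters."""
    dot = sum(count * b[term] for term, count in a.items() if term in b)
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def average_similarity(clauses):
    """For each clause, average its similarity to every other clause
    in the same category (here: all definitions of one term)."""
    vectors = {cid: Counter(tokenize(text)) for cid, text in clauses.items()}
    totals = {cid: 0.0 for cid in clauses}
    for left, right in combinations(clauses, 2):
        score = cosine(vectors[left], vectors[right])
        totals[left] += score
        totals[right] += score
    others = len(clauses) - 1
    if others < 1:
        # A single clause has nothing to be compared against.
        return {cid: 0.0 for cid in clauses}
    return {cid: total / others for cid, total in totals.items()}


def rank_clauses(clauses):
    """Rank clauses from most typical wording to most divergent."""
    scores = average_similarity(clauses)
    return sorted(scores.items(), key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for clause_id, score in rank_clauses(SAMPLE_CLAUSES):
        print(f"{clause_id}: {score:.3f}")
```

A clause at the bottom of the ranking is the one whose wording diverges most from the rest of its category, which is where a reviewer would look first.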

The usefulness of this initial cyber coverage analysis, however, was limited. Many of the policies we looked at were several years old and some had really bad page recognition, which inappropriately skewed our results. Then, as our fledgling company began exploring the ways that our software could achieve product-market fit, the cyber project faded to the periphery in favor of more lucrative, short-term wins. However, the lessons learned during that initial process have helped us identify a strategy for dealing with a question that has recently started emerging:

“Can you help us identify silent cyber insurance policies?”

  • multiple carriers, asking us to develop a solution for this problem

So the RiskGenius team set out to analyze all the different ways cyber liability can be created within a policy, especially including silent cyber coverage, and now this handy guide sits in front of you.

The purpose of the guide is twofold. The first purpose of the Cyber Wordings Guide is to share our framework for effectively analyzing silent cyber inside an insurance policy. The RiskGenius team (Jeremy, Jake, Anh and Brenan) developed the framework after painstakingly reviewing hundreds of thousands of insurance clauses in order to determine the correct way to identify coverages, exclusions, and definitions that might impact Silent Cyber. While this Playbook does not address each and every product or clause that will require analysis, it does provide a straightforward method that can be especially useful in identifying the silent cyber challenges that you are facing.

The second purpose of this Playbook is to demonstrate that there are much easier ways of evaluating emerging risks, such as silent cyber, in ways that do not require your team reviewing every possible coverage that you have for this crazy, new risk vector. Because we look at policies as data, we can help your humans do the complicated things they were trained to do by letting the computers do the complicated things that we trained them to do. 

I have already said this guide will “equip you with the knowledge to effectively analyze silent cyber.” If you want to efficiently analyze silent cyber, then you have two options. You can either use the RiskGenius software that our team has spent thousands and thousands of hours training to find the right information in a policy very quickly, or you will probably need to find a dedicated team, attract several million dollars in venture capital, and wait a few years while your team builds you a solution. This is a shameless plug, but it is also a choice you get to make. I’m sure that somewhere out there, a junior underwriter or lawyer will pick up this handbook and think to him or herself, “I don’t want to review every insurance policy we have for these very technical and nuanced issues relating to silent cyber for the next three years.” If that is your case, if you are that junior underwriter or lawyer, RiskGenius is for you. More about that in the last chapter of this guide.

Note: This guide is narrowly focused on cyber liability insurance. However, we can also identify other forms of complex risk across other product types. If you are reading this and thinking about a use case that you have, the chances are we can probably help you. Please email me your questions at: chris@riskgenius.com.

III. OVERVIEW OF CYBER WORDINGS

a.) Background

Cyber wordings come in a variety of forms. Cyber liability can be affirmatively disclaimed through an exclusion, expressly insured in a coverage section, or obliquely referenced through any of the various parts of an insurance policy. The obliquely referenced parts of a policy that might have some cyber coverage are called Silent Cyber. If you wanted to define it, you could say that Silent Cyber broadly refers to any cyber-related loss covered by insurance policy language that is not explicitly specific to cyber.

According to one Guy Carpenter report, Silent Cyber is triggered when:

  1. Cyber perils are not explicitly included or excluded; 
  2. Exclusionary language, when included, is ambiguous; 
  3. Insuring agreements are satisfied, however the insurer did not price for or contemplate loss scenarios emanating from a cyber peril/threat.

To demonstrate how this might appear, let’s look at a simple example. Imagine an insurance policy is comprised of one simple sentence:

“This insurance policy covers all damage to property.” 

Read by itself, there is no express mention of cyber in this language. However, “property” could be read broadly, thanks to an endorsement or definition, to include any damage caused by a cyber event. Conversely, an exclusion could just as easily carve “cyber event” out of the definition of “property,” resulting in potential exposures to all sorts of harm!

Back in our example, however, because the drafter of this clause did not go to the trouble of defining what exactly qualifies or does not qualify as property or damage, a reasonable interpretation of “property” could very well include “data” and a reasonable interpretation of “damage” might include a cyber attack that causes deletion of data. As this example shows, the results of silent cyber can be quite messy.

Through creating this map of cyber liability wordings, we have identified three places these pesky silent cyber issues can arise in a policy: 

  1. through the language of a clause that affirmatively addresses cyber liability,
  2. through the presence of a clause that might address cyber liability, or 
  3. through the absence of a clause that might address cyber liability.

As such, there is not some magic sentence for the words “Silent Cyber” or even “Cyber.” Instead, carriers must analyze each and every word of every clause of every page in every document that may foreseeably contain coverage excluding cyber liability for the whole array of clauses that might contain some inclusion or exclusion related to cyber coverage.

Further complicating matters, some instances demand carriers evaluate silent cyber exposures across policy portfolios. The term policy portfolio is liberally used to describe the policies within a business unit or product line at one insurance carrier. We have seen firsthand policy portfolios that include one or more product lines (e.g. General Liability, Commercial Property, etc.), and then, within a given product, wordings with divergent meanings. These are often due to manuscripting or changes to endorsements. For example, a commercial property policy could include one cyber exclusion (for Property X), multiple cyber exclusions (for Property X and Property Y, but not Property Z), or no cyber exclusions whatsoever.

Seeing that this could be a gruesome problem for carriers, the RiskGenius Cyber Wordings Guide was created to systematically identify the presence(s) or absence of Silent Cyber across a policy portfolio. 

In order to take the learnings from the Cyber Wordings Guide and apply them to thousands of insurance policies at once, our team had to get creative. Because the problem is so large (often, a policy portfolio will consist of thousands of insurance policies) and turns on such narrow changes to language, our team had to develop a computational approach to log language as data and identify each instance where that data could exist in a policy.

b.) Why is this problem so important?

Imagine you are a business owner of a software company. One morning you wake up and realize all of your data is missing. You have no record of any of your customers and all of your important documents (e.g., contracts, invoices, personal information of employees, etc.) have vanished. The code for your software platform has been erased. All of your digital assets are gone. Functionally, your organization stopped existing.

In one of the earliest Silent Cyber cases, this is exactly what happened. A company realized its “vital computer files and databases necessary for the operation of the company’s manufacturing, sales, and administrative systems” had been erased. After some investigation, the company discovered that a former employee had hacked the company’s software system and deleted these files. The company filed a claim with its insurance company, The Hartford, under its commercial property insurance policy. The claim was denied.

The company sued. A court later found that the destruction of the company’s software system constitutes “damage to its property, specifically, damage to the computers it owned, and … the damage constitutes a covered cause of loss.”

Sound familiar?

I like to imagine that an insurance executive learned of this court decision and thought to him or herself, “Oh Fiddlesticks! How many of our policies include this troubling latent coverage?” Then, I imagine the executive called other key insurance executives inside and outside the company and said “Holy smokes, do you have this latent insurance coverage too? I think we should call this ‘Latent Cyber Insurance Coverage.’” Then, after a marketing person was able to make “Latent Cyber Insurance Coverage” sound a little bit sexier, “Silent Cyber” was born.

While the NMS case involved only one company, a more recent cyber attack created worldwide Silent Cyber coverage issues for thousands of companies. The NotPetya attack, which may or may not have originated as an act of war, potentially created billions of Silent Cyber losses:

“The largest multi-insured loss arising from a cyber attack is the NotPetya event in 2017, estimated by Property Claim Services (PCS) at more than USD 3 billion. However, due to underinsurance and low product penetration by the affected businesses, most of that loss will likely fall to the non-affirmative insurance market, and claims under non-affirmative policies are being contested by some carriers. Due to the business community’s growing interconnectivity and increasing reliance on technology, cyber losses will continue to manifest in new and unexpected ways. The protection gap disparity highlighted by NotPetya between economic and insured loss may be only a sampling of what is to come.”

With billions of dollars at stake, and an increasing frequency of cyber attacks, now seems like a good time to get a handle on Silent Cyber.

c.) Is this problem real?

As it turns out, trying to prove that something fundamentally new and different exists is actually pretty difficult.

The television series Stranger Things comes to mind when thinking about this (Note: spoilers for the show may follow). I don’t have a great memory for television shows, but I vaguely recall that one of the characters in Stranger Things kept seeing a monster in an alternative universe and no one believed him. If you think about it, that’s kind of what any emerging risk is — it’s a monster from an alternate universe that only a few people have seen. In the beginning, only the main character’s best friends believed he was seeing the monster. Then the mother of the main character believed he was seeing the monster. Then, the mother convinced the local sheriff that the monster existed. Gradually, after the monster wreaked havoc across the whole town, everyone else started to believe a monster existed.

With that detour into the Upside Down, I now present to you the Stranger Things Emerging Risk Believability Index – STERB Index for short:

Based on comments from government officials and others, we can at least say that Silent Cyber has graduated up the spectrum of emergent risks and into the category of “Independent Recognized Authority.” Please follow along for the Committee’s very scientific analysis: 

  • No Believers: I believe in Silent Cyber.
  • Evangelists: My best friends (RiskGenius employees, and yes, they are forced to be my best friends) believe in Silent Cyber.
  • Related Semi-Authority: Other software companies (CyberCube is one example) believe in Silent Cyber.
  • Independent Recognized Authority: Even the Casualty Actuarial Society acknowledges Silent Cyber.

Keep reading Insurance Prospectus as we formally develop and publish materials around the STERB Index and its application to Emerging Risks. We welcome reader submissions on emerging risks that are important to the insurance industry (email me at chris@riskgenius.com).

d.) The Cyber Wordings Guide

The chart on the following page details our framework for how to analyze silent cyber. The purpose of the framework is to create a process to effectively analyze two or more insurance policies to determine if they contain elements of silent cyber coverage. Put another way — we are trying to determine if an insurance policy properly excludes or inadvertently includes coverage for a cyber event that causes a loss. 

If we are trying to determine if there is coverage for a cyber event, then there are three primary provisions to evaluate: 1) coverages, 2) exclusions, and 3) definitions.

A drafter may have specifically included coverage for a cyber event. We have listed known instances in this playbook. If a drafter of a policy has specifically contemplated cyber events, this information will likely appear through the presence or absence of the term in the exclusions. If the policy does not contain an obvious exclusion, then it is critical to double-check the listed coverages and determine if a cyber event could be construed as covered. Finally, after having gone through each of these instances, it will be important to check whether someone has defined a term in a way that might subject the carrier to exposure.

IV. CONCLUSIONS

a.) It is impossible to know all of the answers

As we have shown, there are many ways that Silent Cyber can subject a carrier to unwanted exposures. And while we have gone through a lot of policies to identify all the different ways this problem manifests, new policies are being issued every day, new language is being manuscripted onto those policies, and it will be a while until the market for cyber liability products is as standardized as the market for something like general liability.

The Silent Cyber Handbook is a great first step on this long journey. Modeled after the RiskGenius insurance policy taxonomy, this handbook is the beginning of a human-computer system that will continually be adapted and improved to help reduce the vulnerabilities of the future in ways that are faster and more effective than either humans or computers alone completing this task. MIT Professor and renowned data scientist Alex “Sandy” Pentland has pointed out the flexibility required of any human-computer system:

“(Y)ou can’t ever build human-machine systems that ‘just work.’ Instead, you will have to continually tweak, reiterate, and redesign them. Once you accept the limitations of the human intellect, you realize that the system must be modular, so you can revise the algorithms easily…” 

No framework for evaluating silent cyber in insurance policies can “just work.” And even if you were able to create some perfect framework, it would only be perfect until some new risk emerged. This underscores the need to continually adapt.

It is impossible to understand new and emerging risks without breaking an insurance policy down into clauses. One day, a new computer attack could emerge that had never been contemplated before by industry experts or insurance wording savants. This could impact whatever definition you have created for cyber. Another day, a judge may issue a ruling that makes a long-standing Absolute Cyber Exclusion ineffective. This could impact your key exclusions for cyber. Understanding an insurance policy clause-by-clause is paramount to this type of detailed analysis.

As a result of these unique considerations, the Cyber Wordings Guide is appropriately modular in its structure. It can be adapted to work in many scenarios, across many product lines, and for any insurance carrier’s policy. But it also must be continually tweaked and adjusted to fit the evolving circumstances of linear time. 

Think about the first cyber insurance coverage ever created. It likely did not account for “cloud services” or even the internet. As new technologies become more mature — like blockchain, edge computing, and quantum computing — what constitutes Silent Cyber will surely evolve. Future volumes of the Silent Cyber Handbook will focus on what is considered an “absolute” exclusion (and the subsequent problems that may arise from such a broad exclusion) and other scenarios where a more in-depth analysis of Silent Cyber liability would be required (we call this our Gamma Check at RiskGenius).

b.) Scaling the Framework Requires Technology 

A human being should be able to apply the Cyber Wordings Guide to an insurance policy. However, the process of applying the Cyber Wordings Guide to policy portfolios (thousands of policies) would take a lifetime for one person and cost an unthinkable amount of money. This is where the RiskGenius software comes in. Our software platform automates the application of the Cyber Wordings Guide to hundreds or thousands of insurance policies. 

By using a form of pattern matching that is trained by humans and improved by computers, this conceptual idea works as such: 

Imagine you are a cyborg Silent Cyber insurance professional. You are part human, part robot, and your sole purpose in life is to root out and destroy silent cyber in insurance policies. You have studied and memorized millions of insurance clauses. More importantly, you have a nearly instantaneous memory that allows you to recall any given insurance clause. And, even more astounding, you can immediately compare all the clauses in your Silent Cyber memory bank to the text you read on a page. 

Your master teaches you the Cyber Wordings Guide. So when someone hands you an insurance policy, you can quickly read it and instantaneously identify each of the clauses that could potentially trigger or exclude cyber coverage, and then determine whether the language “triggers” create any unwanted exposures.

That’s kind of how RiskGenius evaluates policies and uses the Cyber Wordings Guide. 

If you have any questions, please email me at chris@riskgenius.com.

About 

Chris Cheatham is the CEO of RiskGenius and a former insurance attorney. He likes looking at the past to think about the future. Contact Chris at chris@riskgenius.com

Bryan Wilson is an MIT futurist, attorney, and former RiskGenius employee. He likes thinking about the future while living in the present. Contact Bryan at bryan@computationallaw.org

To learn more about RiskGenius, visit www.riskgenius.com

Thank you for reading. 
