As IOT devices become quickly outdated, the latent cyber risk caused by a development priority of functionality over security will begin to emerge. In turn, this has created an opportunity for cybercriminals seeking to exploit a much wider surface area of vulnerabilities, often resulting in the compromise of healthcare or Operational Technology networks that utilise the IOT.
The increase in cyber-attacks has required insurers to address cyber risk and to ensure that there is coverage certainty across multiple lines of business. Any cyber risk that is not expressly addressed is referred to as ‘silent cyber’.
In the UK, the Prudential Regulation Authority (the “PRA”) has sought to address the issue of ‘silent cyber’ and wants to ensure that insurers expressly affirm or exclude cover. Lloyd’s mandated managing agents to comply with those requirements on a phased basis from January 2020 until July 2021.
In addressing ‘silent cyber’, clarity is essential. Cyber risk does not just involve traditional computers but extends to complex network infrastructure.
One key to addressing this comprehensively is to use appropriate definitions. The LMA and IUA have published over 120 model clauses with consistent definitions being used. The key to addressing cyber risk in the context of the IOT is to ensure that any definition of a ‘Computer System’ is sufficiently broad and encompasses, effectively, anything that operates with a microchip or processes data.
Whilst there have been attempts to broaden definition further to ‘any electronic device’ this has caused some difficulty. There is the potential that an exclusion could then operate solely on the basis of a failure to use or access an electronic device, rather than one that contains a microchip or processes data.
Insurers should endeavour to provide as much clarity as possible to reflect the evolving risks of network infrastructure. It is best to avoid using clauses which simply list contemporary names of malware, or computer equipment. The speed of technological development means that these can often become outdated very quickly.