5 Ways Cyber Insurance Exclusions Are Creating Zombie Policies

September 12, 2022

Stephanie Snyder Frenier is SVP with CAC Specialty’s Professional & Cyber Solutions practice. Stephanie has over 18 years of experience engaging with clients and prospects to develop tailor-made cyber and technology errors & omissions risk transfer solutions, while also supporting marketing and sales strategy.


Is it the night of the living dead for cyber insurance? New clarifications of coverage — seeking to exclude losses for certain types of events — should be concerning for cyber insurance buyers.

While carriers cite loss aggregation, portfolio sustainability and access to new capital as reasons for these changes, the outcome is new exclusions on top of an already challenging cyber insurance offering.

These coverage amendments have the potential to exclude losses for insurance buyers’ most concerning cyber loss scenarios. This could render the insurance less meaningful, should it lack material coverage for large financial losses, turning it into an undead shell of its former self — essentially, a zombie policy.

Let’s look at the top five zombie policy characteristics in today’s cyber insurance market:

1) Zombie from the Grave

After years of no sub-limits on cyber insurance policies, this coverage structure came back from the grave in response to ransomware attacks and IT supply chain losses. Sub-limits may be related to dependent business interruption coverage, malware/ransomware losses, or may include regulatory fines, payment card loss, hardware replacement, technology betterment, and/or reputational harm coverage. Sub-limits create an additional coverage concern as excess carriers may not follow these primary sub-limits.

2) Biting Zombie

Like the bite that results in zombie transmission, some carriers have introduced catastrophic loss exclusions for events impacting more than one organization at the same time. Coverage is available for an attack against one company only; should there be “transmission” to another company, coverage is excluded. Examples of these “bites” include events impacting the software supply chain, zero-day exploits, unpatched known vulnerabilities, and events impacting internet and telecommunications service providers.

3) Runner Zombie

The runner zombie remains dormant until it is reanimated and becomes aggressive. This is a zombie who lies in wait until a triggering event, like the limitation to systemic event cyber coverage after a 72-hour period of indemnity. While this coverage provision appears to be docile as coverage is available for systemic events — such as an operating system or cloud provider outage — after 72 hours, this zombie attacks and excludes further loss.

4) Walker Zombie

The walker zombie is slow and tends to congregate in groups. These exclusions are more specific to individual security controls and may be batched together. Several carriers have introduced specific exclusions addressing losses associated with end-of-life software that is no longer supported, common vulnerabilities, and software that is not patched. Some carriers have introduced co-insurance that incrementally shifts more risk to the insurance buyer if the vulnerability is not patched after various time periods.

5) New Zombie

Lloyd’s Market Association recently shared a Market Bulletin indicating that starting in March 2023, Lloyd’s cover holders must add language excluding state-backed cyberattacks. This will also require language in terms of determining attribution of the cyberattack. This new zombie is one to watch, as it has the potential to be particularly deadly to coverage.

How can cyber insurance buyers ensure that they are not purchasing a zombie policy? Find a good broker who specializes in cyber insurance coverage and can help negotiate with underwriters in multiple markets (U.S. retail, U.S. wholesale, London, and Bermuda) to determine the broadest possible coverage at the best possible price.

Even more importantly, buyers should ensure that they are investing in cybersecurity posture improvements and are maintaining best practices relative to ever-evolving cybersecurity standards. A good broker cannot overcome poor cybersecurity hygiene, and the worse a company’s hygiene, the more their coverage is apt to be a zombie. With work on all sides — buyer, broker, and carrier — the cyber insurance market can remain sustainable while avoiding a dawn of the dead.
