
Underwriters aim to develop cyber coverage framework


Cyber claims that may fall under other lines, including property, crime and fidelity, and directors and officers liability coverages, create challenges for underwriters in writing policies and paying claims, experts say.

“In the early days, silent cyber really meant coverage that was in a noncyber policy that did the same thing as in an affirmative policy,” said Tim Francis, enterprise cyber lead for Travelers Cos. Inc., who moderated a panel on the topic at the Professional Liability Underwriting Society’s cyber symposium last week in New York.

Now, “cyber” is used in connection with “anything that might be related to technology,” and sometimes it’s the appropriate term and sometimes it isn’t, Mr. Francis said.

Kelly Castriotta, Chicago-based head of product development and North American cyber underwriting lead for Allianz Global Corporate & Specialty SE, financial lines, North America, said that in measuring and assessing silent cyber exposure, the first thing to do is develop a framework, with the key terms being aberration, aggregate and aggravation.

Aberration is something covered that is not intended to be covered; aggregation involves covering the same issues as in other policies; and aggravation addresses whether there is a cyber peril or hazard that is increasing the loss, she said.

Duncan Ellis, head of retail property, North America general insurance, for American International Group Inc. in New York, said property policies cover damage to insured tangible property that you “can see, touch and feel,” while also covering business interruption or time element exposures, meaning losses rather than the profits that would have been made had there not been physical damage.

This means there was a “snap, crackle or pop” to a property’s molecular structure, which has somehow changed, Mr. Ellis said. Property policies have traditionally excluded electronic data, he said.

However, “if machines run wildly out of control and damages result from that,” or if a cyberattack causes a fire, that is considered physical damage and covered under a property policy, Mr. Ellis said.

At AIG, responsibility for nonphysical aspects of cyber-created damages “rolls up to Tracie Grella’s group,” he said, referring to the insurer’s head of cyber risk insurance.

AIG announced in September that by January of this year nearly all of its policies would exclude or affirmatively cover cyber risks.

“The industry is grappling with how to define these concepts,” and there may be inconsistency within organizations, with different views as to how nonphysical damage is defined, Ms. Castriotta said.

Chris Arehart, Chicago-based senior vice president and product manager of crime, financial fidelity, kidnap/ransom and extortion, mail and workplace violence expense insurance for Chubb Ltd.’s North America financial lines division, said one challenge is introducing new policy forms into the system. “There’s always old forms, and our challenge as product development folks is to get those newer forms out there,” he said.

Mr. Arehart said coverage in bonds and crime, and cyber policies, is akin to a Venn diagram, where the coverage overlaps in the middle. A product developer’s job is to make that overlap as small as possible, “because when you overlap, you end up with a risk you can’t get your arms around, you can’t actually underwrite to that,” he said.

Mr. Ellis said, “Property policies are not racing to exclude anything. They’re racing, within AIG, from the first-party property perspective, to make sure they are clear on what they’re doing and what they’re not doing,” as with any peril.

“It’s these gray areas that are problematic, and that’s what we’re looking to work on, not excluding, but working to make sure it’s clear,” he said.

Another session during the conference focused on privacy enforcement and regulation. Lisa J. Sotto, managing partner at Hunton Andrews Kurth LLP in New York, said, “At a very global level, privacy is really considered very different” among different cultures because of different historical backdrops.

In Europe, she said, where data was used to persecute people in Eastern Europe under the Axis powers, data privacy “is considered a fundamental human right.” In the U.S., “we market people to death,” she said.

Europe “created the benchmark in this space,” with the General Data Protection Regulation, which is now being mimicked by a number of jurisdictions, she said. “It’s a comprehensive data protection law and every First World country other than the U.S. has a comprehensive data protection law,” she said.

“The states really have been where the action has been over the last 20 years,” Ms. Sotto said. “We’ve seen a tremendous amount of activity at the state level.” The California Consumer Privacy Act, which took effect in January, “really changed the landscape,” and will affect every company of any size in the U.S., she said.

She predicted there will be federal data protection legislation, although it’s unlikely before 2022.

Andrew Smith, director of the Federal Trade Commission’s Bureau of Consumer Protection, said during the session that there are those who argue the agency should only investigate cases in which there has been a data breach.

Mr. Smith said he does not agree with that approach. Just because there has been a data breach does not mean there is bad data security. It may just be a matter of the “bad guys” having figured out how to breach a system, he said. And just because a company does not believe it has been breached does not mean it has good data security, he added.

Ms. Sotto said she has been involved in many FTC investigations and some enforcement actions. “Honestly, I have never found the FTC to be irrational or unreasonable in their demands,” she said. She said she encourages her clients “to be forthright and honest and transparent with the FTC.”

At another session, participants were asked to debate the pros and cons of paying ransomware demands.

Companies should place themselves in a position where they can make a choice whether to pay, said David B. Anderson, vice president, Northeast cyber technology practice for Lockton Cos. LLC in New York.

It is a matter of someone who “feeds a monster” in the hope of getting their data back vs. having encouraged better data-handling practices before the ransomware attack occurred, he said.