We draw on two sources because the literature does not provide adequate coverage of this topic, which is novel and complex. By analyzing the general insurance terms and conditions of traditional insurance lines, we used Mayring’s qualitative content analysis. Moreover, we interviewed experts in the German insurance industry to determine how insurers perceive their silent cyber risks, and what steps they are taking to address them. According to the study, cyber liability poses a substantial risk to insurers in the considered lines of business. Both explicit and implicit inclusions and exclusions of Cyber Haftpflicht risks result from insufficient descriptions of the contract’s scope of coverage and imprecise wordings of insurance clauses.
Companies face data breaches, cybercrime, IT failures/outages, fines and penalties as the most significant risks in the 21st century (Allianz Global Corporate & Specialty (AGCS) 2020; World Economic Forum 2020). Information and communication technologies (ICTs) pose a cyber risk if they compromise confidentiality, availability, or integrity of data or services. Due to operational technology impairments, businesses are disrupted, (critical) infrastructure fails, and people and property suffer physical damage (Eling and Schnell 2016a, b). A breach of data protection-related obligations, a business interruption, and data theft can result in damage to financial and reputational resources (Cavusoglu et al. according to Cavusoglu et al. (2004), Smith (2004), and Järveläinen (2013). Over the last two years, German companies have been hit with cyberattacks worth EUR 205.7 billion (Bitkom 2020).
For transferring cyber threats risks to companies, insurance solutions are particularly useful (Innerhofer-Oberperfler and Breu 2010; Tosh et al. 2017; Tonn et al. 2019) 2016; OECD 2017b; EIOPA 2018a). Insurance companies have a hard time designing new products because their coverage may overlap. Cyber coverage is often incorporated into traditional products, creating complexity and obscurity (Haas and Hofmann 2014; Siegel et al. 2018); on the other hand, cyber coverage contains vague insurance terms and conditions and insufficient descriptions of the contractually agreed scope (Baer 2003; Meland et al. 2015; Marotta et al. 2015, 2017). Some policies do not mention cyber damage in their terms and conditions (Ruffle et al. 2015). However, the structure of cyber coverage is largely determined by the words used in insurance terms and conditions, as well as the description of the contractually agreed scope of coverage (Woods and Simpson 2017).
New insurance products explicitly cover or exclude cyber risks, but existing policies are unclear whether or to what extent they cover them (Kirkpatrick 2015; Eling 2018; Siegel et al. 2018; Woods and Moore 2020). Traditional insurance policies are susceptible to ‘silent cyber risks’ because of this unintended, implicit coinsurance (Woods and Simpson 2017; EIOPA 2019). Silent cyber risks arise from implicit cyber exposure within policies that do not explicitly exclude them (Bank of England Prudential Regulation Authority (PRA), 2016).
