Insurance professionals and their business clients have made important strides clarifying coverage for losses from hacks, according to a recent survey.

As the number of high-profile breaches mounted, uncertainty over whether those attacks would be covered by insurance became a growing risk to the industry's reputation, said Andrew Laing, PartnerRe Ltd.'s head of global cyber and emerging risks. Concerns over so-called silent cyber risks increased as clients expected to be covered by commercial policies that did not mention internet-related vulnerabilities one way or the other.

Respondents to an annual survey conducted by PartnerRe and Advisen Ltd. indicated a decreasing overlap between cyber coverage and more traditional policies and a trend of underwriters and brokers more clearly outlining protection from hack losses.

"A large number of our clients and a large portion of the market are now going through the process of identifying nonaffirmative [silent] cyber coverage in their portfolios and eliminating this ambiguity," Laing said in an interview. He lauded initiatives by Lloyd's of London and certain global insurers to explicitly explain how and under what policies cyber risks would be covered.

But concern among insurance professionals has not dissipated, with 67% of survey respondents saying they were still worried about the presence of silent cyber expectations lurking among clients of specialty property insurance.

Going phishing

The survey also uncovered another important area of ambiguity in the industry. Fund transfer schemes, one of the costliest types of Internet-based fraud that criminals inflict on businesses, continues to divide opinions in the insurance world on how losses should be covered.

Online criminals have become more sophisticated with social engineering methods and are using them to trick employees into sending companies' funds to the wrong accounts. Patient and enterprising scammers fool workers into letting them into their companies' internal communications via email phishing, then spend months observing messages concerning money transfers before devising authentic-looking "instructions" to transmit millions of corporate dollars into their coffers.

The survey found that social engineering was the second-most-common reason insurance customers cited for purchasing or renewing their cyber policies. Most underwriters that responded thought it should be part of crime loss coverage. A narrower majority of brokers agreed, but the difference between the two groups widened by about 5 percentage points, Laing noticed.

"What we're not seeing is people coalescing around one opinion. They're actually diverging," Laing said. He sides with the majority that being tricked into sending money should be covered by crime insurance even though the fraud is technology based.

The frequency of social engineering theft and growing customer awareness of the threat means that insurers and brokers must make sure those risks are covered somewhere, Laing said.

"Debating where it should fit is probably less important to the insurance community than offering the coverage and making sure the clients are fully served," he said.

The head of small-business focused broker CyberPolicy believes breach and social engineering coverage should be included in more universal policies. Lives are more digital, and the Internet touches every part of business these days, CEO Keith Moore said in an interview.

"The cyber [coverage] has to coincide with the crime policy and everything else," he said.

Overall, takeup for cyber liability insurance continues to be strong in Europe and North America while other regions are catching up as more knowledge about the threats, and the products that can be used to mitigate the damage, become available, Laing said.

"We're seeing lower penetration outside those two markets, but it's certainly growing rapidly," he said.