"Silent cyber", sometimes called non-affirmative cyber, describes cyber exposure that sits inside a policy which was never written with cyber in mind. A traditional professional indemnity or property wording did not mention cyber at all, so whether it responded to a cyber-driven loss was a matter of argument rather than design. Insurers had priced these policies without pricing the cyber risk, and policyholders could not be certain of the answer until a claim was tested.
From 2019 the Lloyd's market moved to require that all policies state expressly whether cyber is covered or excluded. Lloyd's Market Bulletin Y5258 set out the requirement for affirmative cyber cover, and the Lloyd's Market Association published standard cyber exclusion and write-back clauses - for example the LMA5400 and LMA5401 series - for underwriters to attach. The Prudential Regulation Authority had also pressed insurers to identify and manage silent cyber exposure across their portfolios.
The result is that a modern PI wording usually addresses cyber one way or another: either it carries a cyber exclusion, or it grants a limited write-back, or it is silent only because it predates the reforms. Firms relying on older wordings should not assume the ambiguity works in their favour.
For accountants and IT consultants, the practical question at renewal is simple to ask and important to answer: does the PI policy exclude cyber, and if so, is that exposure picked up by a standalone cyber policy? A clean exclusion in the PI wording is not a problem if the cyber policy is written to catch what the PI policy drops. It becomes a problem only when nobody has checked that the two line up.
Cyber exposure is also a material circumstance for the duty of fair presentation under the Insurance Act 2015. A firm that has suffered previous intrusions, holds large volumes of special category data, or has known vulnerabilities should present those facts at renewal. The affirmative-cover reforms removed the ambiguity about whether cyber is covered; they did not remove the firm's duty to disclose the risk fairly.
Apex reads the cyber wording and the PI wording together at renewal so the exclusions and write-backs in each are checked against the other before cover incepts.
A firm renewing a wording that predates the affirmative-cover reforms should not treat the silence as free extra protection. The safer reading is that the exposure is untested and may not respond as hoped. The practical steps are to ask the insurer to confirm in writing how the policy treats cyber, to check whether a standalone cyber policy is in place, and to map the two against each other so any gap is identified before it is needed.
The reforms were driven by a recognition that neither insurers nor policyholders benefit from uncertainty about whether a large loss is covered. For a professional firm the same logic applies at the individual level: certainty about which policy responds is worth more than an ambiguous wording that might, on a good day, be argued to cover more. Apex helps clients convert that ambiguity into a documented position at renewal.
Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority. Firm reference number 724952. This entry is general information, not advice on any particular policy.