By Ryan Windt | Head of Growth Marketing | Updated May 2026
Most businesses that think they have no cyber coverage actually have some. And most businesses that think their non-cyber policies cover cyber losses are wrong about the specifics. Both problems trace back to the same concept: silent cyber.
Silent cyber refers to cyber-related losses that are neither explicitly covered nor explicitly excluded in a traditional insurance policy. It is the coverage gray zone created when a policy was written before cyber risk was a meaningful underwriting consideration, and the language simply does not address it.
Understanding silent cyber matters for two reasons. First, it is one of the most common sources of coverage disputes after an incident. Second, insurers have been systematically eliminating it from non-cyber policies, which means businesses that assumed they had some cyber protection through their property or general liability policies may have less than they think.
How Silent Cyber Happens
Traditional insurance policies, including commercial property, general liability, commercial auto, and directors and officers policies, were written to cover physical risks. Property policies cover damage to tangible assets. General liability covers bodily injury and property damage. None of these forms were designed with cyber events in mind.
As cyber incidents became more frequent and more costly, insurers began asking whether losses from events like data breaches, ransomware attacks, and network outages triggered coverage under these traditional forms. The answer was often: maybe.
A ransomware attack that causes a manufacturer to halt production might trigger a business interruption claim under a commercial property policy, since the production halt caused a financial loss. Whether it actually does depends on whether the policy requires physical damage to trigger business interruption coverage, how the policy defines property, and whether any exclusion applies.
This ambiguity cuts both ways. Some businesses received unexpected coverage from traditional policies after cyber incidents. Some insurers paid claims they did not intend to cover. The exposure on the insurer side reached into the hundreds of billions of dollars globally, which is why the market moved aggressively to address it.
The NotPetya Moment
The clearest illustration of silent cyber at scale is the NotPetya malware attack in 2017. NotPetya was a destructive cyberattack, widely attributed to Russian military intelligence, that spread globally through a compromised Ukrainian accounting software update and caused an estimated $10 billion in damage.
Several major corporations affected by NotPetya filed property and all-risk insurance claims. Their insurers denied the claims, citing war exclusions. The policyholders sued, arguing that legacy war exclusion language written for conventional military conflict did not clearly apply to a cyberattack. Courts in multiple jurisdictions found in favor of policyholders, largely because the war exclusion language was too vague to apply cleanly.
Merck settled with its insurers in 2024 after lower courts found in its favor. Mondelez settled in 2022. Neither case created binding national precedent, but both sent the same signal: when cyber losses flow into traditional policies with ambiguous language, policyholders may win coverage disputes that insurers intended to deny.
The response from the insurance market was to eliminate the ambiguity. Insurers began adding explicit cyber exclusions to property, general liability, and other traditional policy forms, and Lloyd’s of London issued market guidance in 2022 requiring its syndicates to either explicitly include or explicitly exclude cyber coverage in all policies by a defined deadline. Silent cyber, the gray zone, was being systematically closed.
Where Silent Cyber Still Exists
Despite market-wide efforts to address it, silent cyber has not been fully eliminated. It persists in several places.
Older policy forms. Policies written several years ago on forms that predate the market’s move toward explicit cyber treatment may still contain ambiguous language. If you have not reviewed your non-cyber policies recently, the treatment of cyber losses may be unclear.
Endorsements that partially address cyber. Some non-cyber policies include limited cyber endorsements that were added to provide some coverage without creating a full standalone policy. These endorsements often have low sublimits, narrow covered perils, and claims processes that are not designed for cyber incidents. They create partial coverage that leaves significant gaps.
Professional liability and E&O policies. Technology errors and omissions policies may cover certain cyber-related professional liability claims, but the coverage is designed for claims that your technology service failed to perform, not for first-party losses from a cyberattack on your own systems. The line between what triggers tech E&O and what triggers cyber coverage is not always clear. For a detailed breakdown of how these two policies interact, see Tech E&O vs. Cyber Insurance: What’s the Difference and Which Do You Need?
Directors and officers policies. A securities class action or shareholder derivative suit following a material cyber incident may create D&O exposure. Whether the D&O policy or the cyber policy responds, or whether they share the defense costs, depends on how each policy is written and whether they contain coordination of coverage provisions.
Crime and fidelity policies. Business email compromise and funds transfer fraud sometimes trigger claims under crime policies, particularly those with computer fraud or funds transfer fraud coverage. Whether the cyber policy or the crime policy responds first, and how sublimits interact, can be genuinely ambiguous. For how this plays out in practice, see Funds Transfer Fraud and Social Engineering Insurance.
What Insurers Are Doing About It
The insurance industry’s response to silent cyber has been to move from ambiguity to explicit treatment in both directions: either affirm cyber coverage in a policy or exclude it clearly.
Explicit cyber exclusions on non-cyber policies. Most major commercial property, general liability, and other traditional policy forms now include exclusions specifically addressing cyber losses. The language varies, but the intent is to remove cyber losses from the scope of traditional policies and push them to standalone cyber coverage.
Cyber affirmative coverage endorsements. Some insurers offer endorsements on traditional policies that explicitly affirm limited cyber coverage, typically with lower limits and narrower scope than a standalone policy. These are designed to fill specific gaps rather than replace standalone coverage.
Lloyd’s cyber mandate. Lloyd’s of London has required its syndicates to explicitly address cyber coverage in all policies since 2023. Every Lloyd’s policy must now either explicitly include or explicitly exclude cyber losses, eliminating silent cyber within the Lloyd’s market.
Updated war and cyber exclusion language. Following the NotPetya litigation, Lloyd’s and other market participants issued updated model war and cyber exclusion language that is more precisely drafted than the legacy forms at issue in those cases. The new forms include explicit definitions, attribution mechanisms tied to competent authorities, and carvebacks for uninvolved third parties caught in systemic attacks. For a detailed look at how war exclusions work in the current market, see Iran Conflict and the Cyber Insurance War Exclusion.
Why This Matters When You Buy a Standalone Cyber Policy
Understanding silent cyber is not just relevant for evaluating traditional policies. It affects how you structure a standalone cyber program.
Coordination of coverage. If your property policy explicitly excludes cyber losses and your cyber policy has a sublimit on business interruption, you may have a gap between the two. Neither policy covers the full loss. A broker who understands how your policies interact can identify those gaps before a claim exposes them.
Other insurance clauses. Most insurance policies include “other insurance” provisions that determine how multiple policies respond to the same loss. If a cyber loss could theoretically trigger both your cyber policy and a crime policy, the other insurance clauses determine which policy is primary. Getting this right before an incident requires reviewing the coordination provisions across your entire insurance program.
Sublimit mismatches. A business might have $5 million in property coverage and $1 million in cyber coverage. If a cyberattack causes $3 million in business interruption losses, the cyber policy’s business interruption sublimit may be the binding constraint, even if the property policy was assumed to provide some coverage. Reviewing how your total program responds to a realistic loss scenario is more useful than reviewing each policy in isolation.
For a guide to how sublimits work within a cyber policy specifically, see Cyber Insurance Sublimits Explained.
How to Audit Your Policies for Silent Cyber
A basic silent cyber audit involves reviewing each of your non-cyber insurance policies and asking a set of specific questions.
Does the policy include an explicit cyber exclusion? If yes, what are the carvebacks? Some exclusions preserve coverage for physical damage that results from a cyber event, or for cyber losses that arise from a covered cause of loss other than a cyberattack. Understanding exactly what is excluded matters as much as knowing that an exclusion exists.
Does the policy include any cyber-related endorsements or coverage grants? If yes, what are the sublimits, covered perils, and claims requirements? An endorsement that provides $50,000 in cyber coverage on a general liability policy is not meaningful protection for a business with a realistic breach exposure in the hundreds of thousands of dollars.
How does the policy handle business interruption? Does it require physical damage to trigger business interruption coverage? If so, a ransomware attack that causes a production shutdown without physically damaging equipment may not trigger the coverage.
How does the policy handle data and software? Most commercial property policies define covered property in terms of tangible assets. Data, software, and digital records may be explicitly excluded, or may not be addressed at all. If your business’s most valuable assets are digital, property coverage that only responds to physical damage is structurally inadequate.
How do the other insurance clauses interact with your cyber policy? If a loss could trigger both a traditional policy and your cyber policy, which is primary? Are there coordination provisions that prevent a coverage gap?
The goal of this audit is not to find coverage under your traditional policies. Most of the time, the answer is that cyber losses belong on the cyber policy. The goal is to confirm that assumption explicitly and to identify any coordination issues before an incident makes them urgent.
For guidance on how to structure a cyber policy that fits your overall program, see How to Read a Cyber Insurance Policy and How to Compare Cyber Insurance Quotes.
Silent Cyber and the Standalone Policy Argument
One of the clearest arguments for standalone cyber insurance is that it eliminates silent cyber from the equation entirely. A well-structured standalone policy explicitly defines what is covered, what is excluded, and how it coordinates with other policies. There is no ambiguity about whether a ransomware attack or data breach triggers coverage.
Businesses that rely on cyber endorsements bolted onto traditional policies, or that assume their property or GL policy will pick up some cyber losses, are accepting coverage uncertainty that a standalone policy resolves. For a full explanation of why standalone cyber coverage is structured differently from endorsements, see Why Every Business Needs Standalone Cyber Insurance.
Frequently Asked Questions
What is silent cyber in simple terms?
Silent cyber refers to cyber-related losses in insurance policies that are neither explicitly covered nor explicitly excluded. The policy language does not address cyber events, leaving it ambiguous whether a cyber loss is covered. It creates coverage uncertainty and is one of the most common sources of insurance disputes after a cyber incident.
Does my general liability policy cover a cyberattack?
Almost certainly not under a modern policy form. Most general liability policies now include explicit cyber exclusions. Even before those exclusions were standard, GL coverage was designed for bodily injury and property damage claims, not for the costs of a data breach or ransomware response. For a full breakdown, see Does General Liability Cover a Cyberattack?
Does my commercial property policy cover ransomware?
Unlikely under a current policy form. Most property policies now either explicitly exclude cyber losses or require physical damage to trigger business interruption coverage, which ransomware alone does not cause. Older policy forms may be more ambiguous, which is why reviewing your current forms matters.
What did NotPetya teach the insurance industry about silent cyber?
NotPetya produced a series of coverage disputes in which policyholders successfully argued that legacy war exclusion language in property policies did not clearly apply to a cyberattack, even one attributed to a state actor. Courts found in favor of policyholders in several cases. The insurance industry responded by adding explicit cyber exclusions to traditional policies and updating war exclusion language to be more precisely drafted.
Should I buy cyber coverage as an endorsement or a standalone policy?
A standalone policy is almost always the better structure. Endorsements on traditional policies typically have lower sublimits, narrower covered perils, and claims processes that are not designed for cyber incidents. A standalone policy provides explicit, purpose-built coverage without the ambiguity that creates disputes.
How do I know if my policies have silent cyber exposure?
Review each non-cyber policy for explicit cyber exclusions and any cyber-related endorsements. Pay particular attention to business interruption coverage triggers, the definition of covered property, and other insurance clauses. A broker who specializes in cyber can help you map how your policies interact and identify any gaps.