Silent Cyber (or non-affirmative cyber risk) happens when a policy doesn’t clearly say whether cyber events are covered or excluded. That ambiguity means coverage often depends on interpretation after a loss — a position no risk manager wants to be in.
Where It Came From
Traditional insurance was designed for physical perils — fire, theft, natural disasters — long before cyber threats existed.
When the internet transformed business, policy language didn’t evolve as quickly. This led to high-profile disputes like:
- Mondelez vs. Zurich (2017) – USD 100 million ransomware loss denied under a “war exclusion.”
- Merck & Co. (2023) – USD 1.4 billion judgment after property insurers rejected a cyber-attack claim.
These cases exposed the urgent need for clearer cyber definitions.
Global Market Response
In 2020, Lloyd’s of London required all policies to affirmatively state whether cyber coverage is included or excluded.
Other markets followed, aiming to remove ambiguity and prevent unintended cyber exposure.
This shift has improved underwriting discipline and encouraged firms to adopt dedicated Cyber Insurance where appropriate.
Silent Cyber in Vietnam
While international insurers have updated their wordings to clearly define cyber exposure, many businesses in Vietnam still operate under legacy policies written before these global reforms.
Below are some common real-world scenarios that illustrate how Silent Cyber exposure can emerge within traditional policies:
- Operational Disruption and Business Interruption:
A ransomware attack locks down a factory’s control system, forcing production to stop for several days. There’s no physical damage, but the financial loss is significant. The question then arises: does the property policy respond to this type of cyber-triggered interruption?
- Data Breach and Third-Party Liability:
An employee unknowingly opens a malicious file, exposing sensitive customer data. The company must notify affected clients and cover related expenses, but its liability policy excludes “electronic data.” The result — uncertainty over whether the incident is covered at all.
- Marine and Supply Chain Disruption:
A vessel’s GPS or logistics software is hacked, leading to delayed or misrouted shipments and increased storage costs. Most marine and cargo policies have never contemplated cyber risks, leaving both shipowners and cargo interests wondering if the loss qualifies for indemnity.
Why It Matters
For corporate risk managers and CFOs, Silent Cyber presents three main challenges:
- Coverage Gaps – Critical financial losses may go uninsured if cyber perils are silently excluded.
- Claims Uncertainty – Ambiguous wording can lead to delayed or disputed indemnity.
- Governance Pressure – With new cybersecurity and data-protection laws (such as Vietnam’s Decree 13/2023/ND-CP), boards must ensure that insurance coverage aligns with compliance expectations.
Looking Ahead
The movement toward transparency in cyber coverage is inevitable. As digital transformation accelerates across Vietnam, insurers and insureds alike will need to align on where cyber risks sit — and how they are priced. The key question isn’t “Do we have Cyber Insurance?” It’s “Do our other policies respond when a cyber event happens?” Because in risk management, what’s silent can still speak the loudest.