Property and casualty (P&C) insurers have been warned they may be on the hook for millions in insurance payouts because they have unwittingly included cyber coverage in many policies.

Moody’s latest P&C report says ambiguous policy wordings or a lack of exclusions is leaving some cyber coverage “embedded” in policies. To make matters worse, commercial property policy limits are often multiples of the limits provided for cyber-only coverage.

The ratings agency says accurate assessment and management of “silent cyber exposures” in commercial property and liability policies should be a top priority for insurers.

Two ongoing court cases in the US related to the global NotPetya cyber attacks of 2017 are proving an obstacle to assessing insurer’s true cyber exposures.

The report says that in both cases cyber coverage was embedded in traditional P&C policies, but the insurers are denying coverage on the grounds that the attack was an act of war or terrorism and therefore excluded.

It says insurers are closely monitoring the court’s interpretation of the specific language in the contracts.

The report says insurers are also assessing their true cyber exposures, including creating an inventory of policies with embedded cyber exposure, modifying policy terms and conditions and allocating premiums to policies that contain cyber risk.

They are also implementing cyber sub-limits and shifting cyber risk to standalone policies.