In this month’s edition Molly McGinnis Stine of Locke Lord, a member of JLT’s Cyber Risk Consortium discusses business interruption in a cyber risk world.
Highly publicised recent cyber incidents have raised alarms about business interruption. Business interruption scenarios can affect a single entity, a geographic area, an industry, or a multifaceted combination of all of these or multiples of these. It’s not hard to imagine how wide the reach of a cyber attack could be.
As examples, we all know about two situations significant in scope, although, fortunately, apparently relatively contained in effect. Last fall’s attack on Dyn, a global company supporting internet infrastructure, hit millions of IP addresses and temporarily brought down major websites around the world. This spring’s WannaCry ransomware onslaught created disruptions for numerous entities in 150 countries and spotlighted the potential for such issues for a myriad of others.
Following such incidents, entities can face downtime, lost sales, lapsed production, foregone customers, and other consequences. Outages or reduced capabilities may be brief or prolonged, with effects likely, but not necessarily, scaled to the length. Even after restoration, an entity’s reputation can still suffer and the potential economic benefit of customers or clients diverted may not be recovered. These are just some examples but illustrate the importance of the business interruption topic to insureds of all sizes and types.
The insurance industry is rapidly evolving to write possible coverages for business interruption in a cyber context. Such developments merit close watch. Although policy wordings and applicable limits or sublimits will vary, certain issues, among others, are likely to arise:
Causation: an affected insured must carefully consider its insurance contract to understand what causes of interrupted business may be covered. It must, either on its own or with assistance from a technical expert, timely identify and document what it contends caused the business interruption.
Data: an affected insured must document the lost revenue, lost profits or other economic loss potentially covered under its insurance contract. This will require, for example, comparisons to prior relevant timeframes. As part of its risk management in advance of any incident, an insured should consider whether it maintains or can generate data or reports to demonstrate relevant differences pre- and post-incident. In addition, to the extent that an insured alleges additional economic loss as a result of an incident, an insured should document the amounts involved and how they came to be incurred. The insured should consider the language of its insurance policy to assess whether its insurer’s consent is required before incurring any amounts for which the insured may seek coverage.
Mitigation: there may be steps an insured can take to reduce the duration or impact of an incident. An insured’s insurance policy may require such remedial measures. Also, depending on the wording, an insured may need to seek an insurer’s consent before undertaking such activities. Further, an insured should document the necessity or benefits of any such actions and the reasonableness of the specific amounts incurred.
Download Cyber Decoder
For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on email@example.com