A new report from a group representing London market insurers has highlighted the need for risk managers to carry out an assessment of cyber related business interruption exposures, as well as a careful review of related insurance policy wordings.
A COSTLY DISRUPTION
Historically, companies have associated cyber risk with malicious attacks and data breaches. However, the past 18 months have witnessed a number of cyber incidents that have resulted in substantial business interruption.
Probably best known are the WannaCry and NotPetya malware attacks, which caused widespread disruption in 2017. The attacks closed ports, shut down manufacturing plants and crippled IT systems for logistics firms, service companies and healthcare providers. Consumer goods company, Reckitt Benckiser, reported an estimated sales loss of GBP 110 million as a consequence of the NotPetya attack.
Last year also saw human error trigger a massive system outage for British Airways, which resulted in a projected business interruption loss of GBP 80 million. More recently, an IT platform migration at TSB caused over a month of service disruption for 1.9 million customers, costing the bank GBP 176 million. The incident in April caused TSB to post a half year loss, ultimately costing the bank’s chief executive officer Paul Pester his job. Pester stepped down in August after seven years in the role.
Business interruption coverage under a property damage policy should pay for business interruption losses that flow directly from damage to insured property. Business interruption in cyber policies, at present, tends to be a standalone extension, where triggers are separately defined in the policy wording. Even though a company may have coverage for a particular type of cyber loss, such as the legal costs arising from a data breach, it does not automatically follow that the resulting loss of profits directly caused by that event will also be covered, notes the report from the International Underwriting Association (IUA).
The business interruption section of a cyber insurance policy is usually triggered by disruption to, or failure of, the insured’s IT system or network. Business interruption cover under a cyber policy is available for a wide range of triggers, which can include; unauthorised use of, or access to, the network, a denial of service attack, ransomware/extortion, theft of data, operational errors, outages and system failure.
The report, written in conjunction with forensic accounting experts RGL, notes that the above triggers are not all included in every policy that is currently available. Companies therefore need to ensure that they have identified all of their cyber business interruption risks and that their policy fully addresses these risks.
Considerable differences in business interruption cover exist between cyber insurance policies. For example, while all cyber business interruption policies provide cover for the period of restoration (time taken to restore systems), not all will include a period of extended coverage.
The report also notes that calculating a cyber BI loss differs from that of a property damage BI loss. This requires the insurer to work with the insured entity to ensure that all issues that will influence a calculation are appropriately identified and considered. Insurers also need to work with insureds to establish the best approach for setting waiting periods and deductibles that best suit the insured’s own particular business, as well as how best to measure the period of disruption.
There are also considerations for contingent business interruption cover under cyber policies, according to the IUA. Contingent business interruption insurance is currently available in the cyber market. For example, for cloud providers, outsourced service providers and/or named providers. However, companies may wish to consider the wording of their supply agreements and how information regarding cyber events are shared (which may affect how a policy responds), given the impact that this may have on cyber business interruption insurance.
Cyber risks can be complex and the business interruption consequences of a cyber incident can be significant, says the IUA. The report, therefore, concludes that it is crucial for companies to fully explore the ways in which cyber events could affect their business and therefore identify the key operational risks. It is also important for companies to compare policy wordings to their key risks to ensure that any coverage purchased meets the needs of the business.
The report also highlights the need for a three-way conversation between the company, their broker and underwriters to ensure that the cover that is purchased will respond appropriately in the event of a loss.
Download Cyber Decoder
For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on firstname.lastname@example.org.
YOU MAY ALSO BE INTERESTED IN