As far as insurance goes, Business Interruption (“BI”) is one of those topics that is frequently misunderstood. When people start speaking about BI, they often feel that it is too complex of a subject and can become easily overwhelmed. Forensic accountants, adjusters, and even insurance companies often disagree on how business interruption should be viewed and calculated when a loss occurs. Now, Cyber Business Interruption (“Cyber BI”) is being added to this conversation and many people simply feel lost. There is very little consensus on how Cyber BI should be valued, defined, calculated and ultimately adjusted. This is a problem due to the growing importance of Cyber BI coverage which is playing a critical role as more companies introduce technology to their operations.
The insurance industry has been offering Cyber insurance for a while now. In the past, the coverage typically provided reimbursement for costs required to address a data breach, replace damaged equipment, notify consumers, provide credit monitoring and other related expenses. Recently, the focus has slowly shifted to also covering the financial losses caused by cyber events. This is highlighted in the 9th annual Advisen & Zurich Information Security & Cyber Risk Management Survey. The survey is sent out to over 350 respondents including risk managers, executives and other risk professionals. This year, Cyber-related business interruption was named as the number-one risk by 94.5% of survey respondents, only edged out by a data breach that came in at 95%. The results follow a trend where risk managers and businesses are becoming more focused on how these cyber events will impact their businesses and what can be done to protect against cyber loss.
In an attempt to clear up some of the confusion surrounding the topic of Cyber BI and to give guidance on how to begin assessing Cyber BI, here are some basic concepts to consider:
In general, business interruption is any type of disruption to the normal operations of a company, typically caused by a variety of tangible events (fire, flood, etc.). BI insurance provides coverage for the loss of business income that results from the interruption. This coverage is normally triggered by physical damage, such as a building burning, that prevents a company from operating normally. Nowadays, top of mind is the threat of a cyber-attack or a cyber event that will result in a direct, negative financial impact on the business. The operational impact on a business can be substantial and severe even in the absence of physical damage.
When purchasing BI insurance, whether it’s property damage or cyber-related, businesses struggle to know how much insurance coverage they should purchase. While there are numerous ways to calculate this, we will provide a few of the key differences between business interruption related to traditional property damage and business interruption related to cyber events that should be considered when assessing BI exposure:
| Description | Traditional | Cyber |
|---|---|---|
| Personnel Required to Assess BI Exposure | Risk Manager, CFO/Controller, Operations Manager | Risk Manager, CFO/Controller, Operations Manager, IT Personnel, CISO/CTO, General Counsel |
| Peril Constraints | Confined to geographic area | No physical constraints |
| Period of Restoration | Clearly defined start (DOL); defined POI vs EPOI | Less certainty as to start and end of cyber incident |
| Valuation Periods of Measurement | Loss valued for weeks & months of interruption | Loss valued in hours & days of interruption |
| Reputational Risk | Little to none | High |
Understanding how a physical disruption and a cyber disruption may play out differently will help organizations begin the process of assessing their cyber BI exposure. Each organization is unique and there is no “one-size-fits-all” approach to assessing the potential impact of a loss. In addition to the factors cited above, due consideration should be given to the following questions:
- Does the business have a disaster response plan? If so, what are the costs to implement this plan (e.g., temporary office space)?
- Is the business seasonal? Would a BI loss be greater in one part of the year than another?
- What proactive steps has the business taken to limit the length of any disruption?
While business interruption terminology can seem complicated and confusing, it’s always important to keep this basic principle in mind. Simply put, the intent of business interruption insurance is to place a business in the same financial position that it would have been in “but for” the loss event. Cyber BI insurance is no different.