Business interrupted: Part one

Business interruption series: Part 1Today, business interruption in cyber insurance policies is back in a big way. To explore this growing risk, we’re running a three-part blog series on the subject exploring the many ways in which BI cover is essential for modern businesses, and key things brokers and clients should look out for. Today’s post examines the value of longer indemnity periods.

When the first cyber insurance policies emerged in the late 1990s, aimed at the first breed of dotcom companies, system business interruption was one of the primary drivers of these products. These were companies that had a reliance upon technology that had yet to become commonplace in the rest of the business world. They transacted business super quickly; their day-to-day operations were models of digital efficiency; and they were completely at the mercy of their systems’ performance.

Unfortunately the dotcom boom soon turned to bust, and those first buyers of cyber insurance disappeared along with the products that they purchased. With the passage of the first breach notification laws in California, however, the cyber insurance market was reborn, but the main focus of these policies was no longer system business interruption but the cost of handling a data breach. Since then, the cyber landscape has been dominated by privacy risk and only recently has the issue of cybercrime come to rival it for attention in cyber wordings.

We’ve now come full circle and system business interruption is back at the forefront. At CFC, we’ve seen a consistent increase in the volume of system business interruption losses year-on-year for the past five years, and they’re becoming some of the most severe losses that we now pay. The problem is that, until very recently, this cover has been massively overlooked by the market. BI cover in cyber policies hasn’t matured in the same way that data breach covers have, and this has resulted in a lack of standardisation around BI in policy wordings, with a wide range of different approaches being adopted by insurers. This lack of uniformity can be confusing for both customers and brokers and it’s worthwhile looking at some of the common areas where problems can arise.

Take indemnity periods as a case in point. In a typical business interruption policy relating to property damage, the insured would be indemnified until they were back to the same financial position that they would have enjoyed had it not been for the loss.

To illustrate this point, let’s take a look at a topical example. You may have seen on the news that Primark, a multinational clothing and accessories retailer, recently suffered from a major fire at their store in central Belfast, Northern Ireland. Whilst they are unable to use this building, they will suffer from a reduction in sales. But even once they are able to use the building again, they won’t immediately start trading at the same level that they would have had the fire not taken place. After all, they will need to re-stock the premises, re-engage with their suppliers and re-attract customers who may have started shopping elsewhere. This is why their business interruption policy won’t stop paying out once the building has been rebuilt and is fit for use again. It will continue to pay until the business is operationally sound and has returned to the same financial position they would have been in had the fire not occurred (up to the maximum indemnity period).

To put this into a cyber context, business interruption cover should protect you not only for the period that your computer systems are down, but until your business has returned to the financial position that you would have enjoyed if the system outage hadn’t occurred. What defines the indemnity period is still a huge area of inconsistency amongst cyber polices, especially in those territories where the cyber insurance market is less mature.

Indemnity periods on cyber policies typically work in one of three ways:
1) The policy will reimburse the loss only for the time that systems are down and not actually functioning. As soon as the systems are up and running again as normal, the policy stops responding and no more money is payable to the insured.
2) The policy will reimburse the loss for the time that systems are down, as well as continuing to provide cover after the systems have been restored to their normal functionality for an arbitrary number of days.
3) The policy will reimburse all losses (including those incurred once systems are up and running again) that fall within the indemnity period, up until the point that the insured has returned to the same financial position that they would have enjoyed had the system outage not occurred.

Click icon to view larger graphic: Business interruption and indemnity periods

Depending on the type of policy an insured has purchased and the nature of their business activities, that could be a difference of hundreds of thousands, if not millions, of dollars that they may or may not have reimbursed, solely determined by the way in which the indemnity period operates. Typically, the third option shown above is the most beneficial for insureds.

At CFC, the most severe system business interruption claims that we’ve come across have seen the insured in question still losing revenue for a substantial period of time after their systems were back up and running. Therefore, making sure that an insured has an indemnity period that is long enough to deal with any business interruption losses that may occur after their computer systems have been restored is key.

To read our cyber claims case study on how a property management firm benefited from a longer indemnity period, click here.

Cyber claims case study: Software shutdown

Cyber claims case study: Software shutdownThis month’s cyber insurance claims case study tells the story of a property management company that fell victim to a ransomware attack, putting an end to their primary software system.

Fortunately, their CFC cyber insurance policy helped to cover the costs of implementing a new software system, including large-scale data re-entry, as well as the shortfall in income caused by customers cancelling their contracts as a result of the cyber event and the service performance issues that stemmed from it. Read the full case study here.

The key takeaway points are as follows:

  • Cyber insurance policies have historically offered relatively short indemnity periods under the business interruption section – usually 3-6 months as standard. However, it is becoming increasingly clear that the operational impact of a cyber event can be felt for much longer than a 3-6 month period would allow for.
  • In this instance, the full reputational impact of the cyber event was not felt until after the 3-6 month indemnity period that you would find on many cyber insurance policies. The policyholder had a 12-month indemnity period in place and this enabled them to pick up the majority of their business interruption loss under the policy. Had the insured only had a 3 month indemnity period, however, they would not have been covered at all, as all of the cancelled contracts fell outside of this period.
  • Businesses that receive their income on a contractual basis could be more exposed to BI losses, as the cancellation of monthly or annual contracts could very quickly result in sizeable financial losses being incurred. Businesses that receive their revenue in this way should consider factoring this in when selecting an appropriate limit for their policy.
  • Having legacy systems in place could also increase a business’s exposure to a cyber event. The fact that this insured used a superannuated software system meant that they were especially vulnerable, as it soon became clear that it was not possible to restore their software and resume their normal service. Other businesses might have had their server encrypted in just the same way, but if they were using modern software packages they would most likely have recovered much more quickly.

Read the full case study here.

Want to learn more about business interruption and indemnity periods? Read the first post in our BI blog series here.

Cyber Claims Case Study: Reputational Repercussions – Online Retailer Grapples with Data Breach

This month’s cyber claims case study tells the story of an online retailer that had to notify over 90,000 customers following a breach of credit card details, leading to a damaged reputation and subsequent income loss. To find out how our policy responded, read the full case study here.

The key takeaway points are as follows:

  • As businesses become increasingly dependent on their computer systems to perform critical elements of their operations, it comes as no surprise that financial losses due to system outages are becoming both more frequent and severe. However, brokers and their clients shouldn’t focus solely on system outages when it comes to business interruption.
  • Often referred to as consequential reputational harm, business interruption as a result of a data breach is starting to impact many organisations and can be equally as disruptive as a system outage. In such cases, even though an insured may not have suffered any meaningful system downtime, they can suffer serious reputational harm in the eyes of their customers and suppliers, resulting in a subsequent drop-off in income.
  • The financial impact of a cyber incident can be long-lasting and the value of having longer indemnity periods in cyber policies is becoming increasingly apparent. The insured’s policy with CFC had a 12-month indemnity period in place, but many cyber policies only offer 3-6 month indemnity periods as standard. In this case, had the policyholder only had a 3 month indemnity period, they would only have been eligible to claim for three months’ worth of lost profits rather than 12.

Although the insured was based in the US, the importance of having reputational harm cover will become increasingly relevant to most organisations outside of the US as well. The notification requirements introduced by the GDPR, the Notifiable Data Breaches Scheme in Australia and the Digital Privacy Act in Canada will mean that notifying customers of data breaches will become more common and the risk of consequential reputational harm will increase.

Read the full case study here.