Business interrupted: Part one

Business interruption series: Part 1Today, business interruption in cyber insurance policies is back in a big way. To explore this growing risk, we’re running a three-part blog series on the subject exploring the many ways in which BI cover is essential for modern businesses, and key things brokers and clients should look out for. Today’s post examines the value of longer indemnity periods.

When the first cyber insurance policies emerged in the late 1990s, aimed at the first breed of dotcom companies, system business interruption was one of the primary drivers of these products. These were companies that had a reliance upon technology that had yet to become commonplace in the rest of the business world. They transacted business super quickly; their day-to-day operations were models of digital efficiency; and they were completely at the mercy of their systems’ performance.

Unfortunately the dotcom boom soon turned to bust, and those first buyers of cyber insurance disappeared along with the products that they purchased. With the passage of the first breach notification laws in California, however, the cyber insurance market was reborn, but the main focus of these policies was no longer system business interruption but the cost of handling a data breach. Since then, the cyber landscape has been dominated by privacy risk and only recently has the issue of cybercrime come to rival it for attention in cyber wordings.

We’ve now come full circle and system business interruption is back at the forefront. At CFC, we’ve seen a consistent increase in the volume of system business interruption losses year-on-year for the past five years, and they’re becoming some of the most severe losses that we now pay. The problem is that, until very recently, this cover has been massively overlooked by the market. BI cover in cyber policies hasn’t matured in the same way that data breach covers have, and this has resulted in a lack of standardisation around BI in policy wordings, with a wide range of different approaches being adopted by insurers. This lack of uniformity can be confusing for both customers and brokers and it’s worthwhile looking at some of the common areas where problems can arise.

Take indemnity periods as a case in point. In a typical business interruption policy relating to property damage, the insured would be indemnified until they were back to the same financial position that they would have enjoyed had it not been for the loss.

To illustrate this point, let’s take a look at a topical example. You may have seen on the news that Primark, a multinational clothing and accessories retailer, recently suffered from a major fire at their store in central Belfast, Northern Ireland. Whilst they are unable to use this building, they will suffer from a reduction in sales. But even once they are able to use the building again, they won’t immediately start trading at the same level that they would have had the fire not taken place. After all, they will need to re-stock the premises, re-engage with their suppliers and re-attract customers who may have started shopping elsewhere. This is why their business interruption policy won’t stop paying out once the building has been rebuilt and is fit for use again. It will continue to pay until the business is operationally sound and has returned to the same financial position they would have been in had the fire not occurred (up to the maximum indemnity period).

To put this into a cyber context, business interruption cover should protect you not only for the period that your computer systems are down, but until your business has returned to the financial position that you would have enjoyed if the system outage hadn’t occurred. What defines the indemnity period is still a huge area of inconsistency amongst cyber polices, especially in those territories where the cyber insurance market is less mature.

Indemnity periods on cyber policies typically work in one of three ways:
1) The policy will reimburse the loss only for the time that systems are down and not actually functioning. As soon as the systems are up and running again as normal, the policy stops responding and no more money is payable to the insured.
2) The policy will reimburse the loss for the time that systems are down, as well as continuing to provide cover after the systems have been restored to their normal functionality for an arbitrary number of days.
3) The policy will reimburse all losses (including those incurred once systems are up and running again) that fall within the indemnity period, up until the point that the insured has returned to the same financial position that they would have enjoyed had the system outage not occurred.

Click icon to view larger graphic: Business interruption and indemnity periods

Depending on the type of policy an insured has purchased and the nature of their business activities, that could be a difference of hundreds of thousands, if not millions, of dollars that they may or may not have reimbursed, solely determined by the way in which the indemnity period operates. Typically, the third option shown above is the most beneficial for insureds.

At CFC, the most severe system business interruption claims that we’ve come across have seen the insured in question still losing revenue for a substantial period of time after their systems were back up and running. Therefore, making sure that an insured has an indemnity period that is long enough to deal with any business interruption losses that may occur after their computer systems have been restored is key.

To read our cyber claims case study on how a property management firm benefited from a longer indemnity period, click here.

Cyber claims case study: Software shutdown

Cyber claims case study: Software shutdownThis month’s cyber insurance claims case study tells the story of a property management company that fell victim to a ransomware attack, putting an end to their primary software system.

Fortunately, their CFC cyber insurance policy helped to cover the costs of implementing a new software system, including large-scale data re-entry, as well as the shortfall in income caused by customers cancelling their contracts as a result of the cyber event and the service performance issues that stemmed from it. Read the full case study here.

The key takeaway points are as follows:

  • Cyber insurance policies have historically offered relatively short indemnity periods under the business interruption section – usually 3-6 months as standard. However, it is becoming increasingly clear that the operational impact of a cyber event can be felt for much longer than a 3-6 month period would allow for.
  • In this instance, the full reputational impact of the cyber event was not felt until after the 3-6 month indemnity period that you would find on many cyber insurance policies. The policyholder had a 12-month indemnity period in place and this enabled them to pick up the majority of their business interruption loss under the policy. Had the insured only had a 3 month indemnity period, however, they would not have been covered at all, as all of the cancelled contracts fell outside of this period.
  • Businesses that receive their income on a contractual basis could be more exposed to BI losses, as the cancellation of monthly or annual contracts could very quickly result in sizeable financial losses being incurred. Businesses that receive their revenue in this way should consider factoring this in when selecting an appropriate limit for their policy.
  • Having legacy systems in place could also increase a business’s exposure to a cyber event. The fact that this insured used a superannuated software system meant that they were especially vulnerable, as it soon became clear that it was not possible to restore their software and resume their normal service. Other businesses might have had their server encrypted in just the same way, but if they were using modern software packages they would most likely have recovered much more quickly.

Read the full case study here.

Want to learn more about business interruption and indemnity periods? Read the first post in our BI blog series here.