Cyber Coverage Explained: Business Interruption
First, let’s set the stage with a definition. Business Interruption covers business income loss and extra expenses incurred during a computer network outage. As a point of differentiation with contingent business interruption, this coverage applies to outages of internally managed IT, such as employee devices or internal networks or databases -- not a cloud computing provider or other type of third-party IT vendor.
Say your client is a wholesale auto parts distributor. If employees are locked out of their computers because of a ransomware attack of their own IT system and cannot process or send orders as a result, and customers have to go seek another supplier, that lost business would potentially fall under business interruption cover.
Background: The Why and How
As we saw with contingent/dependent business interruption in our last post, this cover has evolved rapidly, and recently. A few years ago, if Business Interruption was offered at all, it was likely limited by defined perils that might cause the outage/interruption, and/or by long waiting periods. But as cyber coverage has evolved across the board, and ransomware events have simultaneously become more common, BI coverage has received more scrutiny from brokers and policyholders. If the goal of a hacker is to take down an organization’s system, rather than to steal their data, business interruption is likely to be the most costly outcome of an attack.
With growth in demand from the market and better understanding of cyber risk on the part of carriers, BI coverage has become broader and more generous over time. But as ransomware claims continue to mount, brokers may begin to see more sub-limits or other restrictions applied to this coverage as a result in the near future.
The Details: What Brokers Should Watch For
Just as with Contingent Business Interruption, policy language isn’t universal, although some language is becoming more standardized over time. Key wordings you may encounter are “security failure” and “system failure” – respectively, a cyber event caused by a cyberattack, and a cyber event caused by an accidental outage. Note that some markets will interpret “system failure” as only administrative error, such as misconfiguring a system update. Others, like Corvus, include unintentional damage beyond admin error, including accidental destruction of digital assets, failure in power supply, and more.
Finally, some markets use the term “network” and “network security failure” in describing the IT system involved, and a breach of that system. Corvus uses the term “computer system”.
The following is the Corvus policy form’s language:
Business Income Loss and Extra Expenses incurred during the Interruption Period directly as a result of the total, or partial, or intermittent interruption or degradation in service of an Insured's Computer System caused directly by a Privacy Breach, Security Breach, Administrative Error or Power Failure.
Virtually all BI coverage has a waiting period. This holds a company responsible for a period of system downtime before the insurance starts paying out, meaning short-term outages won’t result in a claim paid. If you are looking at a sophisticated Cyber market for coverage, a Business Interruption waiting period is typically 8-12 hours. Some markets will reduce this time frame for an additional premium or ask more questions about whether or not the insured has tested their system recovery process. Some might even offer lower, enhanced waiting periods that only address one type of attack.
Be aware that some standard market forms or package policies may have 24-hour waiting periods. According to research by IDG, it takes an average of 7 hours to resume normal operations after a data loss incident, so a waiting period of that length would apply to only the most catastrophic outages for your insureds. Most businesses can work with their IT team to calculate their ability to operate offline to see how many hours they can still function normally without losing money. Ideally, they would correlate that estimated time with their Cyber policy.
Corvus offers a 6-hour waiting period as standard on every policy and can consider lowering this as well. Given the average downtime of 7+ hours, many brokers we work with find value in a waiting period under that threshold in the event the insured has already started losing revenue and productivity.
As we saw with Contingent BI, the waiting period may sometimes stand in as the retention, with no additional dollar retention. In other policies, losses accruing to a retention will start counting after the waiting period is up, and still others count from hour 1 but only after the waiting period is met. Corvus has no dollar retention.
Coverage Period: Beginning and Ending
It is crucial to secure Business Interruption coverage wording that triggers regardless of when the insured discovered the issue. Some policies have trigger wording like “substantial degradation” of systems, which leaves the burden of proof on the insured to convince the insurer of exactly how far back the attack began to substantially impact them. This means that if there wasn’t obvious dysfunction impacting a company’s systems until 8 hours after an attack, then a policy with poor wording might not apply those 8 hours to the waiting period -- despite any damage that started ensuing deep in the system. In this situation, the company could be stuck fronting any loss that ensued in those first 8 hours, in addition to another 8-12 hour waiting period before the policy would pay out.
Corvus’s Business Interruption coverage triggers as soon as there is any partial or complete interruption, degradation or failure of computer systems. Corvus’s policy would apply the 6-hour waiting period from the time of the initial attack, so even if the company started losing revenue or productivity from the first minute, they would be able to recoup damages starting from that point (assuming the outage eventually eclipsed the 6-hour waiting period).
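To make the effect of trigger wording and waiting-period length concrete, here is an added worked calculation (not from the original post and not a Corvus tool). It assumes a single hourly loss figure and models the two policy variables the text describes: whether the waiting-period clock starts at the real start of the interruption or only when degradation became evident, and whether loss is paid from hour 1 once the outage outlasts the waiting period or only for hours after it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Outage:
    """One interruption, measured in hours on a single clock (hour 0 = the attack)."""
    attack_hour: float     # when the interruption actually began
    noticed_hour: float    # when dysfunction became obvious to the insured
    restored_hour: float   # hour of full system restoration
    hourly_loss: float     # business income lost per hour of downtime (constructed estimate)


def covered_loss(outage: Outage, waiting_hours: float,
                 trigger: str = "attack", pay_from_hour_one: bool = False) -> float:
    """Business income loss the policy would indemnify under the given wording.

    trigger="attack":  waiting-period clock starts at the real start of the interruption.
    trigger="noticed": clock starts only when degradation became evident, as with
                       'substantial degradation' style wording.
    pay_from_hour_one: once the outage outlasts the waiting period, pay from the first
                       hour; otherwise the waiting period acts as a time retention.
    """
    if trigger not in ("attack", "noticed"):
        raise ValueError("trigger must be 'attack' or 'noticed'")
    clock_start = outage.attack_hour if trigger == "attack" else outage.noticed_hour
    downtime_after_trigger = outage.restored_hour - clock_start
    if downtime_after_trigger <= waiting_hours:
        return 0.0  # the outage never eclipsed the waiting period: nothing is payable
    covered_hours = downtime_after_trigger if pay_from_hour_one \
        else downtime_after_trigger - waiting_hours
    return covered_hours * outage.hourly_loss


def uninsured_loss(outage: Outage, waiting_hours: float,
                   trigger: str = "attack", pay_from_hour_one: bool = False) -> float:
    """The part of the total downtime loss the insured is left fronting."""
    total = (outage.restored_hour - outage.attack_hour) * outage.hourly_loss
    return total - covered_loss(outage, waiting_hours, trigger, pay_from_hour_one)


if __name__ == "__main__":
    # Constructed scenario matching the text: dysfunction only obvious 8 hours after
    # the attack, full restoration 30 hours after it, a made-up $1,000 lost per hour.
    o = Outage(attack_hour=0, noticed_hour=8, restored_hour=30, hourly_loss=1_000)
    for label, kw in [("attack trigger, 6 h wait", dict(waiting_hours=6)),
                      ("attack trigger, 6 h wait, paid from hour 1",
                       dict(waiting_hours=6, pay_from_hour_one=True)),
                      ("noticed trigger, 8 h wait", dict(waiting_hours=8, trigger="noticed")),
                      ("noticed trigger, 12 h wait", dict(waiting_hours=12, trigger="noticed"))]:
        print(f"{label}: covered ${covered_loss(o, **kw):,.0f}, "
              f"uninsured ${uninsured_loss(o, **kw):,.0f}")
```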
In addition to determining the front end of the coverage period, brokers should keep an eye out for the best language regarding when the coverage period ends. Many times, companies think they have full functionality back - only to uncover leftover damage to other processes. The Corvus policy covers the insured for the full Interruption Period until “the date of full system restoration.” This is broader than some policies that limit the period of coverage to the date that the interruption ends - which could leave the insurer off the hook when it comes to truly bringing the client back to full restoration. Even if systems are fully restored, Corvus offers an additional 30 days following that for additional costs to the business.
Finally, some policies also include limiting wording that says their BI indemnity period ends if the insured did not act with due diligence. At Corvus we trust that the vendors we provide for help with breach response will help the insured to act with due diligence, so we don’t include this wording.