Cyber Coverage Explained: Contingent Business Interruption
Today we're diving into the details of a key insuring agreement to help brokers better understand their clients' cyber coverage.
Is there a coverage you want to see explained? Drop us a line at email@example.com.
Introduction to Contingent Business Interruption
Today we're discussing Contingent Business Interruption (also known as dependent business interruption in some forms): coverage for insured losses stemming from business interruption caused by interrupted or degraded service from a third-party service provider.
For a basic claim scenario, think of your client, an online retailer, whose website was inaccessible in some parts of the country for several hours due to an outage at their outsourced web hosting provider. In this case, if your client has contingent business interruption coverage, they may be eligible for a claim.
Background: The Why and How
Contingent BI is a relatively new offering for cyber insurance policies and a prime example of how quickly cyber coverage has evolved. Just a few years ago carriers and reinsurers were not entertaining this coverage, due in part to a lack of understanding of cyber risk. Now, while not universal, it’s found in the forms of more than a few markets, including Corvus.
Why has it taken so long to develop? In a word: aggregation. With a few major service providers like Amazon Web Services and Google providing IT services for millions of companies, the risk of a single outage leading to catastrophe-like consequences for carriers loomed large in the minds of reinsurers. Risk aggregation was an unknown quantity.
Yet the demand for this kind of coverage grew, and the market’s understanding and pricing of cyber risk matured. Importantly, there have been examples of near-catastrophic cyber events, like the AWS EC2 outage in 2017, which have turned out not to be overly problematic from an insurance standpoint. In these cases, affected insureds did not experience protracted outages, as service providers were able to fix problems quickly. Reinsurers’ appetite for contingent coverage cracked open enough for more progressive underwriters to begin creating these coverages with waiting periods gauged to the experiences of organizations during these major outage events.
The Details: What Brokers Should Watch For
Like many newer coverages in cyber, language is not universal. Some markets may use “contingent”, while others use “dependent”, and still others use neither. Other key wordings you may encounter are “security failure” and “system failure”: respectively, a cyber event caused by a cyberattack, and a cyber event caused by an accidental outage like human error.
For context, here’s the full language Corvus uses:
Contingent Business Interruption: Business Income Loss and Extra Expenses incurred during the Interruption Period caused directly as a result of the total, partial, or intermittent interruption or degradation in service of the Computer System of an Outsourced Service Provider caused directly by a Privacy Breach, Security Breach, or Administrative Error at that Outsourced Service Provider. (Full limits)
Limitations and Exclusions
Some exclusions exist depending on how the coverage is structured. Some policies will identify specific services that count under the coverage, for instance describing specific types of IT providers whose service interruption would qualify. Other policies require the insured to schedule specific vendors rather than providing blanket coverage. Some exclude ‘infrastructure’, meaning basic services like an Internet Service Provider or the electrical grid.
There is also a question of triggers: the system and security failures mentioned above. Contingent BI coverage most often covers security failure. System failure coverage (events not triggered by an attack) is not as common and is often sub-limited when given.
Waiting periods range widely, from conservative to aggressive. Waiting periods under 12 hours are increasingly common. Corvus offers a 6-hour waiting period for this coverage.
Another aspect of the coverage that’s not yet standardized is how markets treat retention. In some cases, the waiting period stands in as the retention, with no additional dollar retention. In others, losses begin accruing toward a retention only after the waiting period is up, and in still others losses count from hour 1, but only once the waiting period has been met. Corvus has no dollar retention.
The Bottom Line
This coverage is still not universal, so check the policies from markets you work with. The more progressive cyber forms will include it. Be sure to review the language with an eye toward the technicalities reviewed above, to ensure you’re offering your client the terms that will cover them best considering the IT service providers they use and the type of business they operate.