Cyber Coverage Explained: Contingent Business Interruption
We're diving into the details of a key insuring agreement to help brokers better understand their clients' cyber coverage.
This post was originally published February 2020 and was updated in September 2021.
Introduction to Contingent Business Interruption
For a basic claim scenario, think of your client, an online retailer, whose website was inaccessible in some parts of the country for several hours due to an outage at their outsourced web hosting provider. In this case, if your client has contingent business interruption coverage, they may be eligible for a claim.
We’ve seen the necessity for Contingent Business Interruption illustrated in recent news, like ransomware group REvil’s attack on Florida-based software provider, Kaseya, which created downstream risk for Managed Service Providers utilizing the on-premise Kaseya VSA solution. This led to outages in unpredictable places, like a supermarket chain in Sweden and several public administration offices in Romania, which highlights the sheer scope of attacks like this.
Background: The Why and How
Contingent BI is a key offering for cyber insurance policies and a prime example of how quickly cyber coverage has evolved. Just a few years ago carriers and reinsurers were not entertaining this coverage, due in part to a lack of understanding of cyber risk. However, It grew in popularity along with the expansion of cyber coverage. As the current cyber market deals with the prevalence of ransomware, and its first significant encounter with a hard market, we’ve seen some stark reductions in coverage.
A major consideration for why we’ve seen some markets pull back on contingent BI is due to aggregation. With a few major service providers like Amazon Web Services and Google providing IT services for millions of companies, the risk of a single outage leading to catastrophe-like consequences for carriers loomed large in the minds of reinsurers. Risk aggregation was an unknown quantity.
There have been examples of near-catastrophic cyber events, like the AWS EC2 outage in 2017, which have turned out not to be overly problematic from an insurance standpoint. In these cases, affected insureds did not experience protracted outages, as service providers were able to fix problems quickly. Reinsurers’ appetite for contingent coverage cracked open enough for more progressive underwriters to begin creating these coverages with waiting periods gauged to the experiences of organizations during these major outage events.
Then ransomware hit. We saw organizations face encryption and massive data loss, which led to skyrocketing ransom payments. Beyond outages, this was a whole new risk for carriers to consider, especially facing the reality of how far reaching a single ransomware attack can be across customers.
The Details: What Brokers Should Watch For
Like many of the coverages we see across cyber, language is not universal. Some markets may use “contingent”, while others use “dependent” - others use neither. Other key wordings you may encounter are “security failure” and “system failure” - respectively, a cyber event caused by a cyberattack, and a cyber event caused by an accidental outage like human error.
For context, here’s the full language Corvus uses:
Contingent Business Interruption: Business Income Loss and Extra Expenses incurred during the Interruption Period caused directly as a result of the total, partial, or intermittent interruption or degradation in service of the Computer System of an Outsourced Service Provider caused directly by a Privacy Breach, Security Breach, or Administrative Error at that Outsourced Service Provider. (Full limits)
Limitations and Exclusions
Some exclusions exist depending on how the coverage is structured. Some policies will identify specific services that count under the coverage, for instance describing specific types of IT providers whose service interruption would qualify. Other policies require the insured to schedule specific vendors rather than providing blanket coverage. Some exclude ‘infrastructure’, meaning basic services like an Internet Service Provider or the electrical grid.
There is also a question of triggers: the system and security failures mentioned above. Contingent BI coverage most often covers security failure. System failure coverage (events not triggered by an attack) is not as common and is often sub-limited when given.
Waiting periods range widely, from conservative to aggressive. Waiting periods under 12 hours are increasingly common. Corvus offers a 6 hour waiting period for this coverage.
Another aspect of the coverage that’s not yet standardized is how markets treat retention. In some cases, the waiting period stands in as the retention, with no additional dollar retention. In others, losses accruing to retention will start counting after the waiting period is up, and still, others count from hour 1 but only after the waiting period is met. Corvus has no dollar retention.
The Bottom Line
This coverage is still not universal, so check the policies from markets you work with. The more progressive cyber forms will include it. Be sure to review the language with an eye toward the technicalities reviewed above, to ensure you’re offering your client the terms that will cover them best considering the IT service providers they use and the type of business they operate.
Ask any CISO and they’ll tell you dealing with the immediate challenges of an active cyber incident is only half the battle (less, actually). An effective response requires a well-executed strategy that covers both before and after an incident to limit both major disruption to operations and financial harm.
On October 4, 2021, a faulty configuration change impacted 3.5 billion people.