6 March 2020

Cyber Coverage Explained: Business Interruption

Hannah Hoeflinger | Director of Business Development, National Accounts

Recently my colleague Joel Fehrman explained what brokers need to know about Contingent Business Interruption coverage. This week we will explore non-contingent business interruption: the more straightforward coverage, conceptually, but still one with many considerations that need to be explored. Waiting periods, coverage trigger language, and the time period of restoration provided are often overlooked in a policy but can be extremely impactful to your clients in the event of a claim.  

First, let’s set the stage with a definition. Business Interruption covers business income loss and extra expenses incurred during a computer network outage. As a point of differentiation with contingent business interruption, this coverage applies to outages of internally managed IT, such as employee devices or internal networks or databases — not a cloud computing provider or other type of third-party IT vendor. 

Say your client is a wholesale auto parts distributor. If employees are locked out of their computers because of a ransomware attack on their own IT system and cannot process or send orders as a result, and customers have to seek another supplier, that lost business would potentially fall under business interruption cover.

Background: The Why and How

As we saw with contingent/dependent business interruption in our last post, this cover has evolved rapidly, and recently. A few years ago, if Business Interruption was offered at all, it was likely limited by defined perils that might cause the outage/interruption, and/or by long waiting periods. But as cyber coverage has evolved across the board and ransomware events have simultaneously become more common, BI coverage has received more scrutiny from brokers and policyholders. If the goal of a hacker is to take down an organization’s system, rather than to steal its data, business interruption is likely to be the most costly outcome of an attack.

With growth in demand from the market and better understanding of cyber risk on the part of carriers, BI coverage has become broader and more generous over time. But as ransomware claims continue to mount, brokers may begin to see more sub-limits or other restrictions applied to this coverage in the near future.

The Details: What Brokers Should Watch For

Common Language

Just as with Contingent Business Interruption, policy language isn’t universal, although some language is becoming more standardized over time. Key wordings you may encounter are “security failure” and “system failure” – respectively, a cyber event caused by a cyberattack, and a cyber event caused by an accidental outage. Note that some markets will interpret “system failure” as only administrative error, such as misconfiguring a system update. Others, like Corvus, include unintentional damage beyond admin error, including accidental destruction of digital assets, failure in power supply, and more. 

Finally, some markets use the terms “network” and “network security failure” in describing the IT system involved, and a breach of that system. Corvus uses the term “computer system”.

The following is the Corvus policy form’s language: 

Business Income Loss and Extra Expenses incurred during the Interruption Period directly as a result of the total, or partial, or intermittent interruption or degradation in service of an Insured’s Computer System caused directly by a Privacy Breach, Security Breach, Administrative Error or Power Failure.

Waiting Periods

Virtually all BI coverage has a waiting period. This holds a company responsible for a period of system downtime before the insurance starts paying out, meaning short-term outages won’t result in a claim paid. If you are looking at a sophisticated Cyber market for coverage, a Business Interruption waiting period is typically 8-12 hours. Some markets will reduce this time frame for an additional premium or ask more questions about whether or not the insured has tested their system recovery process. Some might even offer lower, enhanced waiting periods that only address one type of attack. 

Be aware that some standard market forms or package policies may have 24-hour waiting periods. According to research by IDG, it takes an average of 7 hours to resume normal operations after a data loss incident, so with a waiting period of that length the policy would respond to only the most catastrophic outages for your insureds. Most businesses can work with their IT team to calculate their ability to operate offline and see how many hours they can still function normally without losing money. Ideally, they would correlate that estimated time with the waiting period in their Cyber policy.

Corvus offers a 6-hour waiting period as standard on every policy and can consider lowering this as well. Given the average downtime of 7+ hours, many brokers we work with find value in a waiting period under that threshold in the event the insured has already started losing revenue and productivity.

Retention structure

As we saw with Contingent BI, the waiting period may sometimes stand in as the retention, with no additional dollar retention. In other policies, losses accruing to a retention will start counting after the waiting period is up, and in still others they count from hour 1, but only once the waiting period has been met. Corvus has no dollar retention.

Coverage Period: Beginning and Ending

It is crucial to secure Business Interruption coverage wording that triggers regardless of when the insured discovered the issue. Some policies have trigger wording like “substantial degradation” of systems, which leaves the burden of proof on the insured to convince the insurer of exactly how far back the attack began to substantially impact them. This means that if there wasn’t obvious dysfunction impacting a company’s systems until 8 hours after an attack, then a policy with poor wording might not apply those 8 hours to the waiting period — despite any damage that started ensuing deep in the system. In this situation, the company could be stuck fronting any loss that ensued in those first 8 hours, in addition to another 8-12 hour waiting period before the policy would pay out.

Corvus’s Business Interruption coverage triggers as soon as there is any partial or complete interruption, degradation or failure of computer systems. Corvus’s policy would apply the 6-hour waiting period from the time of the initial attack, so even if the company started losing revenue or productivity from the first minute, they would be able to recoup damages starting from that point (assuming the outage eventually eclipsed the 6-hour waiting period).

In addition to determining the front end of the coverage period, brokers should keep an eye out for the best language regarding when the coverage period ends. Many times, companies think they have full functionality back – only to uncover left-over damage to other processes. The Corvus policy covers the insured for the full Interruption period until “the date of full system restoration.” This is broader than some policies that limit the period of coverage to the date that the interruption ends – which could leave the insurer off the hook when it comes to truly bringing the client back to full restoration. Even if systems are fully restored, Corvus offers an additional 30 days following that for additional costs to the business. 

Finally, some policies also include limiting wording that says their BI indemnity period ends if the insured did not act with due diligence. At Corvus we trust that the vendors we provide for help with breach response will help the insured to act with due diligence, so we don’t include this wording.
