Today we’re introducing a new series to help brokers drill down into the details of a cyber policy to better understand the coverage they’re offering their clients. Have an idea for what questions you want us to cover in future posts? Drop us a line at email@example.com.
Today we start with Contingent Business Interruption (also known as dependent business interruption in some forms): coverage for insured losses stemming from business interruption caused by interrupted or degraded service from a third-party service provider.
For a basic claim scenario, think of your client, an online retailer, whose website was inaccessible in some parts of the country for several hours due to an outage at their outsourced web hosting provider. In this case, if your client has contingent business interruption coverage, they may be eligible for a claim.
Contingent BI is a relatively new offering for cyber insurance policies and a prime example of how quickly cyber coverage has evolved. Just a few years ago carriers and reinsurers were not entertaining this coverage, due in part to a lack of understanding of cyber risk. Now, while not universal, it’s found in the forms of more than a few markets, including Corvus.
Why has it taken so long to develop? In a word: aggregation. With a few major service providers like Amazon Web Services and Google providing IT services for millions of companies, the risk of a single outage leading to catastrophe-like consequences for carriers loomed large in the minds of reinsurers. Risk aggregation was an unknown quantity.
Yet the demand for this kind of coverage grew, and the market’s understanding and pricing of cyber risk matured. Importantly, there have been examples of near-catastrophic cyber events, like the AWS EC2 outage in 2017, which have turned out not to be overly problematic from an insurance standpoint. In these cases, affected insureds did not experience protracted outages, as service providers were able to fix problems quickly. Reinsurers’ appetite for contingent coverage cracked open enough for more progressive underwriters to begin creating these coverages with waiting periods gauged to the experiences of organizations during these major outage events.
Like many newer coverages in cyber, the language is not universal. Some markets may use “contingent”, others use “dependent”, and others use neither. Other key wordings you may encounter are “security failure” and “system failure”: respectively, a cyber event caused by a cyberattack, and a cyber event caused by an accidental outage, such as one resulting from human error.
For context, here’s the full language Corvus uses:
Contingent Business Interruption: Business Income Loss and Extra Expenses incurred during the Interruption Period caused directly as a result of the total, partial, or intermittent interruption or degradation in service of the Computer System of an Outsourced Service Provider caused directly by a Privacy Breach, Security Breach, or Administrative Error at that Outsourced Service Provider. (Full limits)
Limitations and Exclusions
Some exclusions exist depending on how the coverage is structured. Some policies will identify specific services that count under the coverage, for instance describing specific types of IT providers whose service interruption would qualify. Other policies require the insured to schedule specific vendors rather than providing blanket coverage. Some exclude ‘infrastructure’, meaning basic services like an Internet Service Provider or the electrical grid.
There is also a question of triggers: the system and security failures mentioned above. Contingent BI coverage most often covers security failure. System failure coverage (events not triggered by an attack) is not as common and is often sub-limited when given.
Waiting periods range widely, from conservative to aggressive. Waiting periods under 12 hours are increasingly common. Corvus offers a 6-hour waiting period for this coverage.
Another aspect of the coverage that’s not yet standardized is how markets treat retention. In some cases, the waiting period stands in as the retention, with no additional dollar retention. In others, losses start accruing toward a retention only after the waiting period is up, and in still others losses count from hour 1, but only once the waiting period has been met. Corvus has no dollar retention.
This coverage is still not universal, so check the policies from markets you work with. The more progressive cyber forms will include it. Be sure to review the language with an eye toward the technicalities reviewed above, to ensure you’re offering your client the terms that will cover them best considering the IT service providers they use and the type of business they operate.
Mike Karbassi is Vice President and Head of Cyber Underwriting at Corvus. He specializes in Network Security, Privacy Liability, Technology E&O, Media Liability, and Miscellaneous Professional Liability. Karbassi has over a decade of experience in insurance and is a graduate of the Boston University Questrom School of Business.
Gerritt is the Chief Commercial Officer at Corvus. He has over 20 years of sales and marketing experience, primarily focused on technology and data solutions for the financial services industry.
James co-founded Corvus and is the company’s Chief Technology Officer. A 30+ year technology veteran, Jaimie most recently served as CTO of Iora Health and previously co-founded Gazelle.
Mike Lloyd is the Co-Founder and Chief Product Officer of Corvus Insurance. Previously, Mike co-founded Poncho, a personal lines agency InsurTech startup, and was a venture investor at FJ Labs. Mike has an MBA from Harvard Business School and engineering degrees from Virginia Military Institute and MIT.
Phil is the founder and CEO of Corvus. A 30+ year insurance veteran, Phil co-founded broker William Gallagher Associates (acquired by Arthur J Gallagher in 2015) and was an active leader in both the Worldwide Broker Network and Council of Insurance Agents and Brokers. Phil is the Managing Partner of Edmus Ventures where he invests in InsurTech companies including Verifly, Wellthie, Agentero, and Cover Wallet, and serves on the board of Cover Wallet.