Cyber insurance protects against internet-based risks and threats to information technology infrastructure. Determining the appropriate coverage limit for both business interruption (BI) and contingent business interruption (CBI) can be one of the most complex tasks when evaluating a cyber insurance quote.
Business Interruption Coverage in Cyber Insurance
Business interruption coverage is designed to protect a company from the losses it suffers when it cannot operate due to a covered event. In traditional property insurance, covered events might include fires or natural disasters. These are dangers to the business that are covered explicitly by the insurance policy and, in the realm of cyber insurance, typically include cyber attacks. Business interruption coverage is measured as a function of lost revenues while business remains inoperative due to the event and can vary from hours to weeks depending on the extent of the attack. This is relatively simple at face but becomes much more complex when one considers the nuances of cyber insurance. Below are several key points of nuance:
- Attribution of the Event: Determining the cause of a cyber-related business interruption can be challenging. Cyber attacks are not always clear-cut events like a fire or an explosion; they can be subtle, complex, and difficult to trace. It may be difficult to ascertain if an interruption was the result of a malicious attack, a system failure, or human error.
- Definition of “Interruption”: The term “interruption” can be vague within cyber insurance policies. Policies need clear definitions of what constitutes an interruption and the extent to which partial outages or slowdowns in operations are covered.
- Indemnity Periods: BI coverage typically includes an indemnity period – the period during which the insurer will reimburse the business for lost revenues. In cyber policies, establishing the start and end of the indemnity period is not straightforward owing to the potential latency of cyber events; some network intrusions can go undetected for a prolonged period.
- Valuation of Losses: Calculating the financial impact of a cyber business interruption involves assessing not only direct costs but also the loss of profits and the extra expenses incurred to mitigate the interruption. This requires an understanding of the business's operations, revenue streams, and the cyber event's impact on them. It can be challenging to differentiate between losses directly related to the cyber event and those resulting from other causes, such as market changes or competitive pressures that coincided with the cyber event.
- Duration and Scope of Coverage: The duration of a cyber BI event may be much longer than a traditional BI event due to the time required to fully restore data systems and ensure they are secure. Additionally, it's crucial to ascertain the scope of coverage since some policies might have limitations or exclusions on specific events or types of data.
Contingent Business Interruption in Cyber Insurance
Contingent business interruption extends protection to include losses caused by disruptions to the policyholder’s supply chain or service providers. When a key supplier or partner experiences a cyber event that impairs their ability to deliver goods or services, Contingent Business Interruption can cover the resulting financial impact on the insured's business. The complexity in CBI includes:
- Third-Party Dependencies: Companies depend on an array of external partners and services, from cloud service providers to manufacturers. The interconnected nature of these relationships means that disruptions can cascade, making it difficult to trace the source and extent of the interruption.
- Proof of Loss: For a CBI claim to be successful, the policyholder must usually prove that the third-party interruption directly caused the loss of income. This involves obtaining detailed information from the third party about the cyber event, which they may be reluctant to share.
- Exclusions and Limitations: Insurers often include specific exclusions in CBI coverage. These exclusions may involve certain types of third-party service providers, such as telecom or utility companies. There can also be geographic limitations that exclude coverage for events in certain regions or countries.
Quantification of Losses
Quantifying losses from business interruption due to cyber events is an inherently complex endeavor. It necessitates a rigorous approach to financial analysis and often requires the expertise of forensic accountants to dissect and attribute the loss appropriately. Challenges include:
- Historical Financial Performance: Underwriters look at historical financial data to project what the business would have made had it not been for the interruption. For rapidly growing or fluctuating businesses, this can be a point of contention.
- Incremental Costs: Cyber BI claims may involve incremental costs such as overtimes, expedited shipping, consulting fees, and additional IT resources that were necessary to maintain operations during the disruption. Isolating and valuing these costs can be complex.
- Projection of Lost Sales: Businesses must forecast lost sales, which involves speculation. Not only must the immediate loss of income be calculated, but also the longer-term impact on customer relationships and market position.
The Role of Cyber Insurance Specialists
Given these complexities, cyber insurance necessitates a collaborative effort involving insurance specialists, underwriters, risk managers, and IT professionals. Risk assessments must be thorough, considering not only direct risks to the business's network but also indirect risks through third parties and supply chains. It is equally essential to underscore the significance of having knowledgeable professionals who understand the evolving cyber threats and can adeptly navigate the complexities of insurance policies. Cyber insurance specialists, like those at Limit, play a pivotal role in ensuring that businesses are adequately protected in the digital realm. Beyond just risk assessments, these specialists possess a deep understanding of the dynamic and ever-changing nature of cyber threats. They stay abreast of the latest trends, emerging vulnerabilities, and evolving regulatory landscapes, allowing them to tailor insurance solutions for your business. Cyber insurance specialists are instrumental in guiding businesses through the intricate process of policy selection, helping them understand the nuances of coverage, limitations, and potential gaps.
The Limit Perspective
Limit is a digitally-native wholesale insurance broker working on behalf of retailers in multiple lines of insurance and across the United States. Limit works on your behalf to find the right policy based on your insured’s exposure to cyber risk. We can work with insurance providers to help customize cyber policies to fit your needs and the market. Customizable options may include endorsements to extend coverage for certain scenarios or exclude specific elements that are either too risky to cover or already covered under other policies.
Our platform allows you to:
- Obtain instant quotes from cyber carriers
- Find up to $3M in Insurance coverage automatically
- Receive a plan with customizable and comprehensive coverage
- 24/7 support
Limit is building a lean, tech-enabled business that can efficiently deliver insurance policies which are tailored to the needs of individual clients. We have taken some of the first steps to revolutionizing the industry and welcome you to learn more on our website: www.limit.com
Please reach out and connect with us and our representatives on LinkedIn as well.