When the first cyber insurance policies emerged in the late 1990s, aimed at the first breed of dotcom companies, system business interruption was one of the primary drivers of these products. These were companies that had a reliance upon technology that had yet to become commonplace in the rest of the business world. They transacted business super quickly; their day-to-day operations were models of digital efficiency; and they were completely at the mercy of their systems’ performance.
Unfortunately the dotcom boom soon turned to bust, and those first buyers of cyber insurance disappeared along with the products that they purchased. With the passage of the first breach notification laws in California, however, the cyber insurance market was reborn, but the main focus of these policies was no longer system business interruption but the cost of handling a data breach. Since then, the cyber landscape has been dominated by privacy risk and only recently has the issue of cybercrime come to rival it for attention in cyber wordings.
At CFC, we’ve seen a consistent increase in the volume of system business interruption losses year-on-year for the past five years, and they’re becoming some of the most severe losses that we now pay. James Burns, Cyber Product Leader, CFC Underwriting
We’ve now come full circle and system business interruption is back at the forefront. At CFC, we’ve seen a consistent increase in the volume of system business interruption losses year-on-year for the past five years, and they’re becoming some of the most severe losses that we now pay. The problem is that, until very recently, this cover has been massively overlooked by the market. BI cover in cyber policies hasn’t matured in the same way that data breach covers have, and this has resulted in a lack of standardisation around BI in policy wordings, with a wide range of different approaches being adopted by insurers. This lack of uniformity can be confusing for both customers and brokers and it’s worthwhile looking at some of the common areas where problems can arise.
Take indemnity periods as a case in point. In a typical business interruption policy relating to property damage, the insured would be indemnified until they were back to the same financial position that they would have enjoyed had it not been for the loss.
To illustrate this point, let’s take a look at a topical example. You may have seen on the news that Primark, a multinational clothing and accessories retailer, recently suffered from a major fire at their store in central Belfast, Northern Ireland. Whilst they are unable to use this building, they will suffer from a reduction in sales. But even once they are able to use the building again, they won’t immediately start trading at the same level that they would have had the fire not taken place. After all, they will need to re-stock the premises, re-engage with their suppliers and re-attract customers who may have started shopping elsewhere. This is why their business interruption policy won’t stop paying out once the building has been rebuilt and is fit for use again. It will continue to pay until the business is operationally sound and has returned to the same financial position they would have been in had the fire not occurred (up to the maximum indemnity period).
To put this into a cyber context, business interruption cover should protect you not only for the period that your computer systems are down, but until your business has returned to the financial position that you would have enjoyed if the system outage hadn’t occurred. What defines the indemnity period is still a huge area of inconsistency amongst cyber polices, especially in those territories where the cyber insurance market is less mature.
Indemnity periods on cyber policies typically work in one of three ways:
- The policy will reimburse the loss only for the time that systems are down and not actually functioning. As soon as the systems are up and running again as normal, the policy stops responding and no more money is payable to the insured.
- The policy will reimburse the loss for the time that systems are down, as well as continuing to provide cover after the systems have been restored to their normal functionality for an arbitrary number of days.
- The policy will reimburse all losses (including those incurred once systems are up and running again) that fall within the indemnity period, up until the point that the insured has returned to the same financial position that they would have enjoyed had the system outage not occurred.
Depending on the type of policy an insured has purchased and the nature of their business activities, that could be a difference of hundreds of thousands, if not millions, of dollars that they may or may not have reimbursed, solely determined by the way in which the indemnity period operates. Typically, the third option shown in the above graphic is the most beneficial for insureds.
At CFC, the most severe system business interruption claims that we’ve come across have seen the insured in question still losing revenue for a substantial period of time after their systems were back up and running. Therefore, making sure that an insured has an indemnity period that is long enough to deal with any business interruption losses that may occur after their computer systems have been restored is key.
To read our cyber claims case study on how a property management firm benefited from a longer indemnity period, click here.
