One of the consequences of the lack of standardisation in cyber policy wordings is that there is a bewildering range of terms out there for the concept of time retentions: time retention, time franchise and waiting period are just some of the expressions that you are likely to come across. All these different phrases can become a bit confusing, but the main question that needs to be asked here is: “does the entire BI loss get paid?” The answer to this question can vary from insurer to insurer, depending on how the policy operates.
Let’s consider the example of an online retailer. They get hit by a distributed denial of service (DDoS) attack, whereby cyber criminals use multiple computers under their control to flood the retailer’s website, resulting in it crashing and rendering it inaccessible to normal internet users. As the business is an online retailer, their website is their only way of selling their products. So as soon as their website is down, they start seeing an immediate and dramatic drop-off in revenue. In this case, the DDoS attack manages to take down the company’s website for a total of 16 hours. Following this event, the company turns to their cyber insurer for the reimbursement of their financial loss during this period.
Depending on the type of cyber policy that the business has purchased, the policy will generally respond in one of two ways:
- Loss in excess of the time retention period
  The policy will be triggered once the system has been down for a set number of hours (typically this is eight hours on a cyber policy), but the policy will only pay from that point onwards. So if the set number of hours for the waiting period is eight hours and the website was down for 16 hours, the losses incurred during the first eight hours that the website was down would not be covered.
- Loss within the time retention period
  The policy will be triggered once the system has been down for a set number of hours, but in this case the policy pays from the initial starting-point of the outage. So if the set number of hours for the time retention is eight hours and the website was down for 16 hours, the policy would pay for the whole 16 hours’ worth of lost income and additional expenses.
This is an important distinction. With the first option outlined above, the first eight hours’ worth of financial loss is not covered. With the second option, the business is looking at an additional eight hours’ worth of financial loss being recoverable under the policy. This could make a big financial difference to the organisation.
Therefore, making sure that your cyber policy covers the entirety of the loss after the time retention has been exhausted is key. Unfortunately, this is not always apparent in the policy wording, so it’s always worth checking with the insurance provider in question as to how this particular part of their policy works in practice.