Cyber business interruption is financial loss incurred by an organization when operations are disrupted due to a cyber event. Cyber insurance can protect firms from cyber business interruption, but cyber insurance isn’t standardized, so each insurer offers something different. Many insurers don’t even rely on the time-tested terms and conditions used in property insurance policies. Unfortunately, the coverage available for cyber business interruption varies radically by insurer and is often filled with technology jargon usually designed to narrow the policy coverage. With this in mind, we are kicking off our “anatomy of cyber insurance” educational series by taking a closer look at cyber business interruption insurance.

Purpose of Cyber Business Interruption

The purpose of cyber business interruption insurance is to protect the insured from financial losses when business operations are interrupted by a cyber event. The coverage for cyber business interruption is typically broken into four main coverage components, including the following:

  1. Business Income Loss: Covers the insured’s loss of income resulting from a computer system disruption caused by a covered cyber incident.
  2. Extended Business Income Loss: Covers the insured’s long-term loss of income following a computer system disruption during the intermediary period that begins once the computer system disruption ends and before the insured’s income returns to pre-loss levels.
  3. Dependent Business Income Loss: Covers the insured’s loss of income incurred due to an interruption in the service of a third-party service provider caused by a computer system disruption of that service provider’s network.
  4. Extra Expense: Covers additional costs incurred by the insured while recovering from a computer system disruption. Proper extra expense coverage is designed to cover expenses that go beyond normal operating costs to continue operations during the computer system disruption.

Not all cyber insurance policies cover all four of the main cyber business interruption coverage components outlined above. Most cyber insurance policies only cover three of the four main coverage components. In addition, each main coverage component of cyber business interruption has numerous subparts making it difficult to determine if the insured has adequate protection. Therefore, the rest of this article will focus on understanding and evaluating the strengths and weaknesses of cyber business interruption coverage when comparing cyber insurance products available today.

Cyber business interruption insurance operates the same way that traditional business interruption in property insurance policies does. There are, of course, several differences between cyber business interruption insurance, which is designed to protect insureds from computer system disruptions from cyber perils, and traditional business interruption insurance, which is designed to protect insureds from an interruption in business operations due to physical perils. However, the main components of coverage are the same and the best cyber insurance policies utilize many of the terms and conditions of traditional business interruption insurance policies, which have been tested and refined for over 50 years.

Depth or Breadth of Coverage

Unfortunately, there isn’t a simple or magic formula to measure the full breadth of traditional or cyber business interruption insurance coverage for every company. There are, however, several common areas to consider when evaluating cyber business interruption coverage for specific insureds. The areas discussed in the sections below provide basic insight into the core elements of cyber business interruption insurance coverage.

Covered Computer Systems

When evaluating cyber business interruption coverage, it’s critical to ensure the insured’s entire computer network is covered. Understanding the scope of coverage for the insured’s computer systems is often as simple as referring to the definition of covered computer systems within the policy. At a minimum, cyber insurance policies should cover computer equipment owned, rented, or leased and operated by the insured. Some cyber insurance policies also extend coverage to employee-owned devices (used for work) and/or online video and audio conferencing services.

Many cyber insurance policies also cover cyber business interruption suffered by the insured when a vendor’s computer systems suffer a cyber incident. Such coverage is commonly referred to as “dependent” or sometimes “contingent” business interruption. Coverage for dependent business interruption is usually subject to a sub-limit and actual coverage differs significantly between insurers. Some insurers provide narrow protection for specified technology and telecommunication vendors providing services to the insured under contract. For example, the following policy wording from a leading cyber insurer illustrates how some insurers limit coverage for dependent business interruption by narrowing the definition of covered computer systems:

“Computer systems include….that are operated by a third party vendor, but only for providing hosted computer application services to you pursuant to a written contract.”

Insuretech Policy Language

It’s worth noting that the language above isn’t located in the exclusions section of the policy. Instead, it’s buried in a sub-part of a definition within a cyber insurance policy that stretches well over 70 pages with endorsements. Policy wording like this is almost certain to result in confusion and disputes. It’s safe to say that most insureds don’t want to learn that there is a difference between managed services, hosted services, and cloud services only after a claim occurs. As such, it’s important to drill down when determining the scope of coverage for computer systems and to negotiate changes in advance.

Other insurers provide broader coverage for dependent business income. Examples include blanket coverage for all the insured’s technology and telecommunications vendors without contractual restrictions or requirements. Some insurers will even provide coverage for the insured’s non-technology or telecommunications vendors.

Covered Cyber Events

All claims covered under a cyber insurance policy must arise from a covered cyber event, such as a virus, hacker attack, social engineering, or system failure. Covered cyber events are frequently referred to as coverage triggers or covered perils. Cyber insurance policies use detailed definitions to control the coverage triggers applicable to each coverage. One unique design feature of cyber insurance policies is the coverage triggers often differ for each coverage section of the policy (Network Security Liability, Media Liability, Cyber Business Interruption, etc.). For example, coverage triggers for cyber crime/social engineering are usually significantly different than coverage triggers for network security liability. More complicated cyber insurance policies also incorporate different coverage triggers within the same coverage section. For example, some insurers use a narrower set of coverage triggers for dependent cyber business interruption when compared with cyber business interruption. Therefore, it’s vital to understand what cyber events will trigger coverage under each coverage section and cyber business interruption is no exception.

Coupled with persistent technology jargon, multiple coverage sections, and lengthy definitions, cyber insurance coverage triggers can be difficult to understand. Some insurers use long lists when defining coverage triggers, while well-written cyber insurance policies make use of broad categories and omnibus-style descriptions instead. Unfortunately, no two insurers define coverage triggers the same way, so comparing cyber insurance products can be taxing. Fortunately, there are just three main categories of coverage triggers applicable to cyber business interruption. A summary of each category follows in the sections below:

Data and Network Security Breaches

A data or network security breach is commonly used to describe the many different types of malicious technological attacks that can be launched against an insured’s computer system. When cyber insurance was first created in 1996, the network security breach trigger was usually the only cyber coverage trigger in the entire policy, and today it’s still usually what we think of when we think of cyber insurance. Today, most cyber insurers use a multi-part definition that encompasses the myriad types of malicious attacks on a computer system, including:

  • Unauthorized access to or unauthorized use of the insured’s computer system;
  • DDoS attacks, virus/malicious code, hacking, and similar attacks;
  • Data breaches;
  • Cyber theft;
  • Cyber extortion and ransomware attacks.

Although most cyber insurance policies contain similar definitions for network security breaches, actual coverage varies. For example, a few insurers still utilize wild virus exclusions that limit coverage to attacks targeting the insured. Likewise, some insurers use “widespread event” exclusions that prevent coverage for losses resulting from a single attack or vulnerability that impacts a wide range of businesses.

System Failure

Generally, a system failure is an unintentional and unexpected computer system disruption not caused by a network security breach. Insurers typically use a multi-part definition to describe the system failure coverage triggers. However, the system failure coverage triggers tend to vary significantly by insurer. That said, there are some components of system failure common to many cyber insurers, including the following:

  • Errors in operating, maintaining, or upgrading the insured’s computer system;
  • Data entry or modification errors;
  • Damage or loss of the insured’s electronic data resulting from physical damage to computer hardware or storage media; or
  • Damage or loss of the insured’s electronic data resulting from electrostatic build-up, under/over-voltage, or failure of power supplies under the operational control of the insured.

Cyber insurance policies with the broadest coverage for system failure incorporate all the elements listed above, while inferior policies include just a few system failure coverage triggers. In addition, some insurers further limit system failure coverage triggers using carveouts. A few particularly egregious examples of such carveouts follow below:

“System failure does not include any failure or defect in the design, architecture, or configuration of computer systems.”

Insuretech Policy

“System failure does not include any failure of a third party technology or cloud service provider that results in an outage that extends beyond your computer systems.”

Insuretech Policy

The examples above are just a small sampling of the unique challenges associated with understanding and negotiating system failure coverage. Other more complex examples that drastically reduce coverage exist, including one nameless carrier that uses a deceptive dual coverage trigger for system failure, which requires two separate events to occur in sequence before coverage can be triggered.

Voluntary Shutdown

At a high level, the term “voluntary shutdown” refers to the partial or total shutdown of the insured’s computer system based upon the insured’s belief that such shutdown is necessary to minimize or avoid the impact of a security breach or system failure. For the most part, voluntary shutdown coverage is straightforward and many cyber insurers use similar policy wording. That said, there are material differences in coverage for voluntary shutdown among cyber insurance products.

The broadest cyber insurance policies allow the insured to voluntarily shut down their computer system at any time to minimize potential losses from any first- or third-party cyber event otherwise covered by the policy, without advance approval from the insurer. Lesser cyber insurance policies frequently limit the voluntary shutdown coverage trigger to just those shutdowns that mitigate first-party losses. Some insurers further restrict coverage to voluntary shutdowns that mitigate specified losses under specified coverages only. For example, we noticed a few interesting examples of how some insurers quietly restrict the scope of the voluntary shutdown trigger deep in the sub-parts of the policy definitions:

“means a voluntary shutdown of the Insured’s Computer System when such action is taken to minimize, avoid or reduce Unauthorized Access or Unauthorized Use.”

Insuretech Policy

“…but only when such voluntary shutdown is necessary to reduce or avoid Income Loss. Voluntary shutdown does not mean or include costs or expenses that exceed the amount of Income Loss that is thereby reduced or avoided.”

Insuretech Policy

Covered Time Period

The coverage for cyber business interruption is limited to a time period specified in the policy. Such time period is commonly referred to as the “period of restoration”, or “period of indemnity” in cyber insurance policies and it typically begins on the day/time the computer disruption begins and ends on the day/time the computer disruption ends. Most cyber insurance policies incorporate a period of restoration between 60 and 180 days.

One common problem when evaluating the period of restoration is understanding how coverage functions inside and outside the period of restoration. Insureds frequently want to negotiate a longer period of restoration for cyber business interruption coverage, like what they might negotiate for their traditional business interruption coverage. Although it seems like a sensible approach to cover longer-term losses, it’s a common source of confusion and disappointment. In many cases, the period of restoration in cyber business interruption coverage is strictly limited to the period beginning on the date and time when the computer system disruption begins and ending on the date and time the computer system disruption ends. Losses that continue beyond the period of restoration are usually not covered by most insurers, which means that longer periods of restoration are overpriced and practically meaningless beyond 30 days for most insureds.

A handful of cyber insurers are willing to provide cyber business interruption coverage for losses incurred after the computer system disruption ceases. Even then, most refuse to provide substantive coverage for indirect losses, such as loss of customers. Thankfully, there are still a few cyber insurers willing to provide traditional extended business interruption coverage for direct and indirect losses that continue beyond the period of restoration.

Covered Losses

The most common source of misunderstandings and coverage disputes in cyber insurance is the coverage for and valuation of cyber business interruption losses. Some cyber insurers used traditional (physical) business interruption policies to develop cyber business interruption coverage because traditional business interruption wording is largely standardized and has been slowly refined for decades. Many newer cyber insurers, especially Insuretechs, decided to deviate from the simplified traditional approach in favor of complex, jargon-filled, and unique policy wording for cyber business interruption coverage. With that in mind, we’ve outlined a handful of the most common sources of confusion and the optimal approach to coverage and loss valuation in the sections below.

Business/Dependent Business Income Loss

The purpose of cyber business income and dependent cyber business income insurance is to cover the insured’s loss of profits that would have been earned during the computer system disruption. Nearly all cyber business income sold today uses a gross profit structure with an actual loss sustained valuation. Business income coverage written with a gross revenue or increased cost of working structure is typically only available to larger firms or firms in specific industries. Coverage written with an agreed hourly loss valuation was equally popular to the actual loss sustained approach fifteen years ago, but today it’s difficult to find.

Given the current market conditions, the ideal cyber business interruption coverage for most businesses should include coverage for the following: (a) loss of net profit (or loss) before taxes; plus (b) continuing fixed and variable expenses. Most insurers are willing to cover the insured’s net profit (or loss) before taxes and some continuing fixed expenses. More recently, a few prominent insurers began limiting coverage for income loss to just the net profit (or loss) before taxes without consideration for any continuing expenses.

The larger problem with cyber business income coverage is loss valuation, which is less obvious, more nuanced for some industries, and impacts far more insureds overall. Most cyber insurers limit covered cyber business income losses to the profits that would have been earned from those transactions occurring during the computer system disruption. This valuation method creates a small window of time in which losses can be fully realized and eliminates coverage for losses that manifest after the computer system disruption ends. Though such a restrictive approach may still work well for highly transactional businesses, it hurts businesses with a material lag between the time they provide a service or sell a good and the time they get paid.

Another significant issue with cyber business interruption arises from coverage for indirect financial loss, also known as “consequential loss”, such as loss of customers, contractual penalties, or inability to collect fees. Consequential loss tends to be substantial and is often incurred both during the period of restoration and after it ends. Many insurers choose to partially or fully exclude consequential loss from cyber business interruption, and it’s not always excluded clearly. Often, the cyber business interruption coverage needs to be analyzed to determine if there is coverage for indirect or consequential loss.

Some insurers state clearly that consequential losses are excluded. Other cyber insurance policies lack a specific consequential damages exclusion or carveout, but stipulate that all cyber business interruption loss must be caused directly by a computer system disruption. For example, one insurer incorporates the following language into their definition of Business Interruption Loss:

“means the net profit that would have been earned before income taxes, or net loss that would not have been incurred, directly due to the partial or complete interruption of computer systems”

Insuretech Policy

Similarly, there are cyber insurers that don’t specifically exclude indirect losses, but ensure that all coverage is contained in the period of restoration. For example, the following language states that the period of restoration ends when the computer system disruption ends, which is functionally equivalent to excluding all loss, including consequential loss, that manifests after the period of restoration.

“…the continuous period of time that begins at the time of Interruption of Service of the Computer System and ends when the Computer System is reasonably restored or repaired…”

Insuretech Policy

The examples of business income valuation problems above are just a small sample of the issues insureds must navigate. There are numerous other problems with cyber business income valuation, some of which are industry-specific and others with broader implications. For example, we only reviewed a single cyber insurance product with affirmative coverage for the lost value of manufacturing production (“…net Income includes the net sales value of production…”) and such language is relatively common in traditional business interruption. We also saw that many cyber risk policies exclude interest from business income calculations, which will impact some industry verticals. Lastly, only 1-2 cyber risk products today include metered loss for professions and other industries that need it.

The optimal solution to cyber business income loss valuation is dependent on the insured’s industry. Ideally, loss of profits or income loss should be tied to the loss of sales, loss of output, and loss of billable hours as well as consequential loss incurred during the entire period of indemnity.

Extended Business Income Loss

Extended business income loss compensates the insured for lost income incurred during an intermediary period between the end of a computer system disruption and before its income returns to pre-loss levels. Extended business interruption is usually designed to cover losses that result indirectly from (i.e. as a consequence of) a computer system disruption, such as a loss of customers, missed opportunities, contractual penalties, etc. This coverage is often beneficial after a significant computer system disruption because insureds frequently endure a lengthy “ramp-up” period over which income will gradually resume to pre-loss levels.

Although it’s very common in traditional business interruption policies, coverage for extended cyber business income loss is very rare in cyber insurance policies. Today, only a few cyber insurers incorporate extended business interruption into their cyber insurance policies. The insurers that do provide extended business interruption typically offer an extended interruption period of up to 180 days.

Extra Expense

The purpose of extra expense coverage is to cover the additional costs in excess of normal operation costs, which are necessary for the insured to continue operations after a computer system disruption during the period of restoration, so the insured can generate the sales needed to cover fixed expenses and provide a profit.

Extra expense coverage is a fairly simple concept carried over from traditional business interruption insurance, but coverage for the cyber business interruption variant of extra expense coverage can vary wildly. The coverage should apply to expenses over and above those that would have been incurred had the computer system disruption not occurred. However, some cyber insurers use wording more akin to expediting expense, also known as “expenses to reduce”, which limits coverage to only those expenses that reduce an income loss claim, and such expenses may not exceed the amount of loss that otherwise would have been payable as business interruption loss. An example of such language follows below:

“….actual costs incurred by the Insured in excess of its normal operating expenses to reduce or avoid Income Loss provided they are in excess of expenses the Insured would have incurred had there been no System Failure or Network Security Incident.”

Insuretech Policy

Conclusion

Insurance policy language matters when purchasing cyber insurance for your clients and customers. Don’t wait until you have a claim to find out that the insurance you recommended to your client is weak and will not provide the breadth and depth of coverage needed.