Many cyber insurers offer business interruption coverage to policyholders who are concerned that a ransomware event or some other malware incident will disrupt the continuity of production or the services offered to customers. Many factors go into the policyholder’s consideration of such coverage and the insurers’ assessment of these risks, not the least of which is how to evaluate and calculate the ultimate losses, from the start of the event to the time when everyone agrees the organization is back to its “regular” operations.
In a world where no entity is an island, some companies may be less worried about their practices in collecting personal or sensitive data information—the original focus of many cyber coverages—and more worried about what happens if malware infects plant operations. There are some key questions to consider in such an event: Is there coverage for third-party systems? Is there coverage for cloud failure? Are there exclusions for power failures, blackouts, and brownouts? Is there coverage for losses beyond the “recovery” period? Is the “waiting period” until coverage is triggered too long? Is there any limitation to physical perils?
First the Failure, then the Loss
Under the latest first-party coverages for cyber policies, “business income” or “business interruption loss” events may provide coverage for the losses and expenses attributable to the downtime that an entity suffers as a result of an attack. The current typical language may say something to the effect that such a loss means “the total or partial interruption, degradation in service, or failure of the computer system that is leased, owned, or operated by the insured, or operated on behalf of the insured by a provider.”
Sometimes it is easy to spot “the failure.” However, even in the case of a ransomware attack where it is obvious that employees cannot access files and data has been encrypted, the IT professionals are usually scrambling in the first few hours to identify and catalog whether every system is impacted, whether disconnecting systems from the network and the internet saved them from a total collapse, and whether any early attempts to mitigate the damage were helpful. In the first throes of responding to these events, the staff may not have a complete picture of how disruptive the attack will be in the coming days and even weeks. Indeed, in one of the relatively few court decisions addressing coverage for “cyber” losses, one court addressed the distinction between “loss of functionality” as compared to complete “inoperability.” See National Ink and Stitch, LLC v. State Auto Property and Casualty Insurance Company, at 1, case number 1:18-cv-02138 (D. Md. Jan. 23, 2020). Most entities would hope that they have insurance coverage well short of having to face a total shutdown of functionality. Limping along with the pain post-recovery does not always mean the company survives intact.
Most cyber insurers now look to avoid having to force their policyholders to rely on language that only provides coverage for the “total meltdown” scenario. This is where the provisions that reflect “partial” interruptions or “degradation” of operations come in, as the more accurate picture of what an entity may suffer as a result of an attack on, or even a compromise of, its environment. The policy will respond not just to a complete stoppage for the insured; the terms assume that the insured may be able to rely on some redundancies or backups but will not be at full strength. Hence, the “partial” or “degradation” element is significant for an insured.
Whose System Is It Anyway?
Packed into these “interruption” and “disruption” terms are a few other crucial considerations. A failure is not just limited to the insured’s system but a system relied upon by the insured (sometimes referred to as “dependent business interruption”). Also, in these terms, the definition of “computer system” is typically important. Would such systems include “cloud computing or hosted services provided by a third party”? Does that system include everything connected and accessible and all components (e.g., peripheral devices, employee devices)? Can a “cloud” fail? Well, if your organization is relying upon it, probably so!
Some policies define the “system” in less robust terms, limiting coverage to those connected devices, applications, or systems that are proprietary to or licensed to the insured as the owner of the system. Because many entities, small and large, are ever more reliant on service providers, vendors, or suppliers who collect, manage, store, or distribute their critical data, policyholders do not want to approach the risk based solely on the in-house “stuff” anymore.
Been Waiting So Long
“I’ve been waiting so long; I’m not feeling so strong,” so the story goes. “Supertramp,” R. Davies, R. Hodgson, Waiting So Long, …Famous Last Words… (Oct. 1982). Then, there are “waiting periods” and “interruption periods” to evaluate and how each is triggered. The “waiting period” is typically shown on the declarations page under the deductible section. This is the period of time that has to be exhausted, or more appropriately, the period which must elapse before the insurer will consider making payments on losses and expenses incurred. The presumption, again, is that the policyholder is motivated to get back up and running in a very short time period, so it is only those losses that are excessive or entirely out of their control, which would exceed that period.
In the earlier days of this coverage, that time period could be somewhat significant, e.g., 48 to 72 hours. This time frame would track with other commercial business interruption scenarios—like storm damage. Sending in the adjuster and making sure the premises are safe and fit for purpose could reasonably take a few days. In the case of a disruption caused by network security failures, many entities can get by in their physical space more readily than they can do without connected logistics and payment systems. Indeed, these policies were originally targeted at primarily virtual businesses, so the “physical” impediment was likely not the focus. In that regard, competitive terms now reflect much shorter waiting periods, like 12, 8, and 6 hours.
The Final Tally
Cyber insurers have stepped up to retain outside forensic accounting firms to assist in calculating losses, and some reportedly have retained specific staff in-house to resolve these questions. Reports are that there are few disputes between policyholders and insurers when it comes to calculating such losses. This is probably because the coverage, like much of the history of cyber coverage, is relatively new, and the terms became more competitive in a very short time. One can guess that in a hardening market, insurers will look closely at whether even a limited interruption in network service is cause for concern. This is particularly so in light of headlines regarding the attacks on systems and applications that are relied upon by industries around the globe (like the circumstances involving the apparent SolarWinds software compromise and attacks on Microsoft Exchange Servers).