Cyber Insurance & the Value of Longer Indemnity Periods

When the first cyber insurance policies emerged in the late 1990s, aimed at the first breed of dotcom companies, system business interruption was one of the primary drivers of these products. These were companies that relied upon technology that had yet to become commonplace in the rest of the business world. They transacted business extremely quickly; their day-to-day operations were models of digital efficiency; and they were completely at the mercy of their systems’ performance.

Unfortunately, the dotcom boom soon turned to bust, and those first buyers of cyber insurance disappeared along with the products that they purchased. With the passage of the first breach notification laws in California, however, the cyber insurance market was reborn. The main focus of these policies was no longer system business interruption, but the cost of handling a data breach. Since then, the cyber landscape has been dominated by privacy risk, and only recently has the issue of Cyber Crime come to rival it for attention in cyber wordings.

You may have seen on the news that Primark, a multinational clothing and accessories retailer, recently suffered a major fire at their store in central Belfast, Northern Ireland. Since they are unable to use this building, they have suffered a reduction in sales amounting to $193,433 to date. Once they are able to use the building again, they won’t immediately start trading at the same level that they would have, had the fire not taken place. After all, they will need to restock the premises, re-engage with their suppliers, and win back customers who may have started shopping elsewhere. This is why their business interruption policy won’t stop paying out once the building has been rebuilt and is fit for use again. It will continue to pay until the business is operationally sound and has returned to the same financial position it would have been in had the fire not occurred (up to the maximum indemnity period).

To put this into a cyber context, business interruption cover should protect you not only for the period that your computer systems are down, but until your business has returned to the financial position that you would have enjoyed if the system outage hadn’t occurred. What defines the indemnity period is still a huge area of inconsistency amongst cyber policies, especially in those territories where the cyber insurance market is less mature.

Indemnity periods on cyber policies typically work in one of three ways:

  1.  The policy will reimburse the loss only for the time that systems are down and not actually functioning. As soon as the systems are up and running again as normal, the policy stops responding and no more money is payable to the insured.
  2.  The policy will reimburse the loss for the time that systems are down, as well as continuing to provide cover after the systems have been restored to their normal functionality for an arbitrary number of days.
  3.  The policy will reimburse all losses (including those incurred once systems are up and running again) that fall within the indemnity period, up until the point that the insured has returned to the same financial position that they would have enjoyed had the system outage not occurred.


Consider the example of an online retailer. They are hit by a distributed denial of service (DDoS) attack, whereby cyber criminals use multiple computers under their control to flood the website, causing it to crash and rendering it inaccessible to normal internet users. As the business is an online retailer, the website is their only way of selling their products, so as soon as the website is down they see an immediate and dramatic drop-off in revenue. In this case, the DDoS attack takes down the company’s website for a total of 16 hours. Following this event, the company turns to their cyber insurer for reimbursement of the financial loss suffered during this period.

Depending on the type of cyber policy that the business has purchased, the policy will generally respond in one of two ways:

Loss in excess of the time retention period: The policy will be triggered once the system has been down for a set number of hours (typically this is eight hours on a cyber policy), but the policy will only pay from that point onwards. So if the set number of hours for the waiting period is eight hours and the website was down for 16 hours, the losses incurred during the first eight hours that the website was down would not be covered.

Loss within the time retention period: The policy will be triggered once the system has been down for a set number of hours, but in this case the policy pays from the initial starting point of the outage. So if the set number of hours for the time retention is eight hours and the website was down for 16 hours, the policy would pay for the whole 16 hours’ worth of lost income and additional expenses.

This is an important distinction. With the first option outlined above, the first eight hours’ worth of financial loss are not covered. With the second option, an additional eight hours’ worth of financial loss is recoverable under the policy. This could make a big financial difference to the organization.
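To make the time-retention and indemnity-period distinctions above concrete, here is an added calculator (not from the article or any insurer’s wording) that applies each model to a constructed hourly revenue timeline. The `Hour` record, the 1,000-per-hour figures, the model names and the assumption that the outage is one contiguous block are all illustrative assumptions.

```python
from dataclasses import dataclass


@dataclass
class Hour:
    expected: float      # revenue the business would have earned this hour
    actual: float        # revenue it actually earned
    systems_down: bool   # True while the website/systems are unavailable


def indemnity_end(hours, model, tail_hours=0):
    """Index one past the last hour the policy responds for, per model."""
    down = [i for i, h in enumerate(hours) if h.systems_down]
    if not down:
        return 0
    restored = down[-1] + 1                    # first hour systems are back
    if model == "downtime_only":               # option 1: stops at restoration
        return restored
    if model == "fixed_tail":                  # option 2: restoration + N hours
        return min(len(hours), restored + tail_hours)
    if model == "until_recovered":             # option 3: until back to expected
        for i in range(restored, len(hours)):
            if hours[i].actual >= hours[i].expected:
                return i
        return len(hours)
    raise ValueError(f"unknown indemnity model: {model}")


def covered_loss(hours, retention_hours, retention_type, model, tail_hours=0):
    """Insured loss under a time retention and an indemnity model.

    retention_type: "excess" pays only after the retention has run;
    "within" pays from the start of the outage once it is triggered.
    Assumes the outage is a single contiguous block of hours.
    """
    down = [i for i, h in enumerate(hours) if h.systems_down]
    if len(down) < retention_hours:            # retention never reached
        return 0.0
    start = down[0] + (retention_hours if retention_type == "excess" else 0)
    end = indemnity_end(hours, model, tail_hours)
    return sum(max(0.0, h.expected - h.actual) for h in hours[start:end])


# Constructed timeline: 16 h outage, then 8 h trading at half the expected
# level while customers return, then 4 h back to normal (1,000/hour expected).
TIMELINE = ([Hour(1000, 0, True)] * 16
            + [Hour(1000, 500, False)] * 8
            + [Hour(1000, 1000, False)] * 4)

if __name__ == "__main__":
    for rt in ("excess", "within"):
        for m in ("downtime_only", "until_recovered"):
            print(rt, m, covered_loss(TIMELINE, 8, rt, m))
```

With an eight-hour retention the four combinations recover 8,000, 16,000, 12,000 and 20,000 respectively, showing that the retention type and the indemnity model each halve or double the recoverable amount on the same outage.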

Therefore, making sure that your cyber policy covers the entirety of the loss after the time retention has been exhausted is extremely important. Unfortunately, this is not always apparent in the policy wording, so it’s always worth checking with the insurance provider in question as to how this particular part of their policy works in practice.