Understanding Business Interruption Risk
Determining the appropriate coverage limit for both business interruption (BI) and contingent business interruption (CBI)
Cyber insurance protects against internet-based risks and threats to information technology infrastructure. Determining the appropriate coverage limit for both business interruption (BI) and contingent business interruption (CBI) can be one of the most complex tasks when evaluating a cyber insurance quote.
Business Interruption Coverage in Cyber Insurance
Business interruption coverage is designed to protect a company from the losses it suffers when it cannot operate due to a covered event. In traditional property insurance, covered events might include fires or natural disasters. Covered events are dangers to the business that the insurance policy explicitly covers; in cyber insurance, they typically include cyber attacks. Business interruption coverage is measured as a function of revenues lost while the business remains inoperative due to the event, a period that can vary from hours to weeks depending on the extent of the attack. This is relatively simple on its face but becomes much more complex when one considers the nuances of cyber insurance. Below are several key points of nuance:
- Attribution of the Event: Determining the cause of a cyber-related business interruption can be challenging. Cyber attacks are not always clear-cut events like a fire or an explosion; they can be subtle, complex, and difficult to trace. It may be difficult to ascertain if an interruption was the result of a malicious attack, a system failure, or human error.
- Definition of “Interruption”: The term “interruption” can be vague within cyber insurance policies. Policies need clear definitions of what constitutes an interruption and the extent to which partial outages or slowdowns in operations are covered.
- Indemnity Periods: BI coverage typically includes an indemnity period – the period during which the insurer will reimburse the business for lost revenues. In cyber policies, establishing the start and end of the indemnity period is not straightforward owing to the potential latency of cyber events; some network intrusions can go undetected for a prolonged period.
- Valuation of Losses: Calculating the financial impact of a cyber business interruption involves assessing not only direct costs but also the loss of profits and the extra expenses incurred to mitigate the interruption. This requires an understanding of the business's operations, revenue streams, and the cyber event's impact on them. It can be challenging to differentiate between losses directly related to the cyber event and those resulting from other causes, such as market changes or competitive pressures that coincided with the cyber event.
- Duration and Scope of Coverage: The duration of a cyber BI event may be much longer than a traditional BI event due to the time required to fully restore data systems and ensure they are secure. Additionally, it's crucial to ascertain the scope of coverage since some policies might have limitations or exclusions on specific events or types of data.
Contingent Business Interruption in Cyber Insurance
Contingent business interruption extends protection to include losses caused by disruptions to the policyholder’s supply chain or service providers. When a key supplier or partner experiences a cyber event that impairs their ability to deliver goods or services, contingent business interruption coverage can cover the resulting financial impact on the insured's business. The complexities of CBI include:
- Third-Party Dependencies: Companies depend on an array of external partners and services, from cloud service providers to manufacturers. The interconnected nature of these relationships means that disruptions can cascade, making it difficult to trace the source and extent of the interruption.
- Proof of Loss: For a CBI claim to be successful, the policyholder must usually prove that the third-party interruption directly caused the loss of income. This involves obtaining detailed information from the third party about the cyber event, which they may be reluctant to share.
- Exclusions and Limitations: Insurers often include specific exclusions in CBI coverage. These exclusions may involve certain types of third-party service providers, such as telecom or utility companies. There can also be geographic limitations that exclude coverage for events in certain regions or countries.
Quantification of Losses
Quantifying losses from business interruption due to cyber events is an inherently complex endeavor. It necessitates a rigorous approach to financial analysis and often requires the expertise of forensic accountants to dissect and attribute the loss appropriately. Challenges include:
- Historical Financial Performance: Underwriters look at historical financial data to project what the business would have made had it not been for the interruption. For rapidly growing or fluctuating businesses, this can be a point of contention.
- Incremental Costs: Cyber BI claims may involve incremental costs such as overtime, expedited shipping, consulting fees, and additional IT resources that were necessary to maintain operations during the disruption. Isolating and valuing these costs can be complex.
- Projection of Lost Sales: Businesses must forecast lost sales, which involves speculation. Not only must the immediate loss of income be calculated, but also the longer-term impact on customer relationships and market position.
The Role of Cyber Insurance Specialists
Given these complexities, cyber insurance necessitates a collaborative effort involving insurance specialists, underwriters, risk managers, and IT professionals. Risk assessments must be thorough, considering not only direct risks to the business's network but also indirect risks through third parties and supply chains. It is equally essential to underscore the significance of having knowledgeable professionals who understand the evolving cyber threats and can adeptly navigate the complexities of insurance policies. Cyber insurance specialists, like those at Limit, play a pivotal role in ensuring that businesses are adequately protected in the digital realm. Beyond just risk assessments, these specialists possess a deep understanding of the dynamic and ever-changing nature of cyber threats. They stay abreast of the latest trends, emerging vulnerabilities, and evolving regulatory landscapes, allowing them to tailor insurance solutions for your business. Cyber insurance specialists are instrumental in guiding businesses through the intricate process of policy selection, helping them understand the nuances of coverage, limitations, and potential gaps.