Insuring for Loss of Revenue following a Cyber Attack

Cyber Insurance can cover loss of income - but buyer beware.

Cyber Insurance can cover loss of income - but buyer beware.

Business Interruption Insurance is what keeps most businesses alive following a major loss event.   A full frontal cyber attack can be just as damaging to a business as a major fire.   However,  the extent of business interruption coverage available is anything but equal.


Loss of Income Insurance before the Internet

Property Insurance and consequential loss of profits have been inextricably linked for years. Throughout the industrial age it has provided business with an effective method of insuring  loss of profits from the time the loss occurred to the time a business trades at the same level of profits it enjoyed immediately prior to the loss.

There are very established methods of calculating your insurable gross profit together with agreed indemnity periods which ensure your period of insurance is sufficient to see you through until your business is back on its feet.

Things aren't what they used to be....

The problem with traditional Business Interruption insurance is that the loss of profits cover is only triggered when there is a valid claim under the material damage section of the property insurance policy.   This means an event such as fire, earthquake, water damage, storm etc.    

A cyber attack does not constitute a physical loss or damage which renders the industrial age insurance policy redundant in today's digital age.    Despite the growing publicity around Cyber Insurance many business executives mistakenly believe their traditional business interruption insurance will respond to a cyber attack.

I am constantly challenged by business owners and executives about the cover provided by their traditional business interruption insurance policies.  The conversation usually goes like this:

NWC Insurance Team:  Mr Business Owner, how would your business respond if your network was inoperable due to a cyber event such as a denial of service attack?

Mr Business Owner:  I've got insurance for loss of profits.

NWC Insurance Team: What type of policy is that?

Mr Business Owner: It's all part of the Buildings insurance.

NWC Insurance Team:  A cyber attack that does not cause any physical loss or damage will not be covered as the loss of profits is only triggered by in the event there is an insured property claim.

Mr Business Owner: Oh Sh$%!

The challenge is that insuring loss of income under a Cyber Insurance policy is a very different proposition when compared against traditional insurance policies that cater for the industrial age of bricks and mortar.

This problem is making c-level executives and company directors very nervous and feeding the booming cyber insurance market.  As the broader cyber security knowledge gap continues to be a challenge so does the effectiveness of traditional insurance policies in a digital world. 


CYBER INSURANCE - KNOW YOUR POLICY

Cyber Insurance is the fastest growing product in the commercial insurance world.  This is being fuelled by the world transitioning from an industrial age to a digital age.   All business are now connected to the digital world in some way.  This can be via trade or simply by the way we manage our payroll and inventory.  

If any business were unable to access their network for an extended period of time they would invariably suffer a business interruption with a financial consequence. 

The issue for the commercial insurance buyer is that the cyber insurance market has not yet matured to an extent where there is a benchmark for for the coverage offered between the various insurers who offer this form of coverage.

Key areas of cover to consider when selecting a cyber insurer:


Calculating your Sum Insured for Loss of Income:

For Cyber Insurance, this is a very different proposition to  calculating insurable gross profit under your traditional business interruption insurance policy.  There are no under insurance provisions as your sum insured is limited by the indemnity period imposed by the insurer (refer below).

Therefore, it is very important to model your exposure to loss of income following a cyber attack using established loss limit methodologies such as Bow Tie Analysis.  This method looks at the your key are areas of cyber risk and assesses the cause and impact on your business.  

The impact is assessed on a maximum, likely and minimum basis to allow an organisation to make an informed decision about the insurance limits it should be seeking across the different sections of a Cyber Insurance policy.

The cost of the insurance can then be assessed against the bow tie analysis to determine the confidence intervals on a percentile basis an organisation can insure their risk and the relative cost of that risk transfer.


Indemnity Period:

The indemnity period is how long an insurer will continue to pay a loss of income suffered by a policy holder.  This is a very important consideration as the sum insured selected can often be voided by a inadequate indemnity period.

The extent of coverage provided will vary significantly depending on your insurer.  Unlike traditional business interruption insurance, the period of indemnity will be imposed upon you depending on which insurer you place your Cyber Insurance policy with.

For example, one prominent cyber insurer only provides 30 days in respect of business income loss. This could result in a very large sum insured being limited  by the period of indemnity not reflecting the exposure a business faces.

A number of insurers will offer up to 120 days however cover will be limited to the time when the system is fully restored.   This means if your network was restored within 14 days, your cover in respect of business interruption will cease on that date.

Many businesses would continue to suffer a consequential loss even when their network is returned to normal service.   As a result any consequential loss following the insured event can be left uninsured.

Contrast this with another prominent cyber insurer who offers up to 12 months from the date of the cyber event / attack.   It really is a spread market when it comes to this important component of cyber insurance coverage.

It is extremely important for business owners, directors and executives to understand the extent of cover offered in respect to the period of indemnity under the Business Interruption section of your Cyber Insurance policy.


Losses occurring to Third Party Service Provider:

Many businesses in today's digital age use third party providers to either host or manage the networks.  This includes data centers and cloud computing providers as well as IT consultants and Software as a Service providers. 

This means that our businesses are exposed to the events that occur within these third party environments. It is critical for businesses that rely on third party providers to ensure that their cyber insurance policy extends to include these providers.  

The cyber insurance market is divided on the coverage provided in respect of this important area of coverage.   An organisation should be fully aware of these shortfalls in cover prior to entering into a cyber insurance contract.


Extra Expenses

We have only addressed the loss of income exposure in this blog.  We would point out this is only one element of the First Party exposure an organisation faces following a cyber attack on their business.  Other key risks to consider include Forensic Investigation Costs, Crisis Management Costs, Remediation Expenses and other extra expenses association with a loss.

We will be addressing these in upcoming blogs so be sure to follow our LinkedIn feed for these upcoming posts.


Contact Us

To properly protect your business from the financial consequences of a cyber attack on your business contact NWC Insurance today on 1300 400 707 or email us at info@nwcinsurance.com.au