Aligning Cover and Exposure in The Evolving Cyber BI Market

This piece is by Laetitia Fouquet, global head of cyber at Charles Taylor Adjusting, who looks at how insurers can match Business Interruption cover to a digital world full of cyber risks.

Cyber business interruption cover is an increasingly important insurance for businesses of all sizes in today’s digital operating environment. Property-related business interruption insurance is a fully developed and tested offering, whereas cyber-related business interruption insurance has only really started being used in the last 4-5 years.

This has meant that while risk managers and insurance buyers within companies are confident about the property-related business interruption cover they need, and how to present their loss and the level of protection offered by the insurance they purchase, this isn’t always the case with cyber-related exposures.

As the market matures we’re seeing a persistent number of cases where there’s a mismatch between what insureds think their cyber-related business interruption insurance will provide and the settlement they’ll receive.

Inconsistency around methodology

The business interruption coverage in cyber insurance is not adapted to all activities. Because the wording comes from traditional industrial property policy wording, the method fits perfectly with a cyber BI affecting a production site, for instance. Unfortunately, it is not adapted to the service industry.

Some policies offer cover based on the gross revenue lost due to the insured cyber event and the associated increased cost of working required to minimise the loss. Others provide cover relating to the loss of net profit and the ongoing operating costs. The level of detail in the BI method’s description in the policy definition can have a massive impact on the BI calculation and result.

There are numerous different accounting standards used globally and individual insurers have their own take on how they calculate the profit and loss attached to cyber business interruption claims. For companies with international revenue streams and insurance policies at local and group level, agreeing a settlement generally requires significant negotiation.

The first thing we do when we’re instructed to adjust a loss is to meet with the insured, understand the impact of the cyber incident and discuss the methodology of the coverage. Too often these meetings throw up significant surprises for the policyholder, so they’re essential to managing expectations from the start.

One way of preventing this is more detailed scenario planning during the insurance purchasing journey and better quantification of the loss stemming from these scenarios. Working with their brokers and insurers, insureds should understand exactly what level of cover is being offered, whether it would be sufficient, how it’s triggered and how a loss is calculated.

Stress testing a policy should also inform the insureds what documentation they will need to provide in support of a claim.

Documentation

In the wake of a cyber event, access to systems can vary drastically. In some situations, the impact on access is restricted to a single system. In others, insureds can find themselves completely locked out of their entire network. They’re unable to communicate internally and externally, manage HR systems, run production lines or logistics.

In these worst-case scenarios, the impact of the cyber event can be utterly debilitating on the performance of a business. It also makes it difficult to gather the information required to estimate and substantiate the scale of the business interruption loss.

Could you access data relating to past and forecast future performance? Could you maintain supply chain orders and communications to support ongoing activity? Could you invoice customers? Are your sales generated from online channels and if your sales system was compromised, could you take orders by alternative means? Could you respond to tenders? What stock do you have in place to fulfil existing orders? And what next if you use the stock? Do you need more human resources including temporary or agency staff? The list can go on and on. In short, do you have offline workarounds to keep your business afloat?

In addition to the documentation required to support and substantiate a claim, loss adjusters need to get a granular understanding of a business’s operations and the impact of factors such as seasonality, inflation, currency exchange rates and business growth plans. Assessing these in relation to the insured’s activities allows adjusters and forensic accountants to make accurate assessments about how the business would have performed, but for the cyber event.

For example, a retailer might expect to have a very busy fourth quarter in the run up to Christmas, while the first quarter might be very slow for sales as they gear up for the year ahead. This means the timing of a loss can have a significant impact on the scale of the business interruption loss suffered.

It’s also important to remember that in some cases there are several savings created by a cyberattack, such as energy usage or reduced orders for supplies, and these also form part of the considerations around the loss.

Understanding the impact these factors have on a business interruption loss will help insureds maintain the appropriate records to detail what their business performance would have been, without the cyber event. It will also help develop crisis management and response plans that minimise the disruption and mitigate the size of loss.

Underinsurance

While an organisation’s security measures will prevent a huge number of potential attacks, the reality is that it’s a matter of when and not if a business will be affected by a cyber incident. Once an attack breaches an organisation’s defences, it will typically mean their systems aren’t operating properly for between five and 10 days.

To make sure there’s an appropriate level of insurance in place, businesses should assess their cyber business interruption exposure with this timeframe in mind. If they don’t, they risk being significantly underinsured with losses mounting significantly in a very short space of time.

As the cyber insurance market matures, insureds will have a greater understanding of their potential exposures. Policy wordings and loss calculations will also become more standardised, reducing the potential for a mismatch between the cover in place and the cover insureds believe they’ve bought.

The more the market can do to highlight these issues, the sooner it will overcome them.

