When people think of cyber losses and cyber insurance, they tend to think of privacy breaches. The exposure of personally identifying information and concomitant risk of identity theft, which is followed by notification costs and regulatory fines is a recognized threat. More and more, though, the interruption of day to day business is the highest cost of a breach. These losses can lead to lost sales, lost productivity, reputational damage, and missed deadlines leading to breach of contract.
Commercial property insurance often includes business income insurance. This coverage helps companies recover their losses caused when a covered loss prevents them from being able to access their business premises. Cyber insurance policies have evolved to offer a similar type of coverage. Business interruption coverage can help cover losses experienced by a business due to a network outage.
Cyber business interruption coverage faces many of the same difficulties as business income coverage. It can be quite difficult to calculate actual losses from this type of event. Defining the restoration period can pose unique challenges depending on the nature of a company's operations. Additionally, limits might be relatively small due to insurance company concerns about risk aggregation.
One significant aspect of business interruption coverage in cyber policies is that it often includes contingent business interruption coverage. This protection means the insured business can obtain coverage and reimbursement - even if the cause of the interruption did not originate with their system or network. Take, for example, cloud-based solution providers. Many companies are increasingly relying on the cloud for vital aspects of their day to day operations. If the cloud provider experienced an outage due to a distributed denial of service (DDoS), or another similar attack, those companies would face significant interruption to their day to day operations even though the weakness wasn't the insured's computers that faced the attack. Contingent business interruption coverage ensures that even in this situation, businesses can recoup some of their losses.
There is still a lack of standardization concerning cyber insurance policies. As a result, policies can diverge in how they offer business interruption coverage. Some policies offer it as a matter of course, in all cyber policies. Others include it as an option available for purchase at the price of increased premiums.
Companies would do well to review the level of their exposure to a business interruption loss. If your company lost access to vital functions like email and bid generating software for weeks at a time, how much would that cost you? Having a real understanding of the size of your exposure and taking active steps to manage that risk can save your company when cyber outages hit.