Business Interruption Now Part of Cyber Policies – Coverage changes

As the full threat of hacking and cyber attacks takes old, cyber insurance policies are evolving so that the primary focus is on business interruption coverage. When these policies first hit the market, they were mostly focused on covering the costs of notifying individuals whose personal data or credit card information may have been exposed, and of any regulatory penalties and other compliance costs.

But many companies, when hacked, suffer far more damage to their operations, including websites or important systems being rendered unusable. The larger danger to companies seems to be system failures resulting from a variety of novel attacks, including;

• Denial of service
• Brute force (an attack aimed at obtaining passwords)
• Malware or malicious code
• Ransomware
• Backdoor attacks
• Social engineering.

Business interruption policies have been around for a while, but they have typically focused on disruptions caused by supply chain issues and natural catastrophes that render businesses unable to operate. Often these interruptions can last for weeks or even months. The downtime for a business that’s been hit by a cyberattack is usually much shorter – a few days to a few weeks at the most.

Also, property policies or traditional business interruption policies have not extended property loss or  damage to electronic data, as data is not considered a physical or tangible object subject to loss or damage. Damage is triggered by a direct physical loss or damage.

Meanwhile, business interruption in a cyber policy is triggered by an electronic event such as a cyber attack, or hacking.  For cyber business interruption coverage to be triggered, there must usually be a direct link between a cyber attack and the interruption of business or a loss of sales. For example:

• Criminals destroy data or alter a website’s or database’s code in order to freeze or render the computer system or website unusable
• A denial-of-service attack renders a website inaccessible to customers and users.

A business interruption claim would not be triggered, however, if a hacker gained access to your database and rooted around for important company information and operations were not hampered and there was no loss of revenue.

Typical cyber business interruption provisions

• The policy will include a maximum payout for business interruption claims. This caps the payout under the policy. The cap may apply to each individual event or it may be an annual limit.
• Policies may include a separate deductible for business interruption claims.
• Policies may include a specific waiting period of hours or days before kicking in to pay a claim. If the event causes losses or a disruption that lasts less than the waiting period, the claim could likely not be paid.
• Policies usually will only pay for business interruption during the period that the company restores its systems.
• Coverage usually includes a number of exceptions, like not covering third party liability, fines and penalties and the costs of restoring a network.
• Most policies include exclusions as well, like loss of market or damage to computer systems caused by fire or other physical events that were not related to a cyber attack.