This article was originally published by Business Insurance on March 6, 2017.
As more businesses come to realize that cyber attacks pose a serious threat to business operations, revenue streams and contingency planning, the market is starting to expand and develop new products to address business interruption (“BI”) resulting from a cyber attack[1]. Some of the more common cyber attacks against businesses include denial-of-service, brute force (to obtain passwords), insertion of malware or malicious code, ransomware, backdoor attacks, and social engineering. This article provides a primer for underwriters and claims professionals on the issues that may arise when the traditional concept of first-party BI coverage is married to cyber coverage.
BI coverage is a time element coverage offered under first-party property policies. In the first-party context, for BI coverage to be implicated, there must be direct physical loss or damage by a covered cause of loss that causes a necessary interruption of the insured’s operations (either wholly or partially as specified in the policy[2]). Once these conditions are met, the actual loss sustained is measured to determine the loss of business income from the interruption.
It is important to remember that first-party property policies do not traditionally extend property loss or damage to electronic data, as data is not considered a physical or tangible object subject to loss or damage. When BI coverage is offered under cyber policies, the direct physical loss or damage requirement may be substituted with an electronic-data-driven event, that is, a specified type of cyber attack.
The scope and elements of what constitutes a cyber attack under the policy are therefore of critical importance. In other words, what triggers BI coverage for a network attack? As noted above, BI coverage was originally intended for physical loss and is now being imported into the ethereal and nonphysical world.
As part of a triggering event for BI coverage, there must be a direct causal connection between the cyber attack and the interruption of business and loss of revenue. For an active attack, where an adversary or perpetrator destroys or alters data and crashes a computer system, or where a denial of service takes place and business operations cease, the causal connection to any business loss should be fairly straightforward to establish. However, the causal connection is less clear in a situation involving a passive network attack, when a computer system is infiltrated but the perpetrator is only gathering data or exploring the system, and no data is disturbed, altered or destroyed. In such a situation, a network attack took place and remedial measures are necessary, but computer operations may continue uninterrupted while the security of the system is being restored and any malicious software is neutralized. Although the cyber policy may respond and pay for the expenses to restore network security under other coverages, a BI loss has not been established, inasmuch as there would be no interruption of operations.
Another scenario could involve a passive attack combined with a public disclosure that an insured’s network has been compromised. In that situation, daily business operations would continue unhindered, but there might be a loss of customers and revenue resulting from security concerns. On the one hand, the network attack took place and the loss of network security is driving away customers. The insured is likely to contend that network security is an intrinsic service that it provides to customers. On the other hand, relying on traditional concepts of BI coverage, there would be no complete or even partial suspension of the insured’s network operations. The loss of revenue would be based on customers’ decisions and thus the causal connection of what is being insured (suspension / interruption of operations) is not tied to the loss of revenue. Additionally, if the customer no longer wants the insured’s services, that may also be a “loss of market” situation, which is normally excluded in BI policies.
There are countless cyber attack situations that can arise. Therefore, when a cyber attack claim is presented and adjusted, the policy wording and what constitutes the triggering event, as well as the causal relationship of the network attack to the revenue loss, must be examined closely. At times, it may be a challenge to separate the incurred costs associated with the covered event from non-covered costs, such as a permanent upgrade to network security. Adding to the complexity of analyzing a cyber BI claim is the insurer’s reliance on the insured’s cooperation in openly sharing what exactly took place in its system as a result of the attack and how the compromised systems tie into its operations and revenue stream(s).
As part of BI coverage, the extent of financial reimbursement for a covered revenue loss is also controlled by other important policy provisions as listed below:
- The specified BI sublimit in the policy will set forth the maximum BI exposure for the insurer. Regardless of the revenue loss, the BI sublimit caps the payout under the policy. The BI sublimit may at times be tied to an annual BI aggregate limit — the maximum payable in the policy period if separate network attacks take place.
- Policies that provide BI coverage will often include a separate BI deductible or BI waiting period (either in hours or days) before liability will arise under the policy. If a BI loss is below the deductible or does not exceed the waiting period, then the policy will not respond. An example of the waiting period not being met would be if a denial-of-service lasts two hours and the waiting period is four hours.
- BI policies will also provide that liability is only for the specified period of restoration. This period is usually a defined time period and requires the insured to use due diligence and dispatch to resume its operations.
- BI coverage for network attacks is usually restricted by excepting certain types of costs that are not covered. Costs that are not covered can include third-party liability, contractual liability, fines and penalties, and upgrades for the restoration of network security.
- In addition to certain types of non-covered costs, there will be certain BI exclusions, including idle periods (when the insured is not in operation for other reasons), consequential loss, or loss of market. In addition, cyber policies typically exclude loss by perils insured under a first-party property policy, such as fire, smoke, explosion, earthquake, etc., as these physical perils are not the intended risk being insured. Service interruption of utilities is also commonly excluded.
* * * *
Unlike other types of insurance, BI coverage is more nuanced in that overlapping conditions must be examined as part of the determination of whether a BI claim is compensable. The starting point for making such an analysis is a comprehensive understanding of the cyber attack that took place, what was affected and its impact on operations, along with a careful reading of the policy.
Costantino P. Suriano and Bruce R. Kaliner are both Partners at Mound Cotton Wollan & Greengrass LLP. The views expressed in this article do not necessarily represent the position of our firm or that of any of our firm’s clients.
[1] Extra Expense coverage (i.e. costs an insured expends to reduce its loss that would not be incurred except for the loss taking place) is often offered in conjunction with BI coverage. Extra Expense is sometimes considered to fall under time element coverage. Other time element coverage can include contingent business interruption, service interruption, and interruption by civil or military authority.
[2] The two usual options are whole (complete) or partial. When partial is provided, this necessarily provides broader coverage to the insured as the loss does not need to shut down the insured’s entire business operations.