When a company’s network goes down or is significantly impaired for sustained period, it can incur significant costs in getting the network back up and running to substantially the same level as it was before the incident. It can also suffer significant impairment to its business income both during the outage and for quite some time afterward.
Cyber-initiated business interruptions can be caused by malicious or non-malicious events. Examples of malicious causes are ransomware, DDoS attacks or crypto-jacking. Most of the media’s recent ransomware focus has been on the escalating amounts of ransom demanded and paid, and the cost of data recovery when the victim’s network is not properly decrypted, but the affected company can also suffer a substantial loss of business income (as well as incur significant extra expenses) before even a decrypted network is fully restored. Non-malicious cyber business interruptions can occur during system upgrades or network patches, or from software coding errors or incompatibilities. A software coding glitch crashed the network of a prominent company in the travel industry in 2017, and was reported to have caused a loss of more than $100M.1
Malicious and non-malicious cyber business interruptions
There are various ways in which a company’s income can be affected by a cyber business interruption, either malicious or non-malicious in nature. The principal ones include:
- Its own network is impaired;
- The network of one of its outsourced IT providers (cloud providers of IT services) is impaired;
- The network of its critical supply-chain providers is impaired; or
- The network of some other critical third-party provider (e.g., electricity, gas, Internet services) is impaired.
Cyber insurance can provide insurance coverage for the first three causes listed above; it is very difficult to obtain coverage for the fourth listed cause. Insurers normally ask companies to identify their key outsourced providers during the underwriting process. Insurers sometimes limit the cyber insurance coverage they will provide for outages, especially non-malicious outages, incurred by the insured’s outsourced providers. Insurers also generally require “waiting periods” -- the minimum amount of time that the business interruption must last before the loss becomes payable – and “restoration/indemnity periods” -- the time boundaries for measuring the loss. Not all insurers define these terms the same way, and the differences can significantly affect coverage.
Cyber business interruption insurance risk exposures
A company’s exposure to cyber business interruption loss will depend on many factors specific to its own operations and practices. A major factor includes the extent and effectiveness of its cyber risk management practices, as well as of its response to a cyber business interruption, guided by its Incident Response, Business Continuity and Disaster Recovery Plans. Some others are:
The nature of its business model (e.g., will income be provably lost or primarily just delayed until the network is restored);
- The rapid and smooth coordination among its internal first responders, its outside breach response providers, and its cyber insurers;
- The recency and availability of network backups, and whether its backup process is as effective when needed as it seemed on paper;
- With respect to business interruptions at a company’s outsourced IT providers or critical supply-chain providers, the ready availability of adequate alternative sources of IT services or critical supplies, as well as those IT service providers or critical supply-chain providers that themselves suffer cyber business interruptions and are therefore unable to comply with their own obligations to provide the company with services or products;
- Contractual indemnification rights and protections, as well as other legal remedies, it may have with respect to third parties responsible for causing the interruption (e.g., for transmitting ransomware or other malware to the company’s network);
- The degree to which the company’s business income is susceptible to impairment from lost customers or bad publicity.
The foregoing is a brief and necessarily incomplete general description of cyber business interruption and of the availability and extent of cyber insurance to address the full range of potential losses. Talk to a Gallagher cyber specialist today, and learn more about how your business may be affected by a cyber business interruption, cyber insurance coverage options and available risk management solutions.
Gallagher provides insurance, risk management and consultation services for our clients. When providing analysis and recommendations regarding potential insurance coverage, potential claims and/or operational strategy in response to national emergencies (including health crises), we do so from an insurance/risk management perspective, and offer general information about risk mitigation, loss control strategy and potential claim exposures. Any statement or information provided is for informational purposes only and is not intended to be, nor should it be interpreted as, medical, legal or client-specific risk management advice. The general insurance descriptions and other information contained herein does not include complete insurance policy definitions, terms and conditions and should not be relied on for coverage interpretation. Policy-specific terms and conditions dictate whether coverage applies to any particular risk or circumstance, and this information in no way reflects or promises individual client or policy-specific insurance coverage outcomes.
Gallagher publications may contain links to non-Gallagher websites that are created and controlled by other organizations. Gallagher claims no responsibility for or endorsement of the content of any linked website, as we have no responsibility for information referenced in material owned and controlled by other parties.
1. CNN Money, “Computer Meltdown May Cost British Airways over $100 Million,” https://money.cnn.com/2017/05/29/news/british-airways-cancellations-compensation-cost/index.html