Business interruptions due to cyber events

In the US, cyber insurance has been a market standard for many years. The comparably high market penetration is chiefly due to strict data protection legislation and the obligation to report leaks or breaches.

The great frequency of business interruptions after cyber attacks has shown the need to integrate this coverage component in cyber policies.

Globally, today’s cyber polices are generally offered as combination products. These are a mixture of first- and third-party risk components, such as data recovery, forensics, crisis communications, ransom payments, third-party liability claims and financial losses caused by business interruption. As in other liability insurance lines, contracting parties normally agree a lump-sum cover for all elements.

There are, however, differences concerning the calculation of the sums insured: in conventional property business interruption insurance, these are based on a detailed breakdown of an enterprise’s planned operating profit and fixed costs, with both determined prior to concluding the policy. In cyber insurance – by contrast – one fixed, maximum limit applies to all coverage components. Often, the sales figures of the insured enterprise are the only known factor. Determining the policy benefit due in the event of a loss can thus involve considerable effort. Consequently, to simplify processes, insurers often revert to a pre-defined daily compensation rate – especially in the commercial sector.

Another difference is that whilst traditional business interruption covers (triggered e.g. by fire or natural catastrophe losses) can remain in place for several years, business interruptions under cyber policies are usually defined with much shorter coverage periods. The former thus provide for time deductibles of days and months, where cyber covers deal in hours. The two policy types are also distinguished by the spatial component: property business interruption losses have regional boundaries. Cyber attacks, on the other hand, can trigger simultaneous interruptions globally across all an enterprise’s operating sites and offices, thus considerably increasing the extent of losses.

Being one of the few coverage components in cyber insurance, business interruption is also highly susceptible to systemic risk because many enterprises use software and control components that are identical or very similar. A targeted attack on these can lead not only to a single facility shutting down; it can bring a large number of enterprises worldwide to their knees at the same time. In particular, a targeted cyber attack on the critical infrastructure, power grids or telecommunications networks of one or more countries would cause business interruption at all local enterprises simultaneously. At Munich Re, we categorise this as a currently uninsurable accumulation risk.

If a cyber policy also includes contingent business interruption losses, this can further exacerbate the aforementioned systemic risk. In this case, the insured enterprise would receive indemnification for business interruption losses caused by a supplier being unable to deliver services or products as a result of a cyber loss. As an example, take a cloud service provider which is temporarily unable to provide its capacity in the wake of a cyber attack, in turn leading to production stoppages for commercial clients.

Contingent business interruption losses of this kind should not be covered as standard and only be included under certain circumstances. It is crucial that the risk situation of the suppliers concerned be transparent and that the risk be assessable. For this reason, it is wise to include only contingent business interruption losses for direct contractual partners of the insured, and to explicitly exclude second- and third-tier suppliers.

Accordingly, when assessing the business interruption risks from cyber attacks, underwriters should pay particular heed to the coverage catalogue for contingent business interruption losses. A network security breach by malware, for example, could still be covered, but insuring a supplier’s system outage would be tantamount to extreme risk creep. Prudent sublimits help restrict contingent business interruption risks. Conversely, a risk with no limits is almost incalculable owing to its accumulation potential.

Often, cyber attacks lead not only to business interruption and the associated revenue losses – they also damage the enterprise’s reputation. The fall in sales resulting from a successful cyber attack, however, is not deemed to be a business interruption. For example, if after a leak of all its customers’ credit card details, a supermarket chain loses part of its customer base and thus revenue, a special cyber reputational loss cover could be deployed.

The challenge in this coverage concept lies in defining appropriate loss triggers and giving prior thought to loss adjustment policy. At present, however, we envisage this cover primarily as individual solution in the corporate client segment.

In the course of digitalisation, cyber risks and loss scenarios change quickly and continuously. To offer adequate insurance products for business interruption caused by cyber events, ongoing monitoring of current developments and the markets is essential. Given this, the new cyber risks are no insurmountable obstacle, but instead a challenge that, as the market leader, Munich Re is happy to tackle.