Business interruptions due to cyber events
A challenging cover component
Property damage, natural catastrophes, rule violations: the triggers for business interruptions are diverse, and the insurance products currently available vary accordingly. And since WannaCry and NotPetya (at the very latest) it has also been clear that cyber attacks can seriously disrupt or even halt business operations altogether. Thus, “business interruption” is an indispensable coverage component in cyber policies.
The great frequency of business interruptions after cyber attacks has shown the need to integrate this coverage component in cyber policies.
Special aspects of insuring cyber events
Globally, today’s cyber policies are generally offered as combination products. These are a mixture of first- and third-party risk components, such as data recovery, forensics, crisis communications, ransom payments, third-party liability claims and financial losses caused by business interruption. As in other liability insurance lines, contracting parties normally agree a lump-sum cover for all elements.
There are, however, differences concerning the calculation of the sums insured: in conventional property business interruption insurance, these are based on a detailed breakdown of an enterprise’s planned operating profit and fixed costs, with both determined prior to concluding the policy. In cyber insurance – by contrast – one fixed, maximum limit applies to all coverage components. Often, the sales figures of the insured enterprise are the only known factor. Determining the policy benefit due in the event of a loss can thus involve considerable effort. Consequently, to simplify processes, insurers often revert to a pre-defined daily compensation rate – especially in the commercial sector.
Another difference is that whilst traditional business interruption covers (triggered e.g. by fire or natural catastrophe losses) can remain in place for several years, business interruptions under cyber policies are usually defined with much shorter coverage periods. The former thus provide for time deductibles of days and months, whereas cyber covers deal in hours. The two policy types are also distinguished by the spatial component: property business interruption losses have regional boundaries. Cyber attacks, on the other hand, can trigger simultaneous interruptions globally across all of an enterprise’s operating sites and offices, thus considerably increasing the extent of losses.
Focus on systemic risks
Contingency covers only for direct contracting parties
If a cyber policy also includes contingent business interruption losses, this can further exacerbate the aforementioned systemic risk. In this case, the insured enterprise would receive indemnification for business interruption losses caused by a supplier being unable to deliver services or products as a result of a cyber loss. As an example, take a cloud service provider which is temporarily unable to provide its capacity in the wake of a cyber attack, in turn leading to production stoppages for commercial clients.
Contingent business interruption losses of this kind should not be covered as standard and should be included only under certain circumstances. It is crucial that the risk situation of the suppliers concerned be transparent and that the risk be assessable. For this reason, it is wise to include only contingent business interruption losses for direct contractual partners of the insured, and to explicitly exclude second- and third-tier suppliers.
Accordingly, when assessing the business interruption risks from cyber attacks, underwriters should pay particular heed to the coverage catalogue for contingent business interruption losses. A network security breach by malware, for example, could still be covered, but insuring a supplier’s system outage would be tantamount to extreme risk creep. Prudent sublimits help restrict contingent business interruption risks. Conversely, a risk with no limits is almost incalculable owing to its accumulation potential.
Reputational risks require defined loss triggers
The challenge in this coverage concept lies in defining appropriate loss triggers and giving prior thought to loss adjustment policy. At present, however, we envisage this cover primarily as an individual solution in the corporate client segment.
In the course of digitalisation, cyber risks and loss scenarios change quickly and continuously. To offer adequate insurance products for business interruption caused by cyber events, ongoing monitoring of current developments and the markets is essential. Given this, the new cyber risks are not an insurmountable obstacle, but instead a challenge that, as the market leader, Munich Re is happy to tackle.