Cyber business interruption claims: the unique challenges of the digital realm

March 20, 2024


By Gerald Cheang, Senior Manager, Forensic Accounting Services, Asia.

Asia is home to more than half of the world’s internet users. Businesses are leveraging Asians’ online activity to make inroads with new and existing customers, create new products, and make processes more efficient. The benefits of this opportunity are accompanied by unique risks not addressed by traditional business interruption (BI) insurance policies. However, they can be managed with BI cover from standalone cyber policies.

As we move from the physical to the digital realm, cyber BI claims present unique challenges: some familiar, some different, and others dramatically different from traditional BI claims.

The familiar

As with all insurance claims, a causal link between the incident and the loss must be established. This is known in traditional BI as the material damage proviso. Cyber BI policies are similar, but instead of damage, cover may be triggered by an actual or suspected compromise to a policyholder’s IT systems. For losses to be covered, they must flow from an insured incident. 

The types of cover that both traditional and cyber BI policies provide are also quite similar. Cover may be provided on a gross revenue or gross profit basis and on the basis of increased costs of working. The aim, therefore, is to place the policyholder in the position it would have been in but for the cyber incident. These incidents can be either malicious (say, a data breach or malware) or otherwise (perhaps due to accidental acts or omissions). The challenge, as always, lies in isolating the loss solely to that caused by the incident.

The somewhat different

Some subtle differences are noticeable when considering losses under a cyber policy. The indemnity period for a traditional BI policy typically starts when a physical loss occurs. However, with cyber BI policies, the start depends heavily on the policy wording; it could be the assessed time of a system compromise, or the time a security incident report is made. This is subject to the expiry of a defined waiting period (i.e., time deductible), usually about 12 hours. While this sounds like a short time, it may prove to be a costly eternity for an online retailer during a major sale such as Singles’ Day.

Cyber BI policies generally have maximum indemnity periods of about three months, which is significantly shorter than the 12 months we commonly see in traditional BI policies. This reflects the shorter nature of many cyber incidents, which can be resolved faster through, for instance, a backup restoration. However, it can be challenging to identify and rectify the point of failure in a complex IT system, despite having the assistance of a dedicated incident response team. 

The very different

Since the underlying assets are intangible in nature, some major differences arise. Here are two worth considering: 

  1. Ransomware attacks

While not new, ransomware attacks have become increasingly prominent and complex, making it more likely that a business may face disruptions. Data may be stolen or access to it blocked (or some combination thereof), with the extortionist threatening to release, destroy, or block access to confidential data unless a payment is made. The average ransom in 2023 was reported to be US$1.54 million, nearly double 2022’s figure.

In certain instances, paying the ransom may seem the cheapest and most effective option. Some policies even indemnify a policyholder for such payments. The final decision on whether to make a payment lies with the business — but, should they pay?

While it may be tempting to give in to the demands in the hopes the data is restored quickly, the evidence does not support this. Approximately one in four that pay never recover their data, and even if some data is recovered, most organisations take more than a week to recover from a ransomware attack. There is also no guarantee of an end or resolution to the attack — a point echoed by the 48-nation Counter Ransomware Initiative that strongly discourages such payments. Payments could also serve as a source of funds for criminal activities and provide further incentive to commit future attacks. 

Businesses must decide whether it’s in their best interest to decline making a ransom payment. Should insurers support the decision not to pay, cover would generally extend to recovery costs and any loss of revenue directly resulting from the attack.

As ransomware attacks may be financially costly and cause significant downtime, it would be sensible to proactively prepare for such an incident. These measures may include:

  • Ensuring backups and redundancies are in place and current
  • Conducting regular IT audits
  • Mandating strong passwords and multi-factor authentication
  • Conducting regular IT training and education
  • Developing incident response plans that can be mobilised quickly if needed 

Such plans are only effective if they involve the efforts of the whole organisation.

  2. Reputational damage

Following a cyber-attack, public perception of the targeted company may be affected — particularly when sensitive customer data is compromised. Customers may question the company’s ability to protect their personal information, leading to a loss of trust and loyalty. Service outages can also cause users to switch to a competitor promoting its reliability.

Many cyber BI policies provide cover for reputational damage, reimbursing insureds for financial losses arising directly from the incident. Cover for reputational repair costs may also be available to hire PR consultants to mitigate the effects of adverse publicity. The difficulty lies in measuring and attributing the loss of current and prospective customers to the incident. Further, since many cyber policies have short maximum indemnity periods, the ongoing reputational damage beyond this period would not be covered by the policy. 

The jury is still out on whether news of cyber incidents has become so commonplace that a business’s reputation is indeed damaged. People tend to view businesses holding a high degree of trust as more susceptible to reputational loss. An online bank, for example, would be more prone to reputational loss than an online retailer. 

As with ransomware, a proactive approach to managing reputational damage may be more effective and efficient than a reactive stance. In addition to the measures listed above, the cornerstone should be clear and effective stakeholder communication — key to rebuilding trust and defending reputations. 

Conclusion

Cyber BI claims share some characteristics with their traditional BI counterparts, but the digital realm raises some unique questions. When a business is faced with a cyber BI loss, it’s critical to engage a trusted partner with expertise in the nuances of cyber BI claims to help them mitigate its wide-ranging impact.
