Insurance and indemnity: what policyholders need to know about cyber losses

December 6, 2023


In the insurance space, the concept of an indemnity period specifies the time frame for which the policyholder (insured) can claim compensation for financial losses resulting from an insured event. It serves as a boundary for the coverage provided by the insurance, limiting it for business interruption (BI) losses to the lesser of when the impact to the business ceases, or the maximum time period stipulated by the policy.

Yet surprisingly, this important aspect of a policy is often overlooked when it comes to renewal time. Let’s explore the reason for that, and what policyholders can do to get ahead. 

How is an indemnity period set?

Firstly, let’s consider how indemnity periods are set in a standard Industrial Special Risks (ISR) program. Being a property policy, physical reinstatement is often at the forefront when considering policy terms and how a claim may operate in practice. This can sometimes be counterintuitive, as the indemnity period should be set to ensure that most of the conceivable financial impacts to the business caused by insured damage would occur within the maximum indemnity period (MIP) placed in the policy.

A typical ISR would set a maximum indemnity period of at least 12 months. This period is usually set based on the required time needed to reinstate a hypothetical total loss, considering the likely repair period for the property insured. However, it is often overlooked that business interruption claims do not necessarily cease upon reinstatement of the damage. 

There are several reasons why a business interruption claim could extend beyond the date insured damage has been rectified: lost market share, timing issues related to recognition of revenue and use of existing stockpiles, and an extended ramp-up back to normal operational levels, to name a few. Short of a total loss, in most instances the maximum indemnity period should be sufficient to cover losses extending beyond the completion of physical repairs. However, for longer and more complex repairs, losses beyond the end of the indemnity period can become an issue in a claim.

Cyber policy and how it differs from an ISR

The picture becomes more complex, and the indemnity period exponentially more important, if we apply the above concepts to a cyber policy. The business interruption impact of a cyber breach can be far more difficult to anticipate prior to it happening. There are no physical reinstatement timelines for buildings or other property to use as a base for setting an indemnity period. The damage a breach can cause may also be far-reaching and challenging to predict in a pre-loss environment given the potential range and scope of impacts to the business, particularly given the more limited history of cyber breaches compared to traditional property damage and repairs. Further, consider that a typical cyber breach is short, sharp, and usually over within a matter of days or weeks. The effects of the breach, though, can often last far longer.

If we transplant the above school of thought from setting ISR policies, it is reasonable to assume that the indemnity period for a cyber policy will usually be set based on the cyber breach itself, rather than the ongoing impact to the business. A website or server with a major impact can often be back online through backups or recreation within a matter of hours, days, or at most weeks. An indemnity period in a cyber policy will often reflect that and is typically set at around 90 days. Given the complexities that can arise within a business interruption claim, is this enough to adequately capture exposure for both the insured and insurers?

Impact on a claim

Let’s now consider a scenario where a business experiences a cyber breach that leads to a significant disruption in its operations.

If the business successfully recovers and resumes normal operations within the indemnity period, any indemnified losses incurred during that period (whether that be loss of profit, or additional costs incurred) are typically covered by the policy.

However, if the recovery process takes longer than anticipated, or more commonly, the actual financial impact to the business does not crystallise until after the indemnity period expires, the coverage provided by the insurance policy no longer applies. There are a number of ways this could materialise in a claim. For example, an insured could lose long-term contracts as a result of not being able to undertake their normal business, or they may bill quarterly/at project completion and although work is lost, there is no financial impact to the business within the indemnity period. Cyber losses are also heavily publicised and the opportunity for ongoing reputational damage is a significant concern.

Limitations to coverage

Once an indemnity period ends, the insurance policy generally does not cover any additional losses incurred beyond that period. This means that any losses experienced after expiry of the indemnity period would not be compensated by the insurer, even if they resulted directly from the original event.

Importantly, and less often considered, the inverse is also true, and it leaves insurers exposed. If an insured suffers a loss throughout the indemnity period, but then fully recovers this loss after the end of the indemnity period, insurers are bound to reimburse the insured for the losses sustained, even though a partial or full recovery that would normally offset the losses claimed may have been made.

This is especially pertinent when it comes to cyber losses for two main reasons. Firstly, as discussed earlier, cyber policies typically list shorter indemnity periods. Secondly, it can sometimes be hard to understand the full impact of a breach until well after recovery. Therefore, whilst the insured’s network infrastructure may be fully recovered, operational impacts may still not be apparent.

Summary

In summary, if the indemnity period is too short and the insured’s impact extends beyond that period, the business could face un-indemnified financial losses for the period after the coverage ends. Conversely, insurers need to be aware that whilst a short indemnity period may seem beneficial for the purposes of indemnifying a loss, it may work in an insured’s favour if any recovery is made after the indemnity period has ended.

The correct setting of an indemnity period upon policy inception or renewal can make a material difference to the practical implication in a claim. It is important that experts familiar with business interruption losses particular to the policy in question are consulted in order to ensure that the appropriate considerations are made. Hopefully, this results in a smooth and appropriate claims experience for all parties.
