Who Knows Where the Time Goes?

January 28, 2019

Business Interruption Recoveries in Cyber

By: Chris Keegan and Britt Eilhardt

It is not enough to know that your business’s cyber insurance policy has business interruption coverage. Cyber policies that cover business interruption can vary widely, and otherwise unremarkable terms may make an enormous difference in recovery for a loss, including the following factors:

  • Length of time for recovery (ranging from a matter of days to a full year)
  • How the policy identifies a “business interruption” (e.g., only while the computer system is down or, alternatively, while the business is down)

These policy terms are vital to distinguish. At their most comprehensive, policies can cover the income from lost contracts in addition to lost cash flow. The main structures we currently see under cyber policies are as follows:

Computer System Downtime Only 

The simplest way of measuring income loss under a cyber policy is from the time the network or computer system is degraded or “down” to the time that it becomes fully operational again. Loss covered under this type of business interruption must be the “direct” result of the systems being down, with no intervening causes. Most cyber policies that measure income loss on that basis contain a time limit that restricts that period, from a low of 30 days up to a high of a full year.

Computer System Down, Plus Extended Period or Customer Attrition 

This way of measuring income loss starts with the simple measurement of time from the first point of downtime until the computer system is fully operational but adds an additional period of time for income loss that may be attributable to the original event after the computer system or network has been brought back to its original state.  The income loss during this extended period has to be shown to be caused by the original cyber event, but unlike the above, need not be a “direct” result of it. The “downtime” period can range from 30 days to a year, and the additional period can add 120 days or more (potentially extending the full period where income can be recovered beyond a year).

Business Down

A significant number of policies now provide for income loss from the time that the “business” is down as a result of an insured event until the “business” is recovered to where it was prior to the event taking place. This can allow for some greater flexibility in adjusting a business interruption loss and means looking at the recovery from the event based upon the business revenue on a day-to-day basis rather than solely considering downtime of the computer system. Some underwriters will allow coverage for an event that takes place within any hourly waiting period retention where the system recovers inside the waiting period but the business impact extends beyond it. The time that the business is down can be measured from 30 days to as much as a year.

Financial Loss 

A small number of policies provide cover for “financial loss” resulting from a triggering event. The recovery under this type of policy is similar to the recovery under the policies for business downtime. Similarly, the downtime event could occur within the waiting period with the impact going beyond.

Reputational Loss 

Reputational loss coverage can differ considerably from one policy form to another, which makes it all the more important to distinguish. Some policies provide coverage for reputational loss as an extension of business interruption in that the insured is covered for income loss as a result of damage to the insured’s reputation due to a cyber event. Other policies limit this type of coverage to costs for managing an insured’s reputation post-breach (public relations-type expenses, for example). The former, broader reputational loss coverage can be more flexible and will cover indirect business interruption losses as a result of a cyber event, such as loss of a business contract or other consequential losses that relate to an insured’s damaged reputation. This coverage is typically subject to sub-limits but coverage is developing in this space.

The “business down” and “financial loss” approaches provide a broader opportunity for recovering a greater amount of income. Individual policies will differ depending upon the length of time that income is allowed to be measured and recovered. That important factor has to be taken into account in every case. It is unusual for entire networks to be down for long periods of time but not so unusual for degraded networks to impact income over a significant period of time.

Last year’s NotPetya attacks show that degradation to networks can last six months or more. As the possibility of more of these types of attacks becomes greater, insureds should pay attention to these policy terms when income is highly dependent on fully functioning systems. Your cyber insurance professional can guide you through the complexities of this new and evolving coverage to align it with the needs of your business.


Britt Eilhardt is a Senior Vice President, Cyber Claims Specialist in Beecher Carlson’s Executive Liability Practice in New York. She is dedicated to working with clients in navigating cyber claims from breach to resolution, swiftly connecting clients with vendors in the event of a breach, reviewing and drafting cyber policy forms and market enhancements, and strategizing with clients on coverage concerns.  Britt is an attorney who previously litigated insurance coverage matters in state and federal courts. She is a member of the New York and New Jersey State Bars. She can be contacted at beilhardt@beechercarlson.com.

This article is intended for informational purposes only. It is not a guarantee of coverage and should not be used as a substitute for an individualized assessment of one’s need for insurance or alternative risk services, nor should it be relied upon as legal advice, which should only be rendered by a competent attorney familiar with the facts and circumstances of a particular matter. Copyright Beecher Carlson Insurance Services, LLC. All Rights Reserved.