What is business interruption?
Business interruption (BI) covers loss of income after a disaster impacts a business.
For example, think of a fire at a restaurant. After the fire, the restaurant continues to have expenses such as rent and payroll to stay in business. However, because the fire has impacted its operations, the restaurant would be unable to generate revenue. Without income, the restaurant may be unable to cover its expenses. Business interruption insurance would cover the loss of income, making it possible for the restaurant to continue to cover expenses until the restaurant reopens.
Business interruption is not included in all cyber policies
The purpose of business interruption insurance is to soften the blow of the losses incurred when a business cannot operate due to a covered loss. Traditionally, BI insurance coverage only kicks in if there is physical damage, such as fire or a natural disaster.
BI in a cyber insurance policy
In a cyber insurance policy, business interruption intends to cover the income loss after a privacy or security breach impacts a business. It aims to reimburse the business for the difference between the typical income of the business and the reduced generated income during the shutdown caused by a cyber event.
Not all cyber policies include business interruption insurance.
Despite business interruption being a critical coverage in cyber insurance, the risk of system business interruption is often an afterthought. In conventional property insurance, business interruption coverage is based on a breakdown of the insured’s planned operating expenses and fixed costs. In cyber insurance, insurance companies revert to a predetermined daily compensation rate to simplify the process.
If your policy does provide BI coverage, it is crucial to analyze what constitutes a BI loss and under which circumstances the policy would respond. Here are key aspects to consider:
- Coverage limits
- Insuring clause
- Definitions and exclusions
- Waiting period & Recovery period
- Retention or deductible
- Contingent business interruption
BI: A first-party loss
In a Cyber Insurance policy, first-party coverages provide monetary assistance to soften the impact of cyber-attacks and data breaches experienced by a business. Business Interruption is an example of a first-party loss because it covers the loss the insured suffered from a cyber event.
Here’s an example:
A manufacturing facility utilizes computer systems to receive orders, process designs, and set machinery into production. A hacker executes a Denial of Service Attack (DoS) that shuts down the facility. The manufacturer is entirely down and unable to generate any revenue for 3 weeks while it restores its systems.
Analyze your BI Coverage
Is this a covered loss?
A denial of service attack may be considered a network security breach and a covered event under the Business Interruption insuring clause.
If a denial of service attack is a covered cyber event, the insurance company will reimburse the insured for the income lost and expenses incurred because of the breach, subject to the coverage limit and conditions.
Watch the language
Watch out for the language in the insuring clause or insuring agreement. In the example above, we talked about “denial of service attack,” possibly being a covered event. What else constitutes a covered event? What about events like a “security failure” and “system failure” or “human error”? We’re referring to a failure caused by a system upgrade or an employee who caused the system to crash by pressing the wrong key. Could these events trigger the BI coverage? Every policy is different, so the answer will vary.
Another important consideration of BI coverage is the magnitude of the interruption. Some policies require that the business be completely shut down before coverage will kick in. Other policies respond to a partial interruption or a slow down. Read the definition of Business interruption, loss, and any applicable exclusions to understand the extent of the coverage.
Waiting period refers to the time that has to elapse before coverage begins. In the example above, the BI coverage would apply for the 3 weeks minus the waiting period.
Waiting periods in BI insurance range from a few hours to 24 or even 48 hours. You’ll find the specifics in the policy declarations. The waiting period starts when the cyber event impacts operations (i.e., the beginning of the business interruption), and coverage applies to the loss incurred after the waiting period.
The application of a dollar retention amount, in addition to the restoration period, is not standardized. Some policies use the waiting period as a stand-in for retention and do not require an additional dollar retention. Other policies may apply a waiting period and a policy deductible or retention.
‘Restoration Period’ is the time period for which the policy covers income loss.
In the example above, the manufacturer was down for 3 weeks. Now, imagine if the business’s reputation took a hit and this severely impacted sales for over a year. Some policies go as far as covering reputational damage. Regardless, the restoration period would cap any settlement. The restoration period may be any number of months, but you will most commonly see 3 months, 6 months or even a year. Typically, the insured can negotiate the length of the restoration period for an additional premium.
Shortcomings of BI coverage
These are some of the concerns clients have with Business Interruption coverage in a Cyber policy:
Limits available may be too low – coverage would be exhausted before the insured’s operations are restored.
Business Interruption may be too narrowly defined – it’s essential to look at what the policy requires in order to trigger BI coverage. Does the coverage require a complete shutdown of business operations, or is reputational damage enough?
Coverage triggers may be limited – the type of cyber events covered by a policy may be limited to attacks with malicious intent. Malicious intent isn’t always the root of business interruptions. Sometimes it’s the popularity of a business or a website that makes it susceptible to a slow down or complete shutdown. System updates or upgrades, system failure, or even human error may cause systems to shut down.
Contingent business interruption
Contingent Business Interruption (sometimes called Dependent Business Interruption) covers the insured’s loss of income due to an interruption in the service of a third-party service provider caused directly by the failure of that provider’s network.
Example: A loss in sales caused by the credit card processing company’s network being hacked.
Here’s a second example: Think of an online retailer whose website is hosted by an outsourced web hosting provider. Due to the provider’s outage, the retailed wasn’t able to make any sales for an entire day. In this example, the retailer may be eligible for a claim under her cyber policy’s Contingent Business Interruption coverage.
As with BI, cyber insurance policies do not always include Contingent Business Interruption (CBI). If coverage is there, be sure to understand which dependent or contingent businesses would apply. Also note that some policies restrict this coverage to technology service providers while other policies may include a broader range of service providers.
If you are a broker, be sure to understand the ins/outs of Business interruption. This coverage is way too valuable to be an afterthought! We know that Cyber insurance is fast evolving, and BI is a significant component of this evolution.
Want to learn more about Cyber Liability Insurance?
Sign up to view our free Cyber 101 mini course.