When we think of cyber attacks, stories come to mind like the Russian hackers who broke into Nasdaq’s computer networks, or hackers from the same country who reportedly captured more than a billion email and password records. News like that is certainly front page – and it seems to be ever increasing.
But there’s another side to cyber threats and security that is reported on less frequently, and that is what could happen if a business is unable to operate due to a cyber breach or malfunction.
This threat is being thoroughly analyzed at the national level, as the U.S. government is increasingly concerned about what might happen if a “critical infrastructure” entity experiences an interruption due to a cyber failure; think financial systems or utility/energy providers, and the resulting losses (not to mention chaos and panic) that could occur if they went “dark.”
This is what we call network or business interruption in the cyber insurance world, and yes, insurance can cover it. In this post, we’ll go over the basics of business interruption due to cyber failure, and what businesses can do to prepare.
Your Business is Likely at Risk
The “Internet of Things” continues to creep into our daily lives. More and more, devices are connected to the Internet, giving users the ability to access and control those devices remotely.
For consumers, this translates to the ability to adjust heating or cooling systems remotely, detect a water leak in your home while on vacation or set your DVR to record “Game of Thrones” when you get pulled into a last-minute client dinner.
Businesses are also benefitting from this trend. Old-line companies in manufacturing, transportation and other sectors have increasingly added network connectivity to their operations. Service providers have moved all sales and CRM functions online. And obviously, many consumer-facing companies rely on a Web interface for direct sales, advertising revenue and more.
The downside is that any business operation on a network is vulnerable to cyber attacks or failure. And this can be devastating when those operations are critical to your business. Put another way, there are very few businesses in the modern world that would not be severely crippled if their network were unavailable.
As an example, take Sabre, the online reservation system used by major airlines worldwide. Sabre has gone down from time to time, causing significant delays in air travel. Another example is the IT glitch that left customers of The Royal Bank of Scotland (RBS) without access to their accounts for more than a week.
Or, it could be something as simple as a website going down, like Amazon.com. When this happened in 2013, Amazon theoretically lost more than $66,000 per minute.
Those are all examples of a technology failure preventing a business from operating in its normal manner.
So, What’s Covered Under Cyber Insurance?
Insurance works in many business interruption scenarios. But, the reason why a network goes down is important to the insurance discussion. If a network goes down because there’s a fire, for example, rendering the servers inoperable, that’s a property insurance matter. If it is purely a network issue, then a good cyber insurance program might respond.
So we need to look at the reason for the technology failure to understand what coverage might apply.
Security Failure Business Interruption
The most “insurable” aspect under a cyber policy right now – meaning most policies can provide an option for coverage – is a network security failure leading to business interruption.
Examples include a Distributed Denial of Service or “DDoS” attack (your website being overloaded with requests organized by a malicious party) or a hacker accessing your network and deleting critical files, or adding malicious code that causes the system to fail.
Importantly, these would be failures on your own networks and systems – unlike coverage for privacy breaches, cyber business interruption coverage does not automatically extend to the cloud or outside vendors.
System Failure Business Interruption
Some insurance policies will go beyond a security failure and cover a system failure. A typical system failure definition would be an “unintentional or unplanned outage” on your network.
The failure could be due to human error, system error or both. An example would be a company upgrading their accounting system and unexpectedly causing the entire network to freeze in the process. Very few insurers offer this coverage extension now, but the market is starting to expand.
Third-Party Failures: Contingent Business Interruption
Many businesses rely on systems and networks outside their own to operate. When these systems fail, where does the responsibility lie?
As I discussed in this previous post about cyber liability and the cloud, outside vendors often contractually limit their liability for outages. The further challenge is that very few insurers are willing to cover cyber business interruption when it is caused by the failure of a cloud network (aka Contingent Business Interruption or CBI).
There are some cyber policies that will offer this coverage, however, so if a cloud failure would be catastrophic to your operations, be sure to ask about those options.
The Waiting Game: Time Delays for Coverage
Whether we are talking about security failures or system failures triggering insurance coverage, we are always talking about major outages. Businesses will typically need to wait at least six hours and often up to 12 hours before an outage is considered a business interruption “event” under a cyber policy.
Insurers want to make sure they are not covering short outages that might happen frequently.
Larger companies will typically have longer waiting periods consistent with the higher dollar deductibles they carry on other insurance policies. That’s because they can afford more loss before they need the insurance to kick in.
Obtaining Business Interruption Coverage: Be Prepared
Not everyone will be offered business interruption coverage under a cyber policy just because they have systems that are vulnerable or could fail. A business will need to apply for coverage by demonstrating to the insurer that it has a business continuity plan in place that will kick in if and when a system fails, reducing the likelihood that a short outage becomes a major problem.
So while not always easy to obtain, as coverage expands to meet the changing face of exposure and the “Internet of Things,” cyber business interruption will be an increasingly valuable tool in your cyber risk management program.