Being forced to suspend trading because of a cyber interruption can cause bigger losses than the event itself. This article identifies key business vulnerabilities and offers risk management solutions.
When a company’s network goes down or is significantly impaired for a sustained period, it can incur significant costs to get the network back up and running at substantially the same level as before the incident. It can also suffer significant impairment to its business income, both during the outage and for some time afterward.
Cyber-initiated business interruptions can be caused by malicious or non-malicious events. Examples of malicious causes are ransomware, DDoS (distributed denial of service) attacks and cryptojacking. Most of the media’s recent ransomware focus has been on the escalating amounts of ransom demanded and paid, and on the cost of data recovery when the victim’s network is not properly decrypted, but the affected company can also suffer a substantial loss of business income (as well as significant extra expenses) before even a successfully decrypted network is fully restored.
Non-malicious cyber business interruptions can occur during system upgrades or network patches, or result from software coding errors or incompatibilities. A software coding glitch crashed the network of a prominent company in the travel industry in 2017 and was reported, according to news network CNN Money, to have caused a loss of more than $100M.
Malicious and non-malicious cyber business interruptions
There are various ways in which a company’s income and operations can be affected by a cyber business interruption, either malicious or non-malicious in nature. The principal ones include
- its own network is impaired
- the network of one of its outsourced IT providers (e.g. cloud providers of IT services) is impaired
- the network of its critical supply-chain providers is impaired
- the network of some other critical third-party provider (e.g. electricity, gas, internet services) is impaired.
Cyber insurance can provide coverage for the first three causes listed above; coverage for the fourth is very difficult to obtain. Insurers normally ask companies to identify their key outsourced providers during the underwriting process, and they sometimes limit the coverage they will provide for outages, especially non-malicious outages, at the insured’s outsourced providers.
Insurers also generally require a ‘waiting period’ (the minimum length of time the business interruption must last before the loss becomes payable) and a ‘restoration/indemnity period’ (the time boundaries within which the loss is measured). Not all insurers define these terms the same way, and the differences can significantly affect coverage.
Cyber business interruption insurance risk exposures
The extent of a company’s exposure to cyber business interruption and loss will depend on many factors specific to its operations and practices.
The main factors that determine how badly a cyber incident interrupts a company’s business are the maturity of its cyber risk management practices and its ability to respond to an interruption, including its incident response, business continuity and disaster recovery plans.
Other factors that affect the impact of a cyber incident on the business are
- the nature of its business model (e.g. will income be permanently lost, or primarily delayed until the network is restored)
- the rapid and smooth coordination among its internal first responders, its outside breach response providers, and its cyber insurers
- the recency and availability of network backups, and whether the backup and restore process works as well when it is actually needed as it did on paper
- for interruptions at the company’s outsourced IT providers or critical supply-chain providers, whether adequate alternative sources of IT services or critical supplies are readily available; providers that suffer their own cyber business interruption may be unable to meet their obligations to supply the company with services or products
- contractual indemnification rights and protections, as well as other legal remedies, it may have against third parties responsible for causing the interruption (e.g. for transmitting ransomware or other malware to the company’s network)
- the degree to which the company’s business income is susceptible to impairment from lost customers or bad publicity.
The foregoing is a brief and necessarily incomplete general description of cyber business interruption and of the availability and extent of cyber insurance to address the full range of potential losses.
Talk to a Gallagher cyber specialist today, and learn more about how your business may be affected by a cyber business interruption, cyber insurance coverage options and available risk management solutions.
Gallagher cyber experts
John Doernberg, National Director, Cyber Practice, Gallagher US
Robyn Adcock, Gallagher Cyber/Technology Practice Leader, Gallagher Australia