As ransomware and other cyber attacks increasingly hobble victim company’s ability to operate in the wake of an attack, more cyber insurance policies are including business interruption coverage.
When these policies first hit the market, they were mostly focused on covering the costs of notifying individuals whose personal data or credit card information may have been exposed, to any regulatory penalties and other compliance costs.
But many companies, when hacked, suffer far more damage to their operations, including websites or important systems being rendered unusable.
The larger danger to companies seems to be system failures resulting from a variety of novel attacks, including;
- Denial of service
- Brute force (an attack aimed at obtaining passwords)
- Malware or malicious code
- Ransomware
- Backdoor attacks
- Social engineering.
Business interruption policies have traditionally covered loss of income caused by disruptions in supply chains and events like a fire or natural catastrophe that render a business unable to operate.
But, property policies or traditional business interruption policies do not cover income loss from a cyber attack since these policies are only triggered after a direct physical loss or damage.
Meanwhile, for cyber business interruption coverage to be triggered, there must usually be a direct link between a cyber attack and the interruption of business or a loss of sales. For example:
- Criminals lock a company’s computer systems and demand that the company pay a ransom to restore its data. The company may lose income when it can’t use its systems and even when it is trying to recover after paying a ransom.
- A denial-of-service attack renders a website inaccessible to customers and users.
Typical business interruption provisions in cyber policies
- The policy will include a maximum payout for business interruption claims. The cap may apply to each individual event or it may be an annual limit.
- Policies may include a separate deductible for business interruption claims.
- Policies may include a specific waiting period of hours or days before it kicks in to pay a claim. If the event causes losses or a disruption that lasts less than the waiting period, the claim would likely not be paid.
- Policies usually will only pay for business interruption during the period that the company is restoring its systems and getting things running again.
- Coverage usually includes exceptions, like not covering third party liability, fines and penalties and the costs of restoring a network.
- Most policies include exclusions, like loss of market share or damage to computer systems caused by fire or other physical events that were not related to a cyber attack.
For more information, please call us. We are happy to answer any questions you may have.