One of the top issues facing business today is the risk of business interruption resulting from a cyber-related attack. Regardless of the form of attack – ransomware, denial of service, data theft, or other form of malware – any resulting failure of an organization’s network systems can have severe consequences, financial and otherwise. These may include loss of productivity, lack of or impaired access to websites, and, importantly, loss of sales or income.
Given the potential for significant losses, a strategy for calculating and minimizing losses, and maximizing insurance recoveries for damage from a business interruption should be part of every organization’s cyber incident response plan. Because every business is unique, there is no “one size fits all” plan that will neatly apply to all businesses or to all business interruption claims. Nevertheless, certain best practices exist and can be applied and adapted to individual businesses to facilitate an efficient and effective response to a cyber-related business interruption.
1. Know your insurance coverage
The first step to maximizing recovery for business interruption is understanding the coverage provided under the applicable insurance policies. Many stand-alone cyber liability insurance policies provide coverage for lost net profits and mitigation costs, and may also cover continuing expenses, such as employee salaries, resulting from a cyber incident. However, such coverage also carries certain limitations that are common to most cyber policy forms, even though those forms are far from standardized. For example, most business interruption coverage includes a waiting period of a certain number of hours before coverage begins. The length of that waiting period can be critical, as losses attributable to the business interruption may continue to grow until the network system and level of service have been fully restored. Insurers also may limit the “period of interruption,” the period of time for which the policy will pay for losses. Depending on the policy language, coverage may end before operations are fully restored.
It is important to understand these limitations when purchasing cyber insurance and to obtain the insurance that best fits the needs of your business. For this reason, we recommend involving insurance coverage counsel to assist in the insurance placement and renewal process.
2. Plan, plan and plan some more
When faced with a cyber event, successful recovery often depends on good preparation. Companies now recognize that they must be proactive in managing cyber exposures and risk, and that doing so requires a comprehensive crisis management plan for responding to an adverse cyber event. Addressing business interruption and insurance recovery should be included as an important part of that exercise.
The immediate aftermath of a cyber attack is the time to implement the game plan that the organization has already prepared and practiced. A proactive strategy helps reduce the impact of the business interruption and enables an efficient process for seeking recovery for lost income and incident-related mitigation expenses. As part of the planning process, a variety of possible business interruption scenarios should be examined to determine the types of losses that may be incurred and how those losses will be tracked and then calculated.
It is important to include all of the stakeholders in this process, including IT, risk management, legal and finance. Risk managers should therefore work with their IT and finance departments to understand the potential operational costs and financial exposure resulting from the failure or outage of a particular network system. Such advance planning will allow risk management to more accurately evaluate the potential risks and understand the possible levels of recovery. This process will also facilitate the identification and collection of the documentation that may be needed to support the business interruption claim.
3. Identify your team members
As described above, it is important for risk management to communicate with members of both the IT and finance departments with respect to business interruption losses. As part of that process, specific contacts within each department should be identified, and those individuals should understand their role in helping in the preparation of a business interruption claim.
The planning process should also include consideration as to whether the assistance of a forensic accountant will be helpful – if not essential – in preparing the business interruption claim. If so, that accountant should be identified in advance so that they can be retained promptly after the adverse cyber event. Some cyber policies require companies to select a forensic accountant from a pre-selected “panel” or may require the insurer’s written consent prior to retaining a forensic accounting firm. Companies should review all potential applicable policies for any such requirements, and, if necessary, should seek pre-authorization for the company’s preferred accountant.
A similar analysis should occur for technical advisors and vendors. Will it be sufficient to rely on the company’s in-house IT personnel, or should an outside technical consultant be retained who can assist in determining the nature of the attack, its impact on the company’s network systems, and when those systems have been fully restored? Again, some cyber policies may require the use of “panel” companies or prior authorization to retain a particular advisor or vendor.
Internal and external legal counsel are critical to these processes. Consideration should be given to having all technical and financial retentions made by counsel in order to protect confidentiality, especially given the possibility that such cyber events may give rise to third party litigation from customers, business partners and/or investors. Including coverage counsel in the process is also helpful to understanding how to structure and best present the claim to align with policy language and maximize the likelihood and promptness of recovery. Finally, identify who within the organization will be responsible for managing this team and making sure that appropriate attention is being paid towards timely preparation and submission of the business interruption claim.
4. Preparing the claim
Business interruption coverage generally aims to indemnify loss of profit and the cost of mitigating losses. A business interruption claim does not require that the business suffer a complete shutdown; a system slowdown due to an adverse event may be sufficient to support a claim. It is also important to recognize that not all impacts from a cyber-related adverse event may be immediately obvious.
Because cyber incidents may not result in physical damage, it is critical that the claim submission establish the connection between the incident and the resulting losses. Include with the claim submission a technical evaluation that confirms the cause of the adverse incident, identifies the systems impacted and corrective action taken to resolve that impact, and sets forth the timeline for those events. These details will help establish the causal relationship between the adverse event and the claimed losses.
When calculating business interruption loss stemming from a cyber attack, there are different factors to consider depending on the type of organization affected. A demonstration of historic performance typically will be necessary to establish a baseline against which the post-incident performance – and thus, the extent of the loss – can be measured.
5. Engage with the carrier
First, ensure compliance with the notice requirements under the company’s cyber coverage and all other potentially applicable policies. Although notification and consent provisions differ among policies, engaging with the insurer as soon as possible minimizes the risk that some or all of the claim may be denied on the basis that the company failed to satisfy those conditions. It is also beneficial to maintain consistent communications with the insurer. Where an insurer has been made aware of a company’s intent to take certain action, its consent, or failure to raise an objection, to that action minimizes the opportunity for the insurer to use that conduct as a basis for reducing or rejecting the claim.
With respect to the business interruption claim submission, effective presentation of the loss to the insurer is essential. As an initial step, educate the insurer about the nature and operation of your business. Further, a description of the adverse cyber event and resulting loss is important to establish causation and a foundation for the claimed damages. The submission should include specific explanations of the costs incurred and how they relate back to the incident so that the insurer understands why the loss fits within the scope of coverage. A description and timeline of the steps taken to mitigate the loss should be included as well. Finally, all supporting documentation should be provided with the submission. Because it is the policyholder’s burden to establish a right to indemnity, the failure to include adequate support provides an insurer with an easy justification to delay payment.
Careful preparation prior to a cyber event and executing that plan in the face of such an event will put the organization in the best position to get the full benefit of its insurance coverage. Experienced insurance coverage counsel should be engaged to assist your organization in adapting this framework to meet its specific needs.