Cyber Business Interruption vs. Dependent Business Interruption
Most companies would be damaged by a network interruption event, some would result in severe damages. What we want to highlight is what scenarios may cause these type of events and what coverage need to be in place to provide adequate protection. Often we see firms that have this exposure and they do not elect to carry cyber business interruption coverage or any dependent business interruption coverage.
Many older cyber insurance policies covered you for a cyber business interruption event. What this meant was that after a waiting period of 6-12 hours you would have coverage for an hourly loss amount which was generally equivalent to the profits you would have lost over that time period. In addition to this, the event needed to result in a degradation of “YOUR” website, intranet, networks computer systems, programs, etc. as a “Direct Result of” a 3rd Party that malcicously blocks access to your website, intranet, networks, computer systems, etc. or as a result of a rogue employee that causes the same.
What these policies do not cover are cyber business interruption events caused by an error or an event that occurs at a 3rd party but affects the insured. The clear example is a cloud provider or any 3rd party software provider the offers their services via a hosted environment – which is a lot these days. So if you are a travel agent and use a 3rd party booking system that goes down due to a problem at the 3rd party, you would not be able to take reservations and you would be suffering from a business interruption event, but would have no coverage under your cyber policy.
Currently a broad cyber business interruption policy will cover you for any system outage, regardless of the cause, that results in lost profits as well as reimbursement for other incurred costs. Many policies today that are ahead of the curve still dramatically sub-limit the dependent business interruption coverage from a few hundred thousand dollars to $1M unless you are a very large account. This is understandable as underwriters have no way of knowing what the exposure looks like at the 3rd parties you might outsource to.
If Cyber Business Interruption is a concern for your client and if they outsource a lot of these services, this will be critical to address in the cyber policy, and more difficult to get placed.