Looking to the future of cyber insurance
In our introduction to cyber insurance, we suggested that a simple way to think of cyber insurance was to consider it data breach insurance. We believe that’s a good place to start, especially when looking back at how cyber insurance developed and gained footing as a line of insurance. While that may be a good place to start, but it may not be a perfect description of the future of cyber insurance.
Cyber insurance is rapidly evolving into more of a first party line of business with a heavy emphasis on business interruption coverage. This is particularly true for insurance buyers in manufacturing, wholesale and business services segments. Entities in these business segments often have a minimal exposure to a data breach involving a loss of consumer or employee information, but they do increasingly rely on the availability of computer systems to maintain continuity of business operations.
A deeper look at business interruption coverage
Traditional property insurance provides coverage for loss of incomes and extra business expenses arising from direct physical damage to tangible property. Boiler & machinery coverage will provide similar coverage for a loss arising from mechanical breakdown of machinery or equipment but, generally excludes a breakdown of computer or computer network. Increasingly, cyber insurance is covering the gap between these two other types of insurance to provide coverage for a loss of income and extra business expenses that result from a loss of the computer system or computer network.
The oldest and most basic business interruption coverage in cyber insurance policies was triggered by some type of failure of computer security. Such a failure of computer security might include, a systems outage caused by:
Systems failure
More recently, however, this coverage under cyber insurance coverage has expanded to include a “systems failure.” Systems failure coverage is triggered generally by an unplanned outage of the computer system or network. This might result from a problem in computer software code, system configuration errors or a breakdown of computer hardware. Quite often, a combination of these factors causes an unplanned outage of computer systems.
Waiting periods
Cyber business interruption coverage is often subject to the expiration of a waiting period before coverage is triggered. That is to say, the outage must exceed the waiting period before coverage will apply to a resulting loss of income or extra expense. The waiting period may act like a deductible, meaning that all loss during the waiting period is excluded, or more commonly as a threshold; that is, if the outage exceeds the waiting period, the insurer will pay all otherwise covered loss in excess of the policy deductible or retention expressed as a dollar amount. Waiting periods of 10 to 12 hours are common; occasionally shorter waiting periods may be available.
Dependent business interruption and contingent business interruption
Cyber business interruption coverage may also be extended to cover a loss due to dependent or contingent business interruption.
Please note that not all policy forms use these terms in the same consistent manner. In very general terms, dependent business interruption coverage (dependent BI) provides insurance for an insured’s loss of income and extra business expenses resulting from a covered loss to a supplier or another business that an insured depends upon to maintain normal business operations.
Some cyber insurance policy forms may limit what is considered to be a dependent business to providers of information technology or computer services. Other policy forms will extend coverage to any third party entity that provides necessary products or services to the insured.
On the other hand, contingent business interruption (contingent BI), generally speaking, extends coverage to a loss of income or extra business expenses incurred due to an otherwise covered loss to a customer of the insured. Coverage for dependent and contingent business interruption is often, but not always, subject to a policy sublimit