Understanding risk managers' biggest headache


Business interruption (BI) is a major concern for all commercial entities. According to the Allianz Risk Barometer 2018, which collects insight from more than 1,900 risk management experts in 80 countries, BI is considered the most important corporate peril around the world – a title the exposure has held for the past six years.

It’s hardly surprising that corporate risk managers get headaches over BI. The risk is evolving rapidly, and commercial entities are facing an increasing number of BI scenarios, ranging from traditional fire, extreme weather and supply chain disruption, to new intangible triggers like network systems failure and cyberattacks.

The crossroad where BI and cyber converge is clouded with ambiguity. Lots of corporate risk managers are unsure how BI coverage responds in a cyber context, and many rely on their commercial property policies to cover a BI loss. However, property and cyber insurance policies respond to BI events in different ways and both coverages exist to meet specific needs.

“Physical damage BI is easy to prove. Your service goes down as a result of a fire, and that’s a relatively straightforward claim. Non-physical harm is much harder to evaluate. Property policies usually provide all risk BI cover, whereas cyber policies generally require a specific trigger. That trigger might be a system failure, network disruption, involuntary shut down, contingent BI and so on. The issue is that each of those definitions can differ from insurer to insurer. There can be all sorts of nuances with respect to different insurers’ analysis of when a non-physical damage trigger has been met, whereas physical damage BI is a lot more straightforward to cover,” said Charlotte Worlock, senior associate at global law firm Clyde & Co.

Cyber BI has become a much louder topic of discussion due to digitization in the global commercial landscape. There’s a huge reliance today, especially among SMEs, on outsource providers, and more and more companies are choosing to hold their critical business systems in external online cloud networks. If a business’s critical systems are held on an external platform, and, through no fault of its own, that platform fails due to a cyber event, there’s a very real need for insurance coverage. As David Umbers, co-founder and CEO of Ascent Underwriting, pointed out: “As an insured, you’re not totally self-contained anymore.”

The past few years have seen a shift in the underwriting of cyber BI, with more underwriters looking at the unique exposures of a company as opposed to underwriting to the controls a company has in place, according to Lindsey Nelson, international cyber team leader at CFC Underwriting Ltd. She said: “We’ve seen a positive shift towards underwriting [this peril] on a case-by-case basis, and equally with educating clients about that and letting them know what their exposures are. They’re starting to realize the value of expanding their cyber coverage beyond just that cyber event trigger.

“Whereas a couple of years ago, a cyber event trigger was essentially any electronic attacks or cyber event as defined in the policy leading to a system outage and therefore a loss of profits […] now most insureds are requesting coverage for full systems failure and all non-physical perils [including slippery finger syndrome – human error] leading to a systems outage and therefore loss of profits. The amount of SME clients in particular asking for full systems failure coverage is really what I think is going to drive the cyber market and broaden it out further.”

Despite growing interest in cyber insurance policies, there’s still a lot of confusion among insureds about the differences between cyber BI policy wording and property BI policy wording. One difference is the indemnity period. A standard property policy typically has a minimum indemnity period of 12 months (sometimes it’s 24 or 36 months), whereas a cyber policy might have a three- to six-month indemnity period.

Nelson explained the issue: “A large US hospital suffered a malware attack on their systems, which rendered all of them inoperable and meant they had to revert to manual work. As a result, they had to go on red alert and they had to end up telling patients there will be much longer than the anticipated wait times, which inevitably pushed patients away. Not only were they faced with the assistant damage costs that came with the BI, but their indemnity period for all that lost patient revenue lasted several months. Had they only had a three-month indemnity period [on a cyber policy], they wouldn’t have been paid out even half of what ultimately would have been paid out with a 12-month indemnity period [on a property policy].”

Another key differentiation between property and cyber coverage is the waiting period, according to Worlock. A lot of BI claims Worlock has seen are generally resolved within 72 hours, which would fall nicely under the waiting period of property BI coverage. However, a waiting period for a cyber BI claim is generally much shorter – around 8-12 hours – and fast reaction can be critical, particularly for SMEs where a BI loss can be catastrophic. If a small business’s systems go down for three whole days and they’re not able to make any income during that period or get any coverage under their insurance policy during that period, that can be business-destroying, Worlock explained.

“I think it’s difficult to make a comparison in some ways with what the property market is offering versus the cyber market,” Nelson added. “There are different profiles of loss between a burning building and systems going down, and more importantly they happen with different frequencies. The chances of you having a cyber event and a systems outage is going to happen a lot more frequently than your building burning down. There’s a lot of distinction between indemnity periods and waiting period, but both are appropriate to what the loss is and should really be adjusted to reflect what the actual insured is doing to help mitigate that loss from a control perspective.

“I think there’s also a bigger question as to any overlap between a cyber and property policy. This gets brought up frequently in terms of property damage being covered under a cyber policy. Property policies are now stepping up and removing electronic attack exclusions to help bring in that coverage, but I think it goes back to making sure that the tangible and intangible are kept separate from one another but growing parallel to each other. When it comes to claims adjusting after a cyber event has happened resulting in property damage, I think the last thing you want is a privacy lawyer or a breach coach going in to talk about GDPR when the building is burned.”