Disruptions to business have always been devastating — a fact insurers have understood from the beginning. While business interruption insurance became an essential component of commercial property coverage long ago, it’s continued to evolve with the times.

Today, more and more businesses are seeking protection from technology-related disruptions — including AEC industry firms. Most cyber policies available to firms now offer some form of cyber business interruption insurance, but this complex business coverage can be confusing.

Here’s what to know, including how cyber business interruption insurance works, coverage limit considerations, key policy terms, claims reporting and the common questions and document requests to expect from an insurer after you have a claim.

Business Interruption Coverage in a Cyber Policy

In a technological age where businesses run on computing, cyber threats are recognized for the serious risk they pose and insurance products exist to address them. Today’s business interruption coverage has been adapted to cyber risks and is now an essential component of a cyber insurance policy.

Cyber policies typically include a collection of key coverages for:

  • Third-party liability for claims brought by others
  • Forensic investigation and data recovery expense
  • Breach notification costs for clients and customers
  • Cyber extortion losses and ransom reimbursements
  • Cyber business interruption for costs and other losses

Available in almost every cyber policy, this cyber business interruption coverage is designed to return the insured business to the position it would have been in if the interrupting event hadn’t occurred, subject to certain limitations and exclusions.

For many businesses, business interruption coverage is the most important yet least understood component of a cyber insurance program.

What Is a Cyber Business Interruption?

A business interruption is an event that prevents a business from being able to operate normally for a period of time. It can be a complete work stoppage or a reduction in typical capacity, and may last days, weeks or months.

During this time of reduced or halted business operations, income and revenue can drop, potentially to zero, while day-to-day expenses continue to add up and may even increase as many firms bring in outside experts to assist with assessing and recovering from the event.

Fires, floods, windstorms and other natural disasters, along with thefts and vandalism, are all examples of events that may cause a business interruption, but cyber events can cause one as well. Data breaches and ransomware attacks are the most common in-house cyber business interruption events, but third-party technology outages can also cause an interruption.

Like non-cyber interruptions, these events cause full or partial work stoppages, revenue drops and potentially increased expenses over the days, weeks or months it takes a business to recover, and an appropriate response is often complex. The cyber business interruption coverage in a cyber policy is intended to protect against these risks and help firms recover the costs that are incurred.

How Much Coverage Is Needed?

In cyber insurance forms, there are two ways a business interruption loss may be calculated:

  • Gross Profit Method: The most common method takes the sum of the net profits lost due to a computer system outage or disruption along with the expenses that must continue during the interruption.
  • Gross Earnings Method: An alternate method calculates the loss by determining the business’s lost earnings during the disruption and subtracting the variable costs saved when the business was not operating.

In either method, the goal is to cover the business for the actual loss sustained. For example:

  • A partial disruption claim would offset continuing expenses against actual revenues earned during the loss period.
  • An extended outage of vital computer systems is likely to lead to significant income losses and added expenses.

Therefore, businesses need to quantify their potential losses from different types of cyber events to determine the proper amount of cyber business interruption coverage required.

What Terms to Pay Attention to in a Policy?

Cyber business interruption insurance is often complex. Conditions of coverage can vary between policy forms, while policy language often differs between carriers. Beyond the standard limits of liability purchased and self-insured retentions, these components are important to note when evaluating coverage options:

  • Triggering Events – Some policies will cover non-malicious “system failures” as well as malicious “security events,” while others will only cover intentional attacks. Some forms also carve out specifics or limit coverage for non-malicious outages.
  • Dependent Business Interruption (DBI) – DBI, contingent business interruption and outsource provider coverages are intended to cover computer outages of other organizations that disrupt the policyholder’s business. Coverage scopes can vary: some cover nontechnical product and service providers, while others limit it to IT services. Limits, retentions and waiting periods for differing types of events are also possible.
  • Waiting Period – The amount of time a disruption must last before business interruption coverage is triggered is known as the waiting period. Policy waiting periods of eight to 48 hours are common, but can vary depending on the type of event or affected system. Policy forms can also vary in how they treat the waiting period in terms of a monetary deductible.
  • Expense Coverage – Coverage for expenses outside of the business income calculation that are the result of the business interruption can vary. Costs to reduce the business income loss are generally covered, but other categories of expenses may also have coverage, such as fees and expenses for a forensic accountant to prove a business interruption loss has occurred.
  • Period of Indemnification (POI) – The POI is the period of time during which income loss is recoverable under the policy, and it can be defined in various ways. It may be limited to the time a computer system was not functional, defined as the time operations were interrupted or measured by a set number of days. An extended period of indemnification (EPOI) is also possible, which includes a set number of days after a system is restored or normal operations resume.
  • Exclusions – Like all policies, cyber business interruption policies contain exclusions that should be carefully noted. Commonly, cyber coverage is not available for an event that involves physical property damage or is caused by a natural peril. Standard business interruption coverage may be available in these cases. Cyber policies also typically have exclusions for events caused by infrastructure failures (such as water, power or internet utilities) and by government actions. Some expenses, such as costs to defend against lawsuits, may be excluded from cyber business interruption but might be coverable under a different part of the same cyber policy or another insurance policy the business obtained.

What to Do When a Cyber Event Happens?

Quick action is important once it becomes clear a cyber event has occurred that has the potential for an operational or financial impact. If a cyber event requires an organizational response, make sure to take the right actions in the right order:

  • Incident Response – Activate any incident response plan that exists. Allow the incident response team to get to work, analyzing events, escalating according to the established criteria and taking action to minimize impacts and fully restore operations.
  • Insurance – Contact your broker and insurer to discuss the rights and requirements under your policy. Note that most cyber policies require insurer consent before outside vendors can be retained to assist in forensic analysis and recovery efforts.
  • Legal Counsel – Retain legal counsel, with carrier consent, to ensure legal obligations are met and your organization’s rights are protected. Your counsel can retain, in consultation with you and the carrier, a forensic firm or other cyber technical experts to investigate, evaluate and remediate the event.
  • Third-Party Experts – Experts retained to assist with a cyber business interruption can help you confirm the cause of the event or loss for a carrier, identify affected systems and their business impact, determine the best corrective action and most efficient recovery timeline and identify common challenges, such as technology upgrades, that could impact the period of recovery.
  • Business Continuity – Consider the steps needed to continue conducting business as normally as possible during the cyber event. Or, if continued operations are not possible, chart a plan to return to ordinary operations as quickly as possible.
  • Expenses – Keep track of all expenses that would not have been incurred without the cyber event, such as records for temporary hires or added hours of regular employees. It’s suggested to keep records of all expenses upfront and worry about specific coverage determinations later.
  • Documentation – Gather the documentation necessary to prove business income loss and hire forensic accountants to review records with your financial team. Consider losses both while computers were not functioning and after they returned to normal. Note whether operations took additional time to return to normal, how quickly client work resumed and if any income was deferred rather than lost.
  • Assessment – Discuss with your broker, forensic accountant and the insurer’s forensic accountant the methodology to calculate the business insurance loss before the proof of loss is submitted to the carrier. Claims assessment is a process and takes time with a complex claim like cyber business interruption. Good communication can lead to more efficient resolutions.

What Common Questions Are Asked in a Claim?

If you have a cyber business interruption and report it to your insurance provider, you’ll often be asked for some additional information by the representative handling your claim. In short, your insurance company wants to ensure it understands what happened, what parts of your business were affected, and how that cyber event impacted your business financially.

The following are some examples of the types of questions that are asked in a claim:

  • What date and time was the insured business impacted by the cyber event? When exactly was the event discovered? And when did the insured business resume normal operations after the cyber event?
  • What are the normal business hours for the insured business?
  • How were various business segments impacted by the cyber event?
  • Were any operations completely shut down? Were any operations partially shut down?
  • How did the shutdown impact business revenue streams and expenses? How did the cyber event prevent revenue generation? Were clients or customers turned away? Was revenue or production able to be made up?
  • Does the business have any fixed fee or time and material contracts?
  • Was payroll impacted by the cyber event and are employees salaried, hourly or both?
  • What work did employees perform during the period of restoration?
  • Was overtime paid to employees due to the cyber event? And if so, when and how is it tied to the cyber event?
  • Are any employees’ hours billable? And if so, how does the business track their normal billable hours?
  • How were operating expenses impacted by the cyber event? And did the business incur any additional expenses due to the event?

What Common Documents Are Requested in a Claim?

Depending on the questions asked and the responses given by the impacted business, the insurance company will then request specific documents from the business that help the insurer verify and process the claim.

While each event and claim is unique, these are some examples of the general types of documentation you may be asked for if you have a cyber business interruption claim:

  • Business interruption claim schedules in a spreadsheet, including all the requested supporting documentation.
  • Detailed monthly profit and loss statements, by location.
  • Daily, weekly or monthly revenue reports, by location.
  • Invoices and receipts for major extra expenses incurred.
  • Federal income tax returns, including the supporting schedules, in some cases.
  • Daily, weekly or monthly production records.
  • Daily, weekly or monthly timekeeping reports, with hours worked, hours billed and dollars billed.
  • Weekly payroll registers, either by employee or department.
  • Listing of any lost clients or lost projects as a direct result of the cyber event.
  • Staff utilization reports for professional services firms.
  • Inventory records for production or manufacturing entities.

Cyber Business Interruption Coverage You Can Trust

Cyber business interruption claims can be very complex, which is why it’s important to work with experts that advocate on your behalf. With Lockton Affinity Architect + Engineer, you gain access to best-in-class customer service. Our insurance experts can help answer your questions, assess your coverage needs, recommend tailored solutions and advocate on your behalf with carriers when you have a claim.

Lockton Affinity’s industry-leading CyberLock Defense coverage offers protection from financial losses resulting from cyber events, including data breaches, cybercrime, social engineering, ransomware and more. Policies are available to help cover the costs of data recovery expenses, third-party liability, cyber business interruption loss and more. It’s coverage that can protect your business from losses sustained due to system failures, malicious attacks and third-party outages common in business interruption.

Discover more solutions for your firm today. Visit Lockton Affinity Architect and Engineer or call (888) 425-7011 to get started.