Maximizing Business Interruption Coverage On Cyber Insurance Policies
Lost income and expenses related to business interruptions account for some of the most significant damages incurred during an intrusion. In fact, the damages can be so significant that one of the primary considerations organizations make when deciding whether or not to pay a ransom demand is the potential lost income that would result from refusing such a payment. While almost all cyber policies provide coverage for breach-related business income losses, there are some critical differences among carriers’ coverage triggers and the damages they insure against. Here are some coverage items to consider when performing a cyber insurance policy assessment, along with some tips for dealing with such losses.
Almost all policies are triggered by intrusions that render a network entirely useless; however, the majority of insurers also provide coverage for attacks that result in any partial disruption or degradation of services. Organizations should be cognizant of this should they experience any such losses, as it can be easy to overlook less crippling attacks. In addition to intrusions that affect network capabilities, coverage should also be extended to include voluntary shutdowns (to mitigate losses in connection with breaches in progress), and ideally computer system failures as well. Some carriers will further extend coverage to include business interruption costs associated with privacy events. Given that most companies’ operations regularly rely on numerous 3rd party software providers, it’s also critical that any purchased cyber policies include coverage for business interruption losses occurring as a result of network disruptions that affect those 3rd party vendors, a coverage element readily available in the marketplace.
When performing a cyber policy assessment, the first matter to review is whether the business interruption insuring agreement actually provides coverage for net profits lost during the outage. There are a few policies on the market that limit “business interruption expenses” solely to expenses incurred in mitigating damages, while omitting any actual lost income. In addition to lost business income, the cyber policy should also provide affirmative coverage for forensic and accounting costs (incurred in determining the amount of said loss) and extra expense costs. These extra expense costs are often very broad and can include (but are not limited to) costs associated with:
- Procuring products or services from alternative vendors
- Changes in production or service procedures
- Utilizing 3rd party services
- Having to repurchase software licenses
- Renting or leasing equipment
- Miscellaneous increased labor costs, overtime wages and meal costs
Due to the broad nature of the “Extra expense” coverage provided by the policy, organizations may understandably have some confusion as to what is and what is not covered when a claim occurs. In order to maximize the amounts recoverable under the insurance policy, organizations should submit any and all invoices for which coverage could even remotely apply, and let the carrier allocate coverage accordingly.
Since many policies define the covered period as beginning from the end of the “waiting period” until the end of the “period of restoration”, it’s important that the “period of restoration” is broadly defined in the insured’s favor. Whereas some policies may define that as the point at which the company’s network is restored, broader policies define it as the point at which the company’s operations are restored. This is a seemingly small but important distinction, as operations may not be able to resume immediately after the company’s network(s) are restored. Furthermore, some policies may contain clauses allowing the insurer to cease coverage as of the date the interruption could have ended had the insured acted with due diligence. Such clauses should be avoided because they are ambiguous and easy to bypass.
Lost income can, however, stretch far beyond just the period in which networks were interrupted. A highly damaging event can ultimately result in prolonged lost income, and most cyber policies don’t cover lost revenues attributed to any future lost business relationships. Many policies do, however, include public relations expense costs to help mitigate such damages. The PR coverage provided by cyber policies is generally triggered following a breach-related media event (such as a news, TV, or radio publication), at which time the carrier will provide costs associated with hiring a PR firm or miscellaneous publication costs required to mitigate the damages associated with any negative PR.
Lastly, it’s important to stress the importance of accurate accounting and detailed record keeping. Intrusions create chaotic environments where accounting can become somewhat of an afterthought. But it’s important to remember that the insurer will require detailed financial records in order to calculate any damages. Detailed record keeping will not only ease the claims process but can also result in a larger reimbursement from the insurer.