Malware. Ransomware. Phishing. WannaCry. Petya. NotPetya. The terminology of cyber attacks and cyber losses seems to change at a bewildering pace. As technology continues to advance and businesses become more reliant on their IT systems, cyber attacks will become more sophisticated, leading to an increase in the size and volume of cyber insurance claims. This article discusses some of our firm's experiences with how cyber attacks can result in a business interruption loss.
What is Cyber Insurance?
Cyber insurance policies provide coverage for losses caused by a cyber-related security breach. Losses can include ransom payments (threats to destroy data or withhold decryption codes unless a ransom is paid), theft of personal or commercially sensitive information, business interruption during network downtime, and various investigation and response costs.
How can a Cyber Attack cause a Business Interruption Loss?
During the period in which the network is being restored, a business may not be able to access its data, or other critical IT functions such as email. This can result in lost sales orders if the business is unable to receive or process orders.
We were recently involved in a case where a manufacturing company was the target of a ransomware attack. The company generated a large volume of work through single source bids, where a customer would request a quote for a specific project. Due to a cyber incident, the company was unable to submit fee estimates as their staff were unable to access email or any electronic data that would be used to calculate the quote; the company claimed a loss of income as a result.
The business was able to support their claim by providing correspondence from the customer requesting a quote, as well as historical data indicating that their bid success rate with single source bids was close to 100%.
Note that if the claim is for lost sales, it will be important to determine what expenses have been saved as a result of the reduction in sales; this reduction in expenses will be offset against the sales loss in much the same way a "gross profit rate" or "gross earnings" rate is applied to a sales loss under a typical business interruption policy.
For manufacturing businesses, during the time that the network is impacted by the cyber attack, certain tasks on the production line may need to be performed manually, causing labour inefficiencies. If it can be established that more labour was required to earn the same amount of revenues, those inefficiencies may form part of the business interruption loss.
Inefficiencies can be measured by comparing the historical difference between budgeted and actual hours, as a percentage. This percentage can then be compared to the actual hours spent on manufacturing tasks during the loss period to determine the extent to which more time was required for production.
Note that although the affected business may experience inefficiencies early in the loss period, some of these inefficiencies can be recovered once IT systems are restored, if employees are able to work overtime and efficiency improves during this time period.
Employees may need to work additional hours to catch up on delayed projects / production, or to perform tasks manually. The business interruption loss should include any overtime that is over and above typical levels, and can be attributed to the cyber attack.
Some businesses will claim overtime for salaried staff who are not paid for additional hours worked. It is important that they show, for example with pay stubs, that employees were compensated extra for the claimed overtime hours worked. Historical overtime hours for employees should also be reviewed to determine normal overtime levels and to identify whether any overtime may be seasonal.
Quantification of business interruption from cyber losses involves applying the same general principles that govern a typical business interruption loss. The goal is to understand, document and quantify just how the cyber event impacted the revenue and expenses of the affected business. While new cases will involve new viruses and terminology, the principles set out in this article will continue to hold true over time.