To say the face of cyber and the nature of cyber attacks continues to evolve would be redundant. This is particularly evident with the latest trend in cyber-attacks taking the form of ransomware on a global scale.
It is important for the industry to identify and recognize the evolving financial impact of such attacks. As the types of attacks change, so do the impact and nature of the resulting financial damage.
From a U.S. perspective, the initial fear of cyber has been the loss or release of personally identifiable information (PII). This is the information that can lead to identity theft — names, addresses, account numbers, social security numbers and the like. The concerns associated with the loss of data have not dissipated, nor have the attacks which are focused on obtaining personal data. The impact on business continuity due to business interruption and the adverse effect on business value and revenue generation are additional concerns.
…now comes disruption
As the nature of cyber attacks evolve, they are now increasingly resulting in interruptions to companies’ ability to conduct business as usual.
If a cyber event jeopardizes a company's ability to generate revenue, it can suffer a financial loss. It's comparable to a store's front door being locked so that customers cannot enter. The result is no sales until the business reopens, and even then the customers may have gone to another store. Whether a loss is covered by insurance depends, but businesses are taking a very close look at the impact a cyber event has on their ability to generate revenue and keep their doors open. There are risks associated with an intrusion and by the actual disruption.
The insurance response
Risk managers are looking for ways to prevent losses by enhancing security with in-house or third-party cyber specialists and cyber consultants, and providing continued cyber awareness education for employees. They are also using insurance to transfer the risk from the loss of business income.
Business income loss endorsements and contingent business income loss coverage are becoming more common.
But as with all insurance, coverage often depends on the cause. For example, if PII is stolen or leaked from a company but business operations are not impacted, the insurable financial losses would likely be limited to costs associated with investigating and remediating the breach, and any related liability issues. Business income losses are unlikely to be a part of the insurable loss.
Contrast this with a scenario where an attack prevents normal operations or causes a total shutdown. The company's activity is directly affected and an interruption has occurred. There is now a potential trigger under which the business interruption (and possible reputational harm) losses may be insurable.
At this point, most insurers are not looking to provide cover associated with revenue loss purely caused by a loss of reputation due to the bad PR resulting from a cyber-event. There must be a triggering event, an actual interruption to service, after which a business income loss might be measured.
Some insurers respond to reputational risk by providing some form of expense cover for PR efforts undertaken by the insured in an attempt to limit negative coverage and reputational harm. Such brand rehabilitation expense has been used effectively in other crisis management products.
As cyber risks continue to evolve, so too must the risk transfer options.
Simon Oddy (firstname.lastname@example.org), a partner at RGL, quantifies large, complex losses in fraud and liability claims cases, with a specialization in product recall, product liability and cyber-related claims.