UK & Europe
Insurance & Reinsurance
In their 2018 Survey of Cyber Insurance and Market Trends, Advisen reported that, for the first time, cyber-related business interruption coverage had replaced data breach coverage as the most sought-after cyber insurance coverage. In this article, as forensic accountants, we analyse the cyber business interruption wordings in the insurance market and highlight the weaknesses we have seen in some of the wordings.
Business Interruption Coverage
Under a typical cyber-related business interruption insurance policy ("Cyber BI policy"), the insurer will pay the insured's loss of business income, during the indemnity period resulting from a cyber event, that is discovered during the period of insurance. The indemnity period typically begins after a waiting period.
Business interruption coverage has existed as an element of property insurance policies for over 100 years. Over those years, property insurers have converged on common forms of policy wording to insure a business's loss of business income during the indemnity period after an insured event. In the UK, the most common form of wording is the "Gross Profit" form and in the US, the most common forms of wording are the "Business Income" and "Gross Earnings" forms.
Stand-alone Cyber BI policies have only existed for a handful of years. Based on a recent review of Cyber BI policies, we found that the wordings for loss of business income could be classified as either Gross Profit or Business Income.
Gross Profit is a common form of wording found in Cyber BI policies. One explanation for this may be that many Cyber BI policy wordings in the UK are developed from UK Property BI policies.
Gross Profit wording provides business interruption cover from the top down. That is it covers earnings less savings. The business interruption loss is calculated as:
Less any sum saved during the indemnity period in respect of the charges and expenses of the business payable out of Gross Profit as may cease or be reduced in consequence of the incident.
Reduction in Turnover and Increase in Cost of Working are defined in the policies.
Increase in Cost of Working is subject to an economic test. Under the economic test, the insured has to justify any additional expenditure and ensure that they do not spend more than a pound to save a pound on their business interruption claim. For example if an insured outsources manufacturing at a cost of £1,000,000, it will have to ensure that the Reduction in Turnover avoided is at least £1,000,000.
Review of Gross Profit Wording in Cyber BI Policies
During our review of Cyber BI policies using Gross Profit wording we noted two policies with the following weaknesses:
Business Income is a common form of wording found in Cyber BI policies. One explanation for this may be that many Cyber BI policy wordings in the UK are developed from existing US Cyber BI policies.
Business Income wording provides cover from the bottom up. That is it covers a loss of net profit before taxes and the standing charges of the business. Business Income is commonly defined as:
The standing charges are those operating expenses, including any payroll expenses, necessary to resume “operations” with the same quality of service that existed just before the direct physical loss or damage.
When additional Extra Expense coverage is not provided then the equivalent of increased cost of working applies.
Whether Gross Profit or Business Income wording is taken in a Cyber BI policy, the coverage should be identical, subject to the indemnity period and the waiting period.
Review of Business Income Wording in Cyber BI Policies
In some Cyber BI policies the Business Income is not clearly defined. For example, we found a definition of Business Income in a Cyber BI policy which was adjusted to take account of any costs savings which the business could achieve.
Business Income should be clearly defined as the loss of net profit before taxes plus standing charges. There is no requirement for a savings clause because the Business Income is based on the net profit before tax.
The indemnity period is the length of time for which compensation is payable under a business interruption policy. Based on our review of Cyber BI policies the indemnity period is either
In Property BI policies triggered by property damage, the Option 1 indemnity period applies to Gross Profit policies and the Option 2 indemnity period applies to Business Income policies. For the Cyber BI policies we reviewed, no such distinction existed.
The typical maximum Indemnity Period in Cyber BI policies is 3 months, which reflects the short duration of most Cyber events. The typical maximum Indemnity Period in Property BI policies is 12 to 24 months, reflecting the time to rebuild a property.
All the Cyber BI policies we reviewed had an Indemnity Period that began after a Waiting Period or Excess Period. The Waiting Period in a Cyber BI policy is typically a number of hours. This reflects the expectation that businesses may suffer short term cyber events that have a limited effect on the business operations.
In Property BI policies we would typically see a Waiting Period associated with Business Income wordings and a monetary deductible associated with Gross Profit wordings. The Waiting Period in a Property BI policy is typically a number of days.
Additional Increased Cost of Working / Additional Extra Expense
Additional Extra Expense insurance may be taken out on Cyber BI policies to cover those non-economic expenses incurred to minimize the loss following the cyber event, which exceed the loss avoided.
For example, as discussed above, under a Cyber BI policy using either Gross Profit and/or Business Income wordings, the insurer will reimburse the insured £1,000,000 to outsource manufacturing if the business interruption claim is reduced by £1,000,000; but the insurer will not reimburse the insured £1,000,000 if the claim is only reduced by £200,000. The non-economic additional expense of £800,000 may be recoverable under an additional Extra Expense insurance policy.
Based on our review of Cyber BI policies, it is not reasonable to assume that the wording in Cyber BI policies is the same as in Property BI policies. As noted above the Indemnity Periods and Waiting Periods may be different.
In addition we noted that some of the wording is unclear and recommend that all insurers and brokers review the wording.
As time passes, we should expect to see greater convergence by insurers on the most transparent and fair wording of Cyber BI coverage, as has happened with Property BI coverage. In the meantime however, it will remain the case that not all Cyber BI policies are created equal.