Prevent Your Cyber Insurance From Blindsiding You (Part 4: Waiting Periods and Business Interruption)

“The waiting is the hardest part.”
– Tom Petty

In Part 3 of this series, we discussed the wonderful world of legalese in insurance contracts (including cyber policies), the Wild West of cyber insurance, and how vague and ambiguous language in those policies can result in the loss of insurance proceeds. In this installment, we’ll take a look at how you can be blindsided by the waiting periods and business interruption periods which may exist in your cyber policy.

First, let’s look at the waiting periods. Some cyber policies provide coverage immediately following impairment to your network systems due to a cyber event. Others provide that coverage does not kick in until 12 hours after such an impairment, with some policies even requiring up to a 24-hour waiting period. Think about that for a moment. Depending on your operations, especially if you sell through web-based direct-to-consumer channels, the first 24 hours of network interruption could be critical and result in substantial exposure. The insurance you bought, and which you expected to cover you, may not actually be there when you need it the most.

Next, the length of business interruption coverage in cyber policies can vary quite a bit. What is business interruption, you ask? Briefly, most insurers will cover lost income for a certain period of time resulting from an interruption to your business due to a cyber event. As with the waiting periods discussed above, business interruption indemnity periods can vary from policy to policy. Failing to understand your exposure to such losses and the coverage provided in your insurance policy can have devastating consequences for your company.

Consider that some insurers may provide a few days of coverage, while others may offer up to 30, 60, 90 or 120 days. Still other insurers may exclude business interruption from coverage entirely. And if there is coverage, the policy may further provide that it is limited in the event the network system is restored in less time. Some policies may even provide that coverage will not be triggered unless and until you have taken “reasonable” steps to minimize or avoid the business interruption event (remember that vague and ambiguous language from Part 3).

Let’s say your business makes consumer products and a significant portion of business comes from direct-to-consumer sales through your website. You have a cyber policy with a 24-hour waiting period that provides business interruption coverage up to either (1) the time when your system is restored, or (2) the time when the interruption in business income ceases up to 90 days, whichever is earlier. Your company suffers a cyberattack on Cyber Monday (hint, it’s a popular time for cyberattacks), and you immediately begin losing online sales as a result. You are ultimately able to neutralize the malicious software and restore your system in 22 days.

Under this scenario, your policy would not provide coverage for lost Cyber Monday income as a result of the 24-hour waiting period. Fortunately, you should have coverage for some of the significant holiday business losses suffered as a result of the cyberattack. Unfortunately, that coverage will likely be limited to the 21 days after the waiting period (another hint, there may be measurable continuing business interruption well after restoration has occurred). Worse yet, what if the insurer determines that your response and mitigation steps were not reasonable? You may find that even the limited 21-day coverage period could be in jeopardy.

Long story short, it is important to have robust discussions with your cross-functional departments (including IT in the process, of course) to determine how your company could be affected by a cyberattack or data breach. Be prepared to discuss issues such as system restoration and recovery time frames, as well as the full scope of business losses which could occur both immediately and over time. Develop and implement written cybersecurity procedures and provide regular and meaningful training on them. Then take a look at your cyber policy.

Proactive cyber insurance management means understanding the risks specifically facing your business, and then aligning insurance with appropriate business risk transfer. This is where Preventive Lawyers shine. They are skilled at sifting through all the legalese, identifying opportunities and areas of concern, and then working directly with your team, including your insurance brokers and carriers, to ensure that the coverage you purchased for your business will actually react to a loss once it occurs.

As one of the nation’s only practices focused exclusively on Preventive Law, KEEFER is skilled at managing cyber insurance programs, providing business-forward strategies to minimize exposure.

KEEFER is your ounce of prevention.
