"The waiting is the hardest part." - Tom Petty
In Part 3 of this series, we discussed the wonderful world of legalese in insurance contracts (including cyber policies), the Wild West of cyber insurance, and how vague and ambiguous language in those policies can result in the loss of insurance proceeds. In this installment, we’ll look at how the waiting periods and business interruption periods in your cyber policy can blindside you.
First, let’s look at the waiting periods. Some cyber policies provide coverage immediately after a cyberattack or data breach impairs your network systems. Others provide that coverage does not kick in until 12 hours after the impairment, and some require a waiting period of up to 24 hours. Think about that for a moment. Depending on your operations, especially if you sell through web-based direct-to-consumer channels, the first 24 hours of a network interruption are critical and could result in substantial exposure. The insurance you bought, and which you expected to cover you, may not be there when you need it most.
Next, the length of business interruption coverage in cyber policies varies quite a bit. What is business interruption, you ask? Briefly, most insurers will cover lost income for a certain period of time resulting from an interruption to your business caused by a cyber event. As with the waiting periods discussed above, these indemnity periods can vary drastically from policy to policy. Failing to understand your exposure to such losses, and the coverage your particular policy actually provides, can have devastating consequences for your company.
Consider that some insurers cover business interruption losses for only up to 30 days. Others may provide up to 60 or 120 days, and others still a full 12 months of coverage from the date of the cyber event. Some of these policies further provide that coverage ends sooner if the network system is restored in less time. Some even provide that coverage will not be triggered until you have taken “reasonable” steps to minimize or avoid the business interruption (remember that vague and ambiguous language from Part 3).
Let’s say your business makes consumer products and a significant portion of business comes from direct-to-consumer sales through your website. You have a cyber policy with a 24-hour waiting period that provides business interruption coverage up to either (1) the time when your system is restored, or (2) the time when the interruption in business income ceases, whichever is earlier. Your company suffers a cyberattack on Cyber Monday, and you immediately begin losing online sales as a result. You are ultimately able to neutralize the malicious software and restore your system in 22 days.
Under this scenario, the 24-hour waiting period means your policy would not cover the Cyber Monday income lost during the first day, nor the expenses incurred in executing your rapid response plan to assess and neutralize the threat during that critical period. Fortunately, you should have coverage for some of the significant holiday business losses that follow. Unfortunately, that coverage will be limited to the 21 days between the end of the waiting period and the restoration of your system on day 22, because under the “whichever is earlier” language coverage ends at restoration even if lost sales continue (hint: there would likely be measurable continuing business interruption well afterward, especially if there is publicity surrounding the attack). Worse yet, what if the insurer determines that your response and mitigation steps were not “reasonable”? Even the limited 21-day coverage period could then be in jeopardy.
Long story short, it is important to have robust discussions with your IT and finance departments, among others, to determine how your company could be affected by a cyberattack or data breach. Be prepared to discuss issues such as system restoration and recovery timeframes (since the waiting period runs from the impairment and coverage can end at restoration, know how long restoration realistically takes and be able to document when the impairment began and when service was restored), as well as the full scope of business losses which could occur both immediately and over time. Then take a look at your cyber policy.
If the cyber policy does not adequately cover your business (or the language is not clear), negotiate away problematic language as much as possible and also consider purchasing additional coverage to patch up any holes. Consider also getting written confirmation from your insurer that your response plan is in fact “reasonable”. Also share the cyber hygiene training and other risk mitigation steps you perform in-house, as there should be premium savings for doing so. If there aren't, consider at renewal other insurance carriers who do respect and reward such steps. In any event, do all of these things before suffering a cyberattack or data breach, which could be catastrophic to your business. As always, we’re here to help.