Next to “you’re on mute”, perhaps one of the most common phrases of this past year has been “don’t click on that link”!
The risk of suffering a severe financial loss due to a cyber event has never been greater. According to Allianz’s Risk Barometer, it was the top risk facing businesses; not long ago, it barely registered in the survey (1).
The cost of a cyber-attack can be absolutely paralyzing for a business. In fact, Cybersecurity Ventures predicts cybercrime damages will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015 (2). The costs to businesses can include direct out-of-pocket costs (such as damage and restoration of data, ransom payments, stolen money), post-attack disruption to the normal course of business, lost productivity, theft of intellectual property, theft of personal and financial data, as well as indirect costs such as reputational harm and potentially even lawsuits for data leaks involving sensitive information.
In response to this reality, more and more insurers have begun offering cyber coverage to businesses to help them protect themselves against this very important risk. Specialty insurance coverage for cyber risks is still relatively new and continually evolving. Cyber insurance often covers ransom payments, breach response and data recovery costs, liability to third parties, as well as business interruption (BI) and additional expenses.
As forensic accountants specializing in quantifying business interruption and lost profits, we have seen a large explosion in the number of cyber losses in our caseload in the past couple of years. The purpose of this article is to summarize some of our experiences, and in particular to answer the following question: How are BI losses under cyber policies different than those that have been around for decades in property policies?
Based on experience handling dozens of these losses in recent years, here are a few key factors that make quantifying losses due to cyber-attack different from other types of BI losses:
1. Variety of Impacts on Business
IT systems are so pervasive that a cyber-attack can have a seemingly infinite range of impacts on a business. We have seen impacts to online ordering, impacts to client records, impacts to inventory records, and impacts to automated manufacturing machinery.
Each of these IT problems will impact the financial results of a business in different ways. Some of these issues will lead to a loss of revenue; others will lead to an increase in operating costs; still others may not have any discernible impact on either revenues or costs, and will only create idle employee time.
What becomes particularly important in a cyber loss is understanding the cause and effect relationship between the incident and the financial impact. In a physical damage scenario, the impact is usually obvious: for example, a fire has caused a retailer to close down for a period of time affecting its ability to make sales. However, if that same retailer is the victim of a cyber incident, it does not necessarily mean they will have to close down. The retailer may be unable to access inventory records or accept automated payments while its systems are down, but it may still be able continue to sell products in the store and either accept cash or take down clients’ payment information for later processing. Revenues may be affected, but not to the same extent as if the store was completely closed down.
2. Types of Businesses Impacted
This exponential growth in cyber threats is partly as a result of a shift from a “brick-and-mortar” type of economy to a digital economy. Entities’ increasing reliance on their IT systems, as well as the emergence of more sophisticated and organized hackers, have resulted in more and more cyber-attacks.
No company is safe – attackers target large multinationals such as Marriott Hotels (3) and Equifax (4), as well as small- to medium-sized enterprises (SMEs). In some ways, SMEs are more vulnerable to cyber-attacks as they often do not have robust IT security policies and technology.
Cyber-attacks can impact a wide range of businesses, and the variety of businesses for which we have reviewed cyber losses is much broader than the types of business that suffer losses due to physical damage: examples include government bodies, not-for-profits, and professional services firms.
Consider an accounting firm. In the case of a physical damage to their offices, the business can normally continue to operate with minimal disruption and avoid or minimize business interruption losses by having employees work remotely or at another location. As the Covid-19 pandemic has shown, many professional services firms can be easily set up to work remotely. However, if the same firm loses access to its servers (e-mail, file storage servers, VPN connection), this can have a crippling effect on its ability to operate, and there may be losses of revenue, labour inefficiencies, or both.
3. Data Issues
The types of data we analyze with cyber losses can pose unique opportunities, as well as some pitfalls.
Take for example a retailer. Unlike brick-and-mortar retailers which record revenue when the customer makes a purchase, online retailers often have a lag of several days between a sales order being received and the recording of revenue (which typically does not occur until shipment). Looking solely at revenue based on shipments when analyzing losses for an online retailer may therefore yield misleading results, especially when the affected loss period is only a few days (which can often be the case with cyber losses). A more useful metric might be website traffic or revenue by order date, data that online retailers have readily available unlike their brick-and-mortar counterparts.
4. Scope of Losses
A business interruption resulting from a cyber incident is often shorter in duration than a business interruption resulting from physical damage. While in a physical damage scenario, the property needs to be rebuilt or replaced which may take some time, digital data loss can often be restored using recent back-ups. In a ransomware scenario, an expert in cyber-attacks may even advise the insured to pay the ransom and gain access to its servers right away in order to avoid or minimize any interruption to operations.
Most businesses have some form of disaster recovery protocols and back up their digital information frequently. A company’s ability to restore digital damage from back-ups often depends on how sophisticated their IT systems are and how recent the last back-up was. In some cases, it can take a few days (if back-ups are done frequently) while in other cases, it can take months (if the back-up servers were in some ways affected by the attack or if the back-ups are infrequent).
In some cases, restoring the servers does not necessarily mean that the business is no longer impacted. This is an important issue, as cyber policies normally limit the indemnity period to when the systems are restored. This may result in uninsured losses for insureds in some industries. Consider a hotel whose ability to make reservations was impacted due to a cyber incident for a period of a few weeks. Many people making hotel reservations tend to do so weeks or months before their anticipated stay. As revenues are usually only recorded once the guests have completed their stay, the inability for the hotel to make reservations does not impact its revenues until much later in time, long after the systems are restored and its maximum indemnity period has been exhausted.
Finally, while cyber business interruption losses can often take place over shorter timespans, these losses can be more extensive in geographic scope. Physical damage is unlikely to impact more than one or two locations of a business at a time, whereas a cyber-attack can cripple an entire network.
5. Insurance Policy Issues
The wording of cyber policies can be quite different than that of standard property business interruption policies. This sometimes creates confusion for insured parties. Some notable differences include:
a) The definition of “loss”
Typically, business interruption coverage that forms part of a property insurance policy will begin the calculation with the reduction in a business’s revenue, which is then adjusted to consider saved variable and fixed costs. By contrast, many cyber policies refer directly to continuing expenses, without referring to revenue losses.
b) Indemnity period
For most businesses, a network interruption is often much shorter than a property-related interruption. As such, while property policies often have a 12 month maximum indemnity period, cyber BI coverage is often limited to 2, 3 or 4 months. Although this is usually sufficient to cover the period needed to restore the network, it may not be long enough to capture the full impact on the insured’s business, especially for businesses whose revenue recognition timing is a bit different, such as the hotel example above.
c) Waiting period
The impact of a waiting period deductible tends to be much more important in a cyber loss as the loss period tends to be shorter; therefore the losses incurred during the waiting period are more pervasive.
In conclusion, cyber-attacks are becoming more and more prevalent and prominent, and businesses are wise to protect themselves against this very real and potentially extremely damaging risk. Insurers are responding to this demand by underwriting more and more cyber policies. As a relatively new insurance product, many insurers have seen claims increase exponentially over the last few years. The number and magnitude of claims are only expected to grow with the impact of the Covid-19 pandemic on businesses who now rely more than ever on their IT systems to remain connected and continue operating (5).
This article has attempted to outline some of the particularities in quantifying cyber business interruption losses compared to standard property damage losses. As hackers continue to develop their craft, we can only imagine how this field will evolve over time.
Until then – don’t click on that link!