Cyber Business Interruption - Checklist
By Imperium Consulting Group
Quality documentation and forensic analysis are the cornerstone of a positive result on a cyber claim. Most cyber risk policies include additional coverage for business interruption, or loss of income, and extra expenses associated with a breach, which typically can make up some of the more significant costs. When a cyber business interruption loss occurs, it is the responsibility of the Risk Manager or Policyholder to lead the development and presentation of losses caused by the event. Immediately after a loss, significant attention, leadership and data analysis are required to fully document a claim.
Keep in mind that a complex loss will be evaluated for insurance purposes or for a general audit; therefore it is essential to quickly establish a claim validation and presentation process to capture and document all loss-related costs.
Initial Steps After a Cyber Business Interruption Loss Should Include:
- Reporting the loss promptly through your insurance broker or risk manager.
- Taking all reasonable measures to mitigate the impact of the breach.
- Immediately reviewing all insurance policies that may provide coverage.
- Identifying the timeline of events and determining (as exactly as possible) the time of the breach for each of the impacted systems, locations, etc.
- Reviewing the policy-provided panel of experts to determine those that may be necessary to assist in the recovery from the cyber event.
- Confirming whether and when the breach has ended, has been stabilized or is still ongoing for each of the impacted systems, locations, etc.
- Establishing a separate account number or charge code in your cost accounting system for each of the impacted systems, locations, etc. under which all cyber breach related costs will be captured.
- Securing production/sales budgets/forecasts that can be used to project production/sales had there not been a breach.
- Identifying any seasonality effect on production/sales or similar periodic fluctuations.
- Creating schedules to track all costs and expenses potentially associated with the breach including but not limited to attorney fees, crisis management fees, public relations expenses and claim preparation fees.
- Establishing a protocol for the claim presentation and audit by creating a timeline with targeted milestones. This will create a clear path for all parties involved and set expectations for the adjustment process.
- As soon as practical, developing a Rough Order of Magnitude (ROM) that outlines all areas of projected loss amounts by coverage category. Where estimates are difficult to complete early on, be sure to include the amount of loss in a potential coverage category as "to be determined" (TBD). This document will be useful for your team to understand the overall potential impact and for the adjuster as the loss reserve is set.
- Considering potential loss to reputation/brand and loss of trust by customers or business partners.
Differences to consider in Business Interruption Claims Dynamics
Physical Cause of Loss
- Location of Loss: Single geographic area or location
- Identification of Period of Interruption: Tends to be well-defined
- Length of Period of Interruption: Weeks, Months, Longer
- Policy Deductible / Retention: Property damage may include a fixed amount, percentage of total insured value and/or waiting period
- Time Element Deductible / Retention: May include a fixed amount, percentage of total insured value and/or waiting period
- Discontinuing Expenses: Costs are often saved as part of a Time Element calculation
- Extra Expense vs. Breach Response Costs: Additional expenses that are reasonable and necessary to continue operations
Cyber Cause of Loss
- Location of Loss: Wherever the impacted network or application is accessed
- Identification of Period of Interruption: May be ambiguous, uncertain start and/or end date
- Length of Period of Interruption: Hours, Days, Weeks
- Policy Deductible / Retention: First Party insuring agreements / Breach Response will be a fixed value and/or waiting period retention amount
- Time Element Deductible / Retention: Typically includes a 12-hour waiting period
- Discontinuing Expenses: May not be relevant as short period of interruption leads to continuing expenses
- Extra Expense vs. Breach Response Costs: Breach consulting / response costs such as forensics, legal, information recovery, notification to affected individuals
Costs Often Covered in a Cyber Policy
- Cost of engaging a digital forensic and incident response (DFIR) firm
- Engagement of a firm to negotiate and/or pay a ransom
- Breach Counsel
- Reconstruction or replacement of compromised property, such as servers or other IT equipment ("Bricking")
- Reconstruction of data and programming
- Cost of rebuilding networks, programs and data
- Cost of notifying customers impacted by the breach (including the cost of credit monitoring services for a predetermined period of time)
- Employee lost productivity costs
- Crisis management expenses, rapid response security professionals, forensic investigators and accountants
Cyber losses may have a significantly greater proportion of additional expenses, through the breach response and first party loss coverages, than more traditional business interruption claims. This is due to the shorter duration of a cyber outage and the immediate need to incur costs to implement back-up plans, hire outside expertise and replace system components and software/hardware.
During an interruption, insurance may cover some additional costs such as:
- Costs associated with setting up a warm or hot site to take over processing while the main data centers are not operating
- Overtime pay for IT employees who are required to work additional time due to the implementation of a breach response plan
- Engagement of a forensic accounting firm to assist in the preparation and submission of a detailed and fully supported claim / proof of loss
It is essential that policyholders understand their organization's cyber risk financial, contractual and reputational exposures pre-breach, work with brokers and underwriters to explain the organization's cyber liability exposures and associated controls, carefully review coverage options in all policies, and effectively manage the post-breach claims documentation process to facilitate an expedited insurance recovery.