Let’s face it – Business Interruption (“BI”) remains one of the more complex areas of property insurance.
It requires a subjective opinion and prediction of how a business would have performed “but for” an event. Without a crystal ball to give us the exact answer, we must rely on the most relevant information and data available. However, this exercise almost always leads to a difference of opinion depending on who is interpreting this data. Industry veterans often say that if 10 forensic accountants review the same data, the result will be 10 different calculations. This isn’t necessarily a bad thing, but it demonstrates the challenge of accurately quantifying business interruption.
Risk management-focused businesses are putting a greater emphasis on trying to determine their potential BI exposure when purchasing insurance, before an actual loss occurs. The best way to do this is to perform a Business Interruption valuation, which will help estimate how a worst-case scenario loss would/could impact the business. A BI Valuation helps to ensure that the proper limits of insurance are set, providing businesses with greater confidence that their insurance will respond as expected should a loss happen. Pre-loss valuations have been more common for property coverage because it is fairly straightforward with construction / rebuild costs.: Armed with current replacement cost data, should a factory burn, or a hotel become damaged by a category 5 hurricane, a policyholder should be in a good position to recover appropriate insurance funds. And from a BI perspective, these types of losses normally can be assessed fairly quickly because these are typically isolated, one-off events, making it easier to quantify the impact they have on a business. The focus will be on the financials of the single location that was damaged as well as potentially any impact to sister locations. But where do businesses even start to try and assess their potential business interruption from a cyber peril?
Based on discussions with risk managers, brokers and even insurance carriers, there is no consensus on an acceptable method for accurately quantifying the potential Cyber BI exposure of a business. In fact, most do not have any idea where to begin. And here’s why…
The most challenging aspect in determining an organization’s Cyber BI exposure is the very nature of the cyber world: there are no longer any physical restraints to a potential loss. Property claims are tied to physical events that are geographically isolated. However, cyber perils have no boundaries.
What if a cyber incident impacts software responsible for running the manufacturing operation not just at a single plant, but at every plant in the United States, or even across the globe. What if the impact extended to a non-revenue producing segment of the business (for example, Human Resources, payroll)? While not having a direct tie to a profit center, the delay or distribution caused by a cyber-attack to one of these departments has cascading effects across the entire organization in worst cases rendering the business inoperable. Physical assets and operations around the globe can be impacted to various degrees at the same time. With companies integrating more and more systems, the impacts of a cyber-attack can ripple through a business quickly and cause severe losses in a short period (think hours and days instead of weeks and months).
So how does a company try and assess their Cyber BI exposure? There needs to be a substantial expansion of their risk management mindset; the business needs to stop thinking in terms of physical locations. Rather, the focus should be on which networks, applications, software, hardware and websites are relied upon to make the business run. All of these are vulnerable to a cyber peril that can impact the entire business immediately. Instead of just relying on the risk manager and finance department to assess BI exposure, it is imperative that the business’ IT personnel and the CISO/CTO be involved in this process. These stakeholders have the ability to provide important input and feedback on how the cyber-attack could negatively harm the business and, just as critically, for how long. The key to having a relevant and accurate assessment of Cyber BI exposure is collaboration among multiple departments within the organization.
However, if a loss occurs prior to an internal evaluation and alignment has been completed, remember quality documentation and forensic analysis is the cornerstone to effectuate a positive result on a cyber claim. Most cyber risk policies include coverage for business interruption or loss of income and extra expenses associated with a breach, which typically can make-up some of the more significant costs. When a cyber business interruption loss occurs, it is the responsibility of the Risk Manager or Policyholder to lead the development and presentation of losses caused by the event. Immediately after a loss, significant attention, leadership and data analysis are required to fully document a claim.
This article was written by Chris Mortifoglio, SVP and Director of Forensic Account, Procor Solutions + Consulting. Connect with Chris on LinkedIn>