There is a lot of talk in the cyber insurance industry about the challenge of systemic risk, and many carriers have announced their intentions to address these exposures with new policy language.
However, most carriers have already taken action to address certain elements of aggregated risk via limitations to the scope of cyber business interruption (BI) coverage.
BI is the most challenging part of cyber underwriting, as it requires understanding of an insured’s resilience to a cyberattack, including incident response, business continuity, disaster recovery, as well as dependencies within the IT and non-IT supply chain.
There is a significant amount of variation in the cyber BI coverage offered across the market. Here are five BI coverage elements to consider when purchasing cyber insurance:
1) Waiting Period Length
Prior to the hard market, waiting periods may have been as low as 8 to 10 hours for most insured, whereas with the hard market conditions of 2021, some carriers began pressing for waiting periods of 24 hours or more.
The market standard is 12 hours, which is generally available in today’s moderating market.
2) Waiting Period Applicability
It is important to consider how the waiting period works.
Many carriers use the waiting period as a “qualifying period” for coverage, and once the business disruption meets the length of time of the waiting period, coverage is triggered and then the dollar retention is then applied back to minute one of the loss.
Other carriers use the waiting period as a retention in terms of the amount of loss incurred during the duration of the waiting period.
In this instance carriers tend to apply the “greater of” the amount of dollar loss due to a business interruption during the waiting period or the dollar retention amount — whichever is greater.
3) Period of Indemnity
This is the period for which the carrier will indemnify for a business interruption, as defined, and can vary from as short as 90 days to as long as 180 days.
Typically, this considers extra expenses incurred by the insured during the business interruption as well as any associated income loss.
In some policies, and extended period of indemnity may be available to consider the continued income loss arising from the business interruption.
4) Dependent Business Interruption
Carriers continue to be concerned about the scope of dependent business interruption (DBI) coverage and are working to clarify what constitutes a “dependent business.”
Dependent businesses typically include IT service providers (including cloud service providers) on which the insured is dependent to run their computer networks.
During the pre-2020 soft cyber insurance market, coverage was available for non-IT providers as well, however this has been largely eliminated given the potential for loss and lack of optics from an underwriting standpoint into the insured’s supply chain.
Additionally, carriers are seeking to define dependent businesses only as those under contract with the insured.
One way that carriers are protecting themselves from loss aggregation relative to business interruption is by applying sublimits.
While full limits are typically available for DBI coverage related to a security failure, many carriers continue to apply sublimits for DBI related to system failure (a technology outage not due to a breach).
However, the challenge with sublimits is with regards to any excess placements, in terms of ensuring that excess carriers follow the sublimit within their layer, and if not, recognize erosion of the underlying limit.
As the cyber insurance market continues to work to clarify coverage for systemic risk, buyers should expect the above coverage elements to be revisited by carriers.
The job of a good broker is to help buyers understand the nuances of cyber coverage and ensure that the terms of the policy make sense relative to the operations of the business, and other lines of coverage that may apply (such as property).
The more information that buyers can include as part of the submission, the easier it is for underwriters to understand business interruption exposures and offer better coverage terms. &