Article November 16, 2018

Business interrupted: Part three

Following on from our previous posts on indemnity periods and time retentions, we're concluding our business interruption series by looking at the issue of reputational harm.

The concept of reputational harm in cyber policies is essentially about the business interruption losses that can be incurred as a result of a data breach. The basic idea is that if a business suffers a data breach and their customers become aware of this, some of their customers will lose faith in the company’s brand as they no longer trust them to look after their data. This can then result in a loss of customers, contracts and, ultimately, income.

Simply put, cyber business interruption losses aren’t just caused by system outages. Systems outages are events in which an organisation’s computer systems are rendered incapable of performing their normal business function. This is not necessarily the same as a data breach, whereby an organisation’s network is compromised and data is either accessed or stolen. We recently had a case where an online retailer had their computer systems compromised and a database containing the credit card details of 90,000 customers was exfiltrated from their systems by the hackers. After notifying their customers of the breach, the insured saw a noticeable drop-off in sales over a 12 month period, resulting in a business interruption loss of some $475,646.

The problem is that there is currently a lack of consistency in cyber wordings as to whether reputational harm is covered or not. The trigger for BI coverage under many policies is a system outage, but a lot of data breaches won’t involve any meaningful downtime, leaving the insured totally exposed to any income loss that the data breach might bring about. By contrast, other insurers may choose to cover this risk via endorsement only, while others provide it in their base form as standard.

Simply put, cyber business interruption losses aren’t just caused by system outages. James Burns, Cyber Product Leader, CFC Underwriting

Let’s take a look at this point of difference in a little more depth by considering the example of an online retailer. As a part of their business operations, they collect PII from their customers, such as full names, dates of birth, home addresses, email addresses, and credit and debit card information. Looking to make some money on the side, a rogue employee with access to this data decides to start selling it on the dark web. At no point do the rogue employee’s actions result in any system downtime.

Several months later, an audit of access logs to the data files is conducted which reveals that the data was exfiltrated by the employee and a subsequent investigation reveals that he has been selling this data online. The area that this business is located in is subject to data breach notification laws and the business is required to notify the affected customers of the breach. In the immediate aftermath of the notification, the business notices a sudden and dramatic fall off in sales caused by the loss of customer faith in the brand, resulting in a sizable loss of income over the course of the year.

Following this, the company turns to their cyber insurer for the reimbursement of their financial loss during this period. Depending on the type of cyber policy that the business has purchased, the policy will generally respond in one of two ways:

  1. System outage BI trigger only The policy will provide cover for the costs of dealing with the data breach itself, such as obtaining legal advice, notifying customers, setting up a call centre to deal with queries about the data breach and so on. However, in order for the business interruption section to respond, there has to have been an outage of the insured’s computer systems. As there was no system downtime associated with the data breach, the policy will not pay for the loss of income that the business has incurred.
  2. Data breach BI trigger included As above, the policy will provide cover for the costs of dealing with the data breach itself. But in this case, the policy also includes a reputational harm section under the business interruption insuring clause. This section does not require the insured to have suffered a system outage in order to respond. Instead, it can be triggered by a data breach and covers the direct loss of income resulting from reputational harm following the breach.

This is an important distinction. With the first option outlined above, the insured’s business interruption loss is not covered due to the lack of a system outage. With the second option, the business will have their income loss covered by the policy. And this could make a big financial difference to the organisation affected.

The importance of having reputational harm cover is becoming more and more apparent. With notification requirements having already been introduced across all 50 states in the USA, the EU, Australia and Canada, notifying customers of data breaches will become far more frequent and the risk of consequential reputational harm will increase substantially. And it’s not just data breach notifications that could result in a business interruption loss. Adverse media attention following a data breach could also result in a loss of customers and private contracts between companies with non-disclosure agreements in place could also be at risk of cancellation if some form of privacy breach is discovered. It is therefore imperative that businesses that collect or process data have this cover on their cyber policies.