Insights
Publications

Insurance When the Internet Goes Down

2/2/2017 Articles

Originally published in Risk Management, February 2017. Posted with permission

Business interruption coverage is now a staple of many companies’ insurance programs. One of the “optional” first-party property coverages included in standard property policies, it is intended to compensate companies for income or profits lost as a result of an inability (or reduced ability) to transact business as usual because of a covered physical loss, such as fire or collapse. Over the years, the coverage has developed and typical business interruption forms now have a number of options—direct coverage only (the covered loss must happen on your own premises); contingent coverage (expanding coverage to include losses at a supplier’s premises or some other business your company is dependent on, such as an anchor store in a shopping mall that your small shop relies for passing trade); and off-premises power interruption, either with or without coverage, for failure of power transmission lines.

This last example is in some ways the precursor to an exposure faced by many businesses today: reliance on the internet. Most businesses rely on the internet to an extent they probably do not fully appreciate. The internet is now almost as ubiquitous as electricity, and businesses can be crippled without it, as highlighted by recent attacks.

On Oct. 21, a series of coordinated distributed denial of service (DDoS) attacks began on domain name system (DNS) provider Dyn, a cloud-based internet performance management company that essentially acts as a switchboard for internet traffic. The attacks on Dyn were of a different scale from the typical DDoS attacks seen by many companies. The attacks started at around 7 a.m. EDT and were not fully resolved until after 6 p.m. Many internet companies and internet service providers (ISPs) were affected by the outage and the extreme internet slowdown the attacks caused. Because ISPs were affected, companies all over the country were also impacted and thus unable to transact business normally, at least to some extent. Business income and profits suffered.

So what can companies do to manage these risks? Clearly, risk control measures at individual companies can do little to nothing to avoid or prevent the effects of a coordinated attack on a service provider, especially one that the company has no direct contact or connection with, such as Dyn. This leaves risk finance as the only measure, either through self-insuring the risk (basically ignoring it and suffering the consequences) or through insurance.

A typical cyber policy bought by small- to medium-sized businesses most likely does not cover such an event. These policies usually cover losses (often including business interruption losses) caused by attacks on an insured’s own computer system and network, but do not provide coverage for business interruption losses caused by attacks on third-party providers. The cyber products offered by insurers are changing rapidly, however, and a few insurers are now beginning to offer something similar to contingent or off-premises power supply business interruption coverage for the internet.

Cyber policies are non-standard and can be long, complex, difficult to understand, and often offer myriad coverages in one policy. Different insurers’ products offer different coverages, or sometimes the same coverages with different language, clauses and definitions.

A few insurers are now starting to broaden the business interruption coverage by changing the definition of “computer system” or “system” for purposes of business interruption coverage to include not just the insured’s own network, but also the hardware and systems owned by third-party providers to which the insured is connected via a network (which includes the internet). Thus, attacks that impact the computer system of a third party on which the insured relies (such as an ISP or a company like Dyn, as well as an insured’s more immediate business partners) would trigger business interruption coverage under such a policy.

This is not a panacea, however. There are at least two significant limitations on these policies. The first is the “waiting period” deductible. Most policies (with the broader language or not) have a 12-hour waiting period, starting from the time the insured reports the disruption. But 12 hours is a very long time to not be able to transact business over the internet. Even the Dyn event, the largest such attack yet on a U.S. company, was fully resolved in a little over 11 hours. Additionally, that attack was actually at least three separate attacks and the 11 hours was the total time from the start of the first to the resolution of the last. A carrier could argue that the three separate attacks were separate incidents and thus separate claims, none of which came near the 12-hour waiting period. Further, very few companies were affected for the full 11 hours. Larger companies may be able to negotiate a shorter waiting period, but underwriters might not be willing to do so.

Second, the amount of business interruption coverage can be very limited under such policies. Typical limits for this coverage are $100,000 and, again, underwriters are reluctant to increase this amount unless the insured is a very large company. If the carrier does increase limits, expect to find a significant deductible as well.

So is self-insurance a viable alternative? For some companies, particularly those with a smaller dependency on the internet, the answer may well be yes. It might even be the only alternative, depending on the rest of a company’s insurance program and reasons for using a particular insurer if that insurer does not offer the broader business interruption coverage.

The good news is that attacks of this scale are still rare, and the cyber products offered by insurers are still developing. As a result, insureds need to find brokers who understand the intricacies of cyberrisks and coverages, as well as the insured’s industries and businesses. It is also important that insureds work with brokers with access to a broad market. Insureds need to make a real effort to understand their cyber policies and ask pointed questions.

The Dyn attack is a great example of why insureds need to stay informed and vigilant: Simply renewing your cyber policy from one year to the next, without exploring alternatives, could end up costing you in the event of a substantial cyberattack. As the types of coverages that cyber policies offer and the complexity of the policies themselves increase, it is becoming more common for companies to suffer cyber losses for which they do not have coverage despite its availability.

The broader business interruption coverage discussed above is in its infancy and will continue to develop as more insurers offer similar coverages and adapt to developing risks. Risk managers, therefore, need to monitor this area to ensure they are aware of the evolving coverages that may be available to meet their company’s needs.

Firm Highlights

Publication

BIPA Liability: Existing CGL Coverage May Provide a Lifeline for Policyholders

Developments in the law have increased the potential liability that companies could face under the Illinois Biometric Information Privacy Act (BIPA), but fortunately for policyholders, Illinois case law has also solidified coverage for BIPA...

Read More
News

Farella Braun + Martel Earns 2024 Best Law Firms® Rankings

Read More
Publication

California Appeals Court Empowers Privacy Agency to Immediately Enforce CCPA Regulations

In  California Privacy Protection Agency et al. v. The Superior Court of Sacramento County  (case number C099130), the Third Appellate District of the California Court of Appeal returned authority to the California Privacy Protection...

Read More
Publication

Disputes Between Shareholders May Not Be Governed by Fiduciary Duties but Could Be Covered by Insurance

(As published in Private Company Director ) Disputes regarding ownership interests often arise in the context of closely held corporations, particularly when directors, officers, or majority shareholders sell or acquire ownership interests in the...

Read More
Publication

When Can an Insurer Pursue a Malpractice Claim Against Defense Counsel Retained for an Insured? (Part Two)

By Jalen M. Brown, Kristin Davis, Shanti Eagle, Peter J. Georgiton, and J. Mark Hart Part 1 of our two-part article addressed the circumstances in which an insurer can directly pursue malpractice claims against...

Read More
Publication

When Can an Insurer Pursue a Malpractice Claim Against Defense Counsel Retained for an Insured? (Part One)

By Jalen M. Brown, Kristin Davis, Shanti Eagle, PeterJ. Georgiton, and John Mark Hart When an insurer accepts an insured’s tender and agrees to provide a defense, it is often an afterthought as to whether...

Read More
Publication

Reporting Dispute Claims Within Closely Held Wineries

Many wineries operate as closely held companies, meaning they’re owned by an individual or small group of shareholders, who are often members of the same family. Disputes regarding ownership interests can arise, particularly when directors...

Read More
News

Who’s Who Legal 2023 Recognizes Farella Lawyers

Six Farella Braun + Martel lawyers have been recommended by Who’s Who Legal 2023 as leading practitioners in their fields. Who’s Who Legal – Environment 2023 James Colopy Robert Hines David Lazerwitz Chris Locke...

Read More
Publication

Thomson Reuters v. Ross Intelligence: AI Copyright Law and Fair Use on Trial

On Sept. 25, 2023, Judge Stephanos Bibas (sitting by designation in the District of Delaware), determined that fact questions surrounding issues of fair use and tortious interference required a jury to decide media conglomerate...

Read More
Publication

Regulatory Changes Underway To Address Dwindling California Property Insurance Market

We keep hearing about how difficult it is for our clients to get property insurance these days, both for homes and businesses in Northern California’s wildfire-prone areas. Which, of course, is most of Northern...

Read More