Insurance When the Internet Goes Down
Originally published in Risk Management, February 2017. Posted with permission
Business interruption coverage is now a staple of many companies’ insurance programs. One of the “optional” first-party property coverages included in standard property policies, it is intended to compensate companies for income or profits lost as a result of an inability (or reduced ability) to transact business as usual because of a covered physical loss, such as fire or collapse. Over the years, the coverage has developed and typical business interruption forms now offer a number of options: direct coverage only (the covered loss must happen on your own premises); contingent coverage (expanding coverage to include losses at a supplier’s premises or at some other business your company depends on, such as an anchor store in a shopping mall that your small shop relies on for passing trade); and off-premises power interruption, with or without coverage for failure of the power transmission lines themselves.
This last example is in some ways the precursor to an exposure faced by many businesses today: reliance on the internet. Most businesses rely on the internet to an extent they probably do not fully appreciate. The internet is now almost as ubiquitous as electricity, and businesses can be crippled without it, as highlighted by recent attacks.
On Oct. 21, 2016, a series of coordinated distributed denial of service (DDoS) attacks began on domain name system (DNS) provider Dyn, a cloud-based internet performance management company whose DNS service translates domain names into the numeric addresses that traffic is routed to; in that sense it acts as a switchboard for internet traffic, and when it cannot answer, the sites that depend on it become unreachable even though their own servers are running. The attacks on Dyn were of a different scale from the typical DDoS attacks seen by many companies. The attacks started at around 7 a.m. EDT and were not fully resolved until after 6 p.m. Many internet companies and internet service providers (ISPs) were affected by the outage and the extreme internet slowdown the attacks caused. Because ISPs were affected, companies all over the country were also impacted and thus unable to transact business normally, at least to some extent. Business income and profits suffered.
So what can companies do to manage these risks? Apart from a few design choices that reduce the exposure without eliminating it (for example, engaging a second, independent DNS provider so that no single provider’s outage takes the company offline, as a number of Dyn’s customers did after the attack), risk control measures at individual companies can do little to nothing to avoid or prevent the effects of a coordinated attack on a service provider, especially one that the company has no direct contact or connection with, such as Dyn. This leaves risk finance as the main measure, either through self-insuring the risk (basically ignoring it and suffering the consequences) or through insurance.
A typical cyber policy bought by small- to medium-sized businesses most likely does not cover such an event. These policies usually cover losses (often including business interruption losses) caused by attacks on an insured’s own computer system and network, but do not provide coverage for business interruption losses caused by attacks on third-party providers. The cyber products offered by insurers are changing rapidly, however, and a few insurers are now beginning to offer something similar to contingent or off-premises power supply business interruption coverage for the internet.
Cyber policies are non-standard and can be long, complex, difficult to understand, and often offer myriad coverages in one policy. Different insurers’ products offer different coverages, or sometimes the same coverages with different language, clauses and definitions.
A few insurers are now starting to broaden the business interruption coverage by changing the definition of “computer system” or “system” for purposes of business interruption coverage to include not just the insured’s own network, but also the hardware and systems owned by third-party providers to which the insured is connected via a network (which includes the internet). Thus, attacks that impact the computer system of a third party on which the insured relies (such as an ISP or a company like Dyn, as well as an insured’s more immediate business partners) would trigger business interruption coverage under such a policy.
This is not a panacea, however. There are at least two significant limitations on these policies. The first is the “waiting period” deductible. Most policies (whether or not they include the broader language) have a 12-hour waiting period, starting from the time the insured reports the disruption. But 12 hours is a very long time to be unable to transact business over the internet. Even the Dyn event, the largest such attack yet on a U.S. company, was fully resolved in a little over 11 hours. Moreover, that event actually consisted of at least three separate attacks, and the 11 hours was the total time from the start of the first to the resolution of the last. A carrier could argue that the three attacks were separate incidents and thus separate claims, none of which came anywhere near the 12-hour waiting period. Further, very few companies were affected for the full 11 hours. Larger companies may be able to negotiate a shorter waiting period, but underwriters might not be willing to agree.
Second, the amount of business interruption coverage can be very limited under such policies. Typical limits for this coverage are $100,000 and, again, underwriters are reluctant to increase this amount unless the insured is a very large company. If the carrier does increase limits, expect to find a significant deductible as well.
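To make the two limitations above concrete, the following is an added worked example (not part of the original article, and not any insurer’s policy wording). It models a business interruption claim under a waiting-period deductible, an optional per-incident money deductible and a sub-limit, and shows how the same outage pays very differently depending on whether the carrier treats the day as one incident or as three. The outage timeline, the hourly loss figure and the deductible amounts are constructed for illustration; only the 12-hour waiting period and the $100,000 sub-limit come from the article.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


@dataclass(frozen=True)
class Outage:
    """One period during which the insured could not transact business."""
    start: datetime
    end: datetime

    @property
    def hours(self) -> float:
        return (self.end - self.start).total_seconds() / 3600.0


# Constructed timeline: three attack waves on a single day, from 7 a.m. to
# shortly after 6 p.m. These times are assumptions for the example, not the
# actual minute-by-minute record of the Dyn event.
WAVES: List[Outage] = [
    Outage(datetime(2016, 10, 21, 7, 0), datetime(2016, 10, 21, 9, 20)),
    Outage(datetime(2016, 10, 21, 11, 50), datetime(2016, 10, 21, 13, 0)),
    Outage(datetime(2016, 10, 21, 16, 0), datetime(2016, 10, 21, 18, 10)),
]

HOURLY_LOSS = 20_000.0   # constructed: income lost per hour of disruption
SUBLIMIT = 100_000.0     # typical business interruption sub-limit cited in the article


def as_one_incident(waves: List[Outage]) -> List[Outage]:
    """Insured-friendly reading: the whole day is one incident, first start to last end."""
    return [Outage(min(w.start for w in waves), max(w.end for w in waves))]


def covered_loss(incidents: List[Outage], hourly_loss: float, waiting_hours: float,
                 sublimit: float, deductible: float = 0.0) -> float:
    """Indemnity the policy would pay.

    Assumed mechanics: each incident is its own claim, so the waiting period and
    the money deductible apply per incident; the sub-limit caps the total.
    """
    payable = 0.0
    for inc in incidents:
        compensable_hours = max(0.0, inc.hours - waiting_hours)
        payable += max(0.0, compensable_hours * hourly_loss - deductible)
    return round(min(payable, sublimit), 2)


def compare_interpretations(waves: List[Outage], hourly_loss: float, waiting_hours: float,
                            sublimit: float, deductible: float = 0.0) -> Dict[str, float]:
    """Payout under the 'one incident' and 'separate incidents' readings of the same day."""
    return {
        "one_incident": covered_loss(as_one_incident(waves), hourly_loss, waiting_hours, sublimit, deductible),
        "separate_incidents": covered_loss(waves, hourly_loss, waiting_hours, sublimit, deductible),
    }


if __name__ == "__main__":
    for waiting in (12.0, 6.0, 1.0):
        result = compare_interpretations(WAVES, HOURLY_LOSS, waiting, SUBLIMIT)
        print(f"waiting period {waiting:>4}h: one incident ${result['one_incident']:>10,.2f}  "
              f"separate incidents ${result['separate_incidents']:>10,.2f}")
    with_ded = compare_interpretations(WAVES, HOURLY_LOSS, 1.0, SUBLIMIT, deductible=10_000.0)
    print(f"waiting period  1.0h with $10,000 per-incident deductible: "
          f"one incident ${with_ded['one_incident']:,.2f}  "
          f"separate incidents ${with_ded['separate_incidents']:,.2f}")
```

With the 12-hour waiting period nothing is paid under either reading, because even the merged 11-hour-plus window never reaches 12 hours. Shortening the waiting period to six hours only helps if the day counts as one incident: the merged window then yields about $103,000 of loss, capped at the $100,000 sub-limit, while the three waves individually still fall inside the waiting period and pay nothing. Only with a one-hour waiting period do the separate waves pay, and a per-incident money deductible then wipes out the shortest of them. The questions to put to a broker are therefore exactly the parameters of this function: how incidents are aggregated, how long the waiting period is, whether any money deductible applies per incident or per claim year, and where the sub-limit sits.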
So is self-insurance a viable alternative? For some companies, particularly those with a smaller dependency on the internet, the answer may well be yes. It might even be the only alternative if the insurer a company uses for the rest of its program does not offer the broader business interruption coverage and the company has good reasons to stay with that insurer.
The good news is that attacks of this scale are still rare, and the cyber products offered by insurers are still developing. As a result, insureds need to find brokers who understand the intricacies of cyber risks and coverages, as well as the insured’s industries and businesses. It is also important that insureds work with brokers with access to a broad market. Insureds need to make a real effort to understand their cyber policies and ask pointed questions.
The Dyn attack is a great example of why insureds need to stay informed and vigilant: Simply renewing your cyber policy from one year to the next, without exploring alternatives, could end up costing you in the event of a substantial cyberattack. As the types of coverages that cyber policies offer and the complexity of the policies themselves increase, it is becoming more common for companies to suffer cyber losses for which they do not have coverage despite its availability.
The broader business interruption coverage discussed above is in its infancy and will continue to develop as more insurers offer similar coverages and adapt to developing risks. Risk managers, therefore, need to monitor this area to ensure they are aware of the evolving coverages that may be available to meet their company’s needs.