Cyber attacks are happening with an alarming frequency, impacting mostly small to medium-sized businesses. According to Statistics Canada, in 2017 more than 20 per cent of Canadian businesses reported they were impacted by a cyber security incident. As fears of an attack mount, businesses are spending billions of dollars on IT resources to avoid becoming a target.
However, cyber attacks are becoming more sophisticated, leading to an increase in the size and volume of cyber insurance claims. This article discusses how cyber losses can result in a business interruption loss and how companies should go about documenting and quantifying these losses should they occur.
Cyber insurance policies provide coverage for losses caused by a cyber-related security breach, the most common being a ransomware attack. Losses claimed under these policies can include ransom payments, theft of personal or commercially sensitive information, business interruption during network downtime and costs to notify third parties of the breach.
Business interruption loss
The quantification of a business interruption loss caused by a cyber attack is similar to the approach you would use in a traditional business interruption calculation. Below are a few examples of common areas of loss:
While the company’s systems are being restored, a company may not be able to access its data or other critical IT functions such as e-mail. This can result in lost sales if the company is unable to receive or process orders, send out shipments or operate certain types of production equipment. Some companies may offer customers a discount to compensate them for delays in delivery.
(Note that if the claim is made for lost sales, it will be important to determine what expenses have been saved as a result of the reduction in sales. This reduction in expenses will be offset against the sales loss in much the same way a “gross profit rate” or “gross earnings” rate is applied to a sales loss under a typical business interruption policy).
If a claim is made for lost sales based on the inability to bid on projects, the company should attempt to document its historical success rate to show the frequency with which they win bids. Details of the bids that were missed (e.g. how many vendors were asked to submit a bid) can also be useful in documenting the likelihood that the company would have obtained the project.
For manufacturing businesses, certain tasks on the production line may need to be performed manually until systems are restored, causing labour inefficiencies. If a company can establish that more labour was required to earn the same amount of revenues, those inefficiencies could form part of the business interruption loss. For example, inefficiencies can be measured by comparing the historical difference between budgeted and actual hours, as a percentage, for a period prior to the cyber attack. This percentage can then be compared to the actual hours spent on manufacturing tasks during the loss period to determine the extent to which more time was required for production. Any excess hours can be claimed as a labour inefficiency. Some labour inefficiencies may be recovered once IT systems are restored, if employees are able to work overtime and efficiency improves during this period. Depending on the policy wording, those recoveries may need to be considered.
Employees may need to work additional hours to catch up on delayed projects/production or to perform tasks manually. Companies can claim any overtime costs that exceed historical levels where the overtime is related to the cyber attack. Historical overtime hours for employees should be reviewed in detail to identify whether any overtime may be seasonal or related to other factors.
Period of loss
Cyber policies will normally define the loss period as beginning from the date of the attack (subject to a waiting period) to the date the network is restored, up to a maximum number of days. While some attacks have an immediate impact on the IT system, others may have a delayed response, with the repercussions emerging later. It is generally useful to obtain from the company a timeline of events in order to understand when the attack occurred, when operations were first impacted and when the various IT systems were brought back into operation. This information can be used to determine the length of the loss period.
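The following worked example is added here and is not part of the article; it puts the quantification steps described above into code: the loss period (attack date plus waiting period, ended by restoration and capped at a maximum number of days), lost sales netted down with a gross profit rate, missed bids weighted by the historical win rate, labour inefficiency measured from the historical budgeted-versus-actual hours overrun, and excess overtime. For the seasonality point, it compares each loss-period month against the same calendar month of the prior year, which is one reasonable way to implement the review the article calls for, not a method the article prescribes. All figures, dates, hourly rates and the post-restoration recovered hours are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Policy:
    waiting_period_days: int   # days after the attack before cover starts
    max_indemnity_days: int    # cap on the length of the loss period


def loss_period(attack_date: date, restored_date: date, policy: Policy) -> tuple[date, date, int]:
    """Loss period runs from attack date + waiting period until restoration,
    limited to the policy's maximum number of days. Returns (start, end, days)."""
    start = attack_date + timedelta(days=policy.waiting_period_days)
    if restored_date <= start:
        return start, start, 0                  # restored inside the waiting period: no cover
    days = min((restored_date - start).days, policy.max_indemnity_days)
    return start, start + timedelta(days=days), days


def lost_gross_profit(lost_sales: float, gross_profit_rate: float) -> float:
    """Apply the gross profit rate so that expenses saved because sales were
    not made (materials, freight, commissions) are offset against the lost sales."""
    return lost_sales * gross_profit_rate


def expected_lost_bid_revenue(missed_bids: list[float], historical_wins: int, historical_bids: int) -> float:
    """Weight the value of bids the company could not submit by its documented
    historical success rate."""
    win_rate = historical_wins / historical_bids
    return win_rate * sum(missed_bids)


def labour_inefficiency_hours(hist_budgeted: float, hist_actual: float,
                              loss_budgeted: float, loss_actual: float) -> float:
    """Historical overrun (actual vs budgeted hours, as a percentage) sets the
    expected hours for the loss period; hours beyond that are the inefficiency."""
    hist_overrun = (hist_actual - hist_budgeted) / hist_budgeted
    expected_actual = loss_budgeted * (1 + hist_overrun)
    return max(loss_actual - expected_actual, 0.0)


def excess_overtime_hours(historical_by_month: dict[str, float], loss_by_month: dict[str, float]) -> float:
    """Compare each loss-period month with the same calendar month of the prior
    year so that seasonal overtime is not attributed to the attack."""
    excess = 0.0
    for month, hours in loss_by_month.items():
        baseline = historical_by_month.get(month, 0.0)
        excess += max(hours - baseline, 0.0)
    return excess


def quantify_sample_claim() -> dict[str, float]:
    """Constructed hypothetical claim; every number below is made up."""
    policy = Policy(waiting_period_days=2, max_indemnity_days=30)
    _, _, days = loss_period(date(2024, 3, 1), date(2024, 3, 20), policy)

    gross_profit_rate = 0.35       # assumed
    labour_rate = 45.0             # assumed hourly cost of production labour
    overtime_rate = 60.0           # assumed hourly overtime cost
    recovered_hours = 40.0         # inefficiency clawed back after restoration (policy-dependent)

    inefficiency = labour_inefficiency_hours(10_000, 10_500, 800, 1_000) - recovered_hours
    components = {
        "loss_period_days": float(days),
        "lost_gross_profit": lost_gross_profit(100_000, gross_profit_rate),
        "lost_bid_gross_profit": expected_lost_bid_revenue([200_000, 50_000], 12, 40) * gross_profit_rate,
        "labour_inefficiency": max(inefficiency, 0.0) * labour_rate,
        "excess_overtime": excess_overtime_hours({"Mar": 40, "Apr": 60}, {"Mar": 120, "Apr": 55}) * overtime_rate,
    }
    components["total"] = sum(v for k, v in components.items() if k != "loss_period_days")
    return components


if __name__ == "__main__":
    for name, value in quantify_sample_claim().items():
        print(f"{name:>22}: {value:,.2f}")
```

Each component is kept separate in the returned dictionary because the documentation requirements differ: the sales loss needs order and shipment records, the bid loss needs the historical win-rate evidence, and the labour items need time records for both the historical baseline and the loss period.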
Quantification of business interruption from cyber losses involves applying the same general principles that govern a typical business interruption loss calculation. The goal is to understand, document and quantify how the cyber event impacted the revenue and expenses of the company’s business.