Businesses face the risk of financial loss and disruption due to theft of private or sensitive information, attacks on IT systems, and fraud. MDD’s Norman Kwan shares that cyber risks policies are still evolving and there are issues that need considerations such as the ambiguity regarding the interruption period; the loss of trust among customers; the different types of costs and the types of possible sales recoveries. He also explains the role of forensic accountants.
Cyber exposures are on the increase, as businesses become more reliant on the internet and networking technologies to conduct business and interact with the outside world. A spate of recent high-profile incidents, such as those afflicting eBay and Target, have drawn attention to cyber risks, now considered to be among the top risks to global business.
Cyber Risks Policies
Cyber risks typically fall outside the coverage of traditional business insurance policies, thus a specific cyber risk insurance policy needs to be taken out for protection. As the demand increases for such policies, more insurance products are being developed and offered in the marketplace. Policy wordings differ but typically include coverage for a range of First Party risk exposures and Third Party liability exposures. Examples of First Party risks include Loss or Damage to Digital or Data Assets, Business Interruption from Network Downtime, Restoration Costs, Cyber Extortion, Reputational Damage (with associated costs such as Crisis Management and PR) and Theft of Money and Digital Assets. Losses associated with Third Party risks might include Security and Privacy Breaches, Investigation of Privacy Breaches, Customer Notification Expenses, Multi-media Liability, Loss of Third Party Data, Regulatory Fines and Penalties, and Data Warehouse Breach.
Cyber Business Interruption losses – Some Issues and Considerations
The concept of Business Interruption following cyber crime is not significantly different to Business Interruption resulting from physical damage. However, as cyber risk policies are relatively new and still evolving, we observe a variety of new wordings and believe there is larger scope for policy interpretation disputes compared to traditional interruption policy wordings.
Ambiguity Regarding Interruption Period
For example, ambiguity regarding the interruption period – unlike a property loss whereby the interruption period is usually well-defined, the “start” and “end” date may be less clear in a cyber claim. There may be uncertainty as to when an attack occurred or when the impairment associated with the attack began. It may also be difficult to determine when an attack has ended. To complicate matters further, losses may still be incurred even after systems have been restored. Would this be covered under the policy?
Customers’ Loss of Trust
Another consideration is determining the losses that result directly from an insured cause, as opposed to indirect losses that are outside of policy coverage. For example, it is possible that negative publicity from a high- profile cyber breach may cause loss of trust among customers to the extent that they do not return, even after systems have been fully restored. This type of loss is unlikely to be covered, although this would be subject to the actual wording of the policy.
Investigative Costs and Improvement Costs
This consideration could be extended to claimed costs. Many cyber policies allow for costs to investigate an information security breach. Such investigative efforts may involve a number of different disciplines, including both internal and external personnel. Services may also be required to restore networks and data and to repair or replace equipment damaged in the breach. It is important to distinguish between the costs to investigate and rectify the breach and the costs to improve and strengthen the system, in an effort to prevent a re-occurrence.
Types of Sales Recoveries
Recovery is a distinct possibility through “make-up” sales, particularly if the product or service being sold is relatively unique. A consumer unable to purchase a product from a website one day may well try again later and succeed. In such a scenario, the sale has merely been postponed and not actually lost. Another recovery scenario could crop up in the case of businesses that sell online but also have physical stores, whereby potential buyers unable to purchase online visit the stores to transact instead. This type of sales “migration” would not be picked up by an analysis of online sales alone and would result in the loss being overstated. Likewise, with the earlier example of postponed sales, an analysis of the “downtime” period alone would miss the recovery and overstate the loss. These are only a couple of examples of how loss recoveries could be missed.
Availability of Large Volume of Data both a Plus and a Minus
One advantage of a cyber-environment is usually the availability of electronic data. On one hand, the large volume of data can yield lots of useful information that will be helpful in quantifying the loss. Detailed data broken down by geographic regions, store locations and product lines allow trends and buying patterns, as well as losses directly related to the cyber event, to be determined.
On the other hand, large volumes of detailed data could prove challenging to analyse without the proper software and skills.
The Role of Forensic Accountants in Cyber Insurance Claims
Forensic accountants can assist insurers in the measurement and verification of the loss in cyber claims and can work as part of a wider team of experts including claims handlers, IT analysts, lawyers and adjusters.
Forensic accountants ensure that the losses are measured reasonably, accurately and in accordance with the terms of the insurance policy. Their work helps to provide clarity on the financial figures, which assists in settling disputes and helps safeguard insurers from overpaying. As mentioned earlier, the cyber arena is still relatively new; therefore, there is large scope for disputes to arise.
Cyber claims are typically associated with very large volumes of data, which can be overwhelming for most claim departments. Forensic accounting firms have the depth of resource, expertise and experience to handle large volumes of data and target the relevant data to measure the loss.
Forensic accountants can also assist by reviewing claimed costs and providing insight on whether these costs may meet policy criteria. Depending on the individual policy, it could be necessary to distinguish between costs to investigate a potential breach and costs to “beef up” network security (which would be considered betterment and may not be covered).
By Norman Kwan. Published in Asia Insurance Review – EAIC Special Issue November 2014.