When organizations face large-scale disasters or other unexpected losses, ensuring business continuity is often a top priority. Yet, various losses may make it challenging for organizations to avoid operational disruptions or temporary shutdowns. In these instances, even brief closures can carry costly consequences. Fortunately, that’s where business interruption (BI) insurance can help. BI insurance can offer much-needed financial protection when an organization’s usual business activities are interrupted due to covered losses. This type of coverage is typically available through a few different commercial insurance policies. Traditional BI coverage can be purchased as a supplement to commercial property insurance or a business owner’s policy (BOP), whereas an alternative form of BI coverage can be obtained via a cyber insurance policy.

There are several differences between traditional Business Interruption coverage and BI coverage that is part of a cyber policy, including when each applies and what losses they may cover. As such, organizations should be aware of these differences to better understand their overall coverage capabilities. The following article provides more details on traditional BI and cyber BI insurance and provides a general comparison as to the different types of coverage that may be offered under these policies.

Traditional BI Insurance

Traditional BI insurance is typically added onto a commercial property insurance policy or comprehensive insurance package, such as a BOP. This coverage generally includes financial protection for the various expenses that can arise if an organization is forced to pause its operations or temporarily close its doors due to a covered loss. Such a policy may contain terms and conditions that would reimburse an insured for the following operating costs:

  • Income that an organization would be earning if it were running under normal conditions, absent the interruption;
  • Commercial mortgage, rent, lease, loan and tax payments due during a disruption;
  • Payroll expenses to maintain employees’ wages amid a closure;
  • Relocation costs related to an organization’s move to a new or temporary location during a disruption;
  • Commission and training costs stemming from an organization having to replace damaged tools or machinery amid a closure and to educate workers on how to operate the new equipment; and
  • Extra expenses that an organization reasonably incurs (beyond typical operating costs) during a disruption to help it get back up and running.

Examples of covered losses under traditional BI insurance include a range of perils, such as fire, theft, vandalism, and certain natural disasters such as hurricanes and tornadoes. For instance, if a fire destroys the kitchen in a restaurant,  traditional BI coverage may help reimburse the business for lost income and employees’ wages while it temporarily closes for repairs. With traditional BI policies, some insurers may also offer contingent business interruption (CBI) coverage, which provides financial protection for operational disruptions caused by covered losses among suppliers and business partners. Some insurers may also provide civil authority coverage, which can help compensate expenses stemming from government-mandated business closures (e.g., a citywide curfew, local evacuation order or temporary road closure).

Cyber BI Insurance

As background, a cyber insurance policy is traditionally designed to assist an organization respond to a cyberattack, data security incident, or breach to the confidentiality, integrity, or availability of information within the organization’s custody or control. These policies primarily focus on assisting organizations remediate the incident and return to their pre-incident IT environment status, and complying with their data breach notification obligations.

As its name suggests, cyber BI coverage is solely available through the purchase of a standalone cyber insurance policy. This relatively newer coverage offering has become increasingly common as organizations expand their digital operations and invest in various technological advancements, thus raising their associated cyber exposure and leaving them more susceptible to disruptive attacks. Not all insurers include BI coverage in their cyber policies so organizations should carefully review their policies for this offering rather than assume they have this coverage. Cyber BI insurance usually provides financial protection for costs stemming from an organization experiencing technology failures (e.g., system shutdowns or network outages) and related operational disruptions due to a covered loss. Such a policy may help reimburse many of the same operating costs as traditional BI coverage, including lost income, employees’ wages and extra expenses.

Examples of covered losses under cyber BI coverage include a variety of security and privacy events, such as data breaches, social engineering scams and ransomware attacks. For instance, if an online retailer’s website gets temporarily shut down due to a ransomware attack, cyber BI coverage may help compensate the business for lost profits incurred while the website is offline. With cyber BI coverage, some insurers may also provide financial protection for digital disruptions caused by human errors (e.g., an employee accidentally downloading a harmful computer virus) or malfunctioning software (e.g., an organization’s network unexpectedly freezing during a routine system upgrade). Further, some insurers may offer cyber CBI coverage, which can help reimburse expenses arising from third-party cyber events that result in software provider shutdowns or cloud vendor outages.

Coverage Comparison

Despite some similarities, traditional BI and cyber BI policies are not the same. Here’s a coverage comparison to highlight the main differences between these coverage offerings:

  • Coverage triggers—Both traditional BI and cyber BI policies have a waiting period, which refers to the amount of time that must pass once a loss occurs before coverage can be triggered. Under traditional BI coverage, the waiting period is typically 72 hours. With cyber BI coverage, however, this period is often shorter. Since cyber events happen quickly and are generally resolved faster than losses caused by property-related perils, the waiting period for such coverage is almost always less than 24 hours, usually between six and 12 hours.
  • Period of measurement—In the scope of BI coverage, the period of measurement pertains to the calculation of lost income caused by an operational disruption. Traditional BI policies primarily apply to commercial property losses that pause typical business activities for long periods, making it relatively easy to determine the period of measurement. On the other hand, digital disruptions stemming from cyber losses may only last for hours or days, making it more difficult to calculate lost income correctly. To accurately determine the period of measurement and ensure sufficient reimbursement of lost income with cyber BI coverage, it is best to collect more detailed loss data, such as hourly profit statements and sales records.
  • Period of restoration—One key factor in determining the overall value of any BI loss is the period of restoration, which refers to the total length of an operational disruption. In most cases, the period of restoration is measured from the start date of a loss (e.g., when property damage occurs or a cyber event initially strikes) until the affected organization fully recovers and resumes normal operations (e.g., when property repairs are completed or digital assets are restored). The period of restoration is often fairly simple to determine when it involves property damage, but cyber events are not as straightforward. There can be far less certainty regarding when cyber events start and end, as there could be minimal evidence of physical recovery. Additionally, some cyber insurers may define the period of restoration differently than others, as opposed to more market-standardized wording that may be found in traditional BI policies. Accordingly, it is advisable for organizations to closely review policy wording to understand the scope of coverage, consult forensic accountants and assess additional loss elements (e.g., how and when cyber events were detected and resolved, what technology was affected, and which operations were paused) to correctly calculate this period following digital disruptions.
  • Reputational losses—When organizations encounter traditional BI losses, they usually are not concerned about reputational damage, as these losses generally stem from perils out of their control. Yet, with cyber BI losses, stakeholders may sometimes shift blame to the organization that was the victim of a cyber event for its occurrence in the first instance, especially if these events involve a breach of confidential data or are caused by what may be perceived as preventable security failures. For instance, unlike property damages causes by a natural disaster, stakeholders may view a cyberattack as evidence that an organization failed to implement and maintain security controls to protect and safeguard its IT environment from malicious activity. Consequently, organizations may experience prolonged profit losses due to diminished customer loyalty even after recovering from cyber events and associated digital disruptions. This potential exposure is why cyber BI policies may offer coverage for reputational losses, whereas traditional BI policies do not.

Conclusion

While there are a number of differences between traditional BI and cyber BI policies, both forms of coverage can prove invaluable and offer significant financial protection to organizations facing operational disruptions. Organizations can consult trusted insurance professionals to learn more about these coverage offerings and discuss their specific BI insurance needs. Contact us today for further insurance solutions.

Meet the Authors

Headshot of John Butler.John Butler, Cyber Product Lead, E-Risk Services

John has worked in the Insurance industry for 20 years in various underwriting and leadership roles. He has achieved two insurance designations, RPLU+ and CPLP, from the Professional Liability Underwriting Society, reflecting his commitment to the Professional and Cyber Liability insurance industry.

 

Headshot of Steve Stransky.

Steve Stransky, Partner, Thompson Hine LLP

Steve Stransky is the co-chair of the Privacy and Cybersecurity Practice Group at Thompson Hine LLP. Steve helps clients develop and implement data governance frameworks and internal policies and procedures to address evolving data privacy and digital marketing laws. Steve is also a Data Breach Coach and frequently assists clients in responding to ransomware attacks, business email compromises, and other cybersecurity incidents.

News Type

PLUS Blog

Business Line

Cyber Liability

Topic

Professional Liability (PL) Insurance

Contribute to

PLUS Blog

Contribute your thoughts to the PLUS Membership consisting of 38,000+ Professional Liability Practitioners.

Related Podcasts

Related Articles