Examining cover that can protect business operations from cyberattack
As the number of internet-enabled devices continues to increase, Sam Barrett looks at business interruption and cyber cover.
Businesses have taken steps to protect their operations from traditional perils such as fire, flood and theft for many years. But as more processes are connected to the internet of things (IoT), new risks are emerging.
By 2020, 20.4 billion devices will be connected, according to Gartner, with this technology enabling businesses to automate manufacturing processes and production lines.
With so many operations connected, the ramifications of being hacked can be much broader than losing a piece of machinery in a fire or flood. "If you have an operational risk where you lose your computers, you might bring the whole company to a standstill," warns Frederique Hardy, director of forensic accounting services at insurer Crawford.
Restoring systems does not necessarily resolve the problem either, with the potential for much longer lasting effects. As an example, Tom Clayton, senior cyber underwriter at Zurich Insurance, points to a drug manufacturer. "Once the production lines are up and running again, they would need to run through a series of regulatory checklists to be sure they were producing the right drugs," he explains.
These attacks can be incredibly costly. For example, energy company Norsk Hydro suffered a ransomware attack in March 2019, affecting more than 22,000 computers across 170 different sites in 40 countries and forcing it to halt many production lines. "They didn't pay the ransom, which won them some good publicity, but the attack still resulted in a loss of more than €50m (£42m)," says James Burns, cyber product leader at CFC Underwriting.
Unfortunately, while an organisation might regard this as a valid claim, if there is no physical damage, a traditional business interruption policy will not necessarily respond.
For many insurers, the response to this emerging risk has been to exclude non-damage business interruption altogether, to remove the risk of a potentially huge exposure to silent cyber. For instance, from January 2020, Lloyd's requires all insurers to provide clarity by either excluding it or providing affirmative coverage.
Cyber insurance is an option, with policies covering the losses arising from a business interruption caused by an organisation being hacked. As it's a relatively new market, Mr Burns says that policy wordings vary considerably: "The market is very inconsistent. We offer a waiting period of eight hours but on some policies, it can be as much as 24 hours. Brokers and their clients need to be aware of these differences."
It is also important to have the correct indemnity period. While most computer systems can be restored relatively quickly, losses relating to the outage can be felt long after the production lines are back to normal. This could include operational disruption but also cancelled contracts and lost business.
Cover is evolving. Piers Tuggey, underwriter, cyber and TMT at Axa XL, says he sees increasingly frequent requests for coverage extensions to include off-premises third-party technology providers such as cloud service providers and enterprise resource planning software. "Clients are also seeking cover for their supply chain on as broad a basis as they can achieve," he adds. "This poses significant challenges for insurers from an exposure-management perspective."
Another key element of cover is the emergency response service, giving policyholders access to forensic, legal and communications specialists to help mitigate losses following an attack.
But, while cyber can support the growth of the IoT in the industrial space, it remains a difficult sell, with penetration only about 11% and concentrated in the larger end of the market, according to Zurich's Mr Clayton. He says it is often seen as an unwelcome additional expense.
"It's not like a hardening market where the risk manager has to justify additional cost, it's a whole new expense line for a business and it often needs board approval. Clients I started speaking to two years ago are taking out cover now. It takes time."
And, while it may be difficult to get cyber insurance on the board agenda, the statistics show there is a real need for cover. Figures from the UK government's Cyber Security Breaches Survey 2019 state that 32% of businesses experienced a cyber breach or attack in the previous 12 months, with 48% of those who were attacked identifying at least one breach every month. "It is a real threat," adds Mr Clayton. "No business would think twice about taking out insurance for fire and flood but, as these statistics show, the risk of a cyberattack is much higher."
The cyber risk associated with the IoT can leave some business owners tempted to return to more traditional methods of manufacture, but IoT technology can also help to reduce risk.
Smart offices and warehouses deploy a variety of technologies that can help to reduce claims. Sensors can monitor everything from air quality and temperature to water flow, alerting the building manager if something unexpected, such as a leak or increased temperature in an electrical system, is detected.
As well as fewer claims on the property cover, the IoT can also lead to fewer accidents, with benefits for liability and health cover. For example, by using sensors to understand how employees work, an organisation can provide appropriate training or design a more ergonomic production line.
Sam Barrett is a freelance journalist