Cyber report highlights need for risk managers to carry out risk assessment


The market for cyber business interruption cover is complex and the protection offered by different policies can vary widely, according to a report from the International Underwriting Association.

Most current business interruption coverages are standalone policy extensions, the triggers for which are separately defined in the contract wording. There are many such potential triggers including, for example, unauthorised access to a network, cyber extortion or system failure.

Companies are warned that not all triggers are included in every policy and that it is important, therefore, to perform an effective risk assessment before considering coverage options. Titled 'Cyber Insurance and Business Interruption', the report discusses how business interruption policies may respond to cyber incidents compared to more traditional classes of business.

Matthew Hogg, Chairman of the IUA Cyber Underwriting Group, said: "The continued education of businesses about cyber risk exposures is an essential task, both at an operational risk management level and in the boardroom.

"As cyber is a relatively new and continually developing area of insurance the range of different cover available can be quite extensive. It is not available as standard across the market and so requires a discussion between clients, brokers and underwriters to ensure that policy wordings meet business needs and will respond appropriately in the event of a loss."

Airmic deputy chair Tracey Skinner agreed with the report's advice urging buyers to have detailed discussion with insurers. "As this is a new and developing area of insurance this type of issue should be discussed with the underwriter to attempt to stretch the boundaries of the cover," she said.

"I believe that there could be a common misconception that a 'standard' cyber policy would respond to a loss as a result of a cyber related issue but triggered by brand and reputational impact. Generally, the cyber response would be in respect of the revenue lost during the actual period of interruption only and not knock on reputational impacts."

Among the issues discussed in the IUA's report are the period of loss covered by policies, how they may calculate loss of revenue, waiting periods and deductibles and methods for measuring the period of interruption. The document, produced in association with RGL Forensics, also considers contingent cyber business interruption.