IUA calls for greater focus on cyber BI

Reuters, Feb 10, 2025 11:20 AM

By Rebecca Delaney

- (The Insurer) - Cyber business interruption (BI) risks must receive the same level of attention as information technology security controls and ransomware threats, a new report by the International Underwriting Association (IUA) has argued.

Research conducted by the market body in association with Baker Tilly analysed claims experiences since the IUA’s cyber underwriting group first published a BI report in 2018, which provided an overview of the subject and the principles of how a loss would be calculated.

Since 2018, the cyber insurance market has seen a significant increase in the number of BI claims, in terms of both value and volume. The report noted that while there has been progress in the understanding of cyber BI, there is still work to be done to improve the claims experience for both insurers and policyholders.

There are currently two forms of policy wordings used in cyber BI policies to determine indemnity: the loss of net profit plus continuing fixed costs (net profit); and the loss of gross profit.

"Generally, the loss of gross profit approach is more widely understood by non-BI specialists, e.g. policyholders, given that it starts at the top of the profit and loss account and, in effect, works downward. However, there can be issues, given the difference between insurance and accounting gross profit," said the report.

"In cyber, the sum insured is typically an aggregate limit applicable to all insuring clauses. Consequently, a standalone sum insured for BI under a cyber policy isn't required, nor is there a need to identify which costs are expected to be saved and therefore defined as an uninsured working expense."

The report continued that the net profit wording – which is the more commonplace approach used in the cyber market – also faces a common problem in that the specific reference to "continuing normal expenses incurred including payroll" is often misinterpreted as indemnifying policyholders for the loss of (insurance) gross profit and the ordinary costs the business continues to incur following an incident, such as payroll.

However, as the IUA noted, the insured business would have paid these costs but for the incident, and there is therefore no change in the level of costs incurred as these are fixed costs.

The IUA has therefore recommended a simpler, alternative BI wording that is focused on the standard turnover and how that has changed due to the insured event.

"This approach makes it clear to non-BI professionals as to how the indemnity will be calculated, which reflects the fact that the forensic accountant is considering how revenue and cost transactions have changed. It also removes any confusion or ambiguity around continuing operating expenses, principally payroll," said the report.

"It is important to emphasise that this is not a change in the cover provided by the policy. Rather, this wording amendment actually makes the policy easier to understand for all market participants. It is to be hoped, therefore, that adoption of a wording of this type will contribute to an easier process for cyber BI claims."

Stock treatment

The report also noted that, while practices around the treatment of stock in BI losses are well established in the property insurance market, wordings in the cyber market are less clear, and can often lead to debates around coverage.

BI insurance considers the losses from sales that did not occur as expected due to an incident. Once the stock has been identified as being in an unsaleable condition, the value of the stock is written off and the value is transferred from the balance sheet to the profit and loss account as an expense.

These transactions are separate and distinct from the recognition of any loss of revenue or gross profit.

Debates around stock can also arise when a policyholder maintains buffer stock to manage its supply chain risk.

"Most cyber policies remain silent regarding cover for stock used to mitigate BI losses," said the report.

"As with damage to stock following a cyber incident, this buffer stock issue should be picked up as part of a pre-loss economic loss modelling process that can then be used to facilitate a discussion with insurers on the suitability of an accumulated stocks clause as part of the underwriting process."

Indemnity period

For cyber policies, the typical maximum indemnity period is between 90 and 180 days. The issue of loss of opportunity and delayed sales plays a significant role in discussions over longer indemnity periods for cyber insurance.

"Longer indemnity periods always lead to a shift in the risk exposure that is shared between the insured and insurer," said the report.

"To properly consider this issue, it follows that the insured needs to have performed a detailed economic loss analysis that would indicate the consequences of increasing the indemnity period from 6 months, say, to 12 months or even longer.

"This applies both in terms of delayed revenue and loss of opportunity. In any event, without this analysis the insurer will be unclear as to the consequences of increasing the period of cover, which will likely result in difficulties in setting a premium that is reflective of the actual underlying risk."

The IUA concluded that it is optimistic that greater attention will be given to cyber BI over the next few years to match the level given to IT and security controls, as this would enable progress on the issues highlighted in the report.
