Accounting for Cyber Business Interruption: Issues and Observations

As property insurance claims slowed due to COVID-19 lockdown measures and quarantines, the frequency of cyber-attacks exploded. A study of more than 6,000 businesses by Hiscox, Ltd found that 43% of the companies had suffered some type of cyber-attack in 2020, with the victims of these attacks ranging from small businesses to Fortune 500 companies.

One of the most common attacks on businesses involves ransomware, where an attacker infects the victim’s computer system with a form of malware that encrypts files and then demands a ransom to restore the data. Just recently, the Colonial Pipeline, which carries jet fuel and refined gasoline from Texas up the East Coast, was shut down for five days due to a ransomware attack. It has now been confirmed that the Colonial Pipeline made a $4.4 million Bitcoin payment to the criminal gang that was responsible for the attack. Other notable payouts due to ransomware include a reported $40 million payout by CNA Financial Corp. in March 2021, a $10 million payout by Garmin in August 2020, and a $1.14 million payout by the University of California in June 2020. While large payouts make the headlines, a 2021 report conducted by Purplesec, a cyber security consulting firm, found that 29% of small businesses had experienced a ransomware attack.

Remote work during the pandemic has not only brought operational challenges to businesses, but also an increased risk of cyber-attacks. Weak at home IT controls and a trend for people to move their lives online has put companies at constant risk of attack. In the healthcare industry alone, according to the 2021 SonicWall Cyber Threat Report, attacks increased by 123% from last year. In the 2020 Internet Crime Report, the Federal Bureau of Investigation reported a 69% increase in total complaints in 2020 compared to 2019. The World Economic Forum reported that approximately one million people join the internet every day, compounding the amount of data potentially exposed to bad actors.

Now, in 2021, a new reality from the pandemic is that some form of the work-from-home model is likely here to stay. While some businesses are pushing to re-open and welcome staff back into the office, other companies such as Twitter and Spotify are offering permanent work-from-home policies. Wherever employees are located, it’s clear that the threat of cyber-attacks isn’t going away, and many businesses do not have the expertise or resources to protect themselves. A recent survey conducted by Munich Re found that 81% of C-level executives thought their company was not adequately protected against cyber threats.

Facing the imminent threat of significant financial losses due to a cyber-attack, companies of all sizes are turning to cyber-insurance. According to Fitch Ratings, direct written premiums for cyber coverage in standalone and package policies increased over 22% in 2020, or approximately $2.7 billion. Munich Re estimates that the global cyber insurance market will reach a value of approximately $20 billion by the year 2025.

Over the years, cyber insurance has grown from a niche product to one of the most debated topics in the industry. With a limited claims history, many of the costs and potential losses are unknown and cover unfamiliar ground. The Harvard Business Review reports that insurers have insufficient data and lack the experience to develop the analytics they would typically use in more mature lines of business, such as property. In addition, the payment of ransomware and the publication of intent to pay may invite more attacks and will therefore impact the risk each business (and their insurer) accepts. The amount of insurance that the business carries for ransomware may also increase their risk as the bad actors are no doubt attempting to gather this information when identifying their targets.

In January 2021, Forbes predicted that regulatory bodies across the globe will begin to enforce a higher standard of data collection with specific requirements to establish a comprehensive reporting system. This will no doubt enhance insurer’s ability to perform cyber exposure analysis and develop a greater understanding of cyber risk.

Depending on the business model, some companies can continue to operate on a pen and paper basis with limited impact on their ability to generate revenue. In accounting for these claims, where the business interruption is expected to be minimal, we typically will review payroll and other documentation in order to calculate an extra expense or increased costs measurement. This could include reviewing consultant invoices relating to data recovery or analyzing time spent by employees inputting data and restoring systems. A common issue that we see in this instance is when the insured uses their salaried personnel for the rebuild and includes their time as an extra expense. Typically, fixed salaries are not covered as an extra expense because there was not an incremental cost to the business, and employee payroll would only be included for hourly employees working over and above their normal hours to input data and rebuild the systems. One way to overcome this issue is by communicating clearly and early with an insured about the potential costs involved and how the policy reacts.

For other businesses, an attack can result in a complete shut-down of operations, and in this case, the question arises as to whether ransom should be paid, or, if possible, should the system be rebuilt from backups? In most cases, cyber insurance will cover the value of the ransom, subject to a sublimit and possibly other restrictions. Other restrictions that we have seen include specific language in the policy that the payment of the demand needs to be recommended by a law enforcement agency. In the event that all conditions are met, the insurance carrier and the insured will still evaluate the reasonableness of paying the ransom or rebuilding from back-ups. When evaluating whether to pay the ransom or not, key items that insurer’s consider include: how long will the rebuild take, whether the business can continue to partially operate while systems are impacted, and most importantly, what is the anticipated business interruption claim versus the value of the ransom demand. We have seen instances where the ransom demand is over and above what the business makes in one year or even longer. In these cases, the insurer and insured will likely agree to rebuild the system and monitor the business interruption impact over time.

One of the primary complexities in measuring a cyber business interruption loss involves determining the applicable indemnity period. In the property and casualty arena, when a business suffers a loss, the period of indemnity is well defined and often supported by other experts involved in the adjustment. For example, for property claims, the period of indemnity may be based on the repair period. With a cyber claim, the period of indemnity is more difficult to identify. This issue can be further complicated by the fact that some businesses, even though their systems are back online, will continue to suffer business interruption losses. With these cases, we continue to review the sales data, and consider how the incident impacted operations, how the rebuild was conducted, and whether customers were aware of the attack. If customers are aware of the attack, the resulting reputational impact could be another potential trigger for business interruption coverage. The reputational impact and ensuing losses would be looked at separately from any systems shutdown.

Another common issue concerns “delayed” versus “denied” sales. For example, even if an insured loses access to their systems for several hours or days, customers may still be able to access the website or place an order by other means. When systems are back online, the insured may input the data and process the sale after the downtime period. During our review, we will ask the insured how they accounted for sales during the shutdown period and review the sales data to confirm whether these sales were processed at a later date. If we identify an uptick in sales after the loss period, we would review this with the insured and confirm whether this relates to “delayed” sales, potentially a pre-loss contracted sale kicking in, or an extraordinary sale. A similar issue we encounter on a variety of cyber claims includes the insured’s inability to collect accounts receivable during the outage period. An insured may take a narrow focus and submit a large claim consisting purely of a cash collection short-fall which resulted in a cash-flow impact rather than a business interruption loss.

The threat of a cyber-attack has become a new reality for both multinational corporations and small businesses alike, and there is no doubt that substantial ransomware payouts will continue to hit the headlines in years to come. While the cyber insurance industry is still in its infancy, and struggling with a lack of claims history, new data collection requirements may help insurers to develop a better understanding of cyber risk. In addition to the lack of claims history, further complications include the impact of paying a ransom or even carrying ransomware insurance on the risk each business (and their insurer) accepts. When measuring the business interruption loss resulting from a cyber-attack, common issues to consider include: whether to pay the ransom, determining an indemnity period, and lost vs. delayed sales.