Cyber business interruption exposures add up

PHILADELPHIA — Business interruption claims can add substantial costs to cyber incidents and take time to reconcile, insurance and technology experts say.

Carefully crafted policy wordings and prudent response and restoration decisions can help mitigate the costs, they said last month at the 2024 NetDiligence annual cyber summit in Philadelphia.

In 2023, the average cyber claim involving business interruption was 270% more than one that did not include lost income claims. In addition, the five-year average cost of a claim with a business interruption element was over 450% higher than a claim without those losses, according to the 2024 NetDiligence Cyber Claims Study.

The study was based on an analysis of about 10,500 claims between 2019 and 2023, with 98% of those claims submitted by small and medium-sized enterprises.

Cyber-related business interruption losses occur when an organization experiences an event such as a ransomware attack that wholly or partly disables its operations or when an entity a business relies on experiences an incident causing that business to experience a loss, known as contingent business interruption, said Julia Verdi, San Francisco-based manager, claims, and head of claims education for At-Bay Inc.

Most cyber policies cover both types of losses, Ms. Verdi added.

One frequently disputed area is coverage for “extra expense,” which is ancillary costs incurred by a policyholder due to a cyber incident, said Jane Warring, Atlanta-based partner with law firm Zelle LLP. She recommends agreeing on precise policy wordings to avoid disputes between insurers and policyholders, using language such as “reasonable and necessary” to define covered expenses.

Cyber breach victims sometimes rush to replace compromised hardware, said Lee Trotter, Austin, Texas-based director of cyber security company Moxfive LLC. This sometimes costly approach can be avoided through precise analysis of a policyholder’s existing assets and careful consideration of alternatives.

The first 24 to 48 hours after an incident is the “storming phase,” when things can be the most hectic and decisions get made hastily, he said.

“Most recently, we had a scenario where we were working with an insured that wanted to go out and buy new storage. We really encouraged them to take a step back. They had hardware on site that they could use,” Mr. Trotter said in one example of an extra expense that could be avoided.

Communication with policyholders and other stakeholders is vital in seeking to understand the figures, said Harriet Bateman, New York-based director with consulting firm Baker Tilly’s forensic, litigation and valuation services practice.

“We have the numbers side of things, but that’s worthless without having those conversations with insureds, making sure we fully understand exactly what’s happened in the business and that we’re interpreting the data correctly. We need time to make sure we’re educated,” she said.

The process can be time-consuming, Ms. Bateman said.

“Those conversations do take time, and there’s the back and forth” over any additional requests for documentation and subsequent negotiations, she said.

There is no standard list of documents to request or a checklist because each business and incident is different, Ms. Bateman said.

“There’s not a one-size-fits-all,” she said, emphasizing different businesses may require other documentation and data.

---

Insurers urge pricing discipline as losses rise, but soft market conditions continue for buyers

Underwriting discipline must persist in the commercial cyber insurance market as the frequency and severity of losses rise, according to insurance industry executives who spoke last month at the 2024 NetDiligence annual cyber summit.

Meanwhile, cyber pricing and rates have softened and remain favorable to buyers.

Longer term, executives see the market continuing to grow but say it will require fuel in the form of capital to do so.

Current market pricing is sustainable, “but deterioration of underwriting discipline and market conditions is starting to show in some really concerning areas,” such as the large account space, said Jeff Kulikowski, New York-based executive vice president, professional lines, for Westfield Specialty, a unit of Westfield Insurance Co.

Mr. Kulikowski said insurers are putting out bigger limits at lower price points as the loss environment worsens from a frequency and severity point of view.

Larger and more frequent events could hinder the sector’s profitability, the executives said.

“There’s a little bit of uncertainty that could sort of tip some of these carriers from a profitable territory into an unprofitable territory,” said Killian Brady, New York-based chief underwriting officer for Resilience Inc. “It doesn’t take much for us to start to get close to that unprofitable territory.”

Commercial cyber insurance buyers are also taking steps to make pricing sustainable.

Some are turning to structured programs in an attempt to avoid any substantial single-year volatility in pricing, said Matt Chmel, Chicago-based chief broking officer of Aon PLC’s cyber solutions group.

“This year, I’ve seen more of us than ever put longer-term and multiyear deals in place,” Mr. Chmel said.

Simon Shreeve, Roseland, New Jersey-based director, client account management, for CyberCube LLC, sees growth for the cyber market but says it will require further capital commitments from insurers, reinsurers and others.

“There’s so much opportunity still in the market. The other piece to think about is how much capital is required from a long-term perspective. So, there’s definitely a capital requirement to sustain that growth.” Mr. Shreeve said.

“I think we need new capacity in certain areas,” Mr. Chmel said, noting that in the small and medium enterprise space there is “plenty” of capacity.

“There are still a number of Fortune 250 buyers that don’t purchase coverage because they don’t feel there’s enough limit there,” he said.

---

Recovery costs, regulation drive breach expenses

Cyber incidents are becoming more expensive due to higher recovery costs, experts say.

Increased regulatory scrutiny also adds costs as regulators seek more detailed information regarding cyber incidents, they said, discussing the 2024 NetDiligence Cyber Claims Study at the cyber security organization’s annual conference in Philadelphia.

The study is based on a statistical analysis of about 10,500 claims between 2019 and 2023. Ninety-eight percent of those claims came from small and medium-sized enterprises.

The average claims cost ballooned from $211,000 in 2019 to a “pretty staggering” $636,000 in 2022, said Alyssa Watzman, a Denver-based partner and vice chair of the cyber team at law firm Constangy, Brooks, Smith & Prophete LLP.

The complex nature of each policyholder’s system requires “a lot of time and attention from various vendors,” including forensics and restoration services, which adds to costs, said Jaime Palumbo, New York-based vice president, claims, for Corvus Insurance, a unit of Travelers Cos. Inc.

Obtaining quotes from multiple response vendors can help manage escalating costs, said Diane Fazzolari, New York-based senior claims specialist, cyber, technology and media claims, at Axa XL, a unit of Axa SA.

“What we’re trying to do is match the vendor to the claim,” she said.

Increased attention from regulators is also adding legal fees and other costs as organizations are pressed for more information about cyber incidents, said Carolyn Purwin Ryan, Philadelphia-based partner at Mullen Coughlin LLC.

“The regulators are getting out there, and they’re asking a lot more substantive questions,” she said.

“We’ve seen a huge increase in data mining cost,” said Katherine Heaton, Denver-based claims focus group leader – cyber services and information security claims at Beazley PLC. The increase is partly driven by regulators’ questions about organizations’ cyber procedures.

“You can’t just always do blanket notices,” she said.