Cyber business interruption exposures escalate claims

PHILADELPHIA – Business Interruption claims can add substantial costs to cyber incidents and take time to reconcile, insurance and technology experts say.

Carefully crafted policy wordings and prudent response and restoration decisions can help mitigate the costs, they said last week at the 2024 NetDiligence annual cyber summit in Philadelphia.

In 2023, the average cyber claim involving business interruption was 270% more than one that did not include lost income claims. In addition, the five-year average cost of a claim with a business interruption element was over 450% higher than a claim without those losses, according to the 2024 NetDiligence Cyber Claims Study.

The study was based on an analysis of about 10,500 claims between 2019 and 2023, with 98% of those claims submitted by small and medium-sized enterprises.

Cyber-related business interruption losses occur when an organization experiences an event such as a ransomware attack that wholly or partly disables its operations or when an entity a business relies on experiences an incident causing that business to experience a loss, known as contingent business interruption, said Julia Verdi, San Francisco-based manager, claims, and head of claims education for At-Bay Inc.

Most cyber policies cover both types of losses, Ms. Verdi added.

One frequently disputed area is coverage for “extra expense,” which is ancillary costs incurred by a policyholder due to a cyber incident, said Jane Warring, Atlanta-based partner with law firm Zelle LLP. She recommends agreeing on precise policy wordings to avoid disputes between insurers and policyholders, using language such as “reasonable and necessary” to define covered expenses.

Cyber breach victims sometimes rush to replace compromised hardware, said Lee Trotter, Austin, Texas-based director of cyber security company Moxfive LLC. This sometimes costly approach can be avoided through precise analysis of a policyholder’s existing assets and careful consideration of alternatives.

The first 24 to 48 hours after an incident is the “storming phase,” when things can be the most hectic and decisions get made hastily, he said.

“Most recently, we had a scenario where we were working with an insured that wanted to go out and buy new storage. We really encouraged them to take a step back. They had hardware on site that they could use,” Mr. Trotter said in one example of an extra expense that could be avoided.

Communication with policyholders and other stakeholders is vital in seeking to understand the figures, said Harriet Bateman, New York-based director with consulting firm Baker Tilly’s forensic, litigation and valuation services practice

“We have the numbers side of things, but that’s worthless without having those conversations with insureds, making sure we fully understand exactly what’s happened in the business and that we’re interpreting the data correctly. We need time to make sure we’re educated,” she said

The process can be time-consuming, Ms. Bateman said.

“Those conversations do take time, and there’s the back and forth” over any additional requests for documentation and subsequent negotiations, she said.

There is no standard list of documents to request or a checklist because each business and incident is different, Ms. Bateman said.

“There’s not a one-size-fits-all,” she said, emphasizing different businesses may require other documentation and data.