One thing RGL are looking closely at is how to quantify business interruption insurance claims arising from cyber events. The insurance payment will be largely based on our calculations and the analysis we carry out to ensure that the amount lost by a business due to the cyber event is properly measured, taking into account the “waiting period”.
Typical cyber insurance policies include a waiting period of between 4 and 12 hours before the business interruption cover begins to apply. The waiting period is a type of deductible or excess, and it is included in the policy to ensure that cover is provided for major events, not for day-to-day short network interruptions or system failures. Different businesses will purchase a longer or shorter waiting period based on their appetite for risk and how quickly they believe their IT disaster recovery plans can respond.
However, depending on the type of cyber event, the timing of the event on a specific day and the type of business, there may not actually be a sales loss in the first 4 to 12 hours. Alternatively, the loss may be spread over several days but, due to the sales pattern of the business, most of the sales loss could fall within the waiting period and therefore not be covered.
In such situations, we would take into account the hourly sales and system data to calculate the appropriate deduction for the waiting period. If this granular data is not retained by the business, then the loss in the waiting period will need to be estimated. One way of doing this is to divide the total loss suffered by the total number of hours of downtime, giving a loss per hour. We find that this is inherently inaccurate and can lead to the policyholder being either under- or over-compensated.
To avoid this situation, and give more certainty to both the insurer and policyholder, we feel either a fixed monetary deductible or possibly a franchise deductible could be adopted. A clear advantage of such deductibles is that once the losses are in excess of the defined monetary amount, both parties know what will be paid and no hourly calculation is required. Furthermore, with the franchise deductible approach, once the loss has exceeded the deductible the whole amount of the loss would be paid, not just the amount above the deductible, giving more cover for the larger losses.
In both approaches, the smaller day-to-day incidents would be excluded. However, insurers would need a lot more information about the value of the potential exposures at the time of underwriting the policy to decide what the fixed monetary or franchise deductible should be. This knowledge is still being obtained as the cyber insurance market continues to mature.
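The four calculations discussed above can be compared side by side. The following is an added example, not an RGL calculation or tool: the hourly loss figures, the 08:00 to 20:00 trading pattern, the 8-hour waiting period and the 4,000 deductible are all constructed assumptions.

```python
# Added example: all figures are constructed, not taken from a real claim.

def payout_hourly(hourly_losses, waiting_hours):
    """Waiting period applied to actual hourly data: first N hours excluded."""
    return sum(hourly_losses[waiting_hours:])

def payout_averaged(hourly_losses, waiting_hours):
    """Waiting period estimated from total loss / total hours of downtime."""
    hours = len(hourly_losses)
    if hours == 0:
        return 0
    total = sum(hourly_losses)
    loss_per_hour = total / hours
    # A waiting period longer than the outage removes the whole loss.
    return total - loss_per_hour * min(waiting_hours, hours)

def payout_fixed(total_loss, deductible):
    """Fixed monetary deductible: only the amount above it is paid."""
    return max(0, total_loss - deductible)

def payout_franchise(total_loss, deductible):
    """Franchise deductible: once exceeded, the whole loss is paid."""
    return total_loss if total_loss > deductible else 0

def compare(hourly_losses, waiting_hours, deductible):
    total = sum(hourly_losses)
    return {
        "total_loss": total,
        "waiting_hourly": payout_hourly(hourly_losses, waiting_hours),
        "waiting_averaged": payout_averaged(hourly_losses, waiting_hours),
        "fixed": payout_fixed(total, deductible),
        "franchise": payout_franchise(total, deductible),
    }

# Constructed 24-hour outages; the business loses 1,000 per hour of sales
# between 08:00 and 20:00 and nothing overnight (assumed trading pattern).
OUTAGE_FROM_0200 = [0] * 6 + [1000] * 12 + [0] * 6
OUTAGE_FROM_1200 = [1000] * 8 + [0] * 12 + [1000] * 4

if __name__ == "__main__":
    for label, profile in [("02:00 start", OUTAGE_FROM_0200),
                           ("12:00 start", OUTAGE_FROM_1200)]:
        print(label, compare(profile, waiting_hours=8, deductible=4000))
```

Both constructed outages have the same total loss and duration, so the averaged method pays 8,000 in each case, while the hourly data gives 10,000 for the 02:00 start and 4,000 for the 12:00 start.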
It will be interesting to see how deductibles in cyber policies develop and whether the waiting period will remain, or whether over time this will change to give more certainty to both the policyholder and insurers.