Cyber Claims: Why Every Hour Matters

In the past few years, cyber incidents have been occurring more frequently with increasing impacts on organizations. Unsurprisingly, Allianz has ranked cyber incidents as the top business risk for 2022, followed by business interruption at number two. The two risks go hand-in-hand as cyber incidents are now causing more significant business interruption losses. Up until recently, the biggest concern for an organization stemming from a cyber breach was the data privacy and regulatory implications. Now, there is a greater focus on the direct financial harm that can be inflicted on an organization.

Before insurance coverage for business interruption losses kicks in, many policies contain a “waiting period” which is an amount of time that must pass before the insurance company will provide coverage, similar to a deductible. Traditional property policies contain waiting periods defined by a number of days (e.g. 3 days or 72 hours). However, cyber policies define waiting periods in increments of hours (e.g. 8 or 10 hours). This means that organizations need to be able to track their business on a more granular level than ever before and makes the first 24 hours after a loss some of the most critical. Key metrics such as sales or customer activity should be captured on an hourly basis which will allow for a more precise calculation. This difference can have significant consequences for the recovery of a business interruption loss.

Consider this situation – an online retail business operates 24-hours per day with average daily sales of $100,000. However, sales vary considerably throughout the day ranging from a low of $500 from 3:00 – 4:00AM and peaking at $10,000 between 1:00 – 2:00 PM. The graph below illustrates how sales are distributed during a typical day.

This business has a cyber policy that includes an 8-hour waiting period before the business interruption coverage will respond. Now, a cyber incident has occurred at midnight. Therefore, losses incurred during the first eight hours of the cyber incident from midnight to 8:00AM will not be covered. Luckily, this organization tracks their sales on an hourly basis and can easily quantify the total sales incurred during the waiting period - $8,000 or 8% of the total daily sales as highlighted below.

However, what if this organization only tracked their sales on a daily basis? How would the lost sales during the waiting period be quantified? One way insurance carriers have done this is by simply taking 1/3rd of the daily sales to estimate the sales generated during the waiting period. This amounts to $33,300 in this instance, which is more than four times as high than if hourly data was available. The graphs below illustrate the difference in the recoverable lost sales under both scenarios.

The difference is significant. Organizations need to be prepared to evaluate their exposure should a cyber loss occur on an hourly basis. At RCG, we specialize in calculating and presenting cyber business interruption losses. We also work with companies to evaluate their potential cyber BI exposure before a loss occurs to help guide the insurance purchasing process.