Cyber blog: Sorry for the interruption

In June 2015, the Department for Business, Skills and Innovation (BIS) published a report on the disruption caused by cyber security incidents. It found that a data breach, theft, or unauthorised disclosure of confidential data were all highly likely to cause serious business disruption.

The soaring cost of breaches

While the ‘serious business disruption’ in itself was no great surprise, the likelihood of a breach and the costs in time and money (including loss in income and profit) were. Actually, the figures quoted were quite astonishing. Here are the highlights:

• 90% of large organisations and 74% of small businesses had suffered a security breach
• The average business disruption costs £75,000 to £311,000* for small businesses and £1.46m to £3.14m for large businesses
• The average length of disruption was 7 to 10 days for small businesses and 5 to 8 days for large companies
• Among small businesses, the average time spent responding to incidents was 13 to 24 days, costing between £3,000 and £10,000*.

Many SMEs are under the mistaken belief that their commercial combined policy (which would likely include a business interruption section) would cover them following a cyber incident.

With figures as eye-wateringly high as these, it’s no wonder most SMEs underestimate the financial impact a cyber incident can have on their business.

This is usually not the case. And here’s why: typically, busniness interuption (BI) policies limit cover to loss or damage to tangible, physical property – and loss of revenue – resulting from an insured physical peril. Think fire or flood, for example. In other words, BI cover always follows on from what is covered in a policy’s Material Damage section. This means if cyber cover is not included in MD section, the BI section will not include cyber either.

The fall-out 

In today’s digital economy even the smallest of companies rely heavily on IT to do business, a data breach, or a virus that corrupts data or renders systems unusable – or any cyber incident affecting third parties – can lead to a significant loss of income or profit.

Being unable to process orders, create invoices, pay suppliers, send or receive emails or service clients, would effectively render almost every business inoperable. Furthermore, in the ensuing fall-out, customers are likely to go elsewhere.

Key questions to ask

When it comes to establishing the need for business interruption cover with cyber insurance, it’s worth asking the following:

• Does the property policy cover damage to data as well as tangible property?
• Is the cloud computing provider treated as a supplier or utility under the BI policy?
• What are the territorial limits – where are the company’s servers located? If they’re in multiple locations, they’ll all need to be covered.
• Does the supplier or utility extension have cover above and beyond just physical damage?
• There may be damage in one place but a loss in another – are there limitations on interdependency?
• Are the territorial limits sufficient? This is important, as service is often provided from locations outside the country where the business is located.
• Is reinstatement of data covered? Often the company has a specific computer covering reinstatement of data – does this include situations where data is not held/controlled at the company’s sites?
• Is data properly valued?

Ensure cover following cyber incidents 

As we’ve noted in previous articles, the frequency and effectiveness of cyber attacks is increasing. We’ve already seen in the 2015 BIS report, 74% of small businesses have experienced a security breach. This is up from 60% in 2014.

The ABI’s own survey also found a staggering 75% of SMEs have suffered a security breach in the last 15 months. Figures that suggest it’s more a case of ’when’, not ‘if’.

So it makes more sense than ever for businesses to check their current BI cover to see if it includes cyber insurance. And if not, take out a specialised cyber insurance policy, to ensure that BI following a cyber incident (whether a crime, attack, or accidental data breach) is covered.