Risk & Business Magazine Spectrum Insurance Spring 2017 | Page 6

CYBER RISK COVERAGE

Business Interruption Meets Cyber Risk Coverage

COSTANTINO P. SURIANO AND BRUCE R. KALINER

As more businesses come to realize that cyber attacks pose a serious threat to business operations, revenue streams and contingency planning, the market is starting to expand and develop new products to address business interruption, or BI, resulting from a cyber attack. Some of the more common cyber attacks against businesses include denial-of-service, brute force (to obtain passwords), insertion of malware or malicious code, ransomware, backdoor attacks and social engineering. This article provides a primer on the issues that may arise when the traditional concept of first-party BI coverage is married to cyber coverage.

BI coverage is a time-element coverage offered under first-party property policies. In the first-party context, for BI coverage to be implicated, there must be insured direct physical loss or damage by a covered cause of loss that causes a necessary interruption of the insured’s operations, either wholly or partially as specified in the policy. Once these conditions are met, then the actual loss sustained is measured to determine the loss of business income from the interruption.

It is important to remember that first-party property policies do not traditionally extend property loss or damage to electronic data, as data is not considered a physical or tangible object subject to loss or damage. When BI coverage is offered for cyber policies, the direct physical loss or damage requirement may be substituted with an electronic data driven event — a specified type of cyber attack.

The scope and elements of what constitutes a cyber attack in the policy are therefore of critical importance. In other words, what triggers BI coverage for a network attack? As noted above, BI coverage was originally intended for physical loss and is now being imported into the ethereal and nonphysical world.

As part of a triggering event for BI coverage, there must be a direct causal connection between the cyber attack and the interruption of business and loss of revenue. For an active attack, where an adversary or perpetrator destroys or alters data that brings down the computer system, or a denial of service takes place and business operations cease, the causal connection to any business loss should be fairly straightforward to establish. However, the causal connection is less clear in a situation involving a passive network attack, when a computer system is infiltrated but the perpetrator is only gathering data or exploring the system, and no data is disturbed, altered or destroyed. In such a situation, a network attack took place and remedial measures are necessary, but computer operations may continue uninterrupted while the security of the system is being restored and any malicious software is neutralized. Although the cyber policy may respond and pay for the expenses to restore the network security under other coverages, a BI loss has not been established inasmuch as there would be no interruption of operations. Another scenario could involve a passive attack combined with a public disclosure that an insured’s network has been