Understanding Cyber Insurance

Photo:© sarayut_sy / Adobe Stock

A few years ago, a cyber insurance claim was prepared for a well-established manufacturer. By acting quickly after the cyber-attack, the business returned to normal operations within a few weeks, but lost several customers during that time. While preparing their claim, they realized they did not have the right coverage in place. The policy limits were too low, and although they had significant fixed expenses like payroll, their policy did not cover those costs. As a result, a large portion of their losses were borne out of pocket.

This example highlights the consequences of failing to understand cyber insurance coverage or planning properly before purchasing a policy. Having the right policy can help businesses recover quickly from a cyber-attack, from an operational and a financial perspective.

Let’s explore the factors that manufacturers should consider when purchasing a policy:

Business interruption losses
Business interruption losses often make up a large portion of a manufacturer’s cyber insurance claim. They can result from a decrease in sales, an increase in expenses, or a combination.

Lost sales
Manufacturers can lose sales in several ways:
• Existing customers may switch to a competitor following a cyber-attack. This can happen if they are unable to place an order if access to email or a website is disrupted. It can also result from damage to the company’s reputation if customers are aware of the attack. Potential/new customers may be lost for the same reasons as well.
• If manufacturers enter into contracts with customers, they may be cancelled if production quantities or delivery timelines cannot be met.
• Manufacturers typically have a production cycle, creating a time lag between an order being placed and delivery to the customer. If production is delayed or stops, customers may cancel their orders. In this case, decreases in revenue may not be observed until the end of the production cycle; when the revenues associated with those orders would normally be recorded.
• Customers may ask for, or be offered, discounts to compensate them for delays.
• Some manufacturers generate revenues by submitting bids for new work. The opportunity to submit bids may be lost if emails are inaccessible, and notifications about open bids are not received, or if data required to prepare a bid is lost or irretrievable.

Photo:© sarayut_sy / Adobe Stock

As is the case with all insurance claims, documentation must be gathered to support that lost sales were due solely to a cyber-attack. Examples of information that can be used include:
• Comparison of sales earned before and after the cyber-attack. The comparison may be done annually, monthly/weekly, or by season, depending on the nature of
your operations.
• Copies of correspondence from customers indicating that orders/contracts are being cancelled due to the cyber-attack. If discussions take place over the phone, take notes (e.g. details of the order, reasons
for cancelling).
• Copies of customer contracts that have been cancelled along with details of the revenues that were expected to be earned.
• Copies of cancelled orders and their sales value. If orders are typically submitted through a website, compare the number of orders submitted before and after the cyber-attack to estimate the number that was lost.
• If discounts are offered to customers, record them in a separate account for easy tracking. Keep copies of correspondence with customers where a discount is
offered/discussed.
• For lost bids, retain copies of the bid details and prepare an estimate of the value of the work. Provide data on the historical bid win-rate to estimate the likelihood that the lost bids would have been awarded to you.

Increased expenses
For increased expenses, cyber insurance policies will cover the portion that exceeds normal amounts that would have been incurred absent the cyber-attack. Common examples for manufacturers include: (Table 1)

Types of business interruption coverage
Cyber insurance policies generally measure business interruption losses as either the:

• Loss of net income only, or
• Loss of net income, plus all costs that continued to be paid while systems were impacted, including payroll

The difference between these two policies can have a substantial impact on the amount you can recover in the event of a claim.

For example, Widget Inc. suffers a cyber-attack and production is impacted for four weeks. During this time, Widget calculates the following losses and costs:

• Lost net income of $100,000
• Continuing payroll costs of $500,000
• Other continuing costs (e.g. utilities) of $300,000

Under each type of policy, Widget Inc. would recover: (Table 2)
Based on this example, it seems it is always better to purchase a policy that includes coverage for continuing expenses. Not necessarily. Each business must assess the extent to which it can reduce expenses following a cyber-attack.

A manufacturer that has mostly fixed expenses likely cannot reduce its costs significantly after a cyber-attack. In this case, a policy that covers continuing costs can ensure those costs are covered while revenues are impacted. If a manufacturer has mostly variable costs, these expenses will decrease as sales decrease, meaning that coverage for continuing expenses may not be needed.

How much coverage do you need?
An insurance broker can help determine the appropriate amount of cyber insurance for your business’ specific operations. There are also publicly available sources of information that can provide guidance.
Many insurance companies track data on actual cyber insurance claims that have been filed in recent years. Data is tracked based on different parameters such as geographic location, industry, annual revenues, and the type of losses claimed (e.g. business interruption, extra expenses). This data can be used to understand the amount and types of losses claimed by businesses comparable to yours, which can guide policy selections.

Cyber-attacks are happening more frequently, and this trend is expected to continue. With respect to cyber insurance, it is important to:
• Review your current policy to ensure it meets your specific needs
• Work with a broker to buy the right coverage or review your current policy
• Understand the types of losses your policy covers
__________________
Rehana Moosa, CPA, CA, DIFA, CFE, CFF is President of RMFA, a forensic accounting firm based in Toronto. Her website is www.rmforensics.ca.