Cyber business interruption: What has changed since 2018?
Feb 11, 2025 · Authored by Ben Hobby, Bernard Regan, Hillary Hogan, Luke Smith-Adams, James Long
The International Underwriting Association (IUA) has released an updated report titled "Cyber Business Interruption: What Has Changed Since 2018?" in collaboration with Baker Tilly.
This comprehensive analysis examines the evolving landscape of cyber risks and business interruption policies, emphasizing the critical need for cyber business interruption risks to receive the same level of attention as IT security controls and ransomware threats. The report provides valuable insights into the complexities of cyber business interruption claims, the challenges faced by insurers and policyholders, and the potential for market innovation. With detailed case studies and expert commentary, this report is a must-read for anyone involved in cyber risk management and insurance. Don't miss out on this essential resource to stay informed and ahead in the ever-changing world of cyber risks.
The International Underwriting Association (IUA) has recently published an insightful report titled "Cyber business interruption: What has changed since 2018?" in collaboration with Baker Tilly. This report explores the evolving landscape of cyber risks and business interruption policies, emphasizing the need for cyber business interruption risks to receive the same level of attention as information technology security controls and ransomware threats.
The report begins with a foreword by Helen Dalziel, Director of Public Policy at the IUA, who highlights the importance of continued education about cyber risk exposures at both the market level and within the wider business community. The IUA's Cyber Underwriting Group, with the assistance of Ben Hobby from Baker Tilly, has updated the paper to illustrate how cyber business interruption has evolved since the initial report in 2018.
The introduction provides a historical context, noting the significant increase in business interruption claims since 2018, driven by high-profile events such as the WannaCry and NotPetya attacks in 2017. The report also discusses the impact of the ransomware pandemic from 2019 to 2021, which coincided with the global Covid-19 pandemic, leading to a hard market and tightening of policy wordings and limits. The year 2024 alone saw major incidents involving Change Healthcare, CDK and CrowdStrike, underscoring the importance of dependent or contingent business interruption cover and the challenges posed by systemic risks.
One of the key sections focuses on the indemnity provided under business interruption policies. It explains the two primary forms of policy wording used in cyber business interruption policies: the "net profit" approach and the "gross profit" approach. The report provides an illustrative loss scenario to demonstrate how losses are calculated under each approach, highlighting the differences and common issues encountered in cyber business interruption claims.
The report also addresses the complexity of insurance versus accounting gross profit, particularly in the context of property business interruption (BI) and cyber BI. It discusses the challenges of calculating insurable gross profit and the potential for over-indemnification if payroll costs are included in the overall indemnity settlement. The report cites a recent Arkansas court judgment in Heritage Company, Inc v. Hudson Excess Insurance Company, which underscores the need for clearer policy wordings to avoid misunderstandings and disputes.
Another significant topic covered is the treatment of stock in business interruption losses. The report highlights the differences between property insurance and cyber insurance in terms of stock coverage and the potential for debates around coverage. It emphasizes the importance of pre-loss economic loss modeling and the need for clear policy wordings to address issues related to stock losses and buffer stock management.
The report also explores the concept of indemnity periods, which are critical in business interruption calculations. It discusses the challenges of calculating losses within the indemnity period and the potential for disputes when considering loss of opportunity and delayed revenues. The report suggests that longer indemnity periods may be necessary to adequately cover cyber business interruption losses, but this requires detailed economic loss analysis and careful consideration of the underlying risks.
In conclusion, the report acknowledges the progress made in understanding cyber business interruption since 2018 but emphasizes that there is still much work to be done. It calls for greater attention to be given to cyber business interruption risks, similar to the focus on IT and security controls, to improve the claims experience for both insurers and policyholders. The report also highlights the potential for further market innovation in addressing these challenges.
Overall, the IUA's updated report provides a comprehensive analysis of the evolving landscape of cyber business interruption and offers valuable insights for insurers, policyholders and the wider business community.