It was William Henry Davies, the Welsh poet, who composed the lines “A poor life this if, full of care, we have no time to stand and stare”. While this poem is encouraging us all to take time out and appreciate the world around us, I think it also has value in terms of the importance of pausing to think in a professional sense.
As a forensic accountant, I often remind myself that clients are paying for our opinion – in essence, they want to know what we think something is worth. To get to that answer, it is important to create the time to stop and think and make sure that our calculations make sense. Occasionally, a file has a series of more challenging issues that need more thinking time – what Sherlock Holmes would have called a “three-pipe problem”!
I am often reminded of Conan Doyle’s prose when thinking of cyber business interruption (BI). In recent years, this has become perceived as the most challenging area of a cyber claim, with the time taken to resolve claims and the inevitable disagreements on quantum cited as the main issues. As with any perception, there is an element of both truth and fiction, but if these issues are to be addressed, we need to properly understand the problem so the identified cure is fit for purpose.
Having handled cyber-BI claims for the last 10-plus years, it is our experience that the BI element of the policy and any resulting claim is not as well understood as other elements, such as IT security and related controls. Recognising that this could be considered a controversial statement, let me set out why we consider this to be the case.
As we all know, insurance and risk consider likelihood and severity. Following regulator intervention, certainly in the UK insurance market, after the explosion in ransomware cases between 2018 and 2020, the focus has been on likelihood. This means significant attention has been given to cybersecurity controls that prevent an incident from occurring.
Having discussed this with a number of different underwriters, we understand that insurers now receive good-quality information from prospective insureds on these controls as part of the underwriting process. This makes sense given the level of regulator interest on this point.
However, those same underwriters have also commented that they get a much smaller amount of information on potential economic loss exposures arising from a cyber event. This, oddly, also makes sense – there are only so many hours in the day for risk managers, and focus has had to be, by necessity, on the IT element of the cyber risk, in addition to all of the other parts of the risk manager role.
Inevitably, there are consequences. In the absence of much information, underwriters have to make an “informed guess” on the potential BI exposure. Given the soft nature of the current cyber market, this “informed guess” will tend towards the lower end of the range, so that the underwriter does not price at an uncompetitive level.
When a claim subsequently occurs, however, the renewal premium that is then quoted will be subject to a significant increase because (a) the insured has now had a claim[1] and (b) the underwriter, for the first time, now has accurate information from the claim itself as to the true economic loss exposure.
To be clear, in a world where there are so many time pressures that already stop us from “standing and staring”, we fully appreciate that asking all participants in the cyber market for more time is difficult. However, it is our view that we all now need to give cyber BI the same level of attention that the cyber market gives to security controls.
To illustrate why, let me turn to Jaguar Land Rover (“JLR”), as this recent incident highlights a number of really important issues.
The first is the importance of insurance. As is now well documented, JLR did not have cyber insurance in place at the time of the incident. For a business that manufactures about 1,000 vehicles per day and has suffered a production shutdown now being measured in weeks, not days, this will result in a significant hole in the profit and loss account for which JLR will not be compensated. As JLR is owned by Tata Motors, which in turn is quoted on the Indian stock exchanges, there is a definite risk of a shareholder class-action lawsuit occurring.
The second is the impact on the downstream supply chain, namely the car dealers. These have undoubtedly suffered interruption. The supply of new vehicles has likely reduced or ceased, meaning that dealers are unlikely to complete certain sale transactions. As most JLR vehicles are made to customer order, this will more likely result in a delay in sales rather than a loss. But if these delays result in a significant increase in quoted lead times for new orders, then there is a risk of a reduction in future orders occurring. Coupled with this is a reduced ability to perform service and repair works, given that some of the diagnostic tools used by the dealers are JLR-controlled and therefore offline.
The extent to which any of these losses may or may not be insured is an open question. Some cyber policies provide cover for dependent or contingent BI (CBI), where the loss occurs at an outsourced IT service provider (OSP)[2]. In this case, depending on the nature of IT integration between the dealer and JLR, as well as the specifics of the policy wording, JLR could be considered an OSP.
There are also some policy forms that provide CBI cover if an incident occurs at any company within an insured’s upstream supply chain. In this instance, the policy is more likely to respond, albeit there may be sublimits applicable for this cover.
The third area of impact rests with the component suppliers to JLR. Given that most auto production plants operate on a “just-in-time” basis, a production shutdown at JLR now measured in weeks is going to impact component suppliers. Put simply, they are not supplying product to JLR, and a sales loss will therefore have resulted.
The challenge here is that while policy extensions for BI losses resulting from an incident at a customer site are commonplace in the property market[3], they are rarely, if ever, seen in the cyber market. Consequently, these component suppliers are now suffering significant, uninsured, financial losses.
For both insurers and risk managers, there are immense challenges in understanding and underwriting these sorts of supply chain exposures. In essence, the insurer is underwriting potential losses that may result from an incident at a third party, with minimal information on the approach that third party has adopted to cybersecurity. In the absence of this information, it is perhaps not surprising that there seems to be limited insurance available for those within the JLR supply chain impacted by the incident.
Now, JLR is an important part of the local economy in the areas where its production plants are located. The component suppliers will also be significant employers. The absence of insurance has therefore resulted in political intervention in the UK, with a government loan of £1.5 billion to JLR on the condition that it is used to support the supply chain.
The rights and wrongs of government intervention are a separate debate. However, any student of economics will know that government intervention of this nature is usually evidence of market failure. But has the cyber market failed here?
I think the answer to this question is “not yet”. If Marilyn Monroe’s legs, the nose of the lead perfumier at Chanel and David Beckham’s right foot[4] could all be insured, then pretty much anything can be insured, provided it is legal! On that basis, the type of supply chain risks highlighted by the JLR case should all be insurable.
However, to get to that point, it is clear that more needs to be done by the whole market to better understand the cyber business interruption risk. Risk managers need help in translating the considerable work already undertaken in understanding cyber resilience into financial consequences if an event does occur. They also need assistance in converting the supply chain analysis already undertaken for property damage insurance into the cyber world. Similarly, underwriters need to be clear on what information they need to receive from risk managers to feed into their pricing models.
Earlier this year, I chaired a panel at a cyber conference we hosted with the International Underwriting Association where an underwriter, risk manager and a broker discussed some of these issues. What became clear as this discussion developed was that (a) there was a lot that both sides of the market needed to discuss and learn from each other and (b) that there was an absolute passion to embrace this part of the journey.
I have often maintained that one of the more curious, and sometimes most frustrating, parts of the human experience is that we only ever learn from experience. And while the JLR incident is certainly an experience that the cyber market needs to learn from, the fact that there have not been a significant number of these types of supply chain events (yet) is, to my mind, evidence that the market has not failed.
However, if we see more and more of these types of supply chain events where insurance is not an option for the victims, then that would be evidence of failure. So, let’s embrace the fact that there is a knowledge gap when it comes to cyber business interruption. But, and more importantly, let’s do something about it.
[1] We have all experienced something similar with our car insurance!
[2] CBI cover addresses losses when an event occurs at a supplier, where the policy would have responded if that event had occurred directly at the insured party.
[3] Albeit potentially subject to some other restrictions and sublimit.
[4] And, to borrow from the film Love Actually, David Beckham’s left foot.