A Bit and a Byte About Cyber Losses
Richard Fowler, CPA, CMA, CBV, CFE, CFF
FAS Global
Cyber attacks have made major headlines in the news in recent years, targeting organizations ranging from Sony Pictures to the US Government. Growing awareness of this risk has made cyber insurance a hot topic in the insurance industry. The market for cyber insurance remains in its infancy, with global cyber premiums currently less than 0.5% of the estimated cost of cyber-crime.[1] However, industry analysts such as PricewaterhouseCoopers expect the cyber insurance market to triple in size over the next four years.[2]
The environment in which cyber policies operate is also changing rapidly. Governments around the globe are introducing laws which require data breaches to be reported to regulators. Recent examples include the Digital Privacy Act introduced by Canada in 2015 and the General Data Protection Regulation introduced across the EU last year. We expect these changes will increase awareness of the frequency and impact of cyber attacks and contribute to growth in both cyber policies and claim numbers in the coming years.
There are a variety of cyber policy wordings currently available in the market, and the coverage offered can vary considerably. However, in general there are three key areas where cyber policies frequently differ from property policies.
What is Insured?
The insured events which trigger a claim under a cyber policy can range from a mouse chewing through a computer's wiring to highly sophisticated deliberate hacking.[3] Unlike a property policy, there is generally no requirement for physical damage for the policy to be triggered.
Some, but not all, cyber policies will provide specific coverage for items such as public relations and credit/fraud monitoring expenses. Other policies require the insurer's prior consent and approval for certain costs. The wide variety of policy wordings makes it critical to understand the coverage in place at the very start of an assessment.
What is the Indemnity Period/Period of Restoration/Duration of Coverage?
Current cyber policies may have shorter indemnity periods than the 12-month maximum indemnity period typically offered under property insurance policies. The indemnity period may also be referred to by another name, such as a period of restoration. In some policies the indemnity period commences on the date of breach. Other policies define the indemnity period with reference to the date of discovery. For example, the duration of coverage may end a maximum of 30 days after the date the breach was discovered (as opposed to after the date of the breach itself).
How is the Business Interruption Loss Calculated?
There are a variety of wordings in cyber policies, many of which differ from a typical business interruption wording seen in property policies. One common wording defines business interruption as the actual loss sustained of net income, but does not provide any guidance regarding the details or approach of the loss calculation. This leaves a lot of items open for interpretation, such as the treatment of saved expenses and payroll. One common interpretation is an "indemnity" approach, where all changes in income and expenses caused by the breach during the indemnity period are included in the loss calculation. However, there are numerous ways in which this policy wording could be interpreted.
Summary
Although cyber policies and claims still represent a very small segment in the insurance industry, the number of policies being written is increasing, and cyber claims are likely to become more frequent and more complex in coming years. Cyber policies are still relatively new and there is a wide variety of different wordings and definitions in existence. Engaging a forensic accountant with experience working with these policies can ensure the policy wordings are applied properly to the complex accounting issues on these claims, and that there is effective communication between relevant parties, especially for any items that are unclear and/or open to interpretation.
[1] Claims Canada - December/January 2017: Cyber Risk - The Great Unknown by Emily Atkins.
[2] Ibid.
[3] Ibid.