More and more, the conversation surrounding business interruption (BI) is moving from the physical aspect of BI to the information technology side of things, attendees to the NetDiligence Cyber Risk Summit heard on Friday.
Miki Ho, senior underwriter in the professional indemnity and cyber risk department at Allianz Global Corporate & Specialty noted during a presentation at the conference that “it’s hard to find a company these days that does not rely on IT.”
“Maybe your convenience store down the street, if their point of sale goes down, you can pay with cash, but other than that, it’s almost impossible to find a business that doesn’t use IT every day,” Ho said during a session titled Coverage I: Current Underwriting Issues: Gaps & Intersections, held at the Ritz-Carlton in downtown Toronto. “As businesses evolve and move more into virtual spaces and change that way, you need to think about business interruption and what could happen if those systems go down.”
Ho said that a lot of companies think that if their building burns down, they can move into a temporary location and everybody can simply set up their laptops there. “What happens if a virus comes into your system and takes it down?” he asked. “You still have your office, but nobody can do anything. And most organizations are so reliant on that. All of us, if our email goes down for half an hour, we can’t believe it, we get up and leave the office. Just imagine that happens for a week, a month or a longer period of time.”
The same issues apply to contingent business interruption (CBI), as more and more companies are relying on vendors from a CBI standpoint, Ho suggested.
Traditionally speaking, Ho said that he thinks it’s “pretty obvious” what would trigger a property policy for business interruption – a fire loss, a flood or a tornado, for example. “From a cyber perspective, you’re really thinking about a cyberattack. There’s some extensions that would cover off other things. Those obviously are excluded from a property policy and from a cyber policy, we are also excluding property damage and bodily injury.”
He noted that generally speaking, cyber underwriters are from the financial lines, so they are thinking about things from a loss of income and third-party lawsuit perspective, whereas property is “very much about the other side: physical locations. I think they do align fairly well,” Ho added.
In terms of overlap between cyber and property, “there’s been lots of discussion about what happens if a cyber hacker gets in and they install malware, they install something into that system, that system starts overloading, your server explodes, your building burns down and something happens that starts from the cyber and turns into property,” Ho said. “I think from most property insurers’ perspective, if there’s something that happens that causes the fire, causes an explosion and causes the building to burn down, they would treat that as a cyber loss. From a cyber perspective, we will recreate, we’ll reinstall software, which would not be covered under a property policy.”
The session also discussed a variety of other topics, including the overlap between kidnap, random and extortion coverage and cyber extortion; cyber and crime coverage; cyber and commercial general liability; and cyber and directors’ and officers/errors and omissions coverage.
The panel was moderated by Susan MacEachern, senior vice president of AXIS Insurance. Other speakers included David MacKenzie, partner with Blaney McMurtry LLP, Brian Rosenbaum, senior vice president at the national director of the legal and research practice at Aon Reed Stenhouse, Francine Armel, senior vice president and chief underwriting officer with Creechurch International Underwriters and Matthew Davies, assistant vice president at Chubb Insurance Company of Canada.
More coverage of the NetDiligence Cyber Risk Summit