A Q&A with Simon Oddy of RGL Forensics
Business interruption (BI) can be a costly side effect of a cyber-attack, and insurance companies are responding in kind with BI policies. I spoke with Simon Oddy, partner of RGL Forensics, about how insurers assess BI and what organizations can do to avoid it.
I think people now realize that a cyber breach is not just about losing data but also about system failures, revenue loss and a disruption to operations.
What are the top business sectors impacted by BI?
From our direct experience, it’s typically the service industries, financial services and others who are heavily reliant on internet access to perform transactions. We’ve handled losses affecting businesses who can’t process transactions because of system interruptions or they lose the ability to work with their client. What we haven’t seen firsthand is many retail losses, perhaps because customers simply delay the purchase, coming back to a store / website later. In general, I think more organizations have become better educated in the past couple of years about the risk of BI – reflecting the impact of insurance brokers, the media and the insurance industry’s efforts. I think people now realize that a cyber breach is not just about losing data but also about system failures, revenue loss and a disruption to operations.
What is the typical waiting period for deductibles in cyber claims?
Typically, it’s between 12 and 24 hours. In many cases the service interruption or system outage itself gets dealt with quite quickly. Sometimes it might be more of a case of intermittent service for a few days or weeks after an event rather than a single outage. In those cases we’re seeing losses because the covered period extends beyond simply the period of restoration, and extends to account for lost revenue until the organization gets back to normal, pre incident levels. Given the competition in the market, the coverage is becoming more expansive and broader for business income in these policies.
What are some leading causes of BI loss relating to Cyber risk?
We are definitely seeing the attacks evolve. Obviously, ransomware is a big issue that has recently caused disruption for businesses and an awareness of the potential for business interruption. Unlike a theft of PII, this breach prevents a business from operating normally. We’re also seeing cases which involve third party systems failure. Such cases are where an insured or non-insured organization using a third party for internet hosting access claims that the third party fails to deliver what they’ve promised, and that there’s a breach of contract. The third party gets sued and part of the financial damages are for BI. Contingent business income coverage is evolving to provide protection for businesses who are reliant on others in the data / systems management supply chain.
What factors can make valuing a BI loss challenging?
It can be a real challenge to figure out the correlation between the size of the incident and the ultimate BI loss. Often there isn’t one. A small problem can lead to a large financial problem, and vice versa. It’s the unpredictable element. As accountants we can see the financial side of things but it’s important to understand and appreciate the technical side of the event too. Looking at the financial aspects in isolation may mean it’s difficult to understand the link between the event and any resulting financial damage. Does it make sense? If you don’t understand the technical side it’s hard to come up with that link and an appropriate damages value. It’s also hard to measure the impact of a contract loss due to the event. A contract lost could be replaced again later or by another contract. It would be easy to ignore this and value the lost contract in isolation. We have seen similar cases arising in the property industry and other crisis management sectors (e.g. product recall) with lost contracts, so I expect it to cross over here to the way we think about BI.
What are a few loss control practices you might suggest to a client to reduce their BI?
Preparedness from the response side is important to minimize that period when you are unable to handle revenue generating activity, conduct normal business. Having a solid team of people to assist when a response is needed is key. And test things. Don’t start to engage in dialogue with those who will assist once the event occurs – build those relationships well before the event. Everyone should know their role.
From a financial perspective, it’s important to test some loss scenarios, modeling the potential financial impact of an event. This will help a business better understand the revenue streams and what could happen in the event of a systems outage that lasts 2 hours or a day or a week. How might the subsequent reduced sales levels for 30 days affect your cash flow and so forth. You want to be proactive and know the risks ahead. Additionally, businesses should know the full extent to which they are reliant on systems to run production, for example. If a system goes down because of cyber breach, how will that affect their ability to produce?
Additionally, good PR can be effective. Responding to negative media attached to the event will be important. If there’s a sense among customers that you don’t know what you’re doing or the situation was handled badly, you may lose those customers and clients. If you get it wrong, the BI can get out of control.
In summary…
We want to thank Mr. Oddy for his cyber business interruption/forensic accounting insights. For many clients, the cyber exposure of concern is not a data breach per se, but a BI loss resulting from a system attack (DDoS) crash/outage or degradation of network-dependent supply chain system. We can also confirm that ransomware is one of the leading claims paid out by our cyber risk insurance carrier partners.
One final note: Mr. Oddy was one of the first BI topic speakers at our 1st NetDiligence cyber conferences some seven years ago and we appreciate his willingness to educate our partners and readers.