Most key business processes are now automated and built on technology. Consequently, disruptions from a cyberattack can lead to significant lost sales and productivity, recovery costs and reputational harm. Accounting for business interruption costs is almost as important as mitigating the breach itself, especially as exposure is only expected to increase in the future.
The true cost of business interruption often requires complex calculations to accurately quantify the loss. Business owners must be prepared to objectively track and document losses from business interruption following a breach in order to work effectively with their insurer. Reimbursement of losses from the insurance company can help a business recover, but it is important to understand what insurers require following a breach, thus increasing the likelihood of an efficient claim process:
- Properly scope insurance coverage: In many cases, companies’ policies are incorrectly set up at policy inception and consequently, do not adequately transfer the risk under the policy. This often leads to a circumstance where the business is not properly indemnified for its full loss when an event occurs. For example, a common error at policy inception is a focus on worst case scenario events while a significant amount of money is left on the table for much more common, lesser-loss events.
- Show proximity to the cause: The purpose of most business interruption insurance is to get the business back to the same position as if the breach did not occur. For this reason, you must show the loss estimates are directly related to the breach event. In other words, additional costs or lost sales would not have occurred “but for” the cyberattack. As an example, the mere fact a customer is lost may not be enough to include lost sales in a business interruption claim. One would likely need to show that the customer would not have been lost if the cyberattack had not occurred.
- Have the facts in order: If a cyberattack occurs, documented evidence of the breach and its economic impact must be provided. Affected entities are encouraged to immediately begin tracking unproductive time, lost sales, lost product, additional work hours or other costs associated with a breach. Comparison of trends in costs or sales before and after the breach can also be used to support a business interruption claim. Losses must be documented, and losses calculated or estimated with “reasonable certainty.”
- Duty to mitigate the loss: Most insurers expect a claimant to mitigate the loss following a cyberattack. For example, if employees are unable to perform their work responsibilities following an attack and a business is obligated to pay them, it would likely be considered a business interruption cost. However, it would also be expected that management would mitigate the cost by reassigning the employees to other functions or sending hourly employees home when it became clear they would be unable to perform their duties.
- Actual loss sustained: The business interruption loss suffered should be quantified in a manner that illustrates the actual economic impact. This may mean that the loss claimed under an insurance policy is reduced by successful mitigation measures, or by resources distracted by the claim circumstances but does not result in additional costs. For example, upper management is generally salary remunerated and therefore, a company does not actually incur additional costs despite the inevitable extra hours devoted to the company subsequent to a breach.
Organisations typically, and understandably, focus on getting systems running following an incident, but you also must be prepared to document costs and losses related to business interruptions. Business interruption claims can be complex; therefore, notifying your insurance company, reviewing your insurance coverage and seeking advice regarding identifying and tracking losses related to business interruption following a breach are all critical elements of recovering from a cyberattack.
It is often difficult to go back and recreate the timeline and support for business interruptions after the fact. Inadequate planning and playing catch-up can leave you vulnerable to insufficient insurance coverage and difficulties supporting a business interruption claim.
Sue Evelsizer, Senior Director, RSM US LLP
firstname.lastname@example.org, +1 309 497 1403
Brett Eaton, Senior Manager, RSM South Africa
brett.Eaton@rsmza.co.za, +27 11 329 6000