Canada: Insurance & Reinsurance 2018

Last Updated: March 23 2018
Article by David Mackenzie and Dominic Clarke

INTRODUCTION

Insurance companies and policyholders in Canada are facing new risks and challenges, as they always have. Risks resulting from cyber losses and climate change, however, are not merely incremental changes in the insurance world. Rather, they are risks that are both rapidly evolving and difficult to predict. As always in the insurance industry, new risks are met with a creative and insightful underwriting and brokering response. Innovative solutions are required. At the same time, however, existing insurance solutions provide useful foundations for managing emerging risk. Business interruption coverage is a prime example. Business interruption coverage has, traditionally, been included with first-party bricks and mortar property coverage. This insurance has been aimed at protecting the future income stream of protected entities, and has a long history of success protecting policyholders.

However, emerging and unpredictable risks like cyber-risk and climate change pose new challenges for both insurers providing business interruption coverage and their customers. Such new risks have resulted in an evolution of business interruption coverage to ensure that policyholders are protected from the uncertainty presented by modern digital business realities and a rapidly changing climate.

A. CYBER BUSINESS INTERRUPTION

Computer operations and data are at the heart of modern business. Interruption of systems or loss of data would be crippling to virtually every Canadian enterprise. With the advent of data breach, ransomware, and Distributed Denial of Service (DDoS) attacks, the primary risk of business interruption has changed from physical damage to bricks and mortar infrastructure to disruption of computer systems or loss of information. Policyholders are only just beginning to awaken to this risk, and insurers are moving quickly to insure it properly. While these emerging trends are coalescing, however, there is likely to be significant friction between policyholders with traditional first-party coverage or minimal cyber-coverage and their insurers.

This section of the article outlines the problems now seen to be arising, analyses the coverage provided by bricks and mortar policies for cyber-losses, and identifies some of the challenges facing cyber-carriers.

1. Cyber attacks and business interruption

Since late 2016 and into 2017, we have seen major cyber interruptions in the form of Distributed Denial of Service (DDoS) and ransomware attacks. These attacks, while generally resolved within hours, affected large parts of the world economy.

For example, in late 2016, the Mirai virus was used to attack Dyn, Inc., which provides internet infrastructure to many Fortune 500 companies in the United States including Starbucks, Airbnb, Amazon, Netflix, Visa and many others. The virus had propagated through tens of millions of Internet of Things (IoT) devices. At 7 a.m. on October 26, 2016 those IoT devices were directed to contact Dyn's servers, resulting in an amount of traffic that overwhelmed those servers, such that they could not serve Dyn's clients. The initial attack was resolved in about two-and-a-half hours, but two more attacks were also launched. Dyn had resolved the issue by 6:11 p.m. The total period of the attack was just over eleven hours, but many of Dyn's clients' websites and portals had been affected during that time, and could not operate properly. The losses to Dyn's clients were significant.

Similarly, mid-2017 witnessed the WannaCry, Petya and NotPetya ransomware attacks. The ransomware infected many thousands of computer networks, shutting them down until either ransom was paid, or work-arounds were put into place. Again, many companies resolved their issues within hours, but some were out of service for days. Business impacts were significant. WannaCry, Petya and NotPetya are only three examples of a growing problem of ransomware. Many businesses are victims of ransomware viruses, and other forms of data breach, which require the partial or complete suspension of computer operations. Income losses are suffered as the result of such events.

Canadian businesses and other organisations have traditionally relied on first-party property coverage for protection of their earnings stream through business interruption insurance. However, that coverage is not well structured for the electronic age, as it requires "direct physical loss" to covered property to trigger business interruption coverage. What direct physical loss has occurred as the result of a cyber-event?

Cyber policies are increasingly being used to fill the gap in coverage for systems or data-based business interruptions.

2. Insurance coverage for business interruption

Business interruption coverage indemnifies policyholders for income lost when damage to covered property disrupts the policyholders' business operations.1 Traditional first-party policies require that three conditions be satisfied to trigger coverage: (1) for direct physical loss or damage; (2) of covered property; and (3) resulting from a covered cause of loss.2 Of significance is the requirement for direct physical loss or damage to the covered property. Some policies have defined covered property to include exclusively "tangible property".3 Economic loss alone is insufficient to trigger coverage under most traditional first-party insurance policies.4

Courts have been called upon to determine whether or not interruptions caused by cyber-attacks constitute "direct physical loss or damage" to covered and/or tangible property.5 Does the temporary detainment of virtual information constitute physical damage for the purpose of a business interruption policy? Canadian case law has, unfortunately, shed little light on the issue. South of the border, however, several American authorities have considered similar issues.

In America Online, Inc. v. St. Paul Mercury Ins. Co.,6 AOL had released a new version of its software to the public. Unfortunately for the internet provider, that new software caused damage to customers' computer systems and pre-existing software. A class action lawsuit was filed and settled shortly thereafter. AOL tendered the defence to their insurer, under a policy that provided coverage for "physical damage to tangible property". The insurer denied coverage and AOL sued. The Fourth Circuit Court held that damage to software did not constitute physical damage to tangible property, and as such, did not trigger coverage under the policy. In so finding, the Court created a distinction between damage to hardware and software, noting that only damage to the former would constitute physical damage to tangible property, as the latter consists only of recorded data and information.

In contrast, in Ingram7, Ingram, a wholesale distributor that relied on the use of a computer network known as the Impulse system to track its customers, products, and daily transactions, purchased a primary all-risk policy that covered "[r]eal, and personal property, business income and operations in the world wherever situated except for U.S. Embargo Countries" and insured against "All Risks of direct physical loss or damage from any cause, howsoever or wheresoever occurring, including general average, salvage charges or other charges, expenses and freight". A power outage resulted in a loss of programming information on a number of computers, which in turn resulted in a loss of connection at six locations, at which Ingram was, therefore, unable to conduct business. In coming to its conclusion on the issue of coverage, the District Court ruled as follows:

"At a time when computer technology dominates our professional as well as personal lives, the Court must side with Ingram's broader definition of "physical damage." The Court finds that "physical damage" is not restricted to the physical destruction or harm of computer circuitry but includes loss of access, loss of use, and loss of functionality."

A similar result was reached in Landmark American Insurance v. Gulf Coast Analytical Laboratories8 – a business interruption loss was covered in circumstances wherein the insured could no longer use its computer systems because of a virus. The court's analysis focused on the particular language used in the policy, particularly coverage for "direct physical loss ... of valuable papers and records, including those which exist on electronic or magnetic media for which duplicates do not exist". Such language implied that the insurer regarded lost electronic data as a "physical loss", capable of triggering business interruption coverage.

Despite the inherent incompatibility of the foregoing decisions, each has been referenced in subsequent jurisprudence with both approval and disapproval as the case may be and, as such, the status of the physical damage requirement as it applies to data and electronic information is far from apparent.9 It is, therefore, important for insured parties, who depend heavily on their cyber-networks, to conduct a careful review of their coverage.

In an effort at increased certainty, certain insurance providers have added specific limitations to their policies that address "electronic media and records",10 whereas other policies specifically exclude cyber-related losses.11 Further, even in cases where cyber-related business interruption may be covered, traditional policies often require a complete cessation of operation to trigger coverage,12 leaving businesses exposed in the event of slowdown or brief interruption.13

As companies increasingly depend on the use of data and network connectivity to conduct business, including those who continue to operate traditional brick and mortar locations, reliance on traditional first-party business interruption coverage may leave many businesses at risk in the face of a cyber-attack or network shutdown. Given this heavy reliance on cyber data and services, and the uncertainty of coverage under traditional property policies, it may be time that businesses, in any industry, consider the adoption of a cyber-policy to mitigate their risk and exposure to a shutdown or diminution of production as a result of a cyber event.

3. Cyber Business Interruption Insurance and its Challenges

At the outset of any discussion of cyber policies, it must be noted that not only is there no standard form of cyber policy; there is not even a standard scope of coverage. Different policies may provide vastly different protection from one another. Some may cover business interruption, some may not. The only way to determine the scope of a cyber-policy is through review of the language employed. That said, where it exists, it can be generally stated that most business interruption coverage in cyber policies will share a common goal with such coverage found in first-party property policies: insurance for the future stream of income of the business, resulting from a covered loss.

However, the structure of such coverage in a cyber policy must differ in fundamental ways from its property-based cousin. The business interruption coverage found in traditional property policies was inherently conservative, in that it would only respond to the specific interruption occurring at covered premises resulting from physical damage to covered property caused by a covered peril. If losses were suffered that did not result specifically from the covered loss, but simultaneously with such covered loss, those losses were not recoverable under the policy.

Cyber coverage, however, must hinge on different triggering events. Generally speaking, as there is no physical damage that results from a cyber event,14 it is difficult to say "where" a cyber loss took place, and the perils covered by cyber policies may be "specified" as opposed to "all-risk" in nature. While the purpose of business interruption coverage remains the same as between traditional insurance and cyber insurance, the structure of the coverage is different in a number of fundamental ways.

With respect to the loss itself under a cyber policy, business interruption coverage will generally be triggered if there is a necessary disruption of the insured's own systems. What, however, is the insured's "own system"? This is a particularly acute problem in the cyber world, as many digital services are outsourced. Again, different policies will treat this question in different ways. Does the insured's system include off-site servers owned by others? What if that server is leased in whole or in part to the insured? Is software and data part of the system, or must the interruption be related to hardware alone? Is it necessary that the disruption be complete, or will a partial disruption or slow-down be sufficient to trigger coverage?

With respect to the location of the loss, given that systems are invariably linked to other computer systems through communications equipment, where does the insured's system end, and the third-party system begin? What connections qualify as the insured's own system? Will a loss that affects the internet, or large-scale communications system, as a whole, be covered or excluded as a catastrophic loss?

As regards the cause of loss itself, what events are sufficient to trigger coverage? Must the event be caused, in its entirety, through the malicious and volitional acts of third parties, or can an accidental event trigger coverage? That is to say, must the disruption to the insured's systems be the result of a malicious virus, hacker or DDoS attacker, or will coverage be available from shutting down a sector of the insured's system, following the accidental loss of an unsecure laptop? Must the shut-down be "necessary", or is it sufficient that the insured make a good faith decision that a disruption of computer operations is in its best interests or those of its clients?

There is significant variation in policies as to what time period the policy will cover. Cyber policies will normally reflect protection for a lost profit, through assessment of the actual lost net profit (or increased net loss) suffered. However, assessment of such loss will generally not be based on the same period as in a traditional insurance policy. Some policies insure only income lost in the period during which the disruption is ongoing. The period of interruption will generally begin within a waiting period based upon a set number of hours (often 12 or fewer), rather than days or weeks as is normally the case with traditional business interruption coverage. Once the waiting period has ended, the policy will respond to the business interruption loss. As noted, though, some cyber policies are structured so that once electronic operations are restored, the insurer will no longer pay amounts lost by the insured for the interruption to its business. Other policies, however, are more consistent with bricks and mortar business interruption, in that they cover the insured for a period of restoration, wherein an assessment of the insured's ongoing lost income following the incident is insured, taking into account the trend of the business before and after the disruption and continuing/non-continuing fixed costs. Different businesses will be better served by one policy or the other. Retail operations which may recover quickly from an outage may be better served by paying a lower premium for the limited coverage period. Other businesses that may suffer a reputational harm as the result of an outage may wish to pay more in premium to obtain restoration period coverage.

An additional consideration is whether the insured will need Contingent Cyber Business Interruption ("CBI") coverage. Although there are more than a billion websites on the internet, those websites depend on a relatively small number of companies to keep the infrastructure underlying electronic communications operating.15 The magnitude of this dependence was demonstrated during the Dyn DDoS attack. While typical cyber policies bought by small to medium businesses do not provide CBI coverage, many of the policies provided to larger enterprises do. As a better understanding of the scope of cyber business interruption risk is gained, insurers are beginning to offer CBI cyber coverage on a more widespread basis. At the same time, such coverage is generally subject to notable restrictions. The insured must identify the specific entity whose failure will trigger the coverage. Also, insurers have sought to limit their exposure to a massive cyber event, through catastrophe exclusions. A cyber event affecting a sector of internet service or cloud provider, for example, could result in major losses globally. Insurers are generally not prepared to insure that risk.

Cyber business interruption in Canada closely resembles business interruption coverage in traditional bricks and mortar forms. There are, however, notable differences in the events required to trigger coverage, and the manner in which loss is calculated. This is a nascent area of business interruption coverage, and uncertainties remain. The risk is obvious, but the response from insurers continues to develop.

Originally published by The International Comparative Legal Guide to: Insurance & Reinsurance 2018, Global Legal Group.

Footnotes

1. Stuart A Pansky & Richard K Traub, 2 Data Sec. & Privacy Law § 14:3 (2017) at Chapter 14 (WL).

2. Ibid.

3. Ibid.

4. Ibid.

5. Hazel Glenn Beh, "Physical Losses in Cyberspace" (2002) 8 Conn. Ins. L.J. 55 (WL).

6. America Online, Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89 (4th Cir. 2003).

7. Am. Guar. & Liab. Ins. Co. v. Ingram Micro, Inc., No. Civ. 99-185 TUC ACM, 2000 WL 726789 (D. Ariz. Apr. 18, 2000).

8. Landmark Am. Ins. Co. v. Gulf Coast Analytical Labs., Inc., 2012 U.S. Dist.2012 WL 1094761 (M.D. La. 2012).

9. Amy R Wills, "Business Insurance: First-Party Commercial Property Insurance And The Physical Damage Requirement In A Computer-Dominated World" (2010) 37 Fla. St. U. L. Rev. 1003 (WL).

10. Pansky & Traub, Supra Note 1.

11. Hunton & Williams LLP "If You Don't "WannaCry" After a Cyber Attack, Review Your Cyber Insurance Coverage" (2017) Hunton Retail Law Resource (TLA Newsstand).

12. Beh, Supra Note 5.

13. Ibid.

14. Physical damage caused by cyber events remains normally excluded from all forms of insurance, and is only insurable under specialised policy forms.

15. Anne Freedman "Attacks on Internet Infrastructure, Commence, Leaving Unknown Risks for Insureds and Insurers Alike" (2017) Risk on Insurance: http://riskandinsurance.com/category/2017-issues/april-2017-issue/.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
