Insurance companies and policyholders in Canada are facing new risks and challenges, as they always have. Risk resulting from cyber losses and climate change, however, are not merely incremental changes in the insurance world. Rather, they are risks that are both rapidly evolving and difficult to predict. As always in the insurance industry, new risks are met with a creative and insightful underwriting and brokering response. Innovative solutions are required. At the same time, however, existing insurance solutions provide useful foundations for managing emerging risk. Business interruption coverage is a prime example. Business interruption coverage has, traditionally, been included with first-party bricks and mortar property coverage. This insurance has been aimed at protecting the future income stream of protected entities, and has a long history of success protecting policyholders.
However, emerging and unpredictable risks like cyber-risk and climate change pose new challenges for both insurers providing business interruption coverage and their customers. Such new risks have resulted in an evolution of business interruption coverage to ensure that policyholders are protected from the uncertainty presented by modern digital business realities and a rapidly changing climate.
A. CYBER BUSINESS INTERRUPTION
Computer operations and data are at the heart of modern business. Interruption of systems or loss of data would be crippling to virtually every Canadian enterprise. With the advent of data breach, ransomware, and Distributed Denial of Service (DDoS) attacks, the primary risk of business interruption has changed from physical damage to bricks and mortar infrastructure to disruption of computer systems or loss of information. Policyholders are only just beginning to awaken to this risk, and insurers are moving quickly to insure it properly. While these emerging trends are coalescing, however, there is likely to be significant friction between policyholders with traditional first-party coverage or minimal cyber-coverage and their insurers.
This section of the article gives an outline of the problems now seen to be arising, an analysis of the coverage provided by bricks and mortar policies to cyber-losses, and identifies some of the challenges facing cyber-carriers.
1. Cyber attacks and business interruption
Since late 2016 and 2017 we have seen major cyber interruptions in the form of Distributed Denial of Service (DDoS) and ransomware attacks. These attacks, while generally resolved within hours, affected large parts of the world economy.
For example, in late 2016, the Mirai virus was used to attack Dyn, Inc., which provides internet infrastructure to many Fortune 500 companies in the United States including Starbucks, Airbnb, Amazon, Netflix, Visa and many others. The virus had propagated through tens of millions of Internet of Things (IoT) devices. At 7 a.m. on October 26, 2016 those IoT devices were directed to contact Dyn's servers, resulting in an amount of traffic that overwhelmed those servers, such that they could not serve Dyn's clients. The initial attack was resolved in about two-and-a-half hours, but two more attacks were also launched. Dyn had resolved the issue by 6:11 p.m. The total period of the attack was just over eleven hours, but many of Dyn's client's websites and portals had been affected during that time, and could not operate properly. The losses to Dyn's clients were significant.
Similarly, mid-2017 witnessed the WannaCry, Petya and NotPetya ransomware attacks. The ransomware infected many thousands of computer networks, shutting them down until either ransom was paid, or work-arounds were put into place. Again, many companies resolved their issues within hours, but some were out of service for days. Business impacts were significant. WannaCry, Petya and NotPetya are only three examples of a growing problem of ransomware. Many businesses are victims of ransomware viruses, and other forms of data breach, which require the partial or complete suspension of computer operations. Income losses are suffered as the result of such events.
Canadian businesses and other organisations have traditionally relied on first-party property coverage for protection of their earnings stream through business interruption insurance. However, that coverage is not well structured for the electronic age, as they require "direct physical loss" to covered property to trigger business interruption coverage. What direct physical loss has occurred as the result of a cyber-event?
Cyber policies are increasingly being used to fill the gap in coverage for systems or data-based business interruptions.
2. Insurance coverage for business interruption
Business interruption coverage indemnifies policyholders for income lost when damage to covered property disrupts the policyholders' business operations.1 Traditional first-party policies require that three conditions be satisfied to trigger coverage: (1) for direct physical loss or damage; (2) of covered property; and (3) resulting from a covered cause of loss.2 Of significance is the requirement for direct physical loss or damage to the covered property. Some policies have defined covered property to include exclusively "tangible property".3 Economic loss alone is insufficient to trigger coverage under most traditional first-party insurance policies.4
Courts have been called upon to determine whether or not interruptions caused by cyber-attacks constitute "direct physical loss or damage" to covered and/or tangible property.5 Does the temporary detainment of virtual information constitute physical damage for the purpose of a business interruption policy? Canadian case law has, unfortunately, shed little light on the issue. South of the border, however, several American authorities have considered similar issues.
In America Online, Inc. v. St. Paul Mercury Ins. Co6 AOL had released a new version of its software to the public. Unfortunately for the internet provider, that new software caused damage to customers' computer systems and pre-existing software. A class action lawsuit was filed and settled shortly thereafter. AOL tendered the defence to their insurer, under a policy that provided coverage for "physical damage to tangible property". The insurer denied coverage and AOL sued. The Fourth Circuit Court held that damage to software did not constitute physical damage to tangible property, and as such, did not trigger coverage under the policy. In so finding, the Court created a distinction between damage to hardware and software, noting that only damage to the former would constitute physical damage to tangible property, as the latter consists only of recorded data and information.
In contrast, in Ingram7, Ingram, a wholesale distributor that relied on the use of a computer network known as the Impulse system to track its customers, products, and daily transactions, purchased a primary all-risk policy that covered "[r]eal, and personal property, business income and operations in the world wherever situated except for U.S. Embargo Countries" and insured against "All Risks of direct physical loss or damage from any cause, howsoever or wheresoever occurring, including general average, salvage charges or other charges, expenses and freight". A power outage resulted in a loss of programming information on a number of computers, which in turn resulted in a loss of connection at six locations, at which Ingram was, therefore, unable to conduct business. In coming to its conclusion on the issue of coverage, the District Court ruled as follows:
"At a time when computer technology dominates our professional as well as personal lives, the Court must side with Ingram's broader definition of "physical damage." The Court finds that "physical damage" is not restricted to the physical destruction or harm of computer circuitry but includes loss of access, loss of use, and loss of functionality."
A similar result was reached in Landmark American Insurance v. Gulf Coast Analytical Laboratories8 – a business interruption loss was covered in circumstances wherein the insured could no longer use its computer systems because of a virus. The court's analysis focused on the particular language used in the policy, particularly coverage for "direct physical loss ... of valuable papers and records, including those which exist on electronic or magnetic media for which duplicates do not exist". Such language implied that the insurer regarded lost electronic data as a "physical loss", capable of triggering business interruption coverage.
Despite the inherent incompatibility of the foregoing decisions, each has been referenced in subsequent jurisprudence with both approval and disapproval as the case may be and, as such, the status on the physical damage requirement as it applies to data and electronic information is far from apparent.9 It is, therefore, important for insured parties, who depend heavily on their cyber-networks, to conduct a careful review of their coverage.
In an effort at increased certainty, certain insurance providers have added specific limitations to their policies that address "electronic media and records",10 whereas other policies specifically exclude cyber-related losses.11 Further, even in cases where cyber-related business interruption may be covered, traditional policies often require a complete cessation of operation to trigger coverage,12 leaving businesses exposed in the event of slowdown or brief interruption.13
As companies increasingly depend on the use of data and network connectivity to conduct business, including those who continue to operate traditional brick and mortar locations, reliance on traditional first-party business interruption coverage may leave many businesses at risk in the face of a cyber-attack or network shutdown. Given this heavy reliance on cyber data and services, and the uncertainty of coverage under traditional property policies, it may be time that businesses, in any industry, consider the adoption of a cyber-policy to mitigate their risk and exposure to a shutdown or diminution of production as a result of a cyber event.
3. Cyber Business Interruption Insurance and its Challenges
At the outset of any discussion of cyber policies, it must be noted that not only is there no standard form of cyber policy; there is not even a standard scope of coverage. Different policies may provide vastly different protection from one another. Some may cover business interruption, some may not. The only way to determine the scope of a cyber-policy is through review of the language employed. That said, where it exists, it can be generally stated that most business interruption coverage in cyber policies will share a common goal with such coverage found in first-party property policies: insurance for the future stream of income of the business, resulting from a covered loss.
However, the structure of such coverage in a cyber policy must differ in fundamental ways from its property-based cousin. The business interruption coverage found in traditional property policies was inherently conservative, in that it would only respond to the specific interruption occurring at covered premises resulting from physical damage to covered property caused by a covered peril. If losses were suffered that did not result specifically from the covered loss, but simultaneously with such covered loss, those losses were not recoverable under the policy.
Cyber coverage, however, must hinge on different triggering events. Generally speaking, as there is no physical damage that results from a cyber event,14 it is difficult to say "where" a cyber loss took place, and the perils covered by cyber policies may be "specified" as opposed to "all-risk" in nature. While the purpose of business interruption coverage remains the same as between traditional insurance and cyber insurance, the structure of the coverage is different in a number of fundamental ways.
With respect to the loss itself under a cyber policy, business interruption coverage will generally be triggered if there is a necessary disruption of the insured's own systems. What, however, is the insured's "own system"? This is a particularly acute problem in the cyber world, as many digital services are outsourced. Again, different policies will treat this question in different ways. Does the insured's system include off-site servers owned by others? What if that server is leased in whole or in part to the insured? Is software and data part of the system, or must the interruption be related to hardware alone? Is it necessary that the disruption be complete, or will a partial disruption or slow-down be sufficient to trigger coverage?
With respect to the location of the loss. Given that systems are invariably linked to other computer systems through communications equipment, where does the insured's system end, and the third-party system begin? What connections qualify as the insured's own system? Will a loss that affects the internet, or large-scale communications system, as a whole, be covered or excluded as a catastrophic loss?
As regards the cause of loss itself, what events are sufficient to trigger coverage? Must the event be caused, in its entirety, through the malicious and volitional acts of third parties, or can an accidental event trigger coverage? That is to say, must the disruption to the insured's systems be the result of a malicious virus, hacker or DDoS attacker, or will coverage be available from shutting down a sector of the insured's system, following the accidental loss of an unsecure laptop? Must the shut-down be "necessary", or is it sufficient that the insured make a good faith decision that a disruption of computer operations is in its best interests or those of its clients?
There is significant variation in policies as to what time period the policy will cover. Cyber policies will normally reflect protection for a lost profit, through assessment of the actual lost net profit (or increased net loss) suffered. However, assessment of such loss will generally not be based on the same period as in a traditional insurance policy. Some policies insure only income lost in the period during which the disruption is ongoing. The period of interruption will generally begin within a waiting period based upon a set number of hours (often 12 or fewer), rather than days or weeks as is normally the case with traditional business interruption coverage. Once the waiting period has ended, the policy will respond to the business interruption loss. As noted, though, some cyber policies are structured so that once electronic operations are restored, the insurer will no longer pay amounts lost by the insured for the interruption to its business. Other policies, however, are more consistent with bricks and mortar business interruption, in that they cover the insured for a period of restoration, wherein an assessment of the insured's ongoing lost income following the incident is insured, taking into account the trend of the business before and after the disruption and continuing/non-continuing fixed costs. Different businesses will be better served by one policy or the other. Retail operations which may recover quickly from an outage may be better served by paying a lower premium for the limited coverage period. Other businesses that may suffer a reputational harm as the result of an outage may wish to pay more in premium to obtain restoration period coverage.
An additional consideration is whether the insured will need Contingent Cyber Business Interruption ("CBI") coverage. Although there are more than a billion websites on the internet, those websites depend on a relatively small number of companies to keep the infrastructure underlying electronic communications operating.15 The magnitude of this dependence was demonstrated during the Dyn DDoS attack. While typical cyber policies bought by small to medium businesses do not provide CBI coverage, many of the policies provided to larger enterprises do. As a better understanding of the scope of cyber business interruption risk is gained, insurers are beginning to offer CBI cyber coverage on a more widespread basis. At the same time, such coverage is generally subject to notable restrictions. The insured must identify the specific entity whose failure will trigger the coverage. Also, insurers have sought to limit their exposure to a massive cyber event, through catastrophe exclusions. A cyber event affecting a sector of internet service or cloud provider, for example, could result in major losses globally. Insurers are generally not prepared to insure that risk.
Cyber business interruption in Canada closely resembles business interruption coverage in traditional bricks and mortar forms. There are, however, notable differences in the events required to trigger coverage, and the manner in which loss is calculated. This is a nascent area of business interruption coverage, and uncertainties remain. The risk is obvious, but the response from insurers continues to develop.To read this article in full, please click here.
Originally published by The International Comparative Legal Guide to: Insurance & Reinsurance 2018, Global Legal Group.
1. Stuart A Pansky & Richard K Traub, 2 Data Sec. & Privacy Law § 14:3 (2017) at Chapter 14 (WL).
5. Hazel Glenn Beh, "Physical Losses in Cyberspace" (2002) 8 Conn. Ins. L.J. 55(WL).
6. America Online, Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89 (4th Cir. 2003).
7. Am. Guar. & Liab. Ins. Co. v. Ingram Micro, Inc., No. Civ. 99-185 TUC ACM, 2000 WL 726789 (D. Ariz. Apr. 18, 2000).
8. Landmark Am. Ins. Co. v. Gulf Coast Analytical Labs., Inc., 2012 U.S. Dist.2012 WL 1094761 (M.D. La. 2012).
9. Amy R Wills, "Business Insurance: First-Party Commercial Property Insurance And The Physical Damage Requirement In A Computer-Dominated World" (2010) 37 Fla. St. U. L. Rev. 1003 (WL).
10. Pansky & Traub, Supra Note 1.
11. Hunton & Williams LLP "If You Don't "WannaCry" After a Cyber Attack, Review Your Cyber Insurance Coverage" (2017) Hunton Retail Law Resource (TLA Newsstand).
12. Beh, Supra Note 5.
14. Physical damage caused by cyber events remains normally excluded from all forms of insurance, and is only insurable under specialised policy forms.
15. Anne Freedman "Attacks on Internet Infrastructure, Commence, Leaving Unknown Risks for Insureds and Insurers Alike" (2017) Risk on Insurance: http://riskandinsurance.com/category/2017-issues/april-2017-issue/.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.