Over the past 20 years, technology has changed the way we communicate, conduct business, and live. It is rare to walk down a city street and not see a person using some type of technology. It has become an integral and indispensable part of our everyday lives.
The important role technology plays in business cannot be overstated. Businesses worldwide rely on digital interconnectivity for growth. Organizations rely on the internet, video conferencing, accounting, and project management apps to stay connected. Technology is the key to efficiency for most businesses, helping to streamline processes, maintain data flow, and reduce operational expenses.
This reliance on technology, however, does not come without risks. Companies that rely on digital interconnectivity are targets for cybercriminals. These threat actors have found ways to disrupt the digital environment and wreak havoc on businesses across the world.
For example, companies that rely on interconnected digital systems for their supply chains are susceptible if those digital systems are compromised. A cyber event affecting any part of such a network can cause widespread disruption, delaying product deliveries and leading to penalties, lost contracts, or damage to business relationships and reputations. Companies need to understand that the consequences of a cyber event can be far-reaching, impacting not just their financial health, but their long-term viability and competitiveness.
This Cyber Business Interruption (BI) Playbook is intended to help companies navigate the unique complexities they face in preparing for cyber business interruption events. The Cyber BI Playbook provides insights on how to take a proactive approach to business interruption, which includes risk assessment, insurance coverage, incident response and recovery planning.
Most organizations recognize that unplanned events can disrupt operations. Resilient organizations make the investment in time, money, and other resources to plan how they will minimize and react to disruptions.
Planning for business disruption typically involves the development of an incident response plan, disaster recovery plans, and business continuity plans. Although these plans all deal with how an organization should act in the face of an event, there are distinct differences that warrant developing each. In some cases, for example, organizations will consider implementing incident response and continuity of operations programs to oversee resilience and response activities across the enterprise, with separate plans for various parts of the business (for example, cybersecurity or environmental).
Incident response plans focus on how an organization detects, responds to, and recovers from incidents. Disaster recovery plans are typically specific to a system (for example, an application server), are developed by the system owner, and are outside the scope of this document. Business continuity plans focus on how an organization will maintain critical operations, possibly in a reduced capacity, during a disruptive event. Ideally, all three of these plans will be developed in collaboration and will complement each other.
Why should organizations prepare for business interruption?
Although preventing all disruptions to a business is not possible, an organization can significantly reduce the costs related to a disruption, and in some cases, enable it to survive a crisis.
For example, assume a small tire manufacturer uses a third-party software and machine to track lot numbers and stamp finished tires with traceability numbers (such as lot or serial numbers). If this supplier goes down due to its own event (for example, ransomware), the tire manufacturer can no longer ship tires. If the tire manufacturer is responsible for supplying tires to a major OEM auto manufacturer, it could be looking at penalties and may not survive days, let alone weeks, absent effective planning.
If this tire manufacturer conducted planning for business disruptions before the disruption to its supplier, it would likely have identified lot traceability as a key aspect of production. It could have identified a secondary supplier or developed a manual process for keeping the manufacturing process going while an alternative could be found.
Developing an effective incident response plan is a time-consuming task. It requires a solid understanding of an organization’s business, its operating environment, its staff and resources available, and the types of events that might affect it. Purchasing a complete plan or template and adopting it without customization is not advised.
Although an organization can hire experts in the field of incident response to help develop an incident response plan, these plans are best developed with the involvement of key stakeholders from across an organization. This will ensure relevancy of the plan and help speed up its adoption.
Most incident response plans include three major components, which follow the sequence of how an organization will react to events. These include detecting events, analyzing events, and responding to events.
Before an organization can respond to a cyber incident, it must first be able to detect when a cyber event occurs. A cyber event can be any computer activity that affects the organization or its assets — for example, a user logging in to their email, a website outage, or the opening of a sensitive area after hours. Organizations typically identify events through monitoring of their systems, subscribing to third-party information sources, such as the critical vulnerability alerts published by the Cybersecurity and Infrastructure Security Agency (CISA) or industry-specific advisories, communicating with key clients and suppliers, and other means.
It is not uncommon for a company to learn from an external entity, such as law enforcement, that it has a malware infection it was previously unaware of. Establishing relationships with local and federal law enforcement and CISA representatives is always a good idea.
Ideally, an incident response plan will document how an organization will:
Once an organization can regularly detect most events, it must have a mechanism for analyzing and reacting to those events. No organization has the time, money, and resources to treat every event the same. Incident response plans should document the criteria for classifying events and determining what is an incident versus a crisis — in other words, the difference between an event that requires a response and one that may threaten the survival of the business.
The process of developing these criteria must consider an organization’s operations, finances, obligations — for example, to provide a critical service to subscribers — and similar factors. Criteria should be developed with leadership’s involvement and approved by the company’s executive management team. This will be one of the standards used to determine when executive leadership needs to be notified of incidents.
Often, incident response plans will define various criteria and then provide a table of example events to help staff better understand how to categorize events (see Figure 1). In some cases, organizations may create separate tables for employee, operational, and financial impacts. Criteria should be regularly reviewed and updated to ensure alignment with the business.
Figure 1: Identifying examples can help incident response teams better categorize events when they occur.
Once an incident or crisis is declared, an organization needs to respond. This section of the incident response plan will identify roles and responsibilities, recovery timelines, checklists, and other tools the organization will use in response to an event. Incident response will often trigger data backup procedures, crisis communications, assumption of alternate duties for affected employees, and, in some cases, ceasing noncritical operations until an incident is contained.
Best practice is to routinely review and iterate incident response plans to better align them with the business and further reduce the impact of any incident. Many companies conduct after-action reviews following all incidents and crises to capture learnings while they are still fresh.
Key roles and responsibilities that every incident response plan should cover include:
Common Third Parties Involved in Incident Response
- Breach counsel
- Forensic accountants
- Digital forensics (DFIR) experts
- Public relations
- Restoration & remediation consultants
- Cyber extortion experts
- Notification/credit monitoring services
- Insurance brokers
- Insurers
- Law enforcement
As with incident response plans, it is imperative that organizations take the time to develop custom business continuity plans that are tailored to their unique operations. Even two companies in the same industry will have different ways of operating. Organizations can consult with third-party experts, but should not expect them to be able to develop comprehensive business continuity plans without significant internal stakeholder engagement.
Business continuity plans are aimed at maintaining critical operations in the face of an event. Organizations must therefore first identify their critical operations, key dependencies, obligations, and other aspects of their business.
Organizations must then prioritize these aspects to determine those most important to the business’s survival and success. This can be done through business impact analyses, quantification workshops to better understand the financial impacts of potential event scenarios, and risk assessments to determine which lines of business are most at risk.
Once analysis and prioritization are complete, organizations can develop mitigation strategies and plans regarding how they will keep critical operations running during disruption. Strategies may include finding alternate vendors for key resources, leasing and equipping alternate sites, eliminating the use of vulnerable technologies, or reducing operations for a period of time.
These processes must be captured in written documents, and their effectiveness should be tested during periodic exercises. Training should also reinforce what employees should do during disruptions.
Business Interruption Insurance: From Property to Cyber
More than 200 years ago, the insurance industry recognized that the loss of tangible property could have financial consequences well beyond the actual value of any damaged or destroyed property. Indeed, a disruption to business operations, regardless of cause, can be devastating to an enterprise.
Over time, business interruption became an essential component in commercial property insurance policies. With the recognition of the risk posed by cyber threats — and the need for insurance products to address those risks — business interruption coverage has been adapted to cyber risks and is now an essential component of a cyber insurance policy.
NOTE: Where a cyber event causes property damage that results in business interruption, a property policy may respond if a cyber policy does not provide coverage.
Cyber insurance is designed to cover financial losses resulting from cyber events, such as data breaches and ransomware attacks. Policies typically include a collection of coverages, such as:
While all these coverages are important parts of a well-rounded cyber insurance program, our focus here is the business interruption coverage available in almost every cyber policy.
The purpose of business interruption insurance is to return the insured entity to the position it would have been in had the triggering event not occurred, subject to certain limitations and exclusions. For many, business interruption coverage is the most important and yet least understood component of a cyber insurance program.
The business interruption loss in most cyber insurance forms is calculated as the sum of the net profits lost because of a computer system outage or disruption and the expenses that must continue during the interruption. [1] Regardless of the specific language of the policy, the goal should be to cover the organization for the actual loss sustained. [2]
These days, most organizations rely on computer systems to function; an extended outage of these systems is likely to lead to significant income losses and/or expenses. It is important for organizations to quantify their potential losses from different types of cyber events to determine the amount of cyber business interruption coverage — if any — they require.
The scope of business interruption coverage in cyber policy forms has expanded since they were first introduced about 20 years ago. Where coverage was first made available principally for the outage of a policyholder’s computer system caused by a malicious attack, coverage is now routinely available for outages that are not the result of an outside attack — often called “system failure” coverage. Coverage is also now available for a policyholder’s business interruption caused by the outage of computer systems controlled by outsourced IT services providers and possibly many others.
Business interruption insurance is complex. Terminology varies among carriers and terms can vary between policy forms.
Beyond the business income calculation formula itself, limits of liability purchased and self-insured retentions, the following terms can affect the scope of coverage provided and the amount of recoverable loss:
Exclusions should also be noted. Cyber business interruption coverage is generally not available for an event that involves physical property damage or is caused by a natural peril; business interruption coverage may be available for these events in a property policy. Cyber policies also typically exclude coverage for events caused by failure of infrastructure (water, power, internet) and by government actions. Some expenses, such as the costs to defend lawsuits, are often excluded from cyber business interruption insurance but might be covered under a different part of a cyber policy or another insurance policy.
Business Interruption in Healthcare
A large hospital is the victim of a ransomware attack, which encrypts multiple servers, including the hospital’s backups. The hospital must divert its emergency room patients to other hospitals. Imaging machines and other devices are down. Appointments and surgeries are rescheduled or canceled. Additional staffing is required as all medical charts must be filled out manually. And sensitive patient information is compromised and exfiltrated. It takes the hospital more than a month to become fully operational again, even after paying a ransom.
The restoration costs, income loss and extra expenses are well over $60 million. This amount does not include the ransom payment of $10 million and the costs for breach counsel, forensic investigations, notification to patients, regulatory investigations, and third-party class action defense and settlement.
These costs add up quickly. It is imperative that a business conduct due diligence before an event to make sure it has adequate insurance coverage.
Once it becomes clear that a cyber event has occurred, it is important to act immediately. If an organization has an incident response plan, it should be triggered and followed by the incident response team. If your organization must respond to a cyber event, you should:
It is important to remember that responding to a cyber event, and submitting a BI claim, is a process. Rely on the experts you have retained, especially your broker and forensic accountant, to guide you. BI claim resolution may take months, depending on the complexity of the claim. Communication is key to making this process more efficient.
As technology continues to improve, businesses will utilize it for efficiency, productivity, and growth, thus remaining vulnerable to technology-related disruptions. How organizations respond to a disruption will determine, in some instances, whether they will continue to thrive, or even survive.
Cyber insurance, and in particular BI coverage, can help businesses mitigate this risk. Businesses, however, do not have to navigate these risks alone.
Cyber risk consultants can help your organization assess its exposure to cyber threats, non-data breach privacy issues, and other forms of cybercrime. These specialists can also help you determine the potential financial impacts of cyber events and develop strategies to mitigate them.
Your broker can help navigate the complexities of cyber insurance policies, ensuring that a business is adequately protected against evolving cyber threats while optimizing insurance coverage. An experienced and knowledgeable broker can help you select the right policies and appropriate coverage limits and act as an intermediary between you and your insurer during the claims process.
A forensic accountant, as part of your incident response team, is also key to this process. Forensic accountants can project future losses and evaluate the effectiveness of your business continuity plans. During the claims process, a forensic accountant can help you quantify your financial impact and any lost revenue due to an event. Post-incident, forensic accountants can assist in preparing detailed reports, such as a proof of loss, to submit to your insurer in compliance with your policy. [3]
Staying ahead of cyber threat actors may seem like a full-time job, but relying on experts to put you in the best financial place for recovery is crucial. Do not wait until a cyber event happens to fully understand the impact this may have on your business — start planning today to be ready for a cyber event tomorrow.
Preliminary questions for the insured:
These requests will normally be made to include pre-loss, loss, and post-loss periods to enable the projection of operating results (trending), the actual activity during the loss compared to the projections, and the post-loss operations to identify any potential make-up. Periods and records requested will vary by the answers to questions listed in Appendix A.
[1] Alternatively, the loss may be calculated by determining the business’s lost earnings during the disruption and subtracting the variable costs saved when the business was not operating. The first approach is often referred to as the “gross profit” method; the approach described in this footnote is the “gross earnings” method.
[2] For example, with partial disruptions, continuing expenses are offset against actual revenues earned during the loss period.
[3] Most cyber insurance policies with business interruption coverage provide a sublimit for preparation of proof of loss costs, which would include forensic accounting costs.
With a team of equipment specialists and forensic accountants located all over the world, our cyber damages experts provide high-quality, custom solutions for cyberattacks.
Our team of equipment experts is trained to identify and validate a cyber incident, measure the scope of impact, and analyze the incurred costs. Using this protocol, our experts can determine significant changes in the overall network. This analysis enables our experts to determine the accurate period of interruption (POI) related to the event for the business interruption loss.
Our forensic accountants work to gather and review the impacted party’s operational and financial records, as well as comparative industry data, to quantify business interruption damages and extra expenses.
Together, our technical experts and forensic accountants can properly quantify all damages from the event and provide the comprehensive, custom solution our clients need.
What makes Lockton stand apart is also what makes us better: independence. Lockton's private ownership empowers its 12,500+ Associates doing business in over 140 countries to focus solely on clients' risk, insurance and people needs. With expertise that reaches around the globe, Lockton delivers deep industry knowledge and product specialization with a passion for serving clients. For more information, visit global.lockton.com.