Supply chain cyberattacks prompt cutbacks on contingent BI capacity


This story first appeared in Advisen’s Cyber Front Page News.

By Erin Ayers, Advisen

High-profile cyber events and outages involving critical vendors for a host of businesses have cyber insurers rethinking their capacity for contingent business interruption (CBI) and cutting back significantly, according to brokers.

Blackbaud’s ransomware attack triggered downstream downtime and notifiable breaches for customers, while the June 8 outage at Fastly, a content delivery service provider, brought major websites to a halt for an hour. Hacks at Colonial Pipeline, SolarWinds, Microsoft Exchange, and Accellion top a long list of supply chain events that have organizations and their insurance partners thinking about the potential systemic risks.

Businesses can face revenue loss and downtime any time a key link in their supply chain fails to deliver goods or services. With so many organizations often relying on vast networks of digital providers, cyberattacks or non-malicious outages can have far-reaching negative effects.

As one provision of a standalone cyber policy, CBI – or dependent BI – usually can be triggered by either a security failure or systems failure at a vendor. After a defined waiting period, coverage kicks in. Sublimits, narrowing definitions, and longer waiting periods have been implemented by most major cyber markets in recent months.

“There have been cutbacks on security failure CBI, but I think the systems failure is more of a concern,” said Queenie Chong, deputy placement leader for Marsh’s U.S./Canada cyber practice. “Systems failure is often defined as ‘any unintentional or unplanned outage’ – it could be anything and there’s no way to underwrite all that.”

Waiting periods for CBI cover of six to 10 hours were once common; insurers are now routinely insisting on 12, 18, or 24 hours, say brokers. Even in a soft market, systems failure CBI came with limitations, brokers agree. It is still achievable in the market, but limit availability has scaled down dramatically.

“It isn’t a blanket no, but it is going to be limited in scope, definitely,” said Shannan Fort, partner in McGill and Partners’ cyber and financial lines practice. Underwriters are moving more toward identifying specific perils and covering unique, essential service providers, to “bring a bit more comfort” to underwriting the risk, she told Advisen.

An outage like Fastly’s – reported as occurring due to a customer configuration error and resolved quickly – likely wouldn’t have been covered by any cyber policy. For insurers, the aggregate cost of covering all insureds hit with an unplanned outage of a widely used internet service would be too immense to accept. Lines are being drawn more clearly than ever in policies as vendors become targets.

“Historically, we were able to easily get $1 million up through full limits for contingent BI security failure and up to $1 million for system failure,” Richard Fernandez, executive vice president at Amwins, told Advisen in an email. “Now $1 million has become the ceiling and prominent carriers have expressed that the future cap will likely be cut back to $250k as they continue to fear systemic issues and ransomware attacks.”

Tighter terms and conditions and higher prices aren’t turning cyber insurance buyers off, though. Cyberattacks have occupied the headlines to such a degree that most buyers want as much coverage as they can afford, according to Marsh’s Chong.

Instead, insureds should make sure their coverage matches their true needs, and invest in their controls wherever possible, brokers say. In all cases, brokers are preparing clients to answer many more questions around their vendor controls and contracts.

“We’ve had a market that’s gone from asking a lot of questions, to far fewer, now we’re going back to asking more questions,” said McGill’s Fort. “We can’t get to sustainability without appropriate information on the risk. They have to look at it as being in their best interests.”

She added, “The increase in the rates is all due to the fact that the policies are working. Walking away from cover you know will respond is not something clients are doing at this stage.”

While the insurance market for cyber-related CBI contracts, the risk must still be managed, whether through new specialized risk transfer products or through focused risk management and vendor contracts. Fort said parametric BI coverage for specific cloud providers may gain traction with buyers in the future.

“Additional innovative solutions are absolutely needed as this risk will only expand,” she said.

According to Mary Guzman, CEO and founder of Crown Jewel Insurance, the market’s willingness to write CBI even in a soft market was surprising.

“You just knew that shoe was going to drop at some point,” said Guzman, who worked as a broker before launching her own firm. Inspired by owner-controlled insurance programs (OCIP) frequently used on large construction projects, she developed a contract-specific cyber and technology errors and omissions program called Vendor Guard to bridge the expected gap in the market. Designed for organizations to coordinate primary coverage with a named insured vendor, the product is attracting interest from buyers alarmed by supply chain attacks, according to Guzman.

“The main thing we’re trying to address is breach of contract. A lot of these losses go back to breach of contract,” she said. “So many organizations give away that control of their risk, but keep the exposure.”

Beyond risk transfer, organizations need to be ready to respond to possible supply chain downtime, brokers say. They need to test how long it takes to get their contingency plans up and running and what the business income loss of tech outages would be. The more sophisticated organizations already have this on their radar, but any business can face this risk.

“Some clients are good at it, but all clients need to be good at it,” said Marsh’s Chong.

Editor Erin Ayers can be reached at [email protected]