As companies become more and more resilient on technology to operate, there could many more days like July 8.
Known and unknown system vulnerabilities can send companies into a hectic scramble to get up and running as fast as possible. On July 8 the New York Stock Exchange, United Airlines and Wall Street Journal experienced disruptive glitches. The NYSE suspended trading due a technical issue, United temporarily grounded flights, and WSJ’s website went down.
Immediately speculation of a cyberattack surfaced but while cybersecurity and tech experts appear to have put to rest the possibility of a coordinated cyberattack, July 8 is just the latest example to highlight the many definitions of “cyber risk,” beyond popular conceptions related privacy, cyberattacks and hackers.
“Unless you are selling fruits and vegetables by the side of the road, your company is dependent upon technology to operate,” said Robert Parisi, managing director and national cyber risk product leader for Marsh.
“Privacy has gotten all the media attention to date, largely due to the various regulations that require notification of lost or mishandled personal information,” Parisi continued “But it really is only the tip of the cyber iceberg. Every company utilizes technology in running its business, such that a failure of that technology whether from a malicious attack or a software glitch, can be devastating.”
As a cyber business interruption module, the “system failure” provision can be triggered by technology failures like those experienced by United, NYSE and WSJ, said Sarah Stephens, head of cyber, technology and media E&O at JLT Specialty.
Operation errors and glitches can become more common and cause disruption, with impacts “ranging from minor extra expenses to business interruption, to delayed services for customers, to really damaging reputational impacts,” she said.
System failure, now a fairly popular add-on to cyber BI, has expanded from meaning a security failure caused by hacking, virus or employee sabotage to “any unplanned outage of your IT systems,” added Tom Srail, technology, media and telecom industry leader for Willis.
Some exclusions—for security breaches or loss from natural perils—apply, of course. Some policies exclude planned systems upgrades gone wrong, sources said.
In other words, if a company suffers some income loss because it couldn’t sell its product during a computer outage, it is possible the company could recover the losses and receive some insurance payout for investigation of the incident. However, the losses would have to exceed a likely deductible and occur after a waiting period, which sources said are typically longer than traditional than the typical BI standard because system failure has a broader trigger.
Chad Hemenway is Managing Editor of Advisen News. He has more than 15 years of journalist experience at a variety of online, daily, and weekly publications. He has covered P&C insurance news since 2007, and he has experience writing about all P&C lines as well as regulation and litigation. Chad won a Jesse H. Neal Award for Best Single Article in 2014 for his coverage of the insurance implications of traumatic brain injuries and Best News Coverage in 2013 for coverage of Superstorm Sandy. Contact Chad at 212.897.4824 or [email protected].
