How much revenue could your company afford to lose if one of your key vendor’s system goes down? How much revenue could your company afford to lose if your own systems failed? One month of revenue? Two weeks? Two days?  

All industries are potential cyberattack victims, as well as organizations both large and small, but I’m going to focus on small to medium-sized technology companies and the impact of cyber-related business interruption. Over half of cyberattack victims are now small businesses and the average downtime due to a cyberattack is 18 days.  

A recent example of a ransomware attack against a client’s third-party vendor outlines the importance of contingent business interruption loss. Most companies provide payroll processing online, which is typically owned and hosted by a third-party provider. This was the case for a small HR technology firm that provides payroll processing, health insurance, and compliance solutions.  

When the third-party was hit by the ransomware attack, neither the client nor its customers could access the payroll application, which ended up being down for 8 days at the end of the calendar month. Some of the clients’ customers were unable to pay their employees on time and 8 customers cancelled their contracts, resulting in $172,000 of lost annual revenue. Fortunately, the client was covered for the income loss under the contingent (sometime called dependent) business interruption section of their cyber insurance policy.  

This claim highlights a few things that are worth exploring: 

  • 1st party business interruption coverage reimburses you for income your organization would have generated if not for a data breach plus the extra expenses you incur due to a suspension. But the above example proves the importance of having contingent/dependent business interruption coverage as well, which is not covered in all policies.  
    • Claims are triggered by elapsed time, similar to a deductible, and the typical retention period is set at 48 hours, meaning a business must have a disruption of normal business operations for at least 48 hours before coverage would apply. 
    • Policies contain different indemnity periods. If a cyber insurer is only offering a 3-6 month indemnity period and an annual contract is cancelled, the insured would lose 12 months of income but only reimbursed for a half or a quarter of the revenue.  
    • Some insurers may require you to list all of your vendors on the policy declarations page. You should always check your contracts with vendors and partners very closely as well. This Bloomberg article details a ransomware attack on one of Apple’s key suppliers and how the group is now extorting Apple for the ransom by posting upcoming Macbook product schematics.  
  • The average cost of downtime from ransomware attacks has jumped from $46,000 to $274,000 in two years. 
  • A business continuity and disaster recovery plan remain the #1 solution for combating ransomware, according to IT experts, and employee security awareness training and endpoint detection and response platforms are #2 and #3, respectively.  

Unfortunately, with the explosion of cyberattacks on companies of all sizes and the reliance on multiple third-party vendors and partners in tech, you need to determine how much time you can afford for your own systems to go down as well as each individual third-party provider you use. The keys to surviving the inevitable downtime are a top-down, dynamic cybersecurity plan combined with a thorough cyber insurance program. 

 

Bryan is a Technology Risk Advisor at Bender Insurance Solutions for the Commercial Lines team. He advises technology companies in California about cyber liability, claims management, and international regulatory requirements.

Bryan can be reached at: Direct (916) 380-5336, Mobile (916) 214-2345 bmurray@mybendersolutions.com, and on LinkedIn.