Quantifying Economic Losses from Cyber Events

Ephraim Stulberg, CPA, CA, CBV, CFF is a partner in the Toronto office of MDD Forensic Accountants. He specialises in the areas of business valuation, economic loss quantification and investigative accounting, and has worked on numerous matters involving first-party and third-party insurance claims, including business interruption, network interruption, fidelity, reps and warranties, D&O and general liability coverage. He has provided expert evidence in court and at arbitration, and has worked on matters across Canada, as well as the United States, Europe, South America, the Middle East and Asia. He can be reached at estulberg@mdd.com.

Yvonne Kitkarska, CPA, CBV manages the Montreal office of MDD Forensic Accountants and is fluent in both French and English. She has completed numerous assignments involving first-party and third-party insurance coverage. Yvonne is one of the leaders of MDD’s cyber insurance practice, and has completed numerous engagements related to lost profits resulting from cyber incidents. Yvonne has prepared and delivered seminars to various audiences dealing with the quantification of lost profits and business interruption insurance. She has worked on matters across Canada, as well as the United States, Europe and South America. She can be reached at ykitkarska@mdd.com.

Next to “you’re on mute”, perhaps one of the most common phrases of this past year has been “don’t click on that link”!

The risk of suffering a severe financial loss due to a cyber event has never been greater. According to Allianz’s Risk Barometer, it was the top risk facing businesses; not long ago, it barely registered in the survey (1).

The cost of a cyber-attack can be absolutely paralyzing for a business. In fact, Cybersecurity Ventures predicts cybercrime damages will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015 (2). The costs to businesses can include direct out-of-pocket costs (such as damage and restoration of data, ransom payments, stolen money), post-attack disruption to the normal course of business, lost productivity, theft of intellectual property, theft of personal and financial data, as well as indirect costs such as reputational harm and potentially even lawsuits for data leaks involving sensitive information.

In response to this reality, more and more insurers have begun offering cyber coverage to businesses to help them protect themselves against this very important risk. Specialty insurance coverage for cyber risks is still relatively new and continually evolving. Cyber insurance often covers ransom payments, breach response and data recovery costs, liability to third parties, as well as business interruption (BI) and additional expenses.

As forensic accountants specializing in quantifying business interruption and lost profits, we have seen a sharp increase in the number of cyber losses in our caseload in the past couple of years. The purpose of this article is to summarize some of our experiences, and in particular to answer the following question: How are BI losses under cyber policies different from those that have been around for decades in property policies?

Based on experience handling dozens of these losses in recent years, here are a few key factors that make quantifying losses due to cyber-attack different from other types of BI losses:

1. Variety of Impacts on Business
IT systems are so pervasive that a cyber-attack can have a seemingly infinite range of impacts on a business. We have seen impacts to online ordering, impacts to client records, impacts to inventory records, and impacts to automated manufacturing machinery.

Each of these IT problems will impact the financial results of a business in different ways. Some of these issues will lead to a loss of revenue; others will lead to an increase in operating costs; still others may not have any discernible impact on either revenues or costs, and will only create idle employee time.

What becomes particularly important in a cyber loss is understanding the cause-and-effect relationship between the incident and the financial impact. In a physical damage scenario, the impact is usually obvious: for example, a fire has caused a retailer to close down for a period of time, affecting its ability to make sales. However, if that same retailer is the victim of a cyber incident, it does not necessarily mean it will have to close down. The retailer may be unable to access inventory records or accept automated payments while its systems are down, but it may still be able to continue to sell products in the store and either accept cash or take down clients’ payment information for later processing. Revenues may be affected, but not to the same extent as if the store were completely closed down.

2. Types of Businesses Impacted
This exponential growth in cyber threats is partly the result of a shift from a “brick-and-mortar” economy to a digital economy. Entities’ increasing reliance on their IT systems, as well as the emergence of more sophisticated and organized hackers, have resulted in more and more cyber-attacks.

No company is safe – attackers target large multinationals such as Marriott Hotels (3) and Equifax (4), as well as small- to medium-sized enterprises (SMEs). In some ways, SMEs are more vulnerable to cyber-attacks as they often do not have robust IT security policies and technology.

Cyber-attacks can impact a wide range of businesses, and the variety of businesses for which we have reviewed cyber losses is much broader than the types of business that suffer losses due to physical damage: examples include government bodies, not-for-profits, and professional services firms.

Consider an accounting firm. In the case of physical damage to its offices, the business can normally continue to operate with minimal disruption and avoid or minimize business interruption losses by having employees work remotely or at another location. As the Covid-19 pandemic has shown, many professional services firms can easily be set up to work remotely. However, if the same firm loses access to its servers (e-mail, file storage servers, VPN connection), this can have a crippling effect on its ability to operate, and there may be losses of revenue, labour inefficiencies, or both.

3. Data Issues
The types of data we analyze with cyber losses can pose unique opportunities, as well as some pitfalls.

Take for example a retailer. Unlike brick-and-mortar retailers, which record revenue when the customer makes a purchase, online retailers often have a lag of several days between a sales order being received and the recording of revenue (which typically does not occur until shipment). Looking solely at revenue based on shipments when analyzing losses for an online retailer may therefore yield misleading results, especially when the affected loss period is only a few days (which is often the case with cyber losses). A more useful metric might be website traffic or revenue by order date, data that online retailers have readily available, unlike their brick-and-mortar counterparts.
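The following added example (not part of the original article; the order data is constructed) shows why the choice of date basis matters. An online retailer with a three-day shipment lag loses its ordering site for three days: revenue aggregated by shipment date looks normal during the outage, because orders placed beforehand are still shipping, and the dip only appears three days later, outside the loss period. Aggregating the same orders by order date shows the loss where it actually occurred.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample: one 100-unit order per day, shipped three days after ordering.
# The ordering site was unavailable 10-12 March 2021 (inclusive), so no orders
# were placed on those days. These dates and values are assumptions for illustration.
OUTAGE_START = date(2021, 3, 10)
OUTAGE_END = date(2021, 3, 12)
SHIP_LAG = timedelta(days=3)
DAILY_ORDER_VALUE = 100.0  # constructed pre-incident baseline per day


def make_orders():
    """Return constructed (order_date, ship_date, amount) rows for 1-20 March 2021."""
    orders = []
    day = date(2021, 3, 1)
    while day <= date(2021, 3, 20):
        if not OUTAGE_START <= day <= OUTAGE_END:
            orders.append((day, day + SHIP_LAG, DAILY_ORDER_VALUE))
        day += timedelta(days=1)
    return orders


def daily_revenue(orders, basis):
    """Aggregate revenue per day by order date ('order') or shipment date ('ship')."""
    idx = 0 if basis == "order" else 1
    totals = defaultdict(float)
    for row in orders:
        totals[row[idx]] += row[2]
    return dict(totals)


def revenue_in_window(orders, basis, start, end):
    """Total revenue recognised on the chosen basis between start and end, inclusive."""
    return sum(v for day, v in daily_revenue(orders, basis).items() if start <= day <= end)


def estimated_loss(orders, basis, start, end, baseline_per_day=DAILY_ORDER_VALUE):
    """Baseline revenue for the window less what the chosen basis actually shows."""
    days = (end - start).days + 1
    return baseline_per_day * days - revenue_in_window(orders, basis, start, end)


def outage_summary():
    """Compare both bases over the outage window and over the three days after it."""
    orders = make_orders()
    after_start, after_end = OUTAGE_END + timedelta(days=1), OUTAGE_END + SHIP_LAG
    return {
        "order_basis_loss_in_outage": estimated_loss(orders, "order", OUTAGE_START, OUTAGE_END),
        "ship_basis_loss_in_outage": estimated_loss(orders, "ship", OUTAGE_START, OUTAGE_END),
        # On a shipment basis the shortfall shows up only after the systems are back.
        "ship_basis_loss_after_outage": estimated_loss(orders, "ship", after_start, after_end),
        "order_basis_loss_after_outage": estimated_loss(orders, "order", after_start, after_end),
    }


if __name__ == "__main__":
    for label, value in outage_summary().items():
        print(f"{label}: {value:.2f}")
```

Read against a loss period defined as the three outage days, the shipment basis reports no loss at all and then a 300-unit "loss" in a period when the site was working again; the order basis attributes the same 300 units to the days the site was down.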

4. Scope of Losses
A business interruption resulting from a cyber incident is often shorter in duration than a business interruption resulting from physical damage. While in a physical damage scenario, the property needs to be rebuilt or replaced which may take some time, digital data loss can often be restored using recent back-ups. In a ransomware scenario, an expert in cyber-attacks may even advise the insured to pay the ransom and gain access to its servers right away in order to avoid or minimize any interruption to operations.

Most businesses have some form of disaster recovery protocols and back up their digital information frequently. A company’s ability to restore digital damage from back-ups often depends on how sophisticated their IT systems are and how recent the last back-up was. In some cases, it can take a few days (if back-ups are done frequently) while in other cases, it can take months (if the back-up servers were in some ways affected by the attack or if the back-ups are infrequent).

In some cases, restoring the servers does not necessarily mean that the business is no longer impacted. This is an important issue, as cyber policies normally limit the indemnity period to the point when the systems are restored. This may result in uninsured losses for insureds in some industries. Consider a hotel whose ability to take reservations was impacted by a cyber incident for a period of a few weeks. Many people making hotel reservations do so weeks or months before their anticipated stay. As revenues are usually only recorded once the guests have completed their stay, the hotel’s inability to take reservations does not impact its revenues until much later, long after the systems are restored and its maximum indemnity period has been exhausted.

Finally, while cyber business interruption losses can often take place over shorter timespans, these losses can be more extensive in geographic scope. Physical damage is unlikely to impact more than one or two locations of a business at a time, whereas a cyber-attack can cripple an entire network.

5. Insurance Policy Issues
The wording of cyber policies can be quite different from that of standard property business interruption policies. This sometimes creates confusion for insured parties. Some notable differences include:

a) The definition of “loss”
Typically, business interruption coverage that forms part of a property insurance policy will begin the calculation with the reduction in a business’s revenue, which is then adjusted to consider saved variable and fixed costs. By contrast, many cyber policies refer directly to continuing expenses, without referring to revenue losses.

b) Indemnity period
For most businesses, a network interruption is often much shorter than a property-related interruption. As such, while property policies often have a 12-month maximum indemnity period, cyber BI coverage is often limited to 2, 3 or 4 months. Although this is usually sufficient to cover the period needed to restore the network, it may not be long enough to capture the full impact on the insured’s business, especially for businesses whose revenue recognition timing is a bit different, such as the hotel example above.

c) Waiting period
The impact of a waiting period deductible tends to be much more significant in a cyber loss: because the loss period tends to be shorter, the losses incurred during the waiting period make up a larger share of the total loss.
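The added example below (not part of the original article; all figures are constructed) works through the three policy differences just described on two scenarios: a retailer with a 10-day network outage, and the hotel from section 4 whose revenue shortfall only materialises weeks after its reservation system is restored. The functions compute a property-style loss (lost revenue less saved variable costs), a cyber-style continuing-expense figure, the share of the loss consumed by a one-day waiting period, and the portion of the revenue impact that falls after the indemnity period ends.

```python
from dataclasses import dataclass


@dataclass
class LossScenario:
    """Daily figures indexed from the incident date (day 0). All values are constructed."""
    daily_lost_revenue: list       # revenue shortfall versus the pre-incident baseline, per day
    saved_variable_ratio: float    # share of lost revenue that would have been spent on variable costs
    daily_continuing_expenses: float  # fixed costs (rent, salaries) that continue during the interruption
    restoration_day: int           # first day on which the systems were back (end of the network interruption)
    waiting_period_days: int       # time deductible: days at the start of the loss that are not covered
    max_indemnity_days: int        # policy cap on the indemnity period


def indemnity_window(s, ends_at_restoration):
    """Days the policy responds to: after the waiting period, up to the indemnity cap.
    Cyber policies commonly end the period at restoration; property policies run to the cap."""
    end = s.max_indemnity_days
    if ends_at_restoration:
        end = min(end, s.restoration_day)
    return range(s.waiting_period_days, end)


def property_style_loss(s, window):
    """Property BI wording: reduction in revenue adjusted for saved variable costs.
    (Saved fixed costs are left out of this illustration.)"""
    lost_revenue = sum(s.daily_lost_revenue[d] for d in window)
    return lost_revenue * (1 - s.saved_variable_ratio)


def continuing_expense_loss(s, window):
    """Cyber wording that refers directly to continuing expenses, not lost revenue."""
    return s.daily_continuing_expenses * len(window)


def waiting_period_share(s):
    """Fraction of the interruption's gross-profit loss that falls inside the waiting period."""
    total = property_style_loss(s, range(0, s.restoration_day))
    excluded = property_style_loss(s, range(0, s.waiting_period_days))
    return excluded / total if total else 0.0


def uninsured_tail(s, ends_at_restoration):
    """Gross-profit loss occurring after the indemnity window closes (the hotel problem)."""
    window = indemnity_window(s, ends_at_restoration)
    return property_style_loss(s, range(window.stop, len(s.daily_lost_revenue)))


def retailer_scenario():
    # 10-day outage, 1,000/day shortfall, 50% variable costs, 300/day continuing expenses.
    return LossScenario([1000.0] * 10 + [0.0] * 80, 0.5, 300.0, 10, 1, 90)


def hotel_scenario():
    # Reservations down for 3 weeks; stays that were never booked would have fallen on days 45-74.
    return LossScenario([0.0] * 45 + [800.0] * 30 + [0.0] * 15, 0.5, 500.0, 21, 1, 90)


def summarize(s, ends_at_restoration):
    window = indemnity_window(s, ends_at_restoration)
    return {
        "covered_days": len(window),
        "property_style_loss": property_style_loss(s, window),
        "continuing_expense_loss": continuing_expense_loss(s, window),
        "waiting_period_share": waiting_period_share(s),
        "uninsured_tail": uninsured_tail(s, ends_at_restoration),
    }


if __name__ == "__main__":
    for name, s in (("retailer", retailer_scenario()), ("hotel", hotel_scenario())):
        print(name, "cyber wording: ", summarize(s, ends_at_restoration=True))
        print(name, "property wording:", summarize(s, ends_at_restoration=False))
```

For the retailer, a one-day waiting period removes 10% of a ten-day loss, whereas the same deductible against a six-month property interruption would remove well under 1%. For the hotel, an indemnity period that ends at restoration covers continuing expenses for the outage but none of the 12,000 in lost gross profit, all of which falls after the window closes; the same figures under a 90-day window are fully inside the indemnity period.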

Conclusion
In conclusion, cyber-attacks are becoming more and more prevalent and prominent, and businesses are wise to protect themselves against this very real and potentially extremely damaging risk. Insurers are responding to this demand by underwriting more and more cyber policies. As a relatively new insurance product, many insurers have seen claims increase exponentially over the last few years. The number and magnitude of claims are only expected to grow with the impact of the Covid-19 pandemic on businesses that now rely more than ever on their IT systems to remain connected and continue operating (5).

This article has attempted to outline some of the particularities in quantifying cyber business interruption losses compared to standard property damage losses. As hackers continue to develop their craft, we can only imagine how this field will evolve over time.

Until then – don’t click on that link!

1 https://www.agcs.allianz.com/news-and-insights/reports/cyber-risk-trends-2020.html
2 https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/
3 https://www.bbc.com/news/technology-54748843
4 https://www.csoonline.com/article/3444488/equifax-data-breach-faq-what-happened-who-was-affected-what-was-the-impact.html
5 https://www.forbes.com/sites/theyec/2021/01/19/the-next-five-years-cyber-insurance-predictions-through-2025/?sh=7cfaf1a163fa