Every business that has a computer system needs insurance for "cyber" exposures as much as, if not more so, than "brick and mortar" coverages. Cyber policies today cover both third party and first party claims, including business interruption from both outside attacks and systems breakdown.
There are significant differences in economic loss from physical perils such as fire or storm damage and from cyber events. In a blog on the Professional Liability Underwriting Society (PLUS) website (https://plusblog.org/2012/04/05/quantifying-economic-loss-from-cyber-events/), forensic accountants Ephraim Stulberg and Yvonne Kitkanska describe those differences.
- A cyber attack can have a "seemingly infinite range of impacts" - on online ordering, client records, inventory records, automated machinery. These impacts can lead to loss of revenue, increased operating costs, or employee downtime. Unlike a physical event, a cyber event may not shut down a business but still cause economic loss.
- Cyber attacks affect a wider range of businesses than physical loss. Small and medium size enterprises are more vulnerable than large companies. Professional services and non-profits can be severely impacted.
- Measuring revenue loss for online purchases differs from direct transactions as there is often a delay in recording sales.
- Cyber business interruptions are usually shorter than interruptions due to physical damage. If data is frequently backed up, the system can be restored in a few days. For large organizations, a cyber loss can affect the entire company instead of a single location.
- Cyber insurance policy terms differ from "brick and mortar" policies in definition of loss, indemnity period and waiting period. Since there is no standard cyber form, each policy must be carefully read.
It is important for businesses to understand these differences so they can purchase policies with appropriate limits, terms and conditions for their operations.