Recently, between 800 and 1,500 businesses around the world were affected by a ransomware attack. The hackers paralyzed hundreds of businesses, including dentist offices, accounting firms, supermarkets, and schools, and demanded $70 million dollars from the businesses to restore the related business data.
These types of cyberattacks are occurring more frequently and are affecting all aspects of a victim’s business, posing threats such as a temporary shut-down and a loss of reputation, among other things. As cyberattacks become more prevalent, businesses are focusing on how to prevent the attack in the first place. But what happens if a business is attacked? What does the recovery process look like for these companies?
Oftentimes, depending on insurance coverage, businesses are able to file a business interruption claim to recover losses related to the cyberattack.
While the language for each policy varies, in general, business interruption insurance typically covers the protected business’s net profits it would have received but-for the business interruption. The loss is generally limited to some contractually defined period of time. Although the insurance company will do its own calculation of damages, the business (the insured) also has the option to, and should, submit its own damage calculation. The insured’s calculation will oftentimes be more inclusive and thorough given that the insured has better insight into its business operations and the impact of the cyberattack as compared to whomever the insurance company hires.
This raises the question – precisely how are losses calculated for a business interruption claim? As mentioned above, the policy language drives the actual calculation, but in general, the calculation is very similar to a lost profits calculation. After all, as noted above, the coverage is generally for the net profits the business would have received but-for the business interruption. The calculation looks at what revenue/sales were lost as a result of the interruption and what costs were saved/avoided as a result of changes to the operations of the business during the period provided for in the policy.
For example, a cybersecurity attack could lock down the order processing system so the business is unable to fulfill sales orders for a period. This, of course, results in lost sales. However, it could also result in some cost savings during the shutdown period related to the cost of processing those orders (shipping, manufacturing costs, etc.). The business interruption calculation will take all of these things into consideration.
What can a business and its advisors to do ensure a successful claim process? Our experience is that the following information contributes to a successful process:
- Keep detailed contemporaneous documentation. Contemporaneous documentation is advantageous because the interruption calculation is prepared months after the interruption itself, which means memories of the actual event have faded, and important details could be forgotten. For example, proof of customer interactions regarding impacted sales and/or canceled orders. Keeping a good record of the events as they unfold will help connect the dots for the insurance company and provide support for the loss calculation.
- Work closely with legal counsel. Any insurance claim is subject to the legal language in the policy. Your accountant and financial team can help with the numbers, but it is important that legal counsel weighs in on the specific language that impacts the loss calculation. Doing the calculation in a way that is consistent with the legal interpretation of the policy language will help expedite the process.
- A detailed, data-driven analysis is key. An analysis that is supportable and based on historical performance and projected expectations will be better received than a calculation that lacks detail. Currently, projecting performance is more difficult than it has been historically due to the pandemic. Be sure that the calculation explains how and to what extent Covid had any impact on the loss calculation.
To explore this information in more detail, contact a member of GBQ’s Forensic & Dispute Advisory Services team today.
Article written by:
Staff, Forensic & Dispute Advisory Services
Mallory Ashbrook, CPA, CVA, JD
Senior Manager, Forensic & Dispute Advisory Services