VIEW 34
Cyber supply chain cover
One important way in which the cyber insurance market is maturing can be seen in the way in which coverage is changing. As little as five years ago, business interruption cover was not standard in cyber insurance policies. Back then, the market was mainly focussed on regulatory fines and other costs associated with data breaches in the USA.
Since then coverage has been steadily broadening as shown in the diagram. Business interruption coverage for the insured has become more or less standard in cyber policies now. Following demand from clients, the market is now beginning to offer coverage to mitigate the risks from cyber incidents in different parts of the supply chain both upstream and down. This comes in several different forms:
Dependent Business Interruption (BI): Typically, this would be limited to a named supplier. So, for example, a company that depended on Google G-Suite or Amazon Web Services for cloud hosting would want coverage for any system outage from these business-critical suppliers. However, there is a growing demand for full supply chain dependent BI cover where all suppliers to the insured are covered not just a named few.
Receivers Business Interruption (BI): This focuses on the downstream part of the supply chain. If a cyber incident means that the insured is unable to fulfil a contractual obligation to a customer and that customer then suffers damages, then receivers BI coverage will compensate.
Other upstream coverage: The number of different companies involved in an industrial supply chain from raw materials at one end to finished goods delivered to a consumer at the other can easily exceed 20. Coverage for the full length of this chain would be very unusual, not least because of the problem of tracking the liability across so many entities. Most insurance policies include critical infrastructure exclusions to limit the exposure to an event like the whole power grid going down. Upstream cover is also typically limited to entities with a contractual agreement which limits the coverage chain. Companies separated by a few steps in the chain are unlikely to have contract with each other.
