Remember: This Blog is organized around insuring agreements, definitions, and exclusions. Conditions, etc., may be remarked upon briefly, but they often resemble not only each other but those found in currently existing policies. It also ignores policy limits, retention matters, notice requirements, time intervals for coverage, etc., important as these are. As usual, the discussion of everything in this blog is tentative, partial, and perhaps mistaken here and there. It is a new and relatively uncharted ocean.
BUSINESS INTERRUPTION INCOME LOSS AND DEPENDENT BUSINESS INTERRUPTION INCOME COVERAGE is the title of this insuring agreement, I.H.
A good part of this title is familiar from commercial first-party (often property) policies, where the idea of property damage begins with the idea of physical injury to tangible property. Obviously, that will not be the beginning of BI* or DBI coverage in cyber-policies. Still, in terms of purpose, this insuring agreement corresponds to the similar insuring agreements found in so-called “real world” policies. [*BI is a standard abbreviation used to denote Business Income Losses in today’s so-called “real world” policies. Previously, BI referred to Business Interruption Losses. Many do not know why the terminology changed, and I am one of the many. Maybe it was to accentuate the fact that there had to be an income loss; I suspect that was always true.]
Here is the verbatim quotation of insuring agreement I.H:
The Insurer will pay the Company any Business Interruption Income Loss [BI], Dependent Business Interruption Income Loss [DBI], and Extra Expense the Company sustains during the Period of Restoration as the direct result of an Interruption in Services, provided that such Interruption in Services first occurs during the Policy Period.
Before turning to the central substantive definitions, several matters need to be discussed.
First, only the Company is really covered; only its losses are to be paid.
Second, under this insuring agreement, “will pay” is a key obligation of the Insurer. This is more flexible than “will reimburse.” Interestingly, there is no restriction on when the Insurer is obligated to pay. Probably all cyber-insurers that use this language are governed by the law–a more or less general law across at least most states in the U.S.–that requires the insurer to pay promptly, once it has the information, etc., it reasonably needs to calculate what it owes.
Third, the Period of Restoration is defined (pretty much) as the reasonable length of time it takes the Company to get its cyber operation up and running again, measured starting with the time there was a covered Interruption in Services, but lasting no more than 30 days. Obviously, the Period of Recovery can reach out beyond the end date of coverage under the policy. This topic is often a matter of dispute. One of the principal topics of dispute is whether the insured was snappy in getting the fix completed. An enormous number of facts, and therefore components of an investigation (or more than one), are involved in any relevant adjustment and/or adjustment dispute. As a general rule, periods of restoration can be extended by endorsement, like lots of things in insurance policies.
Fourth, the term “direct result” again serves a crucial role. For more on this matter, see Part VIII: I.G, for example. The ideas of direct and indirect are illustrated nicely by the workings of the “Silk Road.” Some of it is direct, I think, in particular, the mailing of the “goods.” Some of it is indirect, I believe, namely, the modes of purchasing the “goods.”
Fifth, the Company’s Computer System is a term whose meaning is intuitively obvious at a surface level. Of course, different companies have different systems used for different purposes. In this definition, an insured system is one restricted to working solely for the Company’s benefit.
We now arrive at what might be called the crucial topical definitions.
First is the definition of Interruption in Services [IS], the covered train of events that do injury or damage to the Company. Which ISs are covered and which are not is to be found in this definition. IS “means the actual and measurable interruption, suspension, failure, degradation or delay in the performances of the Company’s Computer System, if directly caused by a Network Security Incident.” [Notice that the idea of being direct is a necessary condition of being an IS and therefore of coverage. Given the general terms–one is “measurable”–one can bet that there will be disputes grounded on this idea.]
BI and DBI are the crucial definitions for describing the types of injuries/damages for which the Insurer will pay. BI means, roughly speaking, the Company’s loss of “net profits before income tax” that the Company is prevented from earning as the result of IS and its normal expenses, e.g., payroll, that “must continue” during the Period of Restoration had there been no IS.
[This has been a relatively standard surface formulation of BI for a very long time. Extra help that has to be brought in to straighten things out is an Extra Expense, not a loss. Notice that the general BI can be brought about by an assortment of causes of the IS and that the cause of the IS might actually involve more than one cause so that the IS need not directly result from a single cause.]
DBI is one of those components of this insurance policy that contains two uses of “direct”: one is “direct result of” and the other is “caused directly by.” It is even more complicated than passages where there is a double occurrence of the word; for this reason, it is necessary to quote some of it. It is a BI loss “as the direct result of an IS[, and it] is caused directly by a Network Security Incident to the Service Provider’s Computer System but only if such Network Security Incident would have been covered under the Policy had the Service Provider been entitled to insurance in accordance with the terms, conditions and other provisions of the Policy.”
This is a very complicated provision. The place to begin is with the word “dependent.” The point is that this form of BI must be triggered by an injury to something upon which the Company depends, and that–if anything–will be the Service Provider. The surface idea of a Service Provider is easy enough to understand, though it must be understood that it is a separate company, a vendor, and there is a formal contract with the Company. Its computer system is simply a Computer System that somehow and/or to some extent belongs to it, as the term is defined in the policy. It is the Service Provider’s Computer System that must be subjected to a Network Security Incident.
That is a defined term in the policy. It, very roughly, means that some sort of affliction is directly imposed upon the Service Provider’s Computer System, such as improper use of it and/or the introduction of a Malicious Code, that directly results in specified injuries/damages to the Company’s Computer System so that it is subject to IS or a “corruption or deletion” of Digital Assets. However, under the definition of DBI there is a necessary condition: the Service Provider must be such that the Network Incident “would have been covered under [this] Policy had the Service Provider been entitled to insurance in accordance with the terms, conditions and other provision of the Policy.”
One thing this means is that the insurance of the Service Provider must be equivalent to the Company’s policy in terms of strength and scope for the Company to have coverage. If the Service Provider has weaker or no coverage, the Company will have no coverage for DBI. Something it might mean is that the Company’s Digital Assets have been “corrupted.” Unfortunately, that is not a defined term, although the term is commonly used in cyber-circles.
So far as exclusions are concerned, there do not appear to be any that apply uniquely to this insuring agreement, and if so there are none that are prepared for it. Plenty of exclusions that are to be found in so-called “real world” policies apply to it and to the rest of this policy, and lots of new-fangled exclusions for the “virtual world” also apply to it. Still, there is nothing further that needs to be said about this exclusionary matter just now.
Mistakes always involve being wrong in some way. This proposition may be an analytic truth or even a tautology. A mistake is not always a bad thing. A mistake is often a better learning tool than getting something right. Some mistakes, properly appreciated, are very educational. (It is hard to see how this idea “works” in representing a client. The usual route of always explaining everything to the client will probably not work here. Indeed, the idea involves an obvious paradox.) ~Michael Sean Quinn, PhD, JD, CPCU, Etc.