Business interruption and disaster recovery in the post-covid era

7 Dec 2023Business

Alastair Murray outlines the importance of robust business interruption plans

Many insurers came under the spotlight when the covid-19 pandemic struck, owing to their refusal to make payouts on claims made. This indicated how a surprising number of insurers were interpreting claims for business interruption, continuity and disaster recovery plans. Some firms already had a business interruption plan (BIP), yet for others the pandemic brought into sharp focus the need for business interruption and disaster recovery plans. The Financial Conduct Authority (FCA) is still considering some of these cases.

The aftermath of covid-19
More than three years later, firms have taken out business interruption policies as well disaster recovery policies. The insurers may have learned their lesson but have applied far more clauses to their underwriting terms. Time will tell how these policyholders will fare when the insurers apply these.

Often, management will commit sufficient resources to deliver business interruption plans for their clients. Indeed, the goal of any firm is to minimise risk, however slight, and ensure uninterrupted service. This should include the consequences of unexpected interruptions to normal business services as well as any reputational damage to the firm.

The ultimate goal is to not have any incidents and stay within the rules of the firm’s business interruption and disaster recovery plan. Yet in the event of being unable to fulfil these, firms can take steps to ease the inconvenience. And as a reassurance to their clients, a firm can project-manage the issue to bring some normality to the table and restore client confidence.

Areas of risk include web server failure, denial of services (DDOS) attack, theft in the firm’s offices, criminal damage to offices, cyber-attacks, employees who leave, flooding, nightly system back-ups, spam and virus filters.

Web Server failure
A firm’s core services might be its website and the servers they run on. These services will be managed on various platforms, depending on the provider. And to implement this, a firm will need server hardware, server software, rack space, power management, monitoring, and maintenance.

Most of today’s servers are on Cloud-based systems where the integrity of each of these can be managed by the cloud provider. These web servers will enjoy powerful alert systems that identify servers that have failed or are going to fail. Most business interruption policies will provide cover for this.

DDOS attack
DDOS and similar alerts are where a server is attacked by a distributed denial of service attack. This is where a bot or robot attack a quote and buy shop or online store. They can equally just cause havoc on the servers.

This is a type of cyber-attack that uses automated scripts to disrupt a site, steal data, make fraudulent purchases, or perform other malicious actions. DDOS attacks are widespread and constantly bombarding critical and not so critical servers. Most business interruption policies will provide cover for this.

Office theft
Businesses, large and small, can suffer from theft and damage to property even from the stationery cupboard. Fortunately, there are more digitally based systems to protect against this kind of theft and damage, whether simple stationery, system controls or IT. Phishing attacks can be included in this type of crime, where employees are lured into handing over passwords and other vital credentials. Some business interruption policies will insure against this type of break-in.

Criminal damage
This includes cyber-attacks, doors, exits, windows, cabinets and desks. In the event of a cyber attack all software and hardware should be reviewed and examined for possible data breaches, malware or some other nasty file downloaded onto the server.

This should also include regular and or automatic of operating system updates and patches, routine mobile phone updates, and external drives including USBs to check for any possible corrupt data. Where appropriate further investigations may be necessary for which a cyber insurance policy would come in handy as they normally have a 24/7 helpline to call if the firm suspects they have had a break-in. Business interruption policies do not tend to cover these sorts of risks; a cyber insurance policy would though.

Employees leaving
When an employee leaves a firm, it is quite typical for their passwords and other user login credentials to be deleted before they leave. Username and password logins belonging to an employee who is leaving should be deleted.

Some firms will already have such a policy in place in their Terms of Contract where the employee must hand in their ID tags, usernames, passwords, and any other credentials belonging to them.

This would not warrant a business interruption policy.

Flooding
Flooding events do trigger business interruption claims. Flood damages can often be minor, but given cases of flooding across the country recently, claims are likely to be severe if electrics, desktop computers and other electrical devices are damaged.

However, provided the firm has backed up its data, which is most likely to be on a cloud server, a business interruption policy would cover the claim.

System back-ups
Backing up the firm’s data is a no-brainer, with some firms creating multiple back-ups to thoroughly protect it from harm. It is worth pointing out that some cloud servers leave it to the service providers to back-up the client’s data, so it is worth checking this in case with your cloud service provider is not doing this for you.

At the moment, most do provide this, but it is still worth checking. Otherwise any business interruption policy will not cover your claim.

Spam and Virus filters
Spam and virus filters are also a must have service. Spam or junk files can be annoying and clog-up everything, so it is worth deleting these regularly by running monthly delete functions or some sort of routine purge of the files.

There are several brand name virus filters that will delete most types of malware to keep systems safe, whether you have a hundreds of servers or just one single PC, you should apply virus protection. A business interruption policy would not apply to this form of risk.

Firms have become increasingly aware of the costs of not having some sort of business interruption policy and or disaster recovery plan. Planning for business interruptions should definitely be on management’s to-do list.

Alastair Murray is director at The Bureau

Legal News desk contact: editorial@solicitorsjournal.com

Some firms will already have such a policy in place in their Terms of Contract where the employee must hand in their ID tags, usernames, passwords, and any other credentials belonging to them.

This would not warrant a business interruption policy.

However, provided the firm has backed up its data, which is most likely to be on a cloud server, a business interruption policy would cover the claim.

At the moment, most do provide this, but it is still worth checking. Otherwise any business interruption policy will not cover your claim.

Alastair Murray is director at The Bureau

Hantavirus outbreak claims hinge on causation and jurisdiction

Serious ship incidents trigger complex claims where law, evidence, forum and causation determine outcomes

Advertising ruling supports Chris Packham's claim

Advertising Standards Authority rules meat and dairy ads mislead on environmental impact, marking regulatory change

Legal profession under increasing pressure

Solicitors in England and Wales face escalating complexities affecting their wellbeing, underscored by rising demand for support

Ismailov v Secretary of State: High Court upholds sanctions designation based on family association with Usmanov

The Administrative Court dismisses all seven grounds of challenge to Russia sanctions maintained against the nephew of oligarch Alisher Usmanov.

Lodhia v Twelve Trees: High Court orders costs against claimant who discontinued defamation claim amid document authenticity concerns

A leaseholder who sued his estate's management company for defamation has been ordered to pay substantial costs after discontinuing his claim, with the court also...

Legal professionals wary of firm reputation

New research reveals that a significant number of legal professionals are hesitant to apply for roles due to concerns about a law firm's reputation

Dacorum Borough Council v Persons Unknown: High Court upholds Green Belt injunction against Gypsy and Traveller site

High Court continues interim planning injunction after finding occupants moved onto land in flagrant breach of an existing court order.

BEA v Staffordshire County Council: High Court declines to rule on foster placement time limits as claim turns academic

A judicial review challenging the legality of a child's placement with a relative beyond the statutory 16-week limit has been dismissed after the placement ended...

AI and copyright law face uncertain future

Government retreat on AI copyright rules leaves unresolved tensions between innovation, licensing markets, and creative industry protection

Acer and Asus secure key win over Nokia as Court of Appeal strips disputed licence term

Nokia's cross-licence arbitration condition ruled incompatible with RAND obligations in consequential judgement following landmark codec SEP appeal.

Siem v Womble Bond Dickinson: High Court dismisses £50m negligence claim over failed Hyde Park Gate redevelopment

WBD cleared of professional negligence following a three-week trial in the Chancery Division.

Car Sales Solutions v Riekstins: EAT overturns reconsideration refusal over procedural failings

Employment tribunal failed to apply mandatory reconsideration framework, Appeal Tribunal rules.

New UK bill could weaken economic crime fight

The Law Society warns that proposed changes to anti-money laundering regulations threaten effective oversight and increase costs for law firms

SJ Interview: Keith Froud

Keith Froud, Global Co-CEO and International Chief Executive of Eversheds Sutherland, has spent over three decades in corporate M&A before moving into global leadership. In...