Business interruption and disaster recovery in the post-covid era
Alastair Murray outlines the importance of robust business interruption plans
Many insurers came under the spotlight when the covid-19 pandemic struck, owing to their refusal to make payouts on claims made. This indicated how a surprising number of insurers were interpreting claims for business interruption, continuity and disaster recovery plans. Some firms already had a business interruption plan (BIP), yet for others the pandemic brought into sharp focus the need for business interruption and disaster recovery plans. The Financial Conduct Authority (FCA) is still considering some of these cases.
The aftermath of covid-19
More than three years later, firms have taken out business interruption policies as well as disaster recovery policies. The insurers may have learned their lesson but have applied far more clauses to their underwriting terms. Time will tell how these policyholders will fare when the insurers apply these.
Often, management will commit sufficient resources to deliver business interruption plans for their clients. Indeed, the goal of any firm is to minimise risk, however slight, and ensure uninterrupted service. This should include the consequences of unexpected interruptions to normal business services as well as any reputational damage to the firm.
The ultimate goal is to not have any incidents and stay within the rules of the firm’s business interruption and disaster recovery plan. Yet in the event of being unable to fulfil these, firms can take steps to ease the inconvenience. And as a reassurance to their clients, a firm can project-manage the issue to bring some normality to the table and restore client confidence.
Areas of risk include web server failure, distributed denial of service (DDoS) attacks, theft in the firm’s offices, criminal damage to offices, cyber-attacks, employees who leave, flooding, nightly system back-ups, spam and virus filters.
Web Server failure
A firm’s core services might be its website and the servers they run on. These services will be managed on various platforms, depending on the provider. And to implement this, a firm will need server hardware, server software, rack space, power management, monitoring, and maintenance.
Most of today’s servers are on Cloud-based systems where the integrity of each of these can be managed by the cloud provider. These web servers will enjoy powerful alert systems that identify servers that have failed or are going to fail. Most business interruption policies will provide cover for this.
DDoS and similar alerts are where a server is attacked by a distributed denial of service attack. This is where a bot, or robot, attacks a quote-and-buy shop or online store. Such attacks can equally just cause havoc on the servers.
This is a type of cyber-attack that uses automated scripts to disrupt a site, steal data, make fraudulent purchases, or perform other malicious actions. DDoS attacks are widespread and constantly bombard critical and not-so-critical servers. Most business interruption policies will provide cover for this.
Businesses, large and small, can suffer from theft and damage to property even from the stationery cupboard. Fortunately, there are more digitally based systems to protect against this kind of theft and damage, whether simple stationery, system controls or IT. Phishing attacks can be included in this type of crime, where employees are lured into handing over passwords and other vital credentials. Some business interruption policies will insure against this type of break-in.
This includes cyber-attacks, doors, exits, windows, cabinets and desks. In the event of a cyber-attack, all software and hardware should be reviewed and examined for possible data breaches, malware or some other nasty file downloaded onto the server.
This should also include regular and/or automatic operating system updates and patches, routine mobile phone updates, and checks of external drives, including USBs, for any possible corrupt data. Where appropriate, further investigations may be necessary, for which a cyber insurance policy would come in handy, as these normally have a 24/7 helpline to call if the firm suspects it has had a break-in. Business interruption policies do not tend to cover these sorts of risks; a cyber insurance policy would, though.
When an employee leaves a firm, it is quite typical for their passwords and other user login credentials to be deleted before they leave. Username and password logins belonging to an employee who is leaving should be deleted.
Some firms will already have such a policy in place in their Terms of Contract where the employee must hand in their ID tags, usernames, passwords, and any other credentials belonging to them.
This would not warrant a business interruption policy.
Flooding events do trigger business interruption claims. Flood damages can often be minor, but given cases of flooding across the country recently, claims are likely to be severe if electrics, desktop computers and other electrical devices are damaged.
However, provided the firm has backed up its data, which is most likely to be on a cloud server, a business interruption policy would cover the claim.
Backing up the firm’s data is a no-brainer, with some firms creating multiple back-ups to thoroughly protect it from harm. It is worth pointing out that some cloud servers leave it to the service providers to back up the client’s data, so it is worth checking this with your cloud service provider in case it is not doing this for you.
At the moment, most do provide this, but it is still worth checking. Otherwise any business interruption policy will not cover your claim.
Spam and Virus filters
Spam and virus filters are also a must-have service. Spam or junk files can be annoying and clog up everything, so it is worth deleting these regularly by running monthly delete functions or some sort of routine purge of the files.
There are several brand-name virus filters that will delete most types of malware to keep systems safe. Whether you have hundreds of servers or just one single PC, you should apply virus protection. A business interruption policy would not apply to this form of risk.
Firms have become increasingly aware of the costs of not having some sort of business interruption policy and/or disaster recovery plan. Planning for business interruptions should definitely be on management’s to-do list.
Alastair Murray is director at The Bureau