A £3.4 million business interruption payout to Vertu Motors is highlighting how unevenly insurance responds when cyber disruption originates outside the insured’s own systems.
The loss, linked to disruption at Jaguar Land Rover, provides a rare test of contingent business interruption cover triggered by an upstream cyber event.
Joanna Grant (pictured left), managing partner at Fenchurch Law, said dependent or contingent business interruption cover is typically structured as an extension to cyber policies and is triggered when a supplier’s cyber event disrupts the insured’s operations.
“It is triggered when a critical supplier or service provider identified in the policy as a dependent business suffers a cyber event that in turn impacts on an insured’s own business operations even though they have not suffered a cyber attack or system failure or outage themselves.”
She said establishing causation depends on evidence and is not always straightforward.
“Causation will be a matter of evidence. In the case of JLR the cyber attack was widely reported and public knowledge. In other cases expert evidence may be required to demonstrate (i) that the dependent business had suffered the cyber event; and (ii) that that then in turn impacted on the insured’s business.”
She added that claims can fall short on structural elements within policies, including waiting periods and sub-limits, which must be carefully evidenced and aligned with potential losses.
The case highlights how inconsistent contingent business interruption protection remains. Ed Ventham (pictured left centre), director at Assured, said the issue has become more prominent following recent incidents.
“It definitely came to the limelight following the M&S and the Jaguar Land Rover incidents. Our own client book was affected by, so it’s definitely become front of mind.”
However, he said cover is not typically included as standard and the challenge for insurers lies in the lack of visibility across supply chains.
“Essentially the insurer is looking to provide cover to a supply chain of which they have almost no information on. Some of these businesses rely on hundreds of suppliers and if any one of them has an incident it could have a massive impact on the revenue or the profit of the business who is the insured.”
That lack of visibility also raises questions over how exposures are managed if disruption affects multiple businesses at the same time. He added that even where cover is included, its scope may be limited.
“But it’s a common claim because I feel like it’s a wide net of cover and I think, I think if a business just has a line item, contingent BI doesn’t necessarily mean that it’s covering them for the full supply chain because more often than not can be restricted.”
Brittany Baker (pictured right), head of solution consulting and ILS at CyberCube, said contingent business interruption cover for cyber events has not historically been standard and remains difficult to price.
“Historically, contingent BI cover for cyber events hasn't been standard. It was widely excluded in the hard market and is being reintroduced now the market's softening, though rarely priced explicitly for the exposure being taken on. Vertu's claim has given the market a solid number for an exposure that has so far largely gone unmeasured.”
She said the JLR incident provides one of the first clear examples of how losses can move through non-digital supply chains, an area not well captured by current models.
“This type of contingent loss isn't being modelled or priced today. Data on non-digital supplier dependencies is patchy at best, and there's almost no claims experience to benchmark against.”
Daniel Winn (pictured right centre), development broker at Jensten Group, said contingent business interruption cover remains limited, with only a small number of insurers offering it due to the difficulty in modelling potential losses across supply chains.
“I think it is still very rare. 1 or 2 insurers that are starting to offer this cover, but I think from a risk modelling and looking at there the loss can come from and how large the loss can be is a very unknown area.”
He said those that do offer the cover are typically selective, in some cases using it to differentiate their cyber propositions.
Client understanding also remains limited, with many businesses reliant on broker guidance and often unaware of the scope of cyber policies unless advised by a specialist.
“A cyber insurance policy today has the potential to look very different in 10 years time, especially if you look back at the previous 10 years,” said Winn.
The Vertu claim shows that contingent business interruption cover can respond to upstream cyber disruption, but also highlights how much of that exposure remains only partially understood, and how difficult it may be to manage if similar losses emerge across multiple insureds at once.
