What does cyber insurance business interruption *really* cover?

“The recent 365 outage is making people realize they need cyber insurance” was a recent LinkedIn post we saw. Unfortunately, the agent who posted it needs to read a few more policies, because very few if any 365 outages will fall under a valid business interruption claim. Let’s explore why that is.

One popular debate in cyber insurance is the amount of business interruption coverage needed. Is a lower limit versus the full policy okay? What about dependent business interruption? System failure?

First off, we’ll define business interruption (BI) coverage. At a basic level, this is lost income or profit during the impacted time. The base coverage in a cyber policy only covers getting your business back to 100%, not any income or profit lost during that period. That is where BI comes into play - now your cyber policy not only recovers your business, but “fills the gap” for lost income during that period.

BI is not a free meal ticket, though. Carriers commonly include restrictions, such as covering contracted business only and subtracting any expenses that were not needed due to the interruption.

An important component of BI is the waiting period. This simply means an initial period of time that must pass before the coverage kicks in. This protects the carrier from paying claims for very short-term events. A recent example was a Microsoft 365 outage that lasted a few hours. The vast majority of cyber insurance policies would not pay out BI coverage because of the waiting period. A typical waiting period for BI coverage is 8 to 12 hours, but some policies can go shorter (almost never below 4 hours) while others can be 24, 48, or even 72 hours.

How much does BI coverage cost?

BI is one of the more expensive components of a claim, so better coverage can result in a higher premium (policy price).

There are some differences in BI coverage between policies:

  • Some policies will allow you to submit a calculation of total costs, subject to the approval of the claims team.

  • Others will require a third-party forensic accountant to calculate the total.

  • Some policies will make partial/interim payments while the final BI amount is calculated.

  • Extra expenses might be covered to help minimize the interruption.

What about contingent / dependent business interruption (DBI)?

One gotcha on base BI coverage is that it typically covers only the systems inside the company. But with the rapid rise of the cloud, most businesses are running on third-party systems. This is where DBI comes into play. One famous example was a ransomware attack on one of the biggest car dealership software platforms, and all the damage that resulted. DBI is frequently limited compared to the full policy amount, but many carriers have full limit DBI available. For many small businesses that operate primarily out of the cloud, DBI is more important than the base BI coverage.

What if a bad update causes the interruption?

Not many people in the insurance industry considered this until the summer of 2024. One of the biggest cybersecurity companies in the world pushed a bad update and disrupted thousands of companies. Most cyber policies at the time required a malicious act to trigger a claim, or it was unclear if this was covered. After that, “system failure” coverage entered the mainstream. This is another coverage that provides BI/DBI coverage in the event of a mistake, rather than only covering malicious attacks. On many policies you will see system failure broken out as a separate coverage, meaning the ideal policy has 4 distinct BI coverages:

  • Business Interruption

  • Business Interruption - System Failure

  • Dependent Business Interruption

  • Dependent Business Interruption - System Failure

Final Takeaways

In today’s insurance market, most SMBs should be able to get a cyber policy for a reasonable price that:

  • Offers all 4 BI coverages

  • Has no reduced sublimits for any of the coverages
