Is your cyber business interruption coverage what you think it is? Many insureds assume cyber business interruption claims work like property claims—but key differences could lead to unexpected coverage gaps. Do you know what documentation is required? How your waiting period is applied? Find out how to avoid common pitfalls in our latest article.

One of the most significant sources of dispute between policyholders and their insurance carriers is a simple misunderstanding about the intent of business interruption coverage. At the time of a loss, some insureds expect everything to be paid. They may assume coverage extends to their gross sales. However, coverage is primarily adjusted on a loss of net or gross profit basis.¹ Insureds can also become frustrated by the documentation required for proof of loss. This can result in many back-and-forth communications between the parties, which slows down claim processing. Large, complex claims can already take longer to unravel, so retail insurance agents and brokers must set clear expectations around the claims process.

Insureds may also assume that a cyber business interruption claim is no different than a property business interruption claim. However, cyber business interruption coverage is significantly different. It’s vital for producers and their clients to clearly understand the coverage terms and conditions as well as the claims process. Clients may also be frustrated by what can feel like ever-changing rules regarding the data carriers require in the proof of loss. In reality, client-provided data is often received very differently by adjusters than the data provided by forensic accountants, which typically carries more validity. If included in the policy, engaging with a forensic accountant immediately and utilizing policy sublimits for such expenses can help expedite the claims process.

COVERAGE DIFFERENCES ABOUND

There are many significant differences in the business interruption coverage offered among carriers. A close look at the policies reveals a somewhat chaotic coverage environment that can confuse insureds. Only the savviest cyber brokers will likely appreciate this and direct their clients to consider the broadest possible coverage. However, helping potential buyers consider these distinctions can be challenging, making it easy to overlook when purchasing decisions are made.

No coverage forms are precisely the same. The most easily recognizable differences are the waiting period, application of policy limits, and the periods of restoration or indemnity. Waiting periods are intended to keep minor events from triggering a claim and can vary from zero to a few hours or even several days. However, how an insurer applies a waiting period can vary significantly. Some insurers refuse liability for any loss until the expiration of any stipulated waiting period, and any loss occurring during the waiting period is uninsured. Carriers may also apply a retention before paying the loss. Others state that if a computer disruption exceeds the waiting period, coverage will take effect back to the start of the disruption, and a retention will apply. Unfortunately, these coverage distinctions are often not recognized until a loss occurs.

SELECTING LIMITS IS A CHALLENGE

Most policies offer business interruption coverage at a full limit within the aggregate policy limit, but sublimits are also common. This is particularly true when dependent business interruption or reputational harm coverage is included. Agents and their clients should engage in coverage limit discussions before incepting coverage on a per-insuring agreement basis rather than an aggregated policy limit. This is particularly crucial when discussing business interruption as it allows for a full review of various business interruption scenarios. Estimating the potential timeframe from computer disruption to restoration, including the potential loss of profit and extra expense, also ensures that adequate limits can be considered. In general, income losses will only be paid from the time of a computer disruption until the computer systems are restored to their pre-disruption level. However, this coverage will not extend beyond the policy’s period of restoration or indemnity, which is typically defined as 60, 180, or even 360 days after the computer system shutdown.

Some policies recognize that operations may not be fully restored after computer networks are fully functional again. These may extend coverage up to 30 or 60 days or even throughout the entire period of restoration or indemnity after the computer system has been restored to allow operations to be restored as well. Restoration of a computer network does not always mean cessation of the loss of net profits. An insured suffering from a computer outage could lose salespeople. A loss of manufacturing output during an outage can take time to rebuild sales inventory. Exclusions applicable to this coverage should not be overlooked as they may exclude the loss of market share or other consequential loss.

DEFINITIONS MATTER

Cyber policies can cover business interruption losses caused by security breaches, system failures, or both. However, there is currently no standardized wording for this coverage across the industry. The potential for client frustration is also found in dependent business interruption security and systems failure coverage. Many policies include IT vendors, but based on their definition, entities such as managed services providers or cloud providers might be omitted or expressly excluded. Some include non-IT vendors in policies or by endorsement. These can also be known as business process outsourcers, who provide services such as logistical support and fulfillment services. Some of the broadest cyber coverage available includes protection for supply chain partners. This can apply either to specific partners listed by endorsement or more broadly to any provider of goods or services under a written contract. The requirement for a written contract is most notable. Nearly every carrier requires a written contract for coverage to apply in cases of dependent business interruption or system failure. During the Change Health Care data breach, many healthcare clients filing business interruption claims were frustrated to receive reservation of rights letters or outright denials from carriers due to not having a written contract with Change Health. Reviewing the definition of a dependent business with a client is prudent to determine if all contracted outsourced vendors will fall under the policy definition. If not, alternative wording can be explored.

Reputational harm, a subset of business interruption, is triggered primarily by a notification or adverse media report involving a cyber event. In its broadest application, the coverage replaces the loss of current or future customers or even projected net profit solely caused by damage to the insured’s reputation. However, the definition of income loss varies widely in the marketplace. Because the coverage can overlap with business interruption caused by a computer disruption, some carriers void any reputational harm loss if the business interruption coverage is also triggered. It is a complicated coverage to adjust and can cause friction as it is difficult to calculate the loss of future profits or customers from an adverse report. Furthermore, most insurers limit the indemnity period to 180 days, even though reputational loss can quickly reach a year or more.

BOTTOM LINE

Cyber policies are complicated and multi-faceted, containing first-party, third-party, crime, regulatory, and media coverage. By far, the business interruption component is the most challenging component to convey accurately to clients due to the complexities and variances in the coverage. Claims can be difficult to adjust as proof of loss is required, generally within a restricted timeframe, and typically requires the assistance of a forensic accountant. The introduction of an outside third party to the claims process can be fraught with potential complications outside of the agent or carrier’s control.

Agents and brokers should proactively set expectations with clients regarding the scope of the coverage, how it is triggered, its limitations, time constraints, and how claims are best adjusted. Cyber coverage is widely available in the market, but understanding the distinctions between carriers requires time and a thorough review of the coverage forms. Retail insurance agents need cyber specialists to navigate the complexity of policy forms. Partnering with a knowledgeable wholesale broker can assist agents in finding the right policy for complex coverage issues like cyber business interruption and reputational harm. Reach out to your CRC producer today for assistance placing your cyber risks.

CONTRIBUTORS

• Paul Burge and Tyler O’Connor are Brokers with CRC’s Birmingham, AL office where they specialize in Cyber, Healthcare,and Management Liability.
• Ari Shapiro is a Claims Advocate working on behalf of CRC’s retail agency partners and brokers to resolve coverage orclaim issues.

END NOTES

1. Cyber Disruptions Remain Top Business Risk Concern in US, Globally, Cybersecurity Dive, January 15, 2025. https://www.cybersecuritydive.com/news/cyber-business-risk-us-globally/737447/
2. Cyber Business Interruption: What has changed since 2018? IUA Cyber Underwriting Group Report in association with Baker Tilly, 2025. https://iua.co.uk