Business Interruption Claims in Cyber Insurance: Policy Wordings, Misinterpretations, and Best Practices

By: Monica Tigleanu, Howard Panensky, Esq., Harriet Bateman, and Christa Johnson

Introduction

Business interruption (BI) coverage in cyber insurance plays a crucial role in protecting companies against financial losses resulting from cyber incidents. With increasing reliance on digital infrastructure and technology, a cyber event—such as a ransomware attack or a system failure—can severely disrupt business operations. However, policyholders often misinterpret what their policies cover, leading to disputes over claims. This paper examines the complexities of BI claims in cyber insurance, focusing on policy wordings, common misconceptions, and challenges in claims interpretation. It also outlines best practices for both insurers and policyholders to ensure more effective risk management and claim resolution.

Understanding Business Interruption Coverage in Cyber Insurance

Business interruption coverage under a cyber insurance policy is designed to compensate companies for profit or net income lost due to a cyber event that impairs operations. Most policyholders expect coverage for revenue loss, reimbursement for ongoing expenses, and payment for extra costs incurred to resume operations. However, the reality is more nuanced: the scope of coverage depends heavily on the wording of the particular policy negotiated, in which separate insuring agreements cover different parts of a business interruption loss.

A typical BI insuring agreement covers loss of profit directly arising out of system disruptions, and additional expenses incurred to mitigate such loss of profit, during a defined indemnity period, also known as the period of restoration, during which losses can be claimed. The period of restoration is particularly important, as it determines the maximum duration for which losses are covered. If this period is too short, businesses may find themselves without financial support before they have fully recovered. Some policies have a limited period of restoration, while others allow an unlimited period to account for lingering financial impacts, using terminology such as ‘normal business operations are restored’. The longer period is intended to factor in prolonged customer loss or operational delays. Understanding these provisions is essential to ensuring that businesses have adequate protection in place for their specific type of operations.

Key Challenges in BI Claims for Cyber Events

Misconceptions in Policy Interpretation

One of the most common misconceptions in cyber BI claims involves payroll costs. Many policyholders assume that payroll expenses are automatically covered as part of business interruption losses. However, payroll is often considered a fixed cost, meaning that unless there is a measurable impact on salary expenses due to the cyber event, these costs may not be reimbursed. Including payroll as a standalone claim could lead to over-indemnification, which contradicts the principle and public policy of insurance coverage.

Another major misunderstanding involves proximate cause and the extent to which coverage applies to losses arising directly or indirectly from cybersecurity or system failures of specific systems. Some policyholders expect compensation for cascading effects caused by a cyber event, including losses from adjacent but unaffected systems. However, BI policies typically cover revenue loss associated only with systems directly impacted by the cyber event, not secondary or indirect consequences.

Cyber insurance policies use two primary methods to calculate lost profit: the gross profit approach ("top-down") and the net profit plus fixed costs approach ("bottom-up"). While both methods aim to determine the same financial loss, policyholders may struggle to understand which method applies to their situation. Misinterpretation can lead to disputes over the true financial impact of a cyber event.

Trend considerations also play a significant role in determining revenue loss. Standard turnover calculations use past performance to estimate expected revenue during the indemnity period. However, factors such as seasonal sales trends or one-time promotional events (e.g., Black Friday for retailers) must be accounted for to avoid inflating or underestimating losses. Without a proper assessment of expected revenue, claims may be either undervalued or disputed. Most policies provide for at least a small sublimit to support covering the costs of a professional to prepare the claim details.

Waiting periods and deductibles further add complexity to cyber BI claims. Many policies impose a waiting period, typically between 8 and 12 hours, during which no losses are covered, while others only use the waiting period as a qualifying or triggering event. The former can lead to unexpected gaps in coverage, particularly for businesses that operate on a continuous basis. Additionally, physical losses, such as spoiled inventory or equipment damage resulting from a cyber event, are often excluded, requiring policyholders to seek, and some carriers to create, alternative coverage solutions. Some insurers have begun to include franchise deductibles, which apply only if losses exceed a specified threshold, ensuring that significant financial impacts are properly addressed.

Practical Considerations in BI Claims

Forensic Accounting

The role of forensic accountants in cyber BI claims is vital, as they assess financial results and loss calculations to determine the true impact and cause of a cyber event. Traditionally, both the insured and insurer engage separate forensic accountants to analyze claims, leading to potential discrepancies and a “battle of the accountants”. An alternative, more streamlined approach involves a single joint expert agreed upon by both parties to ensure consistency and transparency in claim evaluations. It is important to note that forensic accountants spend a considerable amount of time assessing increased costs of working, ensuring that only necessary and reasonable expenses are reimbursed under the policy, or that these expenses meet the economic test of being necessary to minimize the amount of income lost.

Large Loss Considerations & Excess Layers of Coverage

In cases of large-scale cyber incidents, excess insurers may challenge the conclusions drawn by primary insurers. The traditional approach involves excess insurers conducting independent reviews, sometimes leading to prolonged disputes. Alternatively, a "follow form" approach, where excess insurers align with the primary insurer’s conclusions, can facilitate a smoother claims process, provided both parties agree on this method in advance. Large losses often require detailed assessments of uninsured expenses, ensuring that costs excluded from BI policies (such as capital investments or reputational damage) do not lead to over- or under-compensation. In the Lloyd's of London insurance marketplace, syndicated cyber insurance programs can more easily be assessed, negotiated and recovered by clients, since there is one lead insurer for a large sum insured, and the claim professionals of each market agree, via the mechanics of the Lloyd's market, to have one expert representing them [the excess markets] and to defer to the lead insurer in agreeing to pay claims which are not extraordinary.

Best Practices

To mitigate claim disputes, underwriters should evaluate the proposed insured’s operational dependencies and workaround plans, such as manually operating their businesses. Factors such as the company’s reliance on automated processes, minimum viable business requirements, inventory, and the estimated duration of downtime should all be assessed. Being pragmatic about how realistic it would be to manually conduct business operations after a cyber event is also critical to assessing the impact of a potential BI loss, since most organizations overestimate the amount of time and cost of additional labor.

Policyholders should also perform due diligence before purchasing BI coverage. Working with forensic accountants to develop business interruption worksheets, testing restoration timeframes with internal subject matter experts, mapping dependencies between IT or OT and revenue generation, and understanding trend-adjusted revenue loss calculations can help policyholders align their expectations with policy limitations. Organizations can also include the treasurer or Chief Financial Officer in their internal due diligence.

Additionally, pre-incident modelling such as cyber risk quantification of various cyber events can help businesses identify potential gaps in coverage and negotiate appropriate policy terms before a claim arises. Businesses should also evaluate whether their loss of opportunity is covered, as some cyber policies exclude revenues lost from potential sales that never materialized due to the event.

New Frontier

The complexities of cyber business interruption claims highlight the need for clearer policy wordings and better alignment between policyholder expectations and actual coverage.

Misinterpretations regarding payroll costs, indemnity periods, and indirect losses often lead to claim disputes or a drawn-out and messy process that leaves insureds and policyholders feeling down about the insurance products and their value. By incorporating forensic accounting best practices, such as agreeing a short list of forensic accountants to be utilized by all insurers, and by improving preplacement risk assessments to include business interruption worksheets, the cyber insurance industry could drastically improve client experience. The insurance procurement process, including underwriting, needs to be changed in order to determine more appropriate sums insured and therefore exposure information for policyholders’ cyber risk.

Insurers and insureds can work toward a more effective and transparent claims process by conducting BI impact analyses and ensuring that coverage terms, including their limit of insurance, accurately reflect their operational realities. It is through proactive collaboration between policyholders, underwriters, brokers and forensic experts that we can ensure businesses receive the coverage they need in the event of a cyber-related business interruption.

The alternative would be for Cyber BI loss to be insured differently. Is it time for the cyber insurance community to think big in this regard? Is it time for a new horizon?
