Business interruption (BI) insurance typically covers physical damage to a commercial space insured by a commercial property policy. However, business interruption and loss of income can also occur due to a cyberattack. Without physical damage to your commercial property, you most likely won’t be insured for a cyber-related business interruption.

For that, you’d need a specific cyber insurance policy for loss of income due to a data breach, a ransomware attack or another incident affecting your operating systems.

Why business interruption insurance isn’t enough

Most people are familiar with the typical exclusions in commercial property insurance. These include pandemics and any perils that require separate coverage, such as earthquakes, floods and mudslides. As an example, say a hurricane floods your business. If you don’t have flood insurance, your BI policy won’t cover any loss of income due to the flood.

Likewise, any BI insurance included with your cyber policy would likely not cover interruptions due to cyber issues originating outside your organization. These are known as “third-party” cyber interruptions.

For comprehensive protection against loss of income, you need contingent business interruption (CBI) coverage. You can add CBI insurance to your cyber policy. It safeguards your business if you’re forced offline or can’t access vital data because of a problem impacting one of your service providers. It’s also known as dependent business interruption coverage.

How does contingent business interruption work?

Many companies have suffered a “third-party” cyber interruption. When such an incident leads to a loss of income for you, CBI insurance can help close the financial gap. This coverage is intended to reimburse you for lost income and extra expenses that result if one of your service providers causes a total, partial or intermittent interruption of your computer systems. The third-party interruption can be due to a privacy breach, a security flaw or an administrative error.

Examples of third-party incidents that could lead to loss of income and trigger your CBI policy include:

  • A credit card company being unable to process your online payments due to a cyberattack
  • Your off-site web hosting platform being forced offline due to an equipment failure
  • A supplier’s data leak of your customers’ private information damaging your reputation and leading to account losses

As organizations move more data to the cloud, process more online transactions and increase their reliance on remote work, this type of cyber protection has become essential. Are you protected to the degree you should be?

Understand the details

Not all CBI policies are equal, so you’ll want to understand the specifics of the policy you’re considering. Before you choose a policy, find out what it does and doesn’t cover. Ask:

  • What qualifies as a trigger incident? Most CBI policies cover security failures. But some limit payment or exclude coverage for any internal system failures your third-party provider suffers.
  • Which services qualify? Most CBI policies outline the types of third-party vendors they cover, such as internet providers, cloud storage hosts and financial transaction companies. Some require a named list of those vendors.
  • How much time must pass before coverage begins? If your online systems handle many financial transactions each hour or day, losing your cyber capabilities could lead to a significant loss of income in a short period. You’ll want to make sure your coverage kicks in as soon as possible. The coverage clock on most CBI policies begins 12 hours or less after an incident. Some have a waiting period of only six hours.
  • How do losses accrue? Once you exceed the waiting period, you will be compensated for income losses either (a) from the start of the incident or (b) only from the end of the waiting period. These timing details are known as the policy’s “retention structure.”
  • What expenses are considered? A third-party cyberattack could lead to a direct loss of income and require overtime or other expenses to restore your business capabilities or reputation. Find out if these additional expenses are covered. Some policies restrict payment to a specific restoration period, while others allow additional restitution for a set recovery period. For example, this might be the time needed to clear your record and billing backlogs.

Reduce your exposure

As you shift more services to third-party vendors, your risks may not be as obvious. But that doesn’t mean they don’t exist. To reduce your exposure:

  • Develop a cybersecurity plan. If you don’t already have a comprehensive plan, ask your insurance broker for recommendations. You can also download free guides from the government and other specialist organizations.
  • Verify your third-party vendor cybersecurity plans. Confirm that your vendors have appropriate training, security procedures and recovery strategies. Make sure they also have a process for incident notification.
  • Consider adding CBI coverage. Know your greatest vulnerabilities and make sure your policy addresses them. For example, the Uptime Institute reports that power failures cause 52% of data center and IT outages worldwide. In contrast, only 8% of those outages were due to network or IT system malfunctions. Would your CBI policy cover just one type of interruption or both?

Cyber risks constantly evolve. Update your security and incident recovery plans and procedures annually. Require your vendors to do the same. Meet with your insurance broker to assess new risks and adjust your insurance as needed. They can help you mitigate your risks and protect your income.