How Cyber Insurance Covers Business Interruption Losses During a Cyberattack

What Is Business Interruption in Cyber Insurance?

So, what is CBI in the context of cybersecurity insurance? Curt Dukes, executive vice president and general manager of security best practices at the Center for Internet Security, notes that it’s basically “any impact on a company’s ability to conduct business.” 

Why? “Because almost every business function uses information technology, and that technology can come under cyberattack,” he says. “The cyberattacks we’ve seen over the past several years have come in the form of ransomware, denial of service and software errors.”

John Pironti, a risk and security adviser with ISACA and president of IP Architects, notes that business interruption insurance is typically a separate and distinct policy from a cyber insurance policy. 

“Business interruption insurance policies can typically be purchased with different time periods of interruption that come with different premiums,” he says. “It’s often based on the type of business and potential business impacts of the interruption.”  

In many cyber insurance policies, Pironti says, there are clauses similar to business interruption policies that suggest “claims can be made if the business is unable to operate as a direct result of a cyber-related attack or incident after a certain period of time has passed and remediation to an acceptable recovery point objective has not been able to be achieved.”  

Most important, Pironti notes, this is not intended to be a replacement for general business interruption insurance, which covers myriad other business-impacting scenarios.

LEARN MORE: How to counter the most common cybersecurity threats.

What Does Cyber Business Interruption Cover?  

Typically, a claim filed with the covering insurance company can include the following, according to Dukes: lost revenue, normal business expenses and direct expenses related to the interruption. Depending on the policy, he says, it could also cover third-party liability.

Cyber insurance business interruption can also cover the cost of labor, productivity loss and direct business impacts resulting from a confirmed cyber-related attack or incident, according to Pironti. 

These impacts can include everything from an inability to use time-sensitive raw materials to direct damages from an inability to provide time-sensitive services.

Click the banner below to explore our new publication BizTech: Small Business.

Documentation and Proof of Loss Requirements

In this context, documentation needs to show “a material and direct loss that extends past the minimum time period before a claim can be made according to the policy,” says Pironti. 

Additionally, documentation may include timesheets and labor cost calculations for individuals who were unable to perform their jobs but still needed to be paid by the organization during the period of the cyber incident, Pironti says. 

“This documentation needs to account for the recovery activities and often has a cascading effect during which, at the initial period, broad populations of the workforce may not be able to work, but as recovery efforts take place and systems are restored, the population size and associated costs should reduce,” he adds. 

Further, Pironti says, “any costs of perishable supplies, proof of fees being charged for not being able to provide services by customers or constituents, and any evidence of lost revenue-generation activities should be provided to support the claim.”

Typically, the business will employ cyber incident responders, often at the behest of the insurance provider, to investigate, contain and recover from the attack, Dukes says.  

Afterward, the incident responders will usually produce a report that documents the incident with system logs and forensic evidence.  

“Separately, the company must document lost revenue and extra expenses to contain and recover from the attack,” Dukes says. “Some incident response companies can provide both services, working closely with the affected company.”

Common Claims Challenges and Pitfalls 

Policy Complexity

First and foremost, Dukes says, a common pitfall for SMBs is that business and IT security leaders do not fully understand such policies and any exclusions contained therein.  

“Should the claim be denied and subsequently litigated, showing that the business implemented a cybersecurity program based on a well-established cybersecurity framework goes a long way toward demonstrating reasonable cybersecurity,” Dukes says.

Calculation of Lost Productivity and Labor Costs

According to Pironti, the biggest challenge he often sees when companies make a cyber-related business interruption claim is the calculation of lost productivity and labor costs. “These calculations are often scrutinized by claims adjusters and need very specific and independently verifiable evidence artifacts to support them,” he says. 

“For instance, if a worker can be partially effective or be reassigned to another work task that has not been interrupted, then a claim for their lost productivity is likely to be denied,” Pironti says. “In the claim material, there needs to be a clear identification of the worker’s job description, what systems and capabilities they need to complete their work activities, and how the cyber incident prevented them from being able to do their job function.”

Estimating Generalized-Loss Cost

Another challenge is providing cost estimations of the business impact resulting from the cyber incident that are not backed by documented and verifiable losses, Pironti says.  

“Claimants may try to estimate loss productivity through labor hour cost projections, but they need to show that payments were actually made to individuals and that they experienced a verifiable loss with specific currency values,” he says. 

Generalized loss cost and soft cost estimates are often disputed by insurance carriers and can require significant negotiation to come to an agreement, Pironti says, “which is typically much lower than the initial claim amount due to a lack of indisputable evidence of financial loss and damages as a result of the cyber incident.”

Calculating loss of sales and revenue because of the business interruption can also be challenging. As with other items, it is important to have factual and evidence-supported data to support the amount of the loss, Pironti says. 

How Long Does It Take to Settle a Cyber Business Interruption Claim?

Both Dukes and Pironti say that the time it takes to settle a cyber business interruption claim can vary widely, from as little as a few months to as long as several years. The length of settlement time ultimately depends on the size and scale of the claim and documentation offered, Dukes says. 

Often, the initial claim will be scrutinized and either reduced or rejected by the insurance carrier, Pironti says. “The claimant then needs to either provide more evidence to support the claim or appeal the rejection,” he says. “Both processes are time-consuming and often require the engagement of legal counsel to assist in the effort.”

Risk Mitigation for Business Interruption Losses From Cyberattacks

The easiest and simplest mitigation technique for companies is to demonstrate conformance to a well-established cybersecurity framework as part of the business’s cybersecurity program, according to Dukes. 

For example, using the CIS Critical Security Controls, starting with Implementation Group 1, can show that the business demonstrated reasonable cybersecurity based on the resources it had available. 

IG1 safeguards include typical requirements of insurance providers, such as multifactor authentication, patch management, secure configuration, awareness training and incident response.

Pironti says the best way to mitigate the possibility of business interruption loss is to have “effective and achievable business continuity plans in place.”  

WATCH: Check out the cybersecurity trends to watch in 2026.

These plans should account for cyberthreat scenarios as well as other business-impacting events, he says, and they should include “threat and vulnerability analysis activities that identify the likelihood and business impacts of cyber-related attacks so they can plan for them accordingly.”

Business continuity plans should also include “recovery time and recovery point objectives that define what business capabilities and supporting people, process, procedure, technology and other capabilities need to be in place at specific time periods to limit a cyber-related material business interruption from occurring,” Pironti adds. 

Business should engage in proactive planning and regularly test these plans, he says, noting that it’s not enough to just have a plan written down or annually do a high-level tabletop exercise on it.  

“Cyber incidents are becoming more business-impacting and causing more business interruptions as adversaries evolve and mature their tactics, techniques and procedures,” Pironti says. “Preparedness and testing must include the actual use of business continuity plans and supporting capabilities to identify where they are capable and where they need to be improved. As the adversary matures, so must a company’s business continuity plans and the people who execute them.”