Understanding Contingent Business Interruption in Cyber Insurance

Cyber risk takes many forms and often strikes without warning. Business interruptions caused by third parties, such as a cyber attack on an IT service provider, can cause significant losses. Given the prevalence of using third-party IT providers and the technology dependence of modern businesses, an attack on a single software can have a reaching impact on numerous businesses.

Organizations must protect themselves from business interruptions that could be sudden and sweeping, and contingent business interruption insurance is a crucial part of this.

What is Contingent Business Interruption?

Contingent business interruption (CBI) insurance, sometimes referred to as “Dependent Business Interruption insurance” is a type of coverage that compensates a business for financial losses resulting from disruptions in the operations of its suppliers, customers, or other key third-party entities. It covers lost income and additional expenses that result from business interruptions and suspension.

While standard business interruption insurance typically covers losses caused by disruptions to the insured’s business, CBI extends coverage to the indirect consequences of disruptions to external parties.

If an organization’s software or IT services go down for any reason, it can become difficult or impossible to conduct business or collect revenue. Cyber liability insurance that includes CBI coverage helps policyholders recover from the financial damage resulting from these types of IT service provider disruptions and outages.

How CBI Differs From Traditional Business Interruption Insurance

The difference between CBI and traditional business interruption insurance comes down to the presence of a third party. 

Traditional business interruption insurance covers unforeseen circumstances that directly affect a business and suspend or scale back operations. Here’s an example: A manufacturing plant relies on computer systems to take orders and manage production, but an attacker launches a denial-of-service (DoS) attack that halts operations. This causes the manufacturer to shut down without the ability to generate revenue for two weeks while they restore the attacked systems.

Contingent business interruption insurance covers losses that specifically result from third-party outages or interruptions. This type of insurance would not cover the above examples since the damages didn’t involve a third party. Likewise, traditional business interruption insurance would not cover losses to customers from a third-party IT outage since the damage occurred downstream from the incident.

Examples of What Contingent Business Interruption Covers

CBI policies cover a variety of incidents affecting suppliers, partners, or key customers. The most common example is cyber attacks on vendors.

Today’s tech-driven companies grind to a halt when IT service providers can’t keep their products and services online. IT outages could be caused by a cyber attack on the vendor, but mismanagement and human errors are also common culprits.

The now-infamous Kaseya cyber attack is a chilling example of a sudden attack that caused significant and widespread business interruption. 

After attackers infiltrated the technology management software developed by IT provider Kaseya, they were able to launch successful cyber attacks against the businesses using it. One of the victims was a Swedish supermarket chain that shuttered 800 stores for almost a week while trying to get its IT systems back online. The business suffered a significant loss in revenue from the store closures and also had to pay heavily to have its systems restored.

Why CBI Coverage is Essential for Today’s Businesses

In an increasingly interdependent marketplace, CBI coverage insulates businesses from interruption caused by issues with third-party vendors, suppliers, and technology providers.

Between 2020-2022, 20% of all organizations and 80% of all data center managers reported suffering a “serious” outage resulting in significant losses. Growing even faster than outages are the financial consequences: The percentage of outages that resulted in $100,000 or more in losses rose from 39% in 2019 to more than 60% in 2022, while outages costing $1 million or more rose from 11% to 15%. 

IT service outages are clearly a risk companies need to manage. That becomes complicated by the fact that third parties cause 70% of all downtime, which means companies have very limited ability to predict or control outages that may affect them.

Contingent business interruption cyber insurance helps businesses manage this risk and prepare for the unexpected. With no way to predict when interruptions will happen, how long they will last, or how much they will cost, insurance is the only contingency. 

CBI coverage gives businesses the peace of mind so they can withstand any interruptions even if they can’t anticipate them.

Who Should Get CBI Coverage?

Every business depends on technology today, and often, multiple teams use various software and tools to get their jobs done. This is especially the case with SMBs as very few of them develop all the technology they use in-house. 

External IT providers build, secure, and manage the mission-critical software and services that keep many modern businesses running. Think of how many businesses you know depend on software like a CRM, email marketing services, cloud backups, mobile apps, and more. Any company using a third-party provider could potentially experience business interruptions because of IT outages. 

It’s prudent for most modern organizations to consider whether their risk management strategy and insurance portfolio includes CBI.

CBI Coverage Needs by Industry

The risk of IT outages may be nearly universal, but the amount of risk skews differently across industries. 

Industries like finance, consulting, healthcare, and accounting, for example, are more highly dependent on technology than others and therefore more susceptible to outages and interruptions. Industries like law, real estate, higher education, or construction face a slightly lower risk of IT outages. That said, risk exposure varies widely within industries and is something each company must determine individually.

Note that there are restrictions that apply to companies seeking CBI coverage in a subset of industries like cannabis, adult entertainment, payment processing, and even public K-12 education. These restrictions — and the reasons behind them — differ, and there may still be ways to obtain coverage, but the terms and number of policy options can be more limited. 

Selecting the Right CBI Insurance for Your Business

Shutting down a business because of an incident at a third-party tech provider would have been an unlikely risk 20 years ago. Now, it’s a grim reality that affects a large number of companies every year. Businesses ignore this risk at their own peril. 

At-Bay, the InsurSec provider for the digital age, offers CBI coverage as part of our comprehensive cyber insurance offerings. If you’re a business looking to secure coverage before an interruption happens, talk to your insurance broker about your coverage options today.

This document is intended for information purposes only and does not modify or invalidate any of the provisions, exclusions, terms, or conditions of the policy and endorsements. For specific terms and conditions, please refer to the coverage form. This information may not be used to modify any policy that might be issued, modify an existing policy, or imply that any claim is covered.