The Growing Importance of Contingent Business Interruption Coverage in Cyber Insurance
A series of significant cyber attacks on third-party software vendors last year has prompted organizations to reevaluate their contingent business interruption (CBI) coverage. According to cyber insurance specialists, businesses are increasingly vulnerable to disruptions caused by third-party outages, as exemplified by the Change Healthcare breach and the CDK Global attack in 2024.
The Change Healthcare outage in February 2024 affected over 100 million people in the US, crippled healthcare operations, and resulted in financial damages exceeding $4 billion. Similarly, the ransomware attack on CDK Global in June 2024 impacted nearly 15,000 car dealerships across North America. Lauren Upshur, a professional lines broker at Jencap Group’s cyber team, noted that these incidents have made it more challenging for certain industries to obtain cyber coverage.
“When a cyber attack disrupts these shared systems, it creates a domino effect, causing widespread operational challenges and significant revenue losses,” Upshur explained. Businesses that are concentrated on identical software, hold sensitive data that is attractive to attackers, and have complex technological dependencies are prime targets for cyber threat actors.
Understanding Business Interruption (BI) vs. Contingent Business Interruption (CBI) Coverage
Business interruption (BI) coverage compensates for financial losses directly resulting from a cyber incident affecting the policyholder’s operations. This includes lost profits, ongoing expenses, and other financial impacts during the recovery period. In contrast, contingent BI coverage extends this protection to financial losses stemming from cyber incidents affecting third-party entities upon which the policyholder depends, such as key suppliers or service providers.
“Consider a bike shop that processes payments through a third-party platform,” Upshur illustrated. “If that platform is hacked, rendering the bike shop unable to process payments during the incident’s investigation and resolution, it could lose substantial business, particularly since most payments are card-based.” CBI policies typically include a waiting period, often eight hours, before a claim can be made for lost revenue. Carriers usually calculate claims by comparing the business’s typical payments to the amount lost during the outage.
Key Considerations for Retail Agents and Insureds
While many insurers now include CBI coverage in their standard policy forms, brokers and clients must carefully review policy wording, waiting periods, sub-limits, and coverage applicability to both complete shutdowns and partial interruptions. Upshur warned that some carriers may only cover total shutdowns, not partial or intermittent disruptions, adding complexity to coverage decisions.
Clementine Nash, US cyber underwriter at CFC, noted that insurers are becoming more sophisticated in assessing third-party cyber risks. Traditional measures, such as due diligence on vendors and in-depth cyber risk assessments, may no longer be sufficient as digital interconnectivity accelerates. Carriers are increasingly offering proactive services, including vulnerability scanning, dark web monitoring, and threat intelligence.
Conclusion
“It’s crucial to remember that each carrier handles CBI coverage differently,” Upshur emphasized. “Policy language, exclusions, and waiting periods vary significantly. It’s essential to review policies carefully to ensure they cover as many scenarios as possible.” As cyber threats continue to evolve, the importance of comprehensive CBI coverage cannot be overstated.