Third-party cyber attacks put spotlight on contingent business interruption coverage

Agents may be overlooking this key coverage

By Gia Snape

A string of high-profile cyber attacks involving third-party software vendors last year has forced organizations to take a hard look at their contingent business interruption (CBI) coverage.

According to one wholesale broker specializing in cyber, businesses’ vulnerability to third-party outages was exemplified by two events in 2024: the Change Healthcare breach and the CDK Global attack.

The outage of Change Healthcare in February 2024 affected over 100 million people in the US, paralyzed healthcare operations and caused financial damages of over $4 billion. The ransomware attack on automotive software provider CDK Global in June 2024 hampered nearly 15,000 dealerships across North America.

"So many hospitals are using the Change Healthcare platform, and many automotive dealerships are using CDK," said Lauren Upshur, a professional lines broker in Jencap Group’s cyber team. "It’s gotten a little tougher for those industries (to obtain cyber coverage)."

When a cyber attack disrupts these shared systems, it can create a domino effect, she said, causing widespread operational challenges and significant revenue losses.

The concentration of businesses using identical software, combined with the industries' attractive sensitive data and complex technological dependencies, makes them prime targets for threat actors.

BI versus CBI coverage in cyber insurance – what’s the difference?

Business interruption (BI) coverage pays for financial losses stemming from a cyber incident that directly affects the policyholder’s own operations. It typically compensates for lost profits, ongoing expenses, and other financial impacts while the policyholder recovers their operations.

Contingent BI coverage (sometimes also called dependent business interruption coverage) extends this coverage to account for financial losses stemming from a cyber incident affecting a third party upon whom the policyholder depends. This might include a key supplier, service provider, or a business counterpart.

A CBI policy responds when a cyber incident at these third-party entities disrupts their ability to provide services or products to the policyholder, thereby causing financial harm.

“Say a bike shop sells bicycles and processes payments through a third-party platform,” Upshur said. “If that platform gets hacked, rendering the bike shop unable to process payments while the incident is investigated and resolved, it could lose a significant amount of business, especially since most payments are made by card.”

While both BI and CBI cover financial losses related to business interruptions, the main differentiation lies in their respective triggers and the source of the incident.

“When a payments platform goes down, most policies include a waiting period, typically eight hours, during which the business cannot make a claim for its lost revenue,” Upshur said. “Once that waiting period expires, the policy can kick in. Carriers typically calculate the claim by comparing the business’s typical payments to the amount it lost during the outage.”

Certain industries face heightened risks of contingent business interruption (CBI) claims due to their heavy reliance on centralized software systems. Aside from the healthcare and automotive industries, Lauren said other technology-dependent sectors are vulnerable, as many businesses use the same platforms for processing payments, claims, and core operations.

What should retail agents and insureds look for in CBI coverage?

While many insurers today include CBI coverage in their standard policy forms, brokers and clients should pay close attention to policy wording, waiting periods, policy sub-limits, and whether coverage applies to both complete shutdowns and less dramatic interruptions.

Upshur said some carriers may pay for total shutdowns but not for partial or intermittent ones, adding a layer of complexity to coverage decisions. "Some carriers are very restrictive; others are more lenient," she noted.

Insurers are becoming more sophisticated in their underwriting and risk assessment approach to third-party cyber risks, recognizing the growing complexity of cyber threats across different industries.

Clementine Nash, US cyber underwriter at CFC, noted that traditional measures, including human intervention through due diligence on vendors and in-depth cyber risk assessments, may no longer be enough as digital interconnectivity accelerates.

“Although this concept is nothing new, 2024 saw a record number of third-party providers experiencing (cyber) attacks which impacted huge swathes of individuals and organizations,” Nash said. “We are trying to redefine ways to look at this more concisely and efficiently.”

Proactive services, including vulnerability scanning, dark web monitoring and threat intelligence, are also increasingly common offerings among carriers.

Upshur said that while agents are often familiar with BI coverage, some may not realize the significance of contingent coverage and how it adds value to clients’ overall program. “It’s crucial to remember that each carrier handles CBI coverage differently,” she said. “Policy language, exclusions, and waiting periods vary. It’s important to review policies carefully and make sure they account for as many scenarios as possible.”
