By Ryan Windt | Head of Growth Marketing | Updated April 2026
For years, cyber risk conversations focused on stolen data. How many records were exposed? Was customer information compromised? What were the notification costs?
That framing is now outdated. Business interruption has overtaken data theft as the single largest financial driver of cyber insurance claims, and the gap is widening. Understanding why, what it actually costs, and how most policies respond to it is one of the most important things a business can do before a cyber incident occurs.
What the Claims Data Actually Shows
The shift from data loss to operational disruption as the dominant loss driver is well documented in the insurer claims databases that shape how cyber policies are priced and written.
The Allianz Risk Barometer has ranked business interruption as the top corporate risk for multiple consecutive years. Munich Re and other reinsurers with visibility into aggregate claims data consistently report that the majority of cyber loss severity now comes from operational downtime, not notification or regulatory exposure. The NetDiligence Cyber Claims Study, which draws on over 10,000 actual claims filed between 2019 and 2023, found that business interruption costs are among the most significant components of total claim severity across all revenue tiers.
For manufacturing, the data is especially stark. Allianz reported that manufacturing generated 33% of total cyber insurance claims volume in 2025, with Resilience’s midyear data showing average claim severity exceeding $1 million. In virtually every one of those incidents, production downtime drove the majority of the loss, not the cost of the breach itself.
The FBI’s 2025 Internet Crime Report recorded $20.877 billion in total reported cybercrime losses, a 26% increase over 2024. The $32 million attributed specifically to ransomware in that report reflects only direct payments disclosed to the FBI. It does not capture the business interruption losses, recovery costs, or revenue forgone during downtime that represent the real financial weight of a ransomware incident. Those numbers are orders of magnitude higher.
Why Downtime Costs More Than the Ransom
The ransom demand is the number that gets the headlines. It is rarely the largest component of what a cyber incident actually costs.
When systems go offline, the meter starts running immediately across multiple cost categories simultaneously.
Lost revenue. For a business billing $500,000 per month, a week of downtime is more than $125,000 in revenue that does not come back. For a manufacturer running a plant floor, downtime can cost $10,000 to $100,000 per hour depending on facility size and product margins. For a healthcare practice, it means cancelled appointments, diverted patients, and suspended billing.
Forensic investigation. Before anything can be restored, you need to understand what happened, how attackers got in, what they accessed, and whether they are still present. For anything but the simplest incidents, this costs between $50,000 and $300,000 and takes days to weeks.
System restoration. Rebuilding from a ransomware event is rarely a clean restore-from-backup operation. In many environments, particularly those with operational technology or complex integrations, restoration requires manual reconfiguration and specialized engineering. Recovery timelines regularly run two to four weeks for serious incidents.
Contractual and SLA exposure. If your downtime causes your customers to miss their own deadlines, contract penalty clauses and SLA violation claims add a third-party liability dimension on top of your direct losses.
Employee costs. Your workforce does not stop costing money because your systems are down. Payroll, benefits, and the cost of keeping staff productive or idle during an extended outage are real expenses that accumulate during recovery.
A serious ransomware event at a mid-sized business routinely generates total losses of $500,000 to $2 million when all of these components are fully accounted for, even when the ransom itself is modest or not paid. The 2025 FBI Internet Crime Report breaks this dynamic down in detail.
The Three Attack Patterns Driving BI Losses
Business interruption losses do not happen by accident. Modern attack groups specifically engineer disruption as the primary mechanism for generating leverage.
Ransomware targeting production systems. Ransomware groups have evolved from targeting data to targeting operational continuity. They map their victims’ environments before deploying, identifying the systems that, if encrypted, create the most financial pressure to pay quickly. ERP systems, order management platforms, production line controllers, and core operational databases are preferred targets precisely because downtime costs are immediate and severe. KNP Logistics, a 158-year-old UK company, ceased to exist after a 2023 ransomware attack. The breach was not the cause of the company’s failure. The sustained downtime and recovery costs were.
Supply chain and vendor incidents. You do not need to be the direct target of an attack to suffer a business interruption loss. The MOVEit Transfer exploitation in 2023 disrupted hundreds of organizations that had no direct vulnerability themselves. Their exposure came through a shared vendor. The Change Healthcare attack in 2024 shut down claims processing for providers across the US healthcare system, generating business interruption losses for thousands of practices that had nothing to do with the breach. Third-party involvement now appears in roughly 30% of all breaches, double the rate from the prior year, according to the 2025 Verizon DBIR.
Cloud provider outages. When AWS’s US-EAST-1 region suffered a DNS failure in October 2025, the outage cascaded across more than 140 services and affected thousands of businesses for up to 15 hours. Three weeks later, an Azure Front Door configuration issue triggered an eight-hour disruption affecting Microsoft 365 and thousands of enterprise customers. Between August 2024 and August 2025, the three major cloud providers together experienced more than 100 service disruptions. For businesses running operations on cloud infrastructure, cloud outages represent a material and recurring source of potential business interruption loss. This specific exposure is covered under contingent business interruption provisions, which we address in depth in our post on whether cyber insurance covers cloud outages.
How Cyber Insurance Responds to Business Interruption
A well-structured standalone cyber policy includes business interruption coverage as a core component, not an add-on. Here is what it covers and where the gaps commonly appear.
What it covers. Business interruption coverage under a cyber policy reimburses lost net income and continuing operating expenses during the period your systems are unavailable as a result of a covered cyber event. This includes revenue lost while systems are down, payroll and other fixed costs that continue during the outage, and extra expenses incurred to maintain operations through emergency workarounds.
The waiting period. Most cyber policies include a waiting period before business interruption coverage activates, typically between 8 and 24 hours. This functions similarly to a deductible, except it is measured in time rather than dollars. For businesses where even a few hours of downtime creates material losses, the waiting period is a negotiable term worth discussing at placement. A 24-hour waiting period on a policy for a manufacturer billing $50,000 per day is a $50,000 gap before coverage even begins.
The indemnification period. Coverage applies for the duration of the restoration period, typically defined as the time it reasonably takes to restore systems to their pre-incident state. Standard policies often assume restoration periods of days or weeks. For businesses with complex OT environments or deep SaaS integrations, actual recovery timelines can run longer. If your restoration period could realistically exceed the policy’s indemnification cap, that is a gap worth addressing at renewal.
Contingent business interruption. Standard BI coverage responds to incidents in your own environment. When the cause of your downtime is a failure at a third-party provider, a different coverage component applies: contingent business interruption, or CBI. This coverage responds to losses from cloud provider outages, SaaS platform failures, and vendor incidents that disrupt your operations. CBI is not universally included in cyber policies, and where it exists, it is often sublimited. Understanding whether your policy includes it and at what limit is particularly important for businesses with significant cloud or vendor dependencies.
What voids coverage. The single most common reason cyber business interruption claims are denied or reduced is a mismatch between the security controls stated on the application and the controls that were actually in place at the time of the incident. The Travelers v. International Control Services case established that a carrier can rescind a policy entirely when MFA was claimed on the application but was not deployed as stated. If your controls documentation does not match your actual posture, your BI coverage may not perform when you need it. The cyber insurance application and claim denial post covers the most common triggers for claim disputes in detail.
The Coverage Gaps Most Businesses Don’t Know About
Even businesses that have cyber insurance frequently carry policies that would not fully respond to a major business interruption event. The gaps most commonly surface in three places.
BI sublimits. Some policies impose a sublimit on business interruption coverage that sits below the overall policy limit. A business with a $2 million policy and a $500,000 BI sublimit may not have meaningful protection against a week of downtime. Check whether BI sits at the full policy limit or a capped sublimit.
Narrow system failure definitions. Some policies define covered causes of business interruption narrowly, requiring a confirmed security breach as the trigger. This means a major cloud outage caused by an infrastructure failure rather than a cyberattack may not be covered, regardless of how long your systems were unavailable. The trigger language in the BI section is one of the most important things to review before binding coverage. The cyber insurance exclusions post explains how these definitional limits work in practice.
No CBI coverage. As described above, contingent business interruption is a separate coverage component that many policies exclude or sublimit. Given that third-party outages now account for a significant and growing share of BI losses, a policy without meaningful CBI coverage has a structural gap that becomes more relevant every year.
For a full breakdown of the specific policy terms that create these gaps, including how sublimits, deductibles, and waiting periods interact, see our guides on cyber insurance sublimits and cyber insurance deductibles.
What Underwriters Are Looking for Now
The shift in loss drivers has reshaped what underwriters care about when they evaluate a cyber insurance application. They are no longer primarily concerned with whether you will suffer a breach. They are evaluating how long it would take you to recover if you did.
The controls that directly affect business interruption severity are the ones getting the most scrutiny.
Immutable, tested backups. Businesses that declined to pay ransoms in 2024 and 2025 did so because they had working recovery options. The 64% of ransomware victims who did not pay in the 2025 DBIR dataset had documented backup integrity. Underwriters want to see 3-2-1-1-0 backup architectures with at least one immutable or air-gapped copy and documented restore tests from the last 90 days. A backup configuration that has never been tested is treated as a gap. Our immutable backups guide covers what underwriters specifically verify.
Incident response plan with tested procedures. A documented and exercised IR plan directly affects how quickly an organization can contain an incident and begin recovery. Underwriters increasingly ask whether you have conducted a tabletop exercise in the last 12 months and whether your plan includes OT recovery scenarios if applicable. The incident response plan template on this blog is a practical starting point.
EDR across all endpoints. Endpoint detection and response tools shorten the time between initial compromise and containment, which directly limits how far an attacker can spread before being stopped. Shorter dwell time means fewer systems encrypted, less disruption, and faster recovery. See our post on EDR and cyber insurance for what carriers specifically verify.
Network segmentation. For businesses with IT and OT environments, or with multiple business units on shared infrastructure, segmentation limits how far an incident can propagate. An attacker who compromises one segment cannot immediately shut down the entire operation. For manufacturers and healthcare providers in particular, segmentation between clinical or operational systems and corporate IT is an increasingly hard underwriting requirement.
How to Evaluate Your Current BI Coverage
If you are not certain whether your current policy would adequately respond to a meaningful business interruption event, the following questions are the right starting point.
What is the waiting period before BI coverage activates, and how does that compare to the cost of downtime in your business during those first hours?
Is BI coverage at the full policy limit, or is there a sublimit? If there is a sublimit, does it reflect your actual daily revenue exposure multiplied by a realistic recovery timeline?
What triggers BI coverage under your policy? Is it any system unavailability, or only events caused by a confirmed security breach? How would a cloud provider outage or vendor failure be treated?
Does your policy include contingent business interruption coverage? If so, what is the sublimit and trigger language?
When was your policy last benchmarked against the market? The cyber insurance market has shifted significantly since 2022, and policies placed at the pricing peak may be both overpriced and structured with terms that have since improved.
The cyber insurance renewal checklist walks through each of these questions in the context of a full policy review.
The Strategic Takeaway
Cyber risk is a business continuity risk. The financial consequence of a serious cyber incident is not primarily a data problem. It is an operational problem, a revenue problem, and increasingly a third-party dependency problem as cloud and SaaS concentration creates correlated exposure across thousands of businesses simultaneously.
The organizations that navigate major incidents without catastrophic financial outcomes share a common profile: they have working recovery options, they have practiced using them, they have insurance coverage that is structured to respond to their actual exposure, and they understand the terms of that coverage before they need to invoke it.
The businesses that are surprised by the financial outcome are the ones that treated cyber insurance as a checkbox rather than a financial instrument, and discovered the limitations of their policy at the worst possible moment.