By Ryan Windt | Head of Growth Marketing | Updated June 2026
When a ransomware attack encrypts your systems or a cyber incident takes your operations offline, the financial damage doesn’t stop at remediation costs. Every hour your business can’t operate is revenue you won’t recover. Payroll continues. Rent continues. Contracts have deadlines. Customers go elsewhere.
Business interruption coverage inside a cyber policy is designed to address that loss. But how it works, what it actually pays, and where it stops paying is not always well understood before a claim. This post breaks down the mechanics: what triggers coverage, how losses are calculated, what the waiting period means in practice, and where the common gaps are.
What Cyber Business Interruption Coverage Is
Cyber business interruption coverage, sometimes called cyber BI or income replacement coverage, compensates a business for lost income and extra expenses incurred when a covered cyber event disrupts normal operations. It is a first-party coverage, meaning it pays the policyholder directly rather than covering claims from third parties.
Cyber BI is distinct from the business interruption coverage in a commercial property or BOP policy. Property BI responds to physical damage: a fire, a flood, a burst pipe. It does not respond to a ransomware attack that encrypts your servers without causing any physical damage to them. The gap between property BI and cyber BI is real, and it is one of the primary reasons standalone cyber insurance exists.
Our post on why every business needs standalone cyber insurance covers this gap in more detail, and our post on whether general liability covers cyberattacks addresses the similar gap in GL policies.
What Triggers Cyber BI Coverage
Coverage is triggered when a covered cyber event causes an interruption to your business operations. The definition of a covered event and the definition of an interruption are both important and vary by policy.
Covered events. Most cyber policies cover business interruption arising from ransomware attacks, data breaches, malware infections, hacking incidents, and denial-of-service attacks. Some policies also cover interruptions caused by system failures that aren’t the result of a malicious act, though this varies significantly by carrier.
The interruption requirement. The business must actually be interrupted, meaning it cannot operate normally or at all due to the cyber event. A near-miss that causes no operational disruption does not trigger BI coverage. The degree of interruption required, and how it is measured, matters when smaller incidents cause partial rather than complete disruption.
System dependency. Coverage generally requires that the interruption results from a failure of your own systems or, under dependent BI coverage, a system you rely on. A cyber event that damages your reputation but doesn’t interrupt your systems is typically not a BI trigger.
The Waiting Period
Almost every cyber BI policy includes a waiting period, also called a retention period or time deductible. This is the amount of time that must pass after the interruption begins before BI coverage kicks in.
Waiting periods are typically expressed in hours: 6 hours, 8 hours, 12 hours, or 24 hours are common. Some policies use longer periods of 48 or 72 hours. During the waiting period, the business absorbs the loss itself. Coverage begins only after the waiting period has elapsed.
The practical effect of the waiting period is significant. A cyberattack that causes 18 hours of downtime is fully covered under a policy with a 12-hour waiting period but only partially covered under one with a 24-hour waiting period. Short, disruptive incidents that are resolved within the waiting period generate no BI recovery at all.
When comparing cyber policies, the waiting period is one of the most important terms to examine alongside the BI limit. A policy with a longer waiting period and a higher limit may provide less protection for the most common incident types (short, disruptive outages) than a policy with a shorter waiting period and a lower limit.
This interacts with the broader deductible and retention structure in cyber policies. Our post on cyber insurance deductibles explained covers how these work together.
How BI Losses Are Calculated
Cyber BI coverage pays for two categories of loss: lost income and extra expenses.
Lost income. The revenue the business would have earned during the interruption period but did not earn because of the outage. Calculating this requires establishing what the business’s normal income would have been during the affected period, which typically involves looking at historical financials for a comparable period.
For businesses with variable revenue, this calculation can be contested. A retailer whose systems go down during a holiday weekend has a much larger BI loss than the same outage would cause in a slow week. How the policy defines the measurement period and what historical data is used to establish the baseline matters.
Extra expenses. The additional costs the business incurs to continue operating or to recover from the incident. This might include costs of renting temporary equipment, paying for expedited IT recovery services, bringing in additional staff, or paying premium rates to maintain operations during recovery. Extra expenses are covered up to the policy limit and are often a significant component of cyber BI claims.
The indemnity period. BI coverage runs for a defined period after the interruption begins, called the indemnity period. Some carriers use different names for the same mechanic, including the period of restoration or the restoration period, so the term in your policy may vary even when the function is identical. Coverage ends when the business is restored to normal operations or when the indemnity period expires, whichever comes first. Indemnity periods in cyber policies are typically shorter than in property policies: 90 days, 180 days, or 12 months are common, compared to multi-year indemnity periods in property BI. For businesses that take longer to fully recover, a short indemnity period can leave significant losses uncovered.
Dependent Business Interruption
Standard cyber BI covers losses from interruptions to your own systems. Dependent business interruption coverage, sometimes called contingent BI, extends coverage to losses caused by a cyber event at a third party your business depends on.
The most common dependent BI scenarios:
Cloud service provider outages. If your business relies on AWS, Azure, or Google Cloud and a widespread outage takes those services down, your operations may be disrupted even though your own systems are fine. Standard cyber BI typically does not cover this; dependent BI or a specific cloud outage endorsement is needed. Our post on cloud outages and cyber insurance covers how this coverage works.
Supply chain incidents. A cyber attack at a critical supplier or software vendor that disrupts your ability to operate. Our post on supply chain attacks and cyber insurance covers the coverage landscape for these events.
Key vendor outages. A breach or outage at a payment processor, logistics provider, or other critical operational dependency.
Dependent BI coverage is not universal. Many policies either exclude it entirely, include it with a lower sublimit than the primary BI coverage, or require that the third-party event be specifically caused by a cyber incident rather than a general system failure. If your business is operationally dependent on cloud services or key vendors, understanding whether and how your policy responds to third-party outages is important.
Cyber BI vs. Property BI: Key Differences
Understanding how cyber BI differs from the business interruption coverage in your commercial property policy matters because many businesses assume their existing BI coverage will respond to cyber incidents.
The triggering event. Property BI requires physical damage to property. A ransomware attack that encrypts your data and shuts down your operations causes no physical damage to your servers. Property BI does not respond. Cyber BI does.
The waiting period structure. Property BI policies typically have waiting periods of 72 hours or longer, or use dollar-amount deductibles rather than time-based waiting periods. Cyber BI policies tend to have shorter waiting periods (6 to 24 hours) because cyber incidents can cause meaningful disruption in a much shorter timeframe than physical events.
The indemnity period. Property BI indemnity periods can run for years, reflecting the time needed to rebuild a physically damaged facility. Cyber BI indemnity periods are shorter, typically 90 days to 12 months, reflecting that cyber recovery, while significant, usually doesn’t require rebuilding physical infrastructure.
Coverage scope. Property BI typically does not cover reputational harm, customer attrition following an incident, or losses caused by events at third parties. Some cyber BI policies include some of these, though coverage varies significantly.
Common Coverage Gaps
The waiting period. Short outages that resolve within the waiting period generate no BI recovery. Many cyber incidents, including DDoS attacks, brief ransomware events, and short system failures, fall within the waiting period of a 24-hour or 72-hour policy.
Revenue proof requirements. Demonstrating the income you would have earned requires financial records that show your historical revenue. Businesses with poor financial recordkeeping or highly variable revenue can have difficulty establishing the baseline for a BI claim.
Dependent BI exclusions. If dependent BI is not included or is sublimited, cloud outages and third-party incidents can cause significant uninsured losses.
Reputational harm. Lost revenue caused by customers leaving after a breach, rather than from the operational interruption itself, is typically excluded from cyber BI coverage. This post-incident revenue loss can be significant but is not covered by standard BI.
The indemnity period cap. If recovery takes longer than the indemnity period, losses beyond that cap are uncovered. Complex ransomware events affecting large environments can take months to fully remediate.
Sublimits on BI coverage. Some policies carry a sublimit on business interruption that is lower than the overall policy limit. A policy with a $1 million limit and a $250,000 BI sublimit may be inadequate for a business with significant revenue. Review BI sublimits specifically when comparing policies. Our post on cyber insurance sublimits covers how sublimits work across coverage lines.
How BI Coverage Interacts with Ransomware Coverage
Ransomware events are the most common trigger for cyber BI claims. A ransomware attack that encrypts your systems creates simultaneous exposure across multiple coverage lines: cyber extortion coverage responds to the ransom demand, BI coverage responds to the operational downtime, and breach response coverage responds if data was exfiltrated alongside the encryption.
The interaction between these coverage lines matters for understanding your total recovery. The ransom payment and negotiation costs are separate from the BI loss. Extra expenses during recovery, including IT forensics, system restoration, and temporary workarounds, may be covered under extra expense provisions rather than the BI limit itself.
Our post on what ransomware insurance actually covers covers how ransomware claims interact across coverage lines.
Frequently Asked Questions
Does cyber BI cover partial interruptions?
It depends on the policy. Some policies cover partial interruptions proportionally; others require a complete interruption of operations. If your business can operate at reduced capacity during a cyber event, whether and how that partial loss is covered is worth clarifying with your broker before a claim.
What if my business interruption lasts longer than the indemnity period?
Coverage ends when the indemnity period expires, even if recovery is not complete. Losses beyond the indemnity period are not covered. For businesses in complex environments where extended recovery is possible, a longer indemnity period is worth the additional premium.
Does cyber BI cover lost income from customers who leave after a breach?
Generally no. BI covers income lost during the operational interruption itself. Revenue lost because customers chose competitors after learning of a breach is reputational harm, which is typically excluded from standard cyber BI coverage.
Is there a deductible on cyber BI in addition to the waiting period?
Some policies apply a dollar-amount deductible to BI claims in addition to or instead of a waiting period. Others use only the waiting period as the retention mechanism. Review the specific BI deductible structure in your policy; it may be different from the deductible that applies to other coverage lines.
How does the insurer calculate what I would have earned during the outage?
Carriers typically look at historical financials for a comparable period: the same days or weeks from prior years, adjusted for any known differences. Seasonal businesses need to be particularly attentive to this: a retailer whose systems go down in December has a much larger BI exposure than the same outage in February, and the calculation needs to reflect that.
Related Resources
- Business Interruption Is Now the Largest Driver of Cyber Losses
- Cyber Insurance Sublimits Explained: Ransomware, Funds Transfer Fraud, BEC, and Why Your Full Policy Limit May Not Apply
- Cyber Insurance Deductibles Explained: SIR, Retention, and What You Actually Owe When You File a Claim
- What Ransomware Insurance Actually Covers
- Cloud Outages and Cyber Insurance: What Your Policy Covers and Where It Falls Short
- Supply Chain Attacks and Cyber Insurance: Coverage, Exclusions, and What to Check
- Why Every Business Needs Standalone Cyber Insurance and What a BOP Won’t Cover
- What Is Bricking Coverage in Cyber Insurance?
Cyber business interruption coverage is one of the most financially significant parts of a cyber policy and one of the least examined at purchase. The waiting period, the indemnity period, the dependent BI scope, and any sublimits all determine what you actually recover when an attack shuts you down. Reviewing these terms before a claim is the only time you can change them.
Ready to review your coverage? Contact us or explore your coverage options.