
Introduction
Picture this: you arrive at work Monday morning to find your cloud-based payment processor is offline. The vendor running it was hit by ransomware over the weekend — your own systems are untouched, but the damage is the same.
Orders can't be processed. Your CRM is inaccessible. Revenue is bleeding out by the hour. When you call your insurance broker, you find out your cyber policy only covers disruptions to your systems.
This is not a hypothetical. Between 800 and 1,500 businesses worldwide were caught in exactly this position after the 2021 Kaseya VSA ransomware attack — and many didn't have the right coverage to recover lost income.
That gap has a name: contingent business interruption (CBI) coverage. This article explains what CBI is, how it works inside a cyber policy, what triggers a claim, which businesses need it most, and what to check before buying.
TL;DR
- CBI covers your lost income when a third-party vendor's cyber incident disrupts your operations — not just your own systems.
- Standard business interruption only responds when your systems go down; CBI covers what standard policies miss.
- Coverage triggers, waiting periods, and sublimits vary widely; never assume CBI is included.
- Highest-risk sectors: financial services, healthcare, retail, tech, and any business running on outsourced IT.
- Soma's brokers compare CBI terms across carriers and match coverage to your actual vendor exposure.
What Is Contingent Business Interruption Insurance?
Contingent business interruption insurance — also called dependent business interruption (DBI) — is a coverage component within cyber insurance that compensates a business for lost income and extra expenses when a third-party service provider's systems are disrupted by a cyber event, and that disruption flows downstream to affect the insured's operations.
"Third party" covers a wide range of providers:
- Cloud hosting providers (AWS, Azure, Google Cloud)
- SaaS platforms (CRMs, ERPs, communication tools)
- Payment processors and point-of-sale vendors
- Managed IT service providers (MSPs)
- Key digital suppliers or customers
As Corvus Insurance describes it, cyber CBI covers insured losses from business interruption caused by interrupted or degraded service from a third-party provider.
Beazley's policy wording frames it similarly: dependent business interruption loss means losses sustained from interruption of the insured's operations caused by a dependent security breach or dependent system failure.
How CBI Differs from Standard Business Interruption
The distinction is clean but critical:
| Coverage Type | What Triggers It |
|---|---|
| First-party cyber BI | Your own systems go down from a cyber event |
| Contingent BI (CBI) | A vendor's systems go down, and your operations suffer as a result |
If you only carry first-party BI coverage and a vendor outage causes your revenue loss, no claim applies. That's the gap. With worldwide SaaS spending projected at nearly $300B in 2025, most businesses today run on vendor-dependent infrastructure — which makes that gap increasingly expensive to ignore.
Security Failure vs. System Failure
Most CBI policies distinguish between two trigger types:
- Security failure — a cyberattack causes the vendor outage (ransomware, breach, DDoS). Covered by default in most CBI-enabled policies.
- System failure — an accidental error, misconfiguration, or human mistake at the vendor causes the outage. Less commonly covered, and often sub-limited (meaning capped at a lower payout) when it is.
Some of the most disruptive outages on record were system failures, not attacks. The 2021 Facebook/Meta outage stemmed from a misconfiguration during routine network maintenance. The Fastly CDN failure took large sections of the internet offline for 49 minutes — also a configuration error. Businesses carrying only security failure coverage had no claim for either event.
How CBI Cyber Coverage Works: Triggers, Waiting Periods, and Limits
Understanding the mechanics helps you evaluate whether a policy will actually pay when you need it to.
Coverage Triggers
For a CBI claim to apply, three things generally need to be true:
- A named or qualifying third-party provider experienced a documented outage or service degradation
- The outage was caused by a covered event (typically a cyberattack; system failures require specific inclusion)
- The insured suffered a direct financial loss — lost revenue or extra expenses — that resulted from that outage

As Beazley's wording makes clear, dependent business coverage may not apply where the outage affects a company with which the insured has no direct contractual relationship — even if there's downstream impact on your operations.
Waiting Periods
Most cyber CBI policies include a time deductible — a minimum outage duration before coverage kicks in. Short outages below this threshold aren't covered.
- Common range: 6 to 12 hours
- More progressive policies offer 6-hour waiting periods
- Outages shorter than the threshold generate no covered loss, regardless of revenue impact
This matters for payment processor or SaaS outages that resolve in 3–4 hours but still wipe out significant transaction volume. A policy with a 12-hour waiting period covers none of that loss — which is why the threshold is worth comparing across quotes, not just the premium.
Sublimits and Aggregation Risk
CBI is almost always structured as a sublimit within a broader cyber policy, separate from the full policy limit. A single AWS, Azure, or Google Cloud outage could simultaneously trigger thousands of CBI claims across every industry — so insurers cap this exposure deliberately to manage aggregation risk.
Key implications:
- System failure CBI often carries an even lower sublimit than security failure CBI
- The sublimit may be far lower than the full cyber policy limit
- Verify the sublimit against the revenue you would actually lose if a critical vendor went offline for 48–72 hours
Named vs. Unnamed Vendors
Policies fall into two structures:
Named vendor coverage schedules specific vendors by name. It offers more coverage certainty but misses any provider not listed — better suited for businesses with a small number of truly critical dependencies.
Blanket (unnamed) vendor coverage applies to any qualifying outsourced service provider. It's broader for businesses with many vendor relationships, but sublimits tend to be lower and triggers stricter.

One consistent exclusion across both structures: internet service providers, telecommunications carriers, and power utilities are commonly excluded. A regional ISP outage that halts your operations likely won't trigger CBI coverage, even under a blanket policy.
Real-World CBI Losses: What These Events Actually Look Like
The Kaseya VSA attack in July 2021 is the clearest illustration of how CBI losses cascade. Attackers compromised IT management software used by managed service providers, which then impacted downstream businesses — including Coop, the Swedish supermarket chain, which was forced to urgently close around 700 of its 800 stores because its checkout systems relied on a Kaseya-dependent MSP. All affected stores were restored within six days, but the revenue loss during that period was a direct CBI scenario: Coop's own systems were fine. Their vendor's vendor was the problem.
The 2024 CrowdStrike outage makes the same point from a different angle. Parametrix estimated total direct financial losses to U.S. Fortune 500 companies at $5.4 billion from that single software update error. CyberCube flagged it as a direct test of CBI coverage, given that the outage originated at a third-party security vendor — not at any of the affected businesses themselves.

Two incidents. Two entirely different attack vectors. The same coverage gap.
Neither event required the insured to be attacked. That's the core claims challenge: standard cyber policies trigger on breaches of your systems, but CBI losses come from someone else's failure. Without explicit CBI coverage, businesses absorbing that revenue loss have no policy to point to.
Which Industries and Businesses Need CBI Coverage?
Any business running on outsourced technology carries CBI exposure. But risk concentration varies significantly by sector.
Highest-risk industries:
- Financial services — Payment rails, trading platforms, and custody systems are almost entirely third-party dependent. FINRA has documented rising cyberattacks on third-party providers used by member firms since 2023.
- Healthcare — The Change Healthcare cyberattack left 80% of surveyed physician practices with unpaid claims, forcing CMS to issue over $2.55 billion in accelerated payments — a textbook CBI loss event.
- Retail and e-commerce — Payment processors, inventory platforms, and POS systems are external. Coop's store closures are a retail CBI case study.
- Technology companies — SaaS vendors and software developers often rely on cloud infrastructure from just a handful of hyperscalers. A single dependency on AWS US-East-1 is a concentration risk that deserves its own coverage sublimit.
- Manufacturing and logistics — Digital supply chains mean a supplier's system failure can halt production or fulfillment, not just data access.

Across all of these sectors, Soma consistently finds the same gap: first-party BI is in place, but CBI is missing entirely. It's a blind spot that grew significantly as businesses moved to cloud infrastructure over the last few years.
Key Exclusions and Coverage Gaps to Watch For
CBI is not included in all cyber policies. When it is included, the terms vary enough that two policies with the same premium can cover very different scenarios.
Infrastructure Exclusions
Most policies exclude outages originating from core infrastructure providers:
- Internet service providers (ISPs)
- Telecommunications carriers
- Power and utility providers
A regional internet outage — not tied to a specific software vendor — likely won't trigger coverage even under blanket CBI language.
Second- and Third-Tier Supplier Exclusions
Most underwriters restrict coverage to direct, first-tier vendors — companies with whom the insured has a direct contractual relationship. Losses from a vendor's vendor are generally excluded.
Munich Re is explicit on this point: cyber CBI should exclude second- and third-tier suppliers because the frequency becomes too high and too difficult to calculate. For businesses with multi-tier digital supply chains, this is a significant blind spot.
Beyond supplier tiers, these exclusions appear frequently across carriers:
- Physical damage events (not cyber-originated)
- Contractual penalties or SLA credits
- Losses below the waiting period threshold
- Vendors not listed on a scheduled-vendor policy
As IRMI notes, cyber and privacy insurance policies are not standardized and can differ significantly in coverage terms by insurer. Read the actual policy form before assuming what's covered.
How to Choose the Right CBI Coverage for Your Business
Getting CBI coverage right starts before you talk to an insurer.
Step 1: Map your vendor dependencies. List every third-party platform, software tool, or IT service provider whose outage would cause immediate revenue loss or operational shutdown. This exercise determines your true CBI exposure and whether named or blanket vendor structure is more appropriate.
Step 2: Ask the right questions during the placement process:
- Is CBI included in the base policy, or does it require an endorsement?
- What is the waiting period — and does a 6-hour threshold fit your actual exposure?
- Does the policy cover system failures alongside security failures?
- Is this named vendor or blanket coverage?
- What is the CBI sublimit, and how does it compare to your actual revenue at risk?
Step 3: Work with a broker familiar with the nuances. CBI language varies significantly across carrier forms, and a broker who only places standard cyber policies may not flag that the CBI sublimit is $250,000 when your payment processor handles $50,000 in daily transactions.
Soma places cyber liability coverage across carriers including Chubb, Hiscox, Kinsale, and Liberty Mutual, comparing actual policy terms across options — including for businesses standard markets decline.
For tech companies, financial firms, healthcare organizations, and retailers with complex vendor dependencies, that comparison matters. A $250,000 CBI sublimit on a policy that looks complete on the surface can leave your largest revenue exposure entirely uncovered.
Frequently Asked Questions
Does cyber insurance cover business interruption?
Many cyber policies include first-party business interruption for disruptions to the insured's own systems. Some also include contingent business interruption (CBI) for third-party outages, but CBI is not universal. Confirm with your broker whether it's included and review the specific sublimits and triggers.
What does dependent business interruption cover?
Dependent (or contingent) business interruption covers lost income and extra expenses when a third-party service provider — a cloud platform, SaaS vendor, or MSP — experiences a cyber event that disrupts your operations. The key requirement is a direct financial loss traceable to the vendor's outage.
What cyber incidents are typically covered by insurance?
Covered incidents commonly include ransomware attacks, data breaches, denial-of-service attacks, and in broader policies, accidental system failures. Coverage scope depends on whether the policy defines and includes both "security failure" and "system failure" triggers.
How is CBI different from standard business interruption?
Standard BI responds when your own systems are disrupted. CBI kicks in when a third-party vendor's outage causes your revenue loss. These are separate coverage components — having one does not guarantee you have the other.
What is the typical waiting period for a CBI claim?
Waiting periods typically range from 6 to 12 hours. Outages shorter than this threshold won't trigger coverage. Some carriers, such as Corvus, offer 6-hour waiting periods. Verify the specific threshold in your policy before binding.
Is CBI included in all cyber insurance policies?
No. CBI varies by insurer and policy wording — it is not standard across all cyber forms. Ask your broker to confirm whether it's included and what sublimits, triggers, and vendor requirements apply.