As businesses become increasingly reliant on technology, their cyber risk increases – but does their approach to business interruption reflect this shift?

Technology has seeped into every facet of commercial operations. Even at the micro-end, businesses today tend to rely on email, WhatsApp and online banking. Once headcount reaches double digits, most firms will have Microsoft emails and use a cloud service.

A system outage can prevent businesses from accessing their data and therefore operations grind to a halt, and the impact can be considerable. Last year, unplanned downtime cost Fortune Global 500 companies 11% of their yearly turnover – almost USD 1.5 trillion.1

A significant amount of most business’ technology is managed by third parties and therefore, out of their control. In June this year, Amazon’s cloud capability, Amazon Web Services, was hit by a wide-ranging outage that impacted a long list of major websites, including Delta Airlines and the Associated Press.2

In October last year, WhatsApp experienced a global outage; the messaging platform is estimated to have more than 2 billion users,3 and is an integral part of the banking system in South America.

This third-party vulnerability also extends beyond cloud services into tangible operations. For example, the manufacturing industry is becoming increasingly reliant on technology. While the machinery may exist onsite, the maintenance and updating of the technology is usually carried out by a third party.

Businesses are concerned – they may have cyber insurance, but many are still left asking –what happens in the event of an outage? How will it impact my business? How long will we be unable to trade? Will we be covered by insurance?

It’s business interruption, but not as we know it

Cyber incidents –tech outages, ransomware and data breaches – are one of the top risks for businesses.4 While organisations understand what a fire or flood could mean for their business and can conceptualise it, to many, the impact of a cyber event is an unknown in terms of experience and recovery.

A vast majority of businesses also have plans in place to manage a flood or fire. Post-pandemic, many businesses have decided that employees will simply work from home, but there is no such workaround for a tech outage.

Therefore, the focus needs to be on limiting loss – and this may only be achievable through robust controls and comprehensive insurance. Just like a business would have a business continuity plan, an IT incident plan is critical.

Are insurance programmes reflecting this shift? A standard property policy is transparent in its calculation of business interruption exposure – insurers will ask a series of questions and the answers will dictate the business interruption premium. In contrast, in cyber, business interruption is part of a package policy with a limit of indemnity which should cover breach experts, lawyers, forensics, data loss, any potential ransom, business interruption, and the overall loss to the business. Therefore, the setting of this limit is becoming increasingly important. Businesses must ensure their limit reflects the true potential loss from a cyber issue.

Securing appropriate cover

Like all insurance lines, there are a variety of cyber policies out there. On the business interruption side, a majority of policies currently require a business to have a malicious hack, and even then, there’s no guarantee all exposures will be covered. Some insurers limit cover to external attacks, while others won’t include increased costs of working. The latter is important as firms tend to enter crisis mode during an outage to protect the business. When the extra measures – employees working around the clock, for example – are so effective they can help prevent any loss in revenue or profit, some policies don't cover these additional costs.

Many cyber policies also include an aggregated claim limit rather than any one claim. This means if a company experiences a cyber event that exceeds their limit of indemnity, they will not be covered for any further cyber losses for the duration of their policy.

There are policies available that cover all these risks and exposures. Gallagher is focused on having informed conversations with our clients, so they understand their exposures and what limits they need. Only brokers that have invested heavily in cyber risk management will be in a position to do this. Gallagher is on hand to help support clients in implementing their cyber incident plans.


The sole purpose of this article is to provide guidance on the issues covered. This article is not intended to give legal advice, and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. We make no claims as to the completeness or accuracy of the information contained herein or in the links which were live at the date of publication. You should not act upon (or should refrain from acting upon) information in this publication without first seeking specific legal and/or specialist advice. Arthur J. Gallagher Insurance Brokers Limited accepts no liability for any inaccuracy, omission or mistake in this publication, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein.