TIPS #20: Building Resilience with Contingent Business Interruption (CBI) Insurance

Issue: In the age of widespread SaaS, PaaS, and cloud-based third-party products and services, a disruption to a vendor’s computer systems can bring businesses to a halt. Contingent Business Interruption (CBI) insurance protects against financial losses from such disruptions, but many companies aren’t doing enough to evaluate and invest in the right cyber insurance policies.

Nearly every business today- from SMB to enterprise- relies on third-party Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS) offerings to enable core business functions. For example: 

• Business Management: Enterprise resource planning (ERP) from vendors like Oracle and SAP.  

• Sales and Customer Service: Customer relationship management (CRM) and feedback management (FM) from vendors like Salesforce.  

• Human Resources and Finance: Human capital management (HCM) and financial management from vendors like Workday.  

• Cybersecurity: Identity, endpoint, data, network, and cloud security from vendors like CrowdStrike, Palo Alto Networks, and Mimecast.  

• IT: Content delivery, cloud computing, data storage, and remote management support services from vendors like Cloudflare and AWS.  

As a result, a disruption to a vendor’s services can bring business to a halt.  

Every company needs to prepare for the inevitable breach or compromise, not only in their own systems and software but in vendors’ as well. Cyber insurance- along with Incident Response (IR)- plays a key role in limiting the impacts of such disruptions, acting as a form of financial risk management to limit losses.  

CBI coverage vs BI coverage 

Contingent Business Interruption (CBI) insurance is an important type of coverage companies should consider to limit the costs associated with a vendor outage.  

CBI coverage provides compensation for financial losses resulting from a disruption to a third party’s computer systems. CBI contrasts with Business Interruption (BI) coverage, which covers lost revenue resulting from downtime when a company’s computer systems or data are compromised (for example, due to a ransomware incident). Put simply, CBI covers third party business disruptions while BI covers first-party disruptions.  

To qualify for most CBI payouts, companies must have incurred business income losses and extra expenses during a period of restoration which resulted from a disruption in the service of a computer system owned or operated by an “Outsourced Service Provider” (a vendor). There is often a waiting period, typically between 6 and 24 hours, before losses are covered by a CBI policy. 

CBI coverage is generally available under most cyber insurance policies and covers a wide range of events. However, each insurance carrier utilizes different language around coverage and exclusion. In addition, an insurance carrier’s risk appetite (how much risk they are willing to underwrite) influences whether they will offer CBI to a particular company. The conditions for coverage- such as documentation of an executed vendor contract relationship or requiring covered vendors to be IT providers- may also be narrower or broader depending on the market cycle and specific policy. 

System failure coverage 

Many CBI policies specify that a cyber incident must have triggered the vendor’s computer system disruption. Another type of coverage- system failure coverage– applies to cases in which a vendor’s system failed from an event unrelated to a cyber incident, such as human or system error.  

System failure policies are heavily negotiated when offered to larger companies and underwriters may have rules limiting coverage availability for certain industries.  

The problem: A disconnect between risk managers and security teams 

Risk managers, as key stakeholders interfacing with insurers, tend to have a good understanding of CBI, its importance, and the coverage their companies need.  

However, among security teams there tends to be a lack of awareness around what cyber insurance and crime policies cover. These teams need a better understanding of how different policies apply to situations like hacking incidents (which can fall under BI coverage or broader cyber insurance coverage), supplier disruptions (CBI coverage), and insider abuse like extortion, theft, and sabotage (both cyber insurance and broader crime policies may apply, depending on the context). Unfortunately, many companies just do the minimum necessary to get through the underwriting process, leaving a lot on the table in terms of aligning cyber insurance (like CBI) with security needs. 

This lack of understanding and poor coordination between risk management and security leads to inadequate and improper coverage that does not align with a company’s risk posture.  

Impact: Inadequate and misaligned CBI coverage inhibits third-party risk management and vendor disruptions lead to more negative outcomes.  

Downtime from a vendor outage can lead to lost revenue, heightened operational costs, loss of customer trust, competitive disadvantage, and potential litigation. These impacts can be far worse if a company does not have the right CBI coverage.  

Here are two case studies of recent incidents to illustrate how CBI coverage applies in practice.  

Change Healthcare Ransomware Breach 

In February 2024, healthcare payment processor Change Healthcare was hit with a significant ransomware breach perpetrated by the ALPHV/BlackCat ransomware group. BlackCat targeted and stole highly sensitive medical and personal data that Change Healthcare handles as part of its payment processing services.  

To isolate the attackers, Change Healthcare shut down its entire network, causing widespread outages and bringing billing and claims processing to a halt for many healthcare facilities and providers. The company eventually paid BlackCat a $22 million ransom to get the stolen data back and continues to notify impacted individuals and organizations. Notably, Change Healthcare serves between one third and half of all U.S. healthcare transactions, making this one of the largest breaches of U.S. medical data in history. 

In this case, CBI coverage applied because Change Healthcare’s systems were down due to a cyber incident which caused subsequent business interruptions and revenue losses for its customers. Interestingly, though, UnitedHealth Group (Change Healthcare’s parent company) ended up providing short-term cashflow to help impacted companies, so payouts from CBI coverage may not have been necessary in many cases.  

CrowdStrike Faulty Software Update 

In July 2024, a faulty update to cybersecurity giant CrowdStrike’s Falcon Sensor (an endpoint security agent) caused widespread crashes on Windows devices across the globe. The IT outage- likely one of the largest in history- had a major impact on companies and customers in industries including airlines, healthcare, and financial services.  

CrowdStrike identified and fixed the issue within hours, but many impacted organizations had to manually implement the fix across numerous servers, causing lengthier business disruptions. In one high profile case, Delta Airlines estimated it experienced $350 to $500 million in losses in 5 days from flight disruptions and threatened legal action against both CrowdStrike and Microsoft to seek damages. 

In this instance, system failure coverage would have been necessary to access the insurance policy because the outage was caused by a faulty update (not a cyber attack).  

Action: Improve alignment between risk management and security teams to invest in the right CBI coverage, leverage comprehensive IR, and manage third-party risk.  

1) Ensure alignment between risk management and security teams when evaluating CBI policies 

All company stakeholders need to understand the types of available cyber insurance to select the coverage which aligns with the company’s needs. Risk management and security teams should collaborate to establish a baseline awareness of cyber insurance, CBI (vs. BI) policies, system failure coverage, and other relevant types of insurance (such as commercial crime coverage) to inform well-aligned coverage selection. For example, if a business is highly dependent on third-party IT services for its operations, CBI coverage should be a key aspect of its cyber insurance policy.  

Converge Insurance combines cyber insurance expertise, security, and technology to provide companies with cyber protection, offering CBI in its base cyber insurance policy for SMBs.  

CyberCube’s Broking Manager tool uses advanced data analytics to assist insurance brokers with risk quantification and helps brokers work with their clients to determine how much and what types of cyber insurance to purchase. 

SolCyber helps SMBs acquire enterprise-grade security capabilities through a managed security program which includes cyber insurance coverage, simplifying security and helping companies better manage third-party cyber risk. 

2) Leverage comprehensive Incident Response (IR) capabilities to prepare for and mitigate vendor incidents that disrupt company operations 

Work with an incident response firm to help you prepare for incidents—whether to a vendor’s systems and data or your own—and mitigate their impact. Having a proven IR firm on retainer can also increase your company’s insurability, showing insurers that you have strong security controls and risk management practices in place. 

Surefire Cyber helps companies prepare for, respond to, and recover from cyber incidents with resilience. Surefire’s expert team has extensive experience in developing IR plans, exercising those plans with technical and executive leadership, and providing incident retainer services. 

 

3) Develop strong third-party risk management practices 

Reduce the likelihood and impact of a vendor outage affecting your company by evaluating third-party security and managing software supply chain risk. ReversingLabs helps companies secure third-party software with capabilities to create SBOMs, hunt for and analyze malware threats, and assess third-party risk.