When a manufacturer, retailer or warehouse operator is hit by ransomware, the operational consequences look exactly like a property-damage event — output lost, premises unusable, recovery time measured in days or weeks. The instinct is to call the property broker. The actual answer is more complex: property may decline because there is no physical damage, BI may decline because it requires a property trigger, and the cyber policy may be the only one in the programme that responds. This guide walks through the analysis with a worked example, the cyber exclusion drafting points, and the non-damage BI extensions that materially change the picture.
A 480-employee plastics manufacturer in the Midlands operates two factories and one finished-goods warehouse. The business runs on a Microsoft Dynamics 365 ERP, a manufacturing execution system (MES) from a specialist vendor, and a WMS (warehouse management system) connected to barcode scanners on the warehouse floor. Production scheduling, material call-off, machine setup files, quality records and shipping documents all flow through the integrated stack.
On a Sunday at 02:17, the network is compromised by a known ransomware-as-a-service operator. The attacker has been present for fourteen days following an initial compromise of a finance team mailbox; the lateral movement was completed through the weekend. The ransomware payload encrypts the ERP database, the MES configuration files, the WMS database, the file server, and all online backups. The offline backup tape from the previous Friday is intact.
The Monday-morning impact:
- ERP is unavailable. Production scheduling, material call-off and shipping are blind.
- MES setup files are encrypted. Production lines cannot be reconfigured for the scheduled SKU mix.
- WMS is down. Warehouse operations are manual; barcode scanners are offline; stock locations cannot be confirmed.
- 220 production employees are on site with nothing to do. The works council is called.
- A scheduled outbound shipment of £180,000 of contracted product to a Tier 1 automotive customer is at risk. Late delivery penalties under the supply agreement run to £25,000 per day plus £80,000 per day of full line stoppage at the customer’s plant.
The ransom demand is $2.4m. The threat actor offers a decryption key and a separate “data deletion” guarantee. 380GB of files have been exfiltrated according to the attacker’s leak site claim, including pricing data, customer drawings, HR records and supplier contracts. A leak countdown timer is published.
The manufacturer’s cyber broker is called at 03:40 on Monday. The property broker is called at 09:20. The crime broker is called at 13:00 once the wider exposure becomes apparent. By Tuesday morning the panel forensic firm has arrived; the cyber insurer’s panel lawyer is on the call; the IT director and the CFO are reviewing the ransom decision.
Contractual liability. The supply agreement with the Tier 1 automotive customer is a JIT (just-in-time) agreement with conventional penalty clauses for late delivery and pass-through clauses for line stoppage at the customer’s plant. The customer’s claim is in contract; the manufacturer’s defence is the cyber event as a frustrating circumstance (uncertain at common law), the force majeure clause (which on this contract excludes cyber events by 2024 amendment), and mitigation arguments.
Data protection. The exfiltration includes personal data of staff and customer contacts. UK GDPR Article 33 requires ICO notification within 72 hours of awareness. Article 34 requires data subject notification where the breach is likely to result in high risk; the leak threat plus the volume make this likely. The manufacturer’s data protection officer is engaged immediately.
Sanctions. The threat group is on the OFAC SDN list but is not under blocking designation; UK OFSI listings are checked. Payment may be lawful subject to careful sanctions review by the panel law firm. The OFAC advisory of September 2021 and the parallel UK OFSI guidance both make clear that payment to designated persons would breach sanctions; payment to non-designated groups is a fact-specific question.
Sector-specific. The manufacturer is not in a regulated sector under the NIS Regulations 2018 (it is not a designated operator of essential services) and is not subject to the FCA, PRA or sector-specific notification regimes.
The manufacturer’s cyber policy is a £10m limit, £50k retention, 8-hour BI waiting period, 180-day BI period of indemnity form placed at Lloyd’s.
Incident response. Cyber pays the forensic firm, the legal coordinator, the ransom negotiator and the public relations agency. Typical cost for an incident of this scale: £400k–£700k. The cyber insurer’s panel deploys within hours; the manufacturer is not paying these costs out of pocket up front.
Ransom payment. The panel law firm performs the sanctions analysis. Payment is recommended at a negotiated $1.4m after the negotiator’s work; the panel crypto facility handles the bitcoin acquisition and transfer. Cyber pays.
Business interruption. The manufacturer’s lost gross profit during the 18-day disruption is approximately £2.6m. After the 8-hour waiting period, cyber BI pays the lost gross profit subject to the £10m aggregate limit and any BI sub-limit.
Data restoration. Reconstructing the MES configurations from documentation, rebuilding the ERP, restoring data from the Friday tape and reconciling forward: cost approximately £350k. Cyber pays.
Breach notification. The exfiltration triggers ICO notification, employee notification and customer-contact notification. Cyber pays the legal and operational cost of approximately £80k.
ICO investigation defence. The ICO opens an investigation. Cyber pays defence costs (estimated £180k–£280k). If a fine is imposed, the policy indemnifies to the extent insurable as a matter of law.
Customer claim — the Tier 1 automotive penalty. This is the central coverage question. The manufacturer’s late-delivery penalty and the customer’s line-stoppage pass-through together total approximately £620k over the disruption window. Whether the cyber policy responds to a third-party financial-loss claim of this character depends on the policy’s contingent business interruption and failure to deliver heads. A modern cyber policy with a 2024+ form will typically respond. An older form may not.
Total cyber response (estimated): £4.5m–£5.5m of indemnity, well within the £10m limit.
The manufacturer’s property policy is an all-risks commercial combined form with a £25m sum insured for buildings and contents, £20m for stock, and a 24-month period of indemnity for BI.
Property damage trigger. The policy responds to physical loss of or damage to insured property by an insured peril. The ransomware encryption does not cause physical damage to property. The servers are physically intact; the data on them is encrypted. The market position, supported by case law including the Insurance Australia line of authority, is that data without physical embodiment is not “property” for these purposes.
The property insurer’s response: no physical damage, no trigger, no cover. The property policy does not pay.
Data restoration sub-limit. Some modern property wordings carry a small data-restoration sub-limit (£25k–£100k typically) for loss of data following an insured peril at the location. This is a narrow extension and does not respond where the loss is caused by a cyber event without physical-peril damage. Read your wording.
The cyber exclusion. Even if property’s general trigger could somehow be reached (it cannot), the property policy will carry a cyber exclusion in the LMA5400 family. The exclusion broadly excludes loss caused directly or indirectly by a cyber event. The carve-back in better wordings preserves cover for physical damage that results from a cyber event (e.g. fire caused by an attack on industrial control systems). Pure data and pure cyber BI fall within the exclusion and outside the carve-back.
The result: the property policy does not respond.
The BI policy is the BI extension of the property policy. Same trigger requirement: an insured property-damage event must have occurred.
No damage, no BI. No property damage trigger means no BI cover under the conventional BI section. The £2.6m of lost gross profit during the 18-day disruption is not covered by property BI.
Non-damage BI extensions. The better commercial wordings now include explicit non-damage BI extensions. These can include:
Where the cyber non-damage BI extension exists, the property BI may respond. The extension typically has its own sub-limit (£250k–£2m is common), its own waiting period, and its own period of indemnity that may be shorter than the main BI period.
For most commercial buyers without a negotiated cyber non-damage BI extension, the property BI does not respond to ransomware losses.
The manufacturer’s crime policy is a commercial fidelity bond with a £5m limit and sub-limits of £500k for funds transfer fraud, £500k for computer fraud and £250k for social engineering.
No money stolen. In this scenario the attacker did not transfer money out of the manufacturer’s accounts. The ransom payment is voluntary (under duress, but voluntary in a contract sense). The crime policy does not respond to the ransom payment itself; the cyber policy does.
If the attacker had taken funds. Had the attacker accessed the banking platform and initiated a transfer, the computer fraud sub-limit would respond (up to £500k) and the cyber crime head of the cyber policy would also respond (up to its sub-limit). The two policies would co-ordinate; the higher available sub-limit would lead.
Internal fraud risk discovered during incident response. A common pattern: during forensic review, evidence emerges that the initial compromise was assisted by an insider. The crime policy’s employee dishonesty head may then respond to the consequential losses. The cyber policy’s cyber crime head may or may not, depending on the wording’s treatment of insider acts.
The single sentence that decides whether property and BI engage at all is the cyber exclusion. The LMA5400 series wording (and analogous proprietary clauses) typically reads:
Notwithstanding any provision to the contrary within this Policy, this Policy excludes any loss, damage, liability, claim, cost or expense of whatsoever nature directly or indirectly caused by, contributed to by, resulting from, arising out of or in connection with: (a) the use or operation, as a means for inflicting harm, of any computer, computer system, computer software programme, malicious code, computer virus or process or any other electronic system; or (b) any cyber act or cyber incident.
The exclusion is broad. The carve-back varies. The Lloyd’s market standard carve-back (LMA5403 and analogous) preserves cover for physical damage to property arising from a cyber event other than a state-sponsored cyber event. The frontier question post-NotPetya — the Merck v ACE litigation in the US — is whether a sophisticated ransomware attack constitutes “war” or “hostile act” for these purposes. The US position (Merck won at trial level on the war exclusion; the appellate position is settled in Merck’s favour) supports a narrow reading of the state-sponsored exclusion; the UK position is less litigated but informed by the same logic.
For a UK commercial buyer reviewing their property and liability wordings, the central question is: which LMA cyber exclusion is mounted, and what does the carve-back preserve? A property policy with LMA5403 mounted preserves cover for fire and physical damage following a cyber attack; a property policy with LMA5400 plain mounted does not.
Putting it together for the manufacturer scenario:
| Head | Quantum | Policy | Notes |
|---|---|---|---|
| Forensic + legal + negotiator + PR | £580,000 | Cyber | first-party incident response |
| Ransom payment ($1.4m) | £1,120,000 | Cyber | after sanctions clearance |
| Manufacturer BI loss (18 days) | £2,600,000 | Cyber | after 8hr wait, within 180-day PoI |
| Data restoration | £350,000 | Cyber | non-recoverable data and reconstruction |
| Notification + DPO support | £80,000 | Cyber | UK GDPR Art 33/34 |
| ICO defence (estimated) | £220,000 | Cyber | regulatory investigation |
| Tier 1 customer claim | £620,000 | Cyber (contingent BI / failure-to-deliver head) | if extension purchased |
| Property damage | £0 | n/a | no physical damage |
| Property BI | £0 | n/a | no damage trigger |
| Crime — money stolen | £0 | n/a | no theft |
| Reputational/customer churn (year 1) | £900,000 | Uninsured | long-tail not covered |
| Total quantum | £6,470,000 | majority cyber | |
The £900k reputational tail and any customer attrition over year 2 onwards is the structural gap.
The most material renewal-cycle change a commercial buyer can make is negotiating a non-damage BI extension to the property policy that includes cyber as a trigger. The drafting question is whether the property BI’s longer period of indemnity (12 or 24 months) can be made available for cyber-triggered losses where the cyber policy’s BI runs out at 90 or 180 days.
Two structures are common. The first is a follow-form extension: the property BI extension responds on the same basis as cyber BI for the period exceeding the cyber policy’s period of indemnity. The second is a standalone extension: the property BI extension responds for cyber events with its own waiting period, sub-limit and period of indemnity, separate from the cyber policy.
Either structure is materially better than the default position of no property BI cover for cyber. The cost is moderate (typical premium uplift £5k–£20k depending on size); the value is substantial.
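The period-of-indemnity mismatch and the two extension structures described above, as an added illustration that is not from this guide or from any insurer’s wording: a small allocation model using the 8-hour / 180-day cyber form and constructed figures for a hypothetical £2m property non-damage extension. The £144k daily gross profit, the £2m and 24-month extension terms, and the rule that the standalone structure never pays hours cyber already covers (no double recovery) are all assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cover:
    """One BI cover: waiting period, period of indemnity (PoI) and sub-limit."""
    waiting_hours: int
    poi_days: int
    sub_limit: float


@dataclass(frozen=True)
class Extension(Cover):
    structure: str  # "follow_form" or "standalone"


def _overlap(a, b):
    """Hours common to two half-open hour intervals [start, end)."""
    return max(0, min(a[1], b[1]) - max(a[0], b[0]))


def allocate_bi(outage_days, daily_gross_profit, cyber, extension=None):
    """Split lost gross profit between cyber BI, a property non-damage BI
    extension and the uninsured remainder. All values in pounds."""
    outage_h = outage_days * 24
    rate = daily_gross_profit / 24          # gross profit lost per hour
    total = outage_h * rate
    # Cyber BI pays from the end of its waiting period to the end of its PoI
    cyber_iv = (cyber.waiting_hours, min(outage_h, cyber.poi_days * 24))
    cyber_h = max(0, cyber_iv[1] - cyber_iv[0])
    cyber_pays = min(cyber_h * rate, cyber.sub_limit)
    prop_pays = 0.0
    if extension is not None:
        if extension.structure == "follow_form":
            # Same basis as cyber, but only for the period beyond cyber's PoI
            ext_iv = (cyber.poi_days * 24, min(outage_h, extension.poi_days * 24))
            ext_h = max(0, ext_iv[1] - ext_iv[0])
        else:
            # Standalone: own waiting period and PoI; assumption: no double
            # recovery, so hours already covered by cyber are excluded
            ext_iv = (extension.waiting_hours, min(outage_h, extension.poi_days * 24))
            ext_h = max(0, ext_iv[1] - ext_iv[0]) - _overlap(ext_iv, cyber_iv)
        prop_pays = min(ext_h * rate, extension.sub_limit)
    return {"total": total, "cyber": cyber_pays, "property": prop_pays,
            "uninsured": total - cyber_pays - prop_pays}


# Constructed figures: the guide's 8-hour / 180-day cyber form with its £10m
# limit, and a hypothetical £2m extension with a 24-month PoI.
CYBER = Cover(waiting_hours=8, poi_days=180, sub_limit=10_000_000)
FOLLOW_FORM = Extension(waiting_hours=0, poi_days=730, sub_limit=2_000_000, structure="follow_form")
STANDALONE = Extension(waiting_hours=24, poi_days=730, sub_limit=2_000_000, structure="standalone")
DAILY_GP = 144_000  # constructed: roughly £2.6m over the 18-day outage

if __name__ == "__main__":
    for days, ext in [(18, None), (18, FOLLOW_FORM), (240, FOLLOW_FORM), (240, STANDALONE)]:
        print(days, "days", ext.structure if ext else "no extension", allocate_bi(days, DAILY_GP, CYBER, ext))
```

The 18-day case lands entirely on cyber, with only the 8-hour waiting period uninsured; the 240-day case shows the cyber sub-limit and 180-day PoI exhausting and the extension picking up only its own sub-limit, which is the gap the guide describes.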
For any commercial business with operational dependence on IT and a property BI policy with a 12+ month period of indemnity:
Negotiate a non-damage BI extension to your property policy that contemplates cyber events. The extension is the bridge between the cyber policy’s shorter BI period and the property policy’s longer one.
Audit which LMA cyber exclusion is mounted on your property and liability policies. LMA5403 with carve-back preserves cover for physical damage following a cyber event; LMA5400 plain does not.
Match retroactive dates between cyber policies year-on-year. A cyber breach discovered today may have started months ago; the retroactive date must extend.
Pre-engage the cyber insurer’s incident response panel. Print the phone numbers. The first 12 hours of a ransomware incident set the trajectory of the entire claim.
Test backups quarterly, including offline immutable backups. The single most preventable factor in major ransomware losses is backup failure.
Segment OT from IT networks where any industrial control system is operated. Manufacturers, utilities, food processors, transport operators — all have this exposure.
Review your supply agreements for force majeure clauses that exclude cyber events. The 2022–2024 wave of contract amendments has narrowed force majeure protection materially.
Maintain a printed (paper) playbook covering: ICO 72-hour notification template, cyber insurer’s emergency phone number, panel forensic firm, panel law firm, key supplier contacts, HR communication template, customer holding-statement template.
Q1. Can my business pay the ransom directly without involving the cyber insurer? Technically yes, but you sacrifice the cyber policy’s first-party response cover plus you face FCA/HMRC anti-money-laundering complications and reputational risk. Don’t.
Q2. Is paying the ransom illegal in the UK? Per se no, but subject to sanctions law (OFSI), proceeds-of-crime considerations (POCA 2002), and Terrorism Act 2000 considerations if the recipient has terrorist affiliations. Each payment is assessed on its facts; the panel law firm performs the analysis.
Q3. What if my offline backups had restored cleanly — would cyber still respond? Yes, to the cost of the incident response, the BI during the period of unavailability, the notification, and the regulatory defence. The ransom would not be paid.
Q4. Does property cover physical damage caused by a cyber attack on industrial controls? Where the LMA5403 (or equivalent) cyber exclusion is mounted with the physical-damage carve-back, yes. Where LMA5400 plain is mounted, no — and the cyber policy must cover the physical damage element, which not all wordings do.
Q5. What’s the period of indemnity for cyber BI? Market norm 90–180 days; some specialist insurers offer 360 days. The waiting period is typically 8–12 hours. Compare to property BI which is 12–24 months. The mismatch is the gap.
Q6. Does it matter for the indemnity whether the attack was preventable? For the indemnity, no — cyber policies cover negligent security failures by the insured (subject to specific exclusions for unpatched known vulnerabilities in some wordings). For the next renewal, very much yes — the underwriter will scrutinise controls.
Q7. Can the Tier 1 automotive customer sue the cyber insurer directly? No (privity of contract). The customer sues the manufacturer; the manufacturer claims indemnity under cyber’s third-party head and the contingent BI extension.
Q8. What’s the difference between the cyber policy’s BI head and the contingent BI extension? The cyber policy’s own BI head covers the insured’s own loss of gross profit during the period of restoration of the insured’s own systems. The contingent BI head covers loss caused by the failure of a critical third party — cloud provider, payment processor, key supplier. The contingent head is essential for supply-chain cyber events.
Q9. Does the cyber policy’s BI cover increased cost of working? Standard wordings cover both lost gross profit and increased cost of working (ICW) during the period of restoration. ICW is critical: workarounds, temporary contracts and premium freight are often the largest single BI head.
- UK GDPR Articles 33, 34 and 82.
- OFAC Advisory on the Potential Sanctions Risks for Facilitating Ransomware Payments, September 2021.
- OFSI guidance on sanctions and ransomware (ongoing).
- Insurance Australia Ltd v HIH Casualty and General Insurance Ltd, and the line of authority on data as property.
- Merck v ACE American Insurance Company (Superior Court of New Jersey, Appellate Division, May 2023): war exclusion analysis post-NotPetya.
- FCA v Arch Insurance (UK) Ltd [2021] UKSC 1: BI construction.
- Insurance Act 2015, sections 10 and 11.
- NIS Regulations 2018 (where applicable to designated operators).
- LMA5400, LMA5401, LMA5402 and LMA5403 cyber exclusion clauses.
- NCSC ransomware response guidance.
- Cabinet Office and Home Office: 2024 UK consultation on ransomware payment restrictions.
Disclaimer: Insurance and legal commentary, not advice on your specific cover. Cyber, property and BI wordings vary materially across insurers — always read your specific policy or ask your broker. Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority, FRN 724952.