Business Interruption from a Cyber Attack — Where PI Doesn't Help

The first-party loss that PI cannot reach. How cyber business interruption cover works in practice, where the structure traps unwary buyers, and the long-tail loss that almost nobody covers.


The scenario

A 90-fee-earner regional law firm with three offices is hit by ransomware on a Wednesday morning. The attack encrypts the practice management system, the document management system, the time recording and billing system, and the email server. The case files are intact in encrypted form; the encryption key is not.

The firm’s offsite backups are tested quarterly and are current to the previous Friday — five working days of work is lost. The forensic team confirms the attack vector (an unpatched VPN appliance) and begins recovery. The firm operates in degraded mode (manual time recording, paper diaries, hotmail for inbound correspondence) for 11 working days. Full restoration is achieved on day 16.

The firm calculates its lost gross profit. A typical month yields around £4.2m of revenue and £1.1m of gross profit. The 11-day disruption represents around half a month of below-normal activity, which translates to approximately £480k of lost gross profit. Plus the cost of the disruption itself (overtime, temporary staff, courier and printing costs to operate without systems) of around £85k.

The firm’s PI policy does not respond to this loss. The firm’s cyber policy does — subject to the waiting period, the period of indemnity, the deductible, and the but-for the event calculation.

Why PI doesn’t help

Professional indemnity is a third-party liability policy. It responds to claims by third parties (clients, regulators in some forms) for losses they suffer. It does not pay the insured’s own first-party losses.

The firm’s lost gross profit during the recovery period is the firm’s own loss. There is no third-party claimant. PI is silent.

The narrow exception: if the firm’s inability to operate caused it to breach client deadlines and clients suffered loss (see spoke 3), the client’s claim against the firm can be addressed by PI. The firm’s own lost revenue cannot.

How cyber business interruption works

The cyber policy’s BI head typically has the following structure:

Trigger. A covered cause — usually defined as a security failure, unauthorised access, malware, ransomware, denial of service or a wider category of cyber events. The trigger must be a cyber event; an ordinary power outage or hardware failure does not trigger cyber BI.

Waiting period. A waiting period is a time-based deductible. The most common value is 8 hours, with policies offering 12, 16 or 24 hours at the upper end. Loss during the waiting period is not covered. A 12-hour waiting period on a 16-day incident means 12 hours of the loss are uninsured.

Period of indemnity. The period during which BI loss is calculable. The market norm is 90–180 days. The period typically begins at the commencement of the BI (i.e. at the moment the firm’s revenue is affected) and ends at the earlier of (a) restoration of normal operations, or (b) expiry of the period of indemnity.

Loss measure. Loss of gross profit — defined in the policy, often by reference to net profit plus continuing standing charges, or by reference to revenue minus variable costs. The exact definition matters.

Increased cost of working. A separate sub-head covering the cost of operating during the disruption (overtime, temporary staff, alternative systems). Often subject to a sub-limit.

Restoration period. Some policies offer cover during a restoration period during which the firm is recovering revenue but has not yet returned to baseline. The period of indemnity may extend through this phase.

Deductible. A monetary deductible in addition to the waiting period. £25k–£100k is typical.

The “but for” calculation

The hardest part of any BI claim is the but-for the event calculation. The insurer asks: what revenue would the firm have earned during the recovery period if the cyber event had not occurred?

The answer is rarely obvious. The firm’s revenue varies by month, by client, by matter mix, by partner activity, by seasonal factors. The insurer’s loss adjusters will scrutinise:

The firm’s historic monthly revenue and gross profit. The trend (was the firm growing or declining). The pipeline (what matters were active, what was due to complete). The matter mix (high-volume conveyancing earns differently from low-volume litigation). Whether revenue was lost or merely deferred (work performed two weeks later is not lost; it’s deferred).

The deferral question is the most contentious. Where a litigation firm’s deadlines simply slip by two weeks, the firm’s annual revenue may be unchanged — the cases settle in the next quarter. The insurer argues the loss is not real. The firm argues the cash-flow effect, the client churn, the goodwill impact, the marginal cases that drifted away.

The case law on professional services BI is thin in the UK. The general BI principles from Westchester Fire Insurance Co v American Boating Association and the line of insurance authorities apply: the loss must be the loss of a benefit the insured would have earned, not merely a benefit deferred.

Worked numerical example

Putting it together for the regional law firm:

Head Quantum Notes
Revenue loss during BI period (claimed) £880,000 gross revenue affected
Variable costs avoided £180,000 reduced billable hours costs
Net BI loss claimed £700,000 gross-profit basis
Insurer adjustment for deferral (40% of loss treated as deferred not lost) -£280,000 contested
Waiting period (12 hours) -£18,000 uninsured
Insurer settlement £402,000
Increased cost of working (temp staff, overtime, courier) £85,000 sub-limited
Deductible -£50,000 first-pound
Net BI settlement £437,000

Compare to the firm’s claimed loss of £565k (gross profit plus ICW). The insured-uninsured gap is approximately £128k, sitting in deductible, waiting period, and the deferral adjustment.

The long-tail loss the policy doesn’t reach

The 16-day acute disruption is one thing. The 12-month tail of impact is another.

In the months following the public incident, the firm experiences:

The cyber BI cover does not respond to any of this. The period of indemnity expired on day 90 or day 180. The long-tail loss is uninsured and frequently exceeds the BI claim itself.

Some specialist cyber policies have begun to offer extended period of indemnity extensions of 365 days or longer; some include a reputational harm sub-limit (typically £100k–£250k) that picks up a portion of the long-tail; some include a contract loss extension that responds to specific identifiable lost contracts. None reach the full tail.

The contingent BI question

What about disruption caused by a third-party cyber event affecting the firm?

A growing portion of cyber BI claims arise from the failure of a vendor — a cloud provider, a SaaS document management vendor, a managed services provider. The firm itself is not breached; the vendor is. The firm cannot work because the vendor’s service is unavailable.

Standard cyber BI cover responds to the firm’s own systems being affected. Contingent business interruption cover responds to vendor outages. Many cyber policies include CBI as a sub-limit ranging from £250k to the full BI limit; some exclude it.

The Kaseya, MOVEit, SolarWinds, CrowdStrike-Falcon and Microsoft Azure outages of the last five years have driven significant CBI claims. Underwriters are tightening sub-limits and adding waiting periods specifically for CBI.

The vendor failure question

Where the vendor’s failure causes the firm’s BI, the firm has two routes of recovery:

Its own cyber CBI cover (subject to limit, waiting period, deductible).

A contractual claim against the vendor. The vendor’s terms usually cap liability at a fraction of fees paid (typically 12 months of fees or 12 months of the cost of the affected service). The vendor may carry its own cyber and tech E&O insurance, but the firm’s claim sits within the queue of vendor’s claimants.

The realistic recovery in vendor-cyber events is often pennies on the pound.

Practical buyer takeaway

For any firm with revenue dependence on systems:

Confirm your cyber BI period of indemnity. 90 days is short for a firm with long-cycle revenue (litigation, transactions). Negotiate 180 days as a minimum; 365 days where possible.

Reduce the waiting period to the shortest the market will write. 8 hours is common; 4 hours is available in some markets at additional premium.

Confirm CBI cover for vendor outages and the sub-limit.

Document your gross profit calculation methodology in advance. The argument over but-for is much easier with pre-agreed methodology.

Track your active matter pipeline weekly. The pipeline data is the foundation of a BI claim.

Negotiate an extended period of indemnity extension for reputational and contract loss.

Maintain a documented business continuity plan and an actual practised recovery procedure. The insurer will ask in adjustment whether the disruption was prolonged by inadequate BCP.

Stress-test your backup-and-recovery times. The recovery time objective (RTO) is the single biggest determinant of BI quantum.

FAQ

Q1. Does cyber BI cover power outages? Not normally. Cyber BI requires a cyber event. Power outage from a grid failure is not cyber. Power outage from a deliberate attack on the firm’s systems may be.

Q2. Does cyber BI cover system failure unrelated to attack — for example, accidental administrator error? Some policies do — under a system failure head — others do not. Read the wording. The market is moving towards inclusion of unintentional system failures.

Q3. Can I claim partner time spent on the recovery? Generally no. Partner time is a cost the firm already bears. Some policies offer a crisis management sub-limit for executive time but the typical award is small.

Q4. What if my firm is hourly billing — is “lost time” lost revenue? The deferral argument applies. If the work would have been billed in the affected month but is in fact billed in the following month, the loss is at most a cash-flow loss. The insurer will reduce the claim accordingly.

Q5. Does cyber BI cover sub-contractor work I had to outsource? Often yes, as part of increased cost of working. The cost is generally indemnifiable subject to reasonableness and sub-limit.

Q6. What about lost contracts I would have won? Generally not. Lost opportunity is not the same as lost revenue. Some specialist extensions exist but are not standard.

Q7. Will my BI claim be paid in instalments? Often the insurer will pay interim instalments based on initial calculations, with a final settlement on agreed methodology. Most insurers want to see audited monthly figures.

Q8. How does cyber BI interact with property BI? Property BI requires physical damage to property. A cyber event without physical damage does not trigger property BI. The two policies are non-overlapping in most cases.

Sources

Standard market cyber BI wordings (Lloyd’s and company markets). Lloyd’s Market Association cyber BI clauses including LMA5499 series where applicable. Insurance Act 2015. Loss adjustment methodology — Chartered Institute of Loss Adjusters guidance. NCSC business continuity guidance.

Related

Hub: Cyber vs PI — where cover ends and begins Spoke 3: Ransomware affecting client deliverables Spoke 8: Reputational damage post-breach

Disclaimer: Insurance and legal commentary, not advice on your specific cover. Cyber and PI policy wordings vary materially across insurers — always read your specific policy or ask your broker. Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority, FRN 724952.

Talk to a specialist broker

Apex Insurance Brokers serves UK professional services firms and commercial businesses. Call 0117 325 0027, email hello@apexinsurancebrokers.co.uk, or request a quotation.

Get a quote
Our service promise. We acknowledge every quote request the same working day. For straightforward risks, indicative terms typically follow within five working days. Complex risks — higher-risk buildings, cladding, mid-term proposals requiring fresh underwriting — may take longer; we’ll send you a progress note by the end of the fifth working day in those cases.
★ 4.0 on Trustpilot (verified)|Listed on the ARB PI broker list|FCA FRN 724952