Cyber Loss: Business Interruption Calculations

By Chris Johnson, CPA, J.S. Held


It seems as though every week we hear about a ransomware attack that has crippled a business and exposed personal information. Ever since Covid-19 disrupted normalcy in 2020, and businesses adapted to remote and online operations, ransomware attacks have been on the rise. Ransomware is a type of malware that infects a computer, encrypts the victim’s data, and the threat actor demands a ransom in exchange for the decryption key which unlocks the data. In 2021, the top 5 industries hit by ransomware attacks included construction, manufacturing, finance, healthcare, and education. The average number of downtime days for victimized businesses has risen from 15 days in Quarter 1 of 2020 to over 22 days in the third quarter of 2021. With the odds of ransomware attacks and their longevity increasing, the importance of cyber insurance and business interruption coverage are becoming more important for businesses in all industries.

Cyber Policies

Over recent years, the insurance markets have realized that cyber liability needs have evolved, and many insurance carriers offer standalone cyber policies to help protect businesses from the devastating costs of an attack. Included in many of these policies is business interruption coverage.

Triggers & Types of Losses

Like many commercial property policies, the intent of business interruption coverage under a cyber policy is to make the insured whole by paying the expected net profit and continuing expenses the insured would have earned had no loss occurred. However, a few key differences are notable in cyber policies. The trigger under the cyber policy is generally either a system or service disruption. In either case, the losses must be measurable, and material interruption or suspension of service either to the insured’s computer system (system disruption) or to a service provider’s network must have occurred as a direct result of a cyber-attack.

Waiting Period

Once a cyber-attack has occurred, most cyber liability policies have waiting periods that are applicable to business interruption. A waiting period is the number of hours that must elapse after a disruption (system or service) occurs before the insurer will become obligated to pay a covered loss of business income and extra expense. Many of these waiting periods are measured in hours, not days. Waiting periods can be six hours or more depending on the policy.

After the waiting period has expired, the period of restoration begins at the time of the disruption and ends on the date and time the system disruption ends or should have ended with reasonable due diligence and effort. This period is specifically defined by the policy, and we defer to the carrier for interpretation of this period. Frequently, insureds will realize that the system in place at the time of the cyber-attack was inadequate and will choose to enhance or make improvements to the system. If additional time is taken to make enhancements, typically the policy will not allow for loss of business income during this time. Many times, technical experts are retained to investigate the breach, determine the damages, and determine the appropriate period of restoration. Like any other property loss, the length of the period of restoration could be a material measurement issue.

Calculating Cyber Business Income Loss

The first step a forensic accountant will consider in calculating the business income loss is to determine the “but for” sales that the insured would have earned had no loss occurred. Cyber losses can complicate the determination of the “but for” revenues for many reasons. Concerning sales projections related to cyber-attacks, many times forensic accountants will analyze the financials of the entire company versus one location or region. This can be different from many property losses as property losses usually occur at one location or in a specific region, while cyber-attacks could impact the insureds entire organization. Online sales versus brick-and-mortar business need to be analyzed individually as sales and margins could vary. Also, many cyber losses may only extend for a few hours or just a few days.

After determining lost revenue, saved (avoided) costs are required to be evaluated. Saved, or avoided costs, are costs the business would have incurred in connection with the generation of its lost revenue. Saved costs can be impacted and can vary depending on the length of the period and whether the cyber event caused a total outage or a partial outage. Once saved costs are calculated, they are deducted from lost revenue to arrive at the business income loss.

In addition to direct variable (saved) expenses, payroll is an expense that is often discussed at great length. Many times, the insured will utilize its own salaried IT staff to assist with restoring backups, remediating its system, or rebuilding a new IT infrastructure. This work usually takes many employees working long hours to get the business back in operation as quickly as possible. The insured will try to make a claim for the payroll costs for these employees. Since salaried employees are a fixed cost, the expense is usually not allowed. However, if hourly employees are utilized and work over and above normal hours, the incremental increase could be considered an extra expense depending on the policy.

Additional Considerations When Calculating Business Income Losses

Some businesses may be able to make up lost sales once the systems are restored. In cases where sales can be made up, consideration past the period of indemnity may be necessary to account for these sales. In addition, if the insured can continue to generate sales during the disruption period but is unable to book those sales until after the system is restored, the delayed sales will need to be evaluated. Another consideration is potential policy coverage limits. Some policies include limits that are all-encompassing of loss-related expenses that may reduce the amount of business income that can be collected. Many times, the policy limit includes ransom payment, restoration costs, and business income. 

Conclusion & Contact Information

As with all losses, it is good practice to engage a forensic accountant as early as possible to assist in discussions with the insured and the adjustment team to understand the impacts of the cyber event.

If you would like more information about business interruption and cyber-related losses, please contact Chris Johnson, CPA, at (404) 481-48800 or via email at, or through our website at

This is a publication of Southern Loss Association, Inc., P.O. Box 421564, Atlanta, GA 30342. The articles published on this website are in a general format and are not intended to be legal advice applicable to any specific circumstances. Legal opinions may vary when based on subtle factual differences. All rights reserved.