Cyber insurance was originally marketed as a technical product. If the servers went down, the policy would help pay to get them back up. If data was stolen, the policy would help with notification and forensic costs. What the insurance industry did not fully anticipate is that for many businesses, especially professional service firms, the most serious damage from a cyber attack is not technological at all. It is reputational, operational, and financial. Clients leave. Projects disappear. Revenue erodes long after the computers are technically “working again.”
That reality is now colliding head-on with cyber business income coverage. A recurring argument made by insurers in cyber business income claims is that once systems are restored, the loss period ends. According to this view, any decline in revenue caused by frightened customers, terminated contracts, or lost trust is simply the cost of doing business in a digital world.
A federal court decision involving a managed services provider illustrates why there is pushback to the cyber insurer view. 1 The policyholder suffered a data breach that spread malware to its clients. The insured’s systems were not completely shut down, but its employees were forced to divert enormous time and resources away from ordinary revenue-producing work to crisis remediation. During that period, several clients terminated their contracts or refused to renew. The insurer paid certain cyber expenses but denied the business income claim, arguing there was no “actual impairment” because the company was still operating.
The court rejected the insurer’s narrow framing. It held that impairment does not require total paralysis. A business can be operational and still be impaired. When a cyber attack forces a company to function at diminished capacity, when employees are pulled from normal work to manage fallout, and when clients walk away because the breach undermines confidence, those facts can support a covered cyber business income claim. The court allowed the case to proceed, recognizing that cyber losses do not end the moment the lights and computers come back on.
This reasoning matters enormously for law firms, accounting firms, technology providers, healthcare practices, and other service-based businesses. Their product is trust. When that trust is damaged by a cyber event, the financial impact is real, measurable, and often immediate.
At the same time, the decision is also a warning. The policyholder survived summary judgment, but the court made clear that proving these losses requires discipline. Business income is not simply loss of gross revenue. Courts will not accept speculation, inflated projections, or unsupported assumptions.
For policyholders and public adjusters handling cyber business income claims, several practical lessons stand out. First, document operational impairment, not just system status. Do not let the claim be framed solely around whether computers were “up.” Show how employee time was reallocated, how projects were delayed or canceled, how normal workflows were disrupted, and how capacity was reduced during the restoration period.
Second, connect client departures to the cyber event with evidence, not conclusions. Contemporaneous emails, termination letters, testimony or affidavits from those involved telling the story, and internal communications explaining why clients left are powerful. Courts respond to facts, not generalized statements about reputational harm.
Third, respect the policy’s time boundaries but do not concede them prematurely. Many cyber policies define the period of restoration ambiguously. Restoration is not always the moment a server is functional. It can include the time reasonably required to return business operations to the condition that would have existed absent the breach. That distinction can be critical.
Fourth, get the numbers right. Business income claims live or die on credibility. Engage forensic accountants and possibly economists early. Establish historical margins. Separate covered period losses from long-term business decline. A strong liability theory can still fail if damages are poorly supported.
Finally, recognize that cyber business income claims are not just technical exercises. They tell a business story. When done properly, that story explains how a cyber attack disrupted people, relationships, and revenue, and not just computerized machines that fail to work.
Cyber insurance law is evolving because cyber losses and policy forms are evolving. Courts are beginning to recognize that in a service economy, the true interruption often occurs in confidence, continuity, and capacity. Policyholders and adjusters who understand that reality, and can prove it with care, will be far better positioned to recover what the policy promised.
Thought For The Day
“There are only two types of companies: those that have been hacked, and those that will be.”
—Robert Mueller, former Director of the FBI
1 New England Systems v. Citizens Ins. Co. of America, No. 3:20-cv-01743 (D. Conn. Dec. 12, 2022). See Also, Citizens Insurance Motion for Summary Judgment Memorandum of Law, and New England System’s Memorandum in Opposition to the Motion for Summary Judgment.
