What Forensic Accountants Should Consider When Analyzing a Business Interruption Insurance Claim Following a Ransomware Attack | JS detained

As businesses continue to rely on computers and the digital storage of important data, cyberattacks pose a growing potential threat to these organizations, especially now that businesses have shifted their workforce to remote work. There are many types of cyber threats and the pandemic has led to an increase in ransomware attacks. Ransomware is malicious software specifically designed to disrupt, damage, or gain unauthorized access to a computer system. The threat actor uses encryption to hold a victim’s information for ransom.

Ransomware attacks have affected organizations such as public school systems, insurance companies, government agencies, IT companies, healthcare facilities, food manufacturers and utility providers, to name a few. name a few. Even companies that help recover from ransomware attacks, such as cyber insurance companies and data storage/backup providers, are not safe.

A business interruption (BI) occurs when a business experiences a loss of revenue as a direct result of a system failure. Business interruption claims are nothing new, but BI from a standalone cyber liability policy is an evolving concept. Historically, BI coverage has been provided through commercial property policies. A growing number of business interruption claims result from cyber-ransomware attacks. But cyber liability insurance policies differ from insurer to insurer, so it’s important to understand the policy and ask crucial questions.

So what makes cyber business interruption claims unique?

Waiting Periods and Policy Limits

Most business interruption claims have a waiting period. Stand-alone cyber policies differ from typical BI claims because waiting periods for cyber activity interruptions are typically less than a day, ranging between 6 and 24 hours compared to the normal 24 to 72 hours for losses. commercial BI. It is important to understand the waiting period as it is the amount of time an insured must wait before the calculation of business income begins. It is also important to know whether the times of the waiting period are based on clock hours or business hours, as this can have a significant impact on business interruption analysis.

In addition to understanding the waiting period, it is important to understand the policy limits as ransom payments may be included in the BI limit. This could affect how you analyze the BI claim (for example, if you have a BI limit of $1 million, a business interruption claim of $3 million, and a ransom payment of $700,000 that has been covered and paid under the BI policy, you may not need to analyze all aspects of the BI claim because the insured only has $300,000 of BI coverage left after the payment of the ransom).

Restoration Period/Compensation Period

The recovery period refers to the period for which the loss of income is covered. Cyber ​​claims generally have a shorter measurement period. Many policyholders make a claim and they don’t wonder if it falls within their coverage period. One of the main difficulties in measuring an IT business interruption loss concerns the applicable indemnification period. For real estate claims, the duration of compensation is most often based on the duration of repairs. With an eClaim, the start and end time/date is more difficult to define. As accountants analyzing a business interruption claim, we need to understand not only the financial side of the business, but also the technical side of the event. We defer to the carrier for the appropriate period of compensation.

An example would be a lost contract claimed due to a cyber event. It would be less difficult to quantify a lost contract measured at face value; however, there are details to consider, including:

  • The start date of the contract
  • How long would the contract have lasted
  • Did the contract fall within the defined compensation period
  • Was the contract subsequently replaced by another contract
  • Could the contract be performed at a later date
  • How much revenue was lost from the policy during the covered loss period

The indemnity period could be further complicated if the company’s systems are back online, but the insured continues to incur business interruption losses. It is also not uncommon for some system upgrades or changes to be made after the event. However, these upgrades may extend the time it takes to resume normal operations. This extension of time cannot be considered part of the indemnity period under the provisions of the policy. The forensic accountants will rely on the technical assessment of what was achieved after the event and the carrier’s guidelines as to how everything fits into the policy coverages.


Consideration should be given to deferred revenue or revenue that may still be realized after the repairs are completed. For example, if a manufacturer was unable to produce their product for two days, they had inventory, production was caught up once their system was back online, and they were not full capacity before the loss, there may be no IB Loss. However, if the insured increased production and paid employees overtime to compensate for production during off-peak hours, the insured may have incurred additional expenses instead of lost business income.

Saved costs and additional expenses

The costs saved (avoided) must be calculated to determine the net income lost. The costs saved in a cyber claim may be different from a property claim. There are savings such as cost of goods sold, credit card fees, and other variable selling costs that should be the same in both loss scenarios. However, expenses related to the physical location, such as rent and utilities, may not be spared as the insured normally remains in their physical space while they restore their computing capabilities. In addition, the insured sometimes uses salaried IT personnel to carry out the necessary computer repairs/restorations. Often the most important decision a business owner has to make is whether to continue paying non-productive employees during the shutdown period or temporarily lay off staff.

A common problem occurs when an insured uses their salaried staff to rebuild/repair their systems and claim these costs as an additional expense. Salaried staff is considered a fixed expense and is generally not allowed as an additional expense because the business has not incurred any additional salaries due to the cyber event. In addition, the insured can call on internal hourly personnel to carry out the repairs. If the payroll remains at normal levels, there could be a duplication between the authorized payroll in the technical evaluation and the operating loss. Payroll should only be considered once. It is also common for an insured to claim lost billable hours for any employee who spent time restoring the computer system. However, only employees who were normally billable before the cyberattack could potentially lose revenue for the insured during the downtime.

It is important to communicate early in the claims process the potential cost savings or additional expenses and their impact on the BI analysis. Also, consider whether these expenses fall within the compensation period.

Geographical position

During a cyber event, a forensic accountant may need to examine the entire business rather than a single location or region. While some cyber losses may affect only one location, others may affect multiple locations, even globally. It is important to understand how the cyberattack affected sales, especially if the business generates sales through e-commerce and physical stores. Sales and expenses should be analyzed for any potential makeup.

If multiple locations are affected worldwide, it is imperative to work with the insured and the carrier to determine the impact on only the covered locations, as there may be multiple insurance policies involved and potentially no coverage for some locations.


Cyberattacks are inevitable and business interruptions are a major driver of cyberlosses. According to Allianz Global Corporate & Specialty SE (11/19/20), business interruption losses have accounted for 60% of cyber insurance claims over the past five years. A forensic accountant should be engaged as soon as possible to help communicate with the insured and the adjustment team to understand the impacts of the cyber event. The accountant will also help manage expectations of what will be needed to quantify a business interruption loss and help identify ways to mitigate the loss.

Comments are closed.