Understanding Business Interruption Following a Cyber Attack

Why Idle Labour Costs Are Typically Not an Indemnifiable Loss

We have all experienced periods when suddenly our emails or internet go down. In instances such as these, short as they may be, it is only natural to feel lost and isolated. Moreover, in today’s interconnected world where most businesses are heavily, if not entirely reliant, on functioning IT systems, cyber risks present significant challenges for businesses across all industries. When a company becomes a victim of a cyber-attack, the impact is often immediate and far-reaching, disrupting, or often bringing to a halt nearly every operational aspect of an organization. From production to logistics, administration, customer-facing functions, sales and sales order processing, a business can be brought to a complete standstill.

This reality often leads to a critical question for insurers and claims professionals at the start of most cyber losses: what are the main components and issues that need to be considered to calculate the ensuing business interruption (BI) loss following a cyber-attack? One particularly misunderstood aspect of cyber-related BI claims is the treatment of idle labour costs during periods when employees cannot work.

This article explores the unique nature of business interruption losses following a cyber-attack with regards to the frequent misconception surrounding idle labour costs, and how MDD Forensic Accountants’ expertise can assist insurers in assessing such claims accurately and efficiently.

Property vs. Cyber Risks: A Similar Framework, Different Impacts

From a technical perspective, the methodology for calculating a BI loss under a traditional property all-risk (e.g., fire) policy and a cyber risk policy is quite similar. In both cases, the policy typically indemnifies the insured for Lost Gross Profit / Lost Gross Earnings[1] as a result of lost sales. While the actual policy wording and the afforded indemnity can and does differ from insured to insured, insurer to insurer and country to country, generally the BI coverage consists of:

Net Profit: The profit the business would have earned had the interruption not occurred.
Continuing Costs / Fixed Costs: Costs that continue during the interruption period or are fixed in nature and cannot be earned via actual sales revenue when those are reduced or fully lost as a result of the cyber-attack.

However, the impact on the business of the peril itself—whether a fire or a cyber-attack—often differs significantly.

Fire Losses: After a fire, the physical premises may be damaged, but many employees can often continue working in some capacity (depending on the extent of damages), albeit less efficiently. Production might slow, and alternative locations may need to be found, but most staff remain operational and often are even more busy following the loss than under normal circumstances. This includes employees, especially in functions such as administration, sales, planning, accounting, IT along with production and logistics.
Cyber Attacks: By contrast, a cyber-attack typically renders nearly all aspects of a business idle. This idle state often only lasts for a relatively short period. Nevertheless, employees across departments—whether in production, sales, logistics, or administration—may find themselves particularly for the initial period unable to perform any meaningful work. As a consequence, companies often have no other option but to send everyone home as no work is possible while systems are down. There might of course be some staff that are required to continue working, but often dedicate a large portion of their time to recover the systems or find workaround solutions for their normal processes.

This distinction has profound implications for how losses, particularly labour costs, are viewed or perceived to be treated under a BI policy.

The Misconception About Idle Labour Costs

A common misunderstanding among insureds is that the wages paid to idle employees during a period of complete shutdown are an immediately recoverable loss that should be indemnified as part of a typical BI policy. This belief is understandable: from the insured’s perspective, these are real costs incurred, wages and other payroll-related costs continue to be paid, during a period when employees cannot work.

Hence in practice, an insured often takes precise records of all hours, sometimes down to minutes that their staff cannot work or undertake work in an inefficient manner or carry out tasks as a result of the cyber-attack and then present a claim for such labour costs, often at labour rates that not only include the labour cost itself, but also an allocation of other overheads.

However, under most BI policies, especially those that are written to indemnify the insured for the actual loss sustained, idle labour costs are not indemnified as a separate, standalone loss. Instead, these costs are addressed as part of the Lost Gross Profit / Lost Gross Earnings resulting from a loss of sales. I will explain this in more detail below.

How a Payment for Lost Gross Profit / Earnings Addresses Idle Labour Costs

To clarify this, consider how a BI policy functions:

Lost Gross Profit / Earnings Basis: The policy compensates the insured for the loss of gross profit / earnings resulting from reduced sales during the indemnity period. Gross profit / earnings encompasses both net profit and fixed expenses that cannot be earned as a result of a loss of sales (including wages).
Sales Recovery: If the insured recovers lost sales which were deferred after operations resume, the previously incurred idle labour costs are effectively recouped through these sales. It is of course possible that some additional labour costs need to be incurred after operations resume to recover the initial sales loss, and those need to be identified and should form part of the indemnity payable to the policyholder (assuming the policy affords such coverage).

Idle labour costs are thus ‘indirectly’ indemnified via the calculation of the loss of gross profit. If no sales are ultimately lost due to the interruption, there is no recoverable BI loss under the policy, bar for additional labour costs or other additional costs to mitigate the potential loss of gross profit.

A Simplified Numerical Example

To illustrate the above concept, consider the following example:

Scenario:

A manufacturing company experiences a cyber-attack on 1 January, rendering operations idle for four weeks. During this time, the company continues to pay its employees $100,000 in wages.

Impact on Sales:

Expected sales in January: $500,000
Actual sales during downtime: $0
Post-recovery sales (February): $1,000,000 (double the usual monthly sales due to catch-up of production / sales losses and use of inventory).
Labour cost increases to $125,000 in February due to the extra efforts to recover the sales that were lost in January.

Policy Indemnity:

The insured ultimately achieves all its expected sales, albeit later than planned.
Since there is no permanent loss of sales, the gross profit loss is $0.
The $100,000 in wages paid during downtime is not indemnified because it is recovered through post-recovery sales. As the labour costs increase in February from normally $100,000 to $125,000 the insured should be indemnified (assuming the policy affords such coverage) for $25,000 of increased costs or working to allow the insured to recover the initial sales losses.

This very simplified example demonstrates how idle labour costs are absorbed within the broader gross profit framework, rather than being treated as a direct, standalone loss.

Why the Misunderstanding Exists

It seems the misconception about idle labour may arise during the policy underwriting and broking stages or at the very early stages after the cyber incident but before we get instructed. I am saying this for the following: When we first get instructed, which can be weeks or even months after the cyber incident occurred to handle a new cyber BI loss, and when speaking to the policyholder during the initial kick-off meeting, often there seems to be a preconceived idea or understanding that any non-productive or idle labour cost is a claimable cost under the cyber policy. This is, however, not correct.

Cyber risks are relatively new compared to traditional risks like fire, and their unique characteristics may not always be fully understood by insureds or even insurers. Also, unlike fire losses where employees often remain partially or fully productive, a cyber attack’s immediate impact is often a complete operational idleness causing many employees unable to carry out any productive work or any work at all. This stark difference may lead policyholders and their advisors to assume that idle labour costs are automatically recoverable. The confusion may also arise due to many policies referring to coverage for ‘continuing costs, including labour costs’.

Better communication may be needed regarding the scope of coverage respective the treatment of labour costs during the policy placement period to mitigate these misunderstandings. It has been my experience that it is easier to explain the concept that coverage for ‘continuing costs including labour costs’ is afforded to the extent or proportion that sales have been lost as a result of the cyber incident, prior to the incident or as soon as the cyber-attack has occurred. The same misunderstanding often also arises when claims are presented for a portion of general fixed operational or administrative cost inefficiencies after an incident, without reference as to whether these constitute a true increase in costs.

A Unique Challenge for Cyber BI Claims

While the principle that idle labour is not indemnifiable is well-established under property all-risk policies, its application to cyber risks remains a point of confusion. The global rise in cyber incidents has highlighted this challenge, underscoring the need for insurers to approach cyber-BI claims with precision and consistency.

The complexity of cyber-BI claims stems from several factors:

Widespread Operational Impact: A cyber-attack can affect all aspects of a business, making it difficult to isolate specific losses.
Dynamic Recovery Periods: The timeline for recovery may vary widely, with initial idleness lasting weeks but full operational recovery taking months.
Mitigation Efforts: Insureds may incur additional costs to mitigate losses, further complicating the calculation of recoverable BI losses.
Financial and Operational Importance of Labour: A company’s labour force is often the most crucial company asset, carries a significant cost and needs constant cash flow. Paying staff when they are rendered idle immediately sends alarm signals to management i.e. – who will pay for my staff while they sit around and do nothing?

Given these challenges, accurate loss quantification requires specialized expertise.

How MDD Forensic Accountants Can Help

MDD Forensic Accountants is a global leader in the quantification of business interruption losses, including those arising from cyber risks. Our team has the expertise and resources to assist insurers in navigating the complexities of cyber-BI claims.

With offices worldwide, MDD professionals are uniquely positioned to provide:

Comprehensive Loss Assessments: We apply proven methodologies to calculate gross profit losses accurately, ensuring claims are settled fairly and efficiently.
Cyber-Specific Expertise: Our deep understanding of cyber risks allows us to address the unique challenges posed by these claims, from idle labour costs to dynamic recovery timelines.
Collaborative Support: We work closely with insurers, brokers, and insureds to clarify policy terms, manage expectations, and resolve claims disputes.
Early involvement to assist in Explaining BI Loss Principles: In many cases, we only get instructed weeks or even months after the Cyber-attack has occurred, However, when we are engaged early on, we can explain BI loss measurement principles to the various stakeholders to help everyone understand the underlying principles and avoid a claim being put forward at a later stage that include elements that are not indemnifiable as presented.

Conclusion: Bridging the Gap in Understanding

The treatment of idle labour costs in cyber-BI claims highlights the importance of clear communication and specialized expertise. While the principle that idle labour is not a standalone indemnifiable loss is well-established under traditional BI policies, its application to cyber risks requires careful explanation and consideration. In our experience, this issue should be explained right at the start to the insured and if done early on, in most – if – not all cases – is then also well understood and accepted by all parties. This boils down to the frequently mentioned issue of ‘management of expectations’. In our opinion, it is important that all affected stakeholders work together with a common understanding of the relevant principles to achieve the common goal of indemnifying the insured for their losses in line with the policy wording.

As the frequency and severity of cyber incidents continue to rise, insurers must be prepared to address these challenges head-on. MDD Forensic Accountants is here to help, offering unparalleled expertise and a global network of professionals ready to assist.

For more information or to connect with one of our experts, please visit our Cyber page here – https://www.mdd.com/forensic-accounting-services/cyber-risks/

By working together, insurers and forensic accountants can ensure that cyber-BI claims are managed with the precision and professionalism they require. If you have questions or need assistance with a claim, don’t hesitate to reach out to our team. We’re here to help.

By Markus Heiss.

The statements or comments contained within this article are based on the author’s own knowledge and experience and do not necessarily represent those of the firm, other partners, our clients, or other business partners.

This article uses Lost Gross Profit (a term usually used in UK policies) and Lost Gross Earnings or more generically lost contribution margin but without reference to any specific policy coverage terms or wording. It is important to note that as long as labour costs is an insured expense, the general issue addressed in this article applies regardless what policy cover, i.e. Gross Profit of Gross Earnings is in place.

Markus Heiss

ACMA, CGMA, Partner

+44 7730 985 822, +49 176 3129 2272
mheiss@mdd.com
London, EMEA

Articles

Relevant Articles

Our experts are extremely knowledgeable about thier subject areas and often write educational material and commentary on topical issues they come across.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Search

Insurance

Litigation

Individuals...

Public...

Services

Construction

Energy

Industries

Professionals

Calculators

Knowledge Center

Case Studies

Articles

CAT 365 Blog

Claims Interviews

Discovery Series

Calculators

IRB Calculator

Duxbury Calculator

Client Training Opportunities

Locations

Events

About Us

News

Careers

New Assignment

Understanding Business Interruption Following a Cyber Attack

Why Idle Labour Costs Are Typically Not an Indemnifiable Loss

Property vs. Cyber Risks: A Similar Framework, Different Impacts

The Misconception About Idle Labour Costs

How a Payment for Lost Gross Profit / Earnings Addresses Idle Labour Costs

A Simplified Numerical Example

Scenario:

Impact on Sales:

Policy Indemnity:

Why the Misunderstanding Exists

A Unique Challenge for Cyber BI Claims

How MDD Forensic Accountants Can Help

Conclusion: Bridging the Gap in Understanding

Authors

Markus Heiss

ACMA, CGMA, Partner

Services

Articles

Relevant Articles

Understanding Business Interruption Following a Cyber Attack

The Impact of Tariffs on Insurance Claims