Dependent Systems
Coverage for losses when a cyberattack or failure at a third-party service provider disrupts the insured's business operations.
What It Is
Dependent systems coverage, also called contingent business interruption in cyber policies, extends first-party coverage to losses the insured suffers when a cyber event at a third-party service provider disrupts the insured's operations. This addresses the reality that modern businesses rely heavily on cloud providers, SaaS platforms, payment processors, and other technology vendors whose outages can halt the insured's business.
Coverage may apply broadly to any technology service provider on which the insured depends, or it may be limited to specifically scheduled providers. Some policies distinguish between IT service providers (such as cloud hosting and SaaS platforms) and non-IT providers (such as utility companies or supply chain partners) whose operational technology failures affect the insured. Waiting periods for dependent systems BI are typically longer than for direct BI, often 12-24 hours.
The sublimit for dependent systems coverage is frequently lower than the direct BI limit. A policy might offer $2M in direct BI but only $500,000 for dependent systems BI. Additionally, some policies exclude coverage for outages at infrastructure providers that affect a broad class of insureds, such as a major cloud provider outage affecting thousands of businesses simultaneously.
Why It Matters for Brokers
The concentration of business-critical services in a small number of cloud and SaaS providers means that a single provider outage can simultaneously disrupt hundreds of insureds. Brokers must evaluate each client's technology dependencies and ensure dependent systems coverage is adequate. Without this coverage, a client whose primary cloud provider goes down for 48 hours has no cyber policy coverage for the resulting business interruption.
Real-World Example
An online retailer hosts its entire e-commerce platform on a cloud provider that suffers a 36-hour outage due to a ransomware attack on the provider's infrastructure. The retailer's lost revenue during peak season is $165,000 per day. The cyber policy's dependent systems BI coverage has a 12-hour waiting period and a $250,000 sublimit. The covered loss is calculated as 24 hours of BI at $6,875/hour, totaling $165,000, well within the sublimit. Without dependent systems coverage, the retailer would bear the full loss.
Common Mistakes
- 1Assuming the insured's direct BI coverage extends to outages at third-party providers when dependent systems coverage must be separately included.
- 2Not reviewing whether the dependent systems coverage requires providers to be specifically scheduled, which would exclude unscheduled vendors from coverage.
How brokerageaudit.com Handles This
brokerageaudit.com's Submission Intake module captures the client's critical technology providers and dependencies, ensuring this information is included in submissions to carriers. Policy Checker identifies dependent systems sublimits and compares them against the client's estimated daily revenue loss from provider outages, flagging inadequate coverage.