A community bank with $650 million in assets suffers a five-day cyber outage. Systems are down. No wire transfers, no ACH processing, no online banking, no loan originations. The bank files a business interruption claim under its cyber policy.
The cyber carrier runs the income loss calculation. Fee income, extra expenses, overtime, temporary workarounds. The BI payout comes back: $48,000.
The bank’s actual income loss over five days: $269,000.
The gap: $221,000. 82% of the loss, uninsured.
The reason is not a low limit. The reason is not a coverage exclusion buried on page 40. The reason is the definition of “income” in the business interruption section of the cyber policy. It was written for commercial businesses. Not for banks.
Why Bank Revenue Is Different
A software company earns revenue from subscriptions and services. A retailer earns revenue from product sales. When either suffers a cyber outage, the BI definition in a standard cyber policy captures most of the lost income because it is tied to operations the company cannot perform while systems are down.
70-85% of a community bank’s revenue is net interest income. The BI definition in most cyber policies either explicitly excludes it, or uses language ambiguous enough that a carrier can argue it was never intended to be covered. The definition was designed around businesses where interest income is incidental. For a bank, it is the business.
Revenue Breakdown: Typical Community Bank
Two Ways the Policy Strips It Out
The flat-rate mechanism. Some policies use a pre-set hourly rate for BI recovery, written into the declarations page at underwriting. In the banks I reviewed, the rate covered only 22% of the bank’s hourly income. The math was set without interest income.
The ambiguous definition. Other policies define income loss as “income from business operations” or “net profit before income taxes” without addressing interest income. For a commercial business, those phrases capture the main revenue stream. For a bank, they create a gray area, because a carrier can argue that during an outage, existing loans continue to accrue interest contractually and the bank has not been “prevented from earning” that income. That ambiguity gives the carrier a denial path.
Four out of five banks I reviewed had some form of this gap. Only one had solved it, through a carrier endorsement that deletes the exclusion.
The Scale of the Problem
This is not a niche issue affecting a handful of institutions. The two largest community bank insurance programs, which together serve thousands of community banks and credit unions, both have policy forms where this gap is structural. Whether through a flat-rate mechanism or an ambiguous definition, the outcome is the same: the bank’s primary revenue stream is not clearly covered.
Five-Day Outage: What the Bank Loses vs. What the Policy Pays
| Bank Size | 5-Day Interest Loss | Typical BI Recovery | Uninsured |
|---|---|---|---|
| $500M assets | ~$205,000 | $48,000 | 77% |
| $1B assets | ~$410,000 | Ambiguous | Up to 100% |
| $2B assets | ~$820,000 | Ambiguous | Up to 100% |
Assumes 3% net interest margin, 5-day outage. "Ambiguous" means the policy definition could be argued either way.
I added this gap to my review methodology after recognizing the pattern across multiple audits. If an independent auditor focused specifically on bank insurance risk missed it initially, the odds that a generalist broker is checking for it are low.
The Fix
One carrier offers an endorsement that explicitly adds interest income to the BI definition. One bank in my sample had it, and it was the single most valuable endorsement in their program.
Your bank’s cyber policy was designed to cover system outages. For most businesses, that coverage works. For a bank, it covers 15-30% of the revenue at risk and ignores the rest.
The interest income exclusion is one of several gaps that appear when cyber, fidelity bond, and D&O policies are read together. I map the full picture in Five Audits. Same Gaps..
If your bank has not checked whether interest income is covered in your cyber BI definition, get in touch. A Risk Intelligence Report will show you exactly what your policy pays on a five-day outage, and whether the answer should concern your board.