The Revenue Your Policy Ignores: Why Cyber BI Doesn't Cover a Bank's Primary Income

A community bank with $650 million in assets suffers a five-day cyber outage. Systems are down. No wire transfers, no ACH processing, no online banking, no loan originations. The bank files a business interruption claim under its cyber policy.

The cyber carrier runs the income loss calculation. Fee income, extra expenses, overtime, temporary workarounds. The BI payout comes back: $48,000.

The bank’s actual income loss over five days: $269,000.

The gap: $221,000. 82% of the loss, uninsured.

The reason is not a low limit. The reason is not a coverage exclusion buried on page 40. The reason is the definition of “income” in the business interruption section of the cyber policy. It was written for commercial businesses. Not for banks.

Why Bank Revenue Is Different

A software company earns revenue from subscriptions and services. A retailer earns revenue from product sales. When either suffers a cyber outage, the BI definition in a standard cyber policy captures most of the lost income because it is tied to operations the company cannot perform while systems are down.

70-85% of a community bank’s revenue is net interest income. The BI definition in most cyber policies either explicitly excludes it, or uses language ambiguous enough that a carrier can argue it was never intended to be covered. The definition was designed around businesses where interest income is incidental. For a bank, it is the business.

Revenue Breakdown: Typical Community Bank

Net Interest Income
70-85%
Excluded or ambiguous in most cyber BI definitions
Fee & Service Income
15-30%
Typically covered under standard BI definitions

Two Ways the Policy Strips It Out

The flat-rate mechanism. Some policies use a pre-set hourly rate for BI recovery, written into the declarations page at underwriting. In the banks I reviewed, the rate covered only 22% of the bank’s hourly income. The math was set without interest income.

The ambiguous definition. Other policies define income loss as “income from business operations” or “net profit before income taxes” without addressing interest income. For a commercial business, those phrases capture the main revenue stream. For a bank, they create a gray area, because a carrier can argue that during an outage, existing loans continue to accrue interest contractually and the bank has not been “prevented from earning” that income. That ambiguity gives the carrier a denial path.

Four out of five banks I reviewed had some form of this gap. Only one had solved it, through a carrier endorsement that deletes the exclusion.

The Scale of the Problem

This is not a niche issue affecting a handful of institutions. The two largest community bank insurance programs, which together serve thousands of community banks and credit unions, both have policy forms where this gap is structural. Whether through a flat-rate mechanism or an ambiguous definition, the outcome is the same: the bank’s primary revenue stream is not clearly covered.

Five-Day Outage: What the Bank Loses vs. What the Policy Pays

Bank Size 5-Day Interest Loss Typical BI Recovery Uninsured
$500M assets ~$205,000 $48,000 77%
$1B assets ~$410,000 Ambiguous Up to 100%
$2B assets ~$820,000 Ambiguous Up to 100%

Assumes 3% net interest margin, 5-day outage. "Ambiguous" means the policy definition could be argued either way.

I added this gap to my review methodology after recognizing the pattern across multiple audits. If an independent auditor focused specifically on bank insurance risk missed it initially, the odds that a generalist broker is checking for it are low.

The Fix

One carrier offers an endorsement that explicitly adds interest income to the BI definition. One bank in my sample had it, and it was the single most valuable endorsement in their program.

1
Find the BI or Income Loss definition in your cyber policy. If "interest income" is not mentioned, or if the definition says "income from business operations" without specifying it, you have an ambiguity the carrier can use against you.
2
If your BI uses a flat hourly rate, run the math. Multiply the rate by 96 covered hours (five days minus a 24-hour waiting period). If recovery is less than half of your bank's income loss over the same period, the rate was set without your primary revenue stream.
3
Ask your broker about an Interest Income endorsement. At least one carrier offers one. If yours does not, factor that into your next renewal decision.
4
If no endorsement is available, quantify the gap for your board. Run the five-day outage scenario with your bank's net interest income. That dollar amount belongs in the risk register and in your next examiner conversation.

Your bank’s cyber policy was designed to cover system outages. For most businesses, that coverage works. For a bank, it covers 15-30% of the revenue at risk and ignores the rest.

The interest income exclusion is one of several gaps that appear when cyber, fidelity bond, and D&O policies are read together. I map the full picture in Five Audits. Same Gaps..

If your bank has not checked whether interest income is covered in your cyber BI definition, get in touch. A Risk Intelligence Report will show you exactly what your policy pays on a five-day outage, and whether the answer should concern your board.

Joerg Proeve, Founder and Independent Risk Advisor
Joerg Proeve

Founder of Breezy Risk. 20 years of insurance, background in cybersecurity and engineering. Audits insurance for community banks and credit unions.

More about Joerg →