Your Vendor Is Your Biggest Exposure and Your Smallest Sublimit

Your examiner asks about vendor risk. Your insurer sublimits it. Nobody is checking whether the coverage matches the dependency.

In May 2025, a planned infrastructure upgrade at Fiserv went wrong and knocked out online banking, Zelle, ACH processing, and direct deposits for dozens of banks, including Bank of America and Capital One. It was resolved in about 12 hours. In late 2023, a ransomware attack hit Ongoing Operations, a Trellance-owned disaster recovery unit that markets itself as the provider keeping credit unions running when nothing else works. The business-continuity vendor went down. About 60 credit unions lost access to systems for days.

Those were hours-long and days-long disruptions at third-party providers. Now model the scenario that matters most: your core ledger offline for five business days. Under a typical cyber policy, that outage runs against a dependent business interruption sublimit that could exhaust before your systems come back.

That’s the vendor coverage problem at community banks: the single point of failure that matters most, the core banking platform, carries the smallest coverage on the policy.

The Dependency Nobody Prices Correctly

A community bank’s core processor (Jack Henry, Fiserv, FIS, Corelation) touches every function: deposits, lending, wires, online banking, regulatory reporting. When it goes down, the bank doesn’t switch to a backup. The bank waits.

A realistic multi-day outage creates several categories of loss: income that can’t be earned while systems are offline, extra expenses to maintain manual operations, customer impact, and the cost of communicating with regulators during the event.

In the bank policies I’ve reviewed, dependent business interruption coverage typically sits at a sublimit between $100,000 and $1 million. Calculate what a day of downtime costs your bank: lost income, staff overtime, manual workarounds, customer impact. Then compare that number to your sublimit. Most banks I talk to haven’t done that math.

The bank's most critical technology relationship is often its least-insured exposure.

What the Policy Says (and What It Means)

Dependent business interruption coverage isn’t straightforward. It includes conditions that determine whether a vendor outage triggers coverage at all.

Four Questions That Determine Whether Your Vendor Outage Is Covered

1. What Triggers Coverage?
Some policies only cover vendor outages caused by a "Security Breach" (a cyberattack). Others also cover System Failure (any cause). If your vendor goes down due to a software bug, the narrow trigger may exclude you. Some carriers offer a System Failure buy-back at a lower sublimit. Check whether you have it.
2. Does It Require a Written Contract?
Many policies define "Dependent Business" as a vendor with a written contract. If the contract expired, was never formalized, or is a click-wrap agreement, the vendor may not qualify.
3. Is the Sublimit Shared or Separate?
Language like "part of and not in addition to" means the vendor sublimit shares an envelope with your main BI limit. A bank's own outage and a vendor outage in the same policy year compete for the same dollars.
4. Is There a Waiting Period?
Standard waiting periods are 8-10 hours before coverage begins. For a severe outage, the most chaotic and expensive phase is uninsured. Also check the indemnity period: some policies cap dependent BI at 30, 60, or 90 days. That cap can bite before the dollar sublimit does.

The Fiserv outage was a software upgrade gone wrong, not a cyberattack. A community bank whose policy carries a Security-Breach-only trigger would have no coverage for an outage like this.

What to Check at Your Next Renewal

1. Model a realistic core vendor outage. Take your core banking platform offline for 5-7 days on paper. Calculate lost income, extra expenses, and customer impact. Compare that number to your dependent BI sublimit.
2. Check the trigger. Does your dependent BI cover "Security Breach only" or "Security Breach and System Failure"? The broader trigger matters because not every vendor outage is caused by a cyberattack.
3. Verify your core vendor qualifies. Is your core banking vendor named in the policy, covered by class definition, or excluded because the contract is structured differently than the policy requires?
4. Check the waiting period. If it's 8-10 hours, the most chaotic and expensive phase of an outage is uninsured. Know what you're absorbing before coverage kicks in.

Vendor coverage is one of the areas I review in a Risk Intelligence Report. If you want to know whether a real vendor outage would be covered, sublimited, or excluded under your current program, get in touch.

Joerg Proeve, Independent Risk Advisor

Independent Risk Advisor at Breezy Risk. 20+ years in insurance spanning carriers, startups, MGAs, and advisory. Background in engineering and cybersecurity. I audit insurance programs for financial institutions. I don't place insurance.
