Cyber attacks are increasing globally at an alarming rate, becoming more frequent and complex and resulting in greater losses. As the threats fuel growth and claims in the cyber insurance market, business interruption has become a particularly complicated and costly component of the equation. Insurers and clients are increasingly relying upon highly-specialized forensic accountants to quantify these losses. 

“Before the rise of technology, forensic accounting was mostly a property insurance thing. Now, we’re focused on business interruption as a type of cyber exposure and how network incidents impact revenue,” said Michael Colford, senior vice president and cyber product leader at Westfield Specialty.  

“Once the fires are put out, forensic accountants really are the ones who come in post-mortem and figure out how an incident impacted the financials, how much revenue was lost, and how much the insurance policy may cover.” 

 Increasing Complexity in Cyber-Related Business Interruption Claims 

The average number of cyber attacks per organization surged nearly 50% globally in Q1 2025, according to a report by Check Point. Additionally, ransomware attacks increased by 126% compared to Q1 2024, with nearly 2,300 incidents reported during that period, 62% of which occurred in North America.  

In response to threats, the cyber insurance market has experienced notable growth in recent years, from $14 billion in 2023 to $16.6 billion in 2024, with North America accounting for $10.5 billion of the total, according to Guy Carpenter.

The report noted that evolving tactics, techniques and procedures have increased the risks and made ransomware a significant cause of losses worldwide. In 2024, the average ransomware claim reached $292,000 per incident, while funds transfer fraud was $185,000, and business email compromise hit $35,000 per event, according to Coalition.  

While new cyber insurance products have come online in recent years, not all policies are the same and they can vary significantly in terms of what they cover. Cyber policies typically protect companies from the cost of internet-based threats to IT infrastructure, data and information, which are often not covered by traditional insurance products or general liability policies. They usually cover costs related to mitigating the threat, including legal fees, data recovery, third-party liability and regulatory fines.  

However, most policies now also cover cyber-related business interruption, and that’s where things become gray and complex, said Jeremy Gittler, global head of claims with Resilience, a cyber MGA.

Unlike physical damages, which have clear loss markers and more straightforward calculations, cyber incidents often involve intangible assets like data and network systems, which can complicate calculations. Insurers and policyholders are increasingly looking for specialized forensic accountants to carefully review policies and calculate loss amounts.  

“With the rise of ransomware claims and business interruption losses becoming commonplace in cyber insurance, we now hire forensic accountants to assist the claims team with assessing the proof of loss for coverage because it can be very intricate and complicated,”Gittler said. 

 Determining Losses with Nuanced Calculations   

The demand for forensic accountants with cyber experience has grown in response to the changing nature of cyber attacks, said John Dempsey, CEO and cofounder of Insight Risk. In the early 2010s, cyber attack losses primarily stemmed from IP theft and data breaches, as well as the resulting liability claims.

For example, the 2011 Sony PlayStation Network data breach exposed approximately 77 million user accounts, resulting in an estimated $177 million in costs for the company. The 2017 Equifax data breach exposed the personal information of more than 147 million people and led to a $700 million settlement. Dozens of other large companies and hundreds of smaller companies suffered data breaches in the mid-2010s. 

While data breaches aim to steal and monetize data, ransomware attacks disrupt operations, holding data hostage and extorting companies to pay a ransom. These attacks can be considerably more disruptive and accounted for 58% of the value of large cyber claims in the first six months of 2024, according to the Allianz Risk Barometer. 

“Cyber was mostly focused on privacy-type issues, protections against IP theft, and things like that and was built around a liability policy. Now it’s increasingly focused on business interruption and claims for lost profits,” Dempsey said. 

Forensic accountants must quantify a wide range of losses, including costs associated with ransom payments, revenue losses, and secondary impacts such as supply chain disruptions and operational downtime.

Impacts can vary widely, however, depending on the nature of the attack and the business’ operations. For example, while some organizations can partially maintain operations without full system access, others face complete shutdowns that can complicate loss modeling and verification. Cyber events can impact manufacturers, hospitals, stores, and online retailers in different ways. Every claim needs careful and customized financial analysis. 

“There are a lot of nuances in how the calculations are made,” Colford said. “Some revenue may not be completely lost, it may just be delayed. There are many moving parts in the calculations, so it’s not as black and white as one might think.” 

The extent, nature and duration of a system outage can all impact the equation. Forensic accountants also have to consider what contingency plans were available, whether operations could have been conducted manually, how the company responded, and whether systems were encrypted. Each company and claim has a myriad of variables that can be taken into account when calculating a loss. 

 Niche Experience Required 

Some insurers are exploring new data and analytics tools that can partially expedite the process by identifying anomalies in claims data. However, cyber-related business interruption claims typically remain too complex for machines alone, as they still rely on hands-on, human-based investigatory work.  

“Most forensic accountants still do things the traditional way, reviewing documents manually and with Excel spreadsheets. It’s not really about the tools or technology; it’s about the experience,” Gittler said.  

The talent shortage is another critical issue, as there are limited forensic accountants who have CPA credentials and the deep understanding and technical skills needed to conduct cyber claim analysis.

There simply aren’t enough forensic accountants with deep cyber experience to handle the growth in claims. Gittler noted that while customers often want things turned around in a week or two, insurers are sometimes taking up to a couple of months on complex cyber claims. Many just don’t have enough forensic accountants to handle the workload. 

As a result, many insurers are building panels of specialized forensic accounting firms. These firms can provide faster, more balanced assessments, but sourcing enough qualified partners remains a challenge. While some clients try to calculate cyber-related losses using in-house accountants, they typically lack the niche expertise required to put together a detailed proof of loss in a complex cyber situation.  

“We, frankly, would prefer that they use a forensic accountant. Our policy covers the fees for forensic accountants. We occasionally encounter issues when it’s their own accounting staff … An outside firm with specific cyber expertise can have a better perspective on the loss,”
Gittler said.  &