Marsh’s New Endorsement Targets Cyber Insurance’s Slowest Payout

Estimated reading time: 4 minutes

A breach can shut a business down for months. Marsh wants insurers paying for that downtime in days, not after the recovery is over. Ransomware does not just lock files. It stops the business. AXA XL’s own claims data found 92% of ransomware incidents caused a business interruption, and the average company needed about two months to restore operations.

Marsh has built a framework aimed at that exact gap. The broker announced on June 15 that it has negotiated accelerated-payment endorsements with five major cyber insurers: AIG, Beazley, Canopius, CFC, and QBE. It has also written the new terms into its own primary cyber products, including Cyber CAT.

What the Framework Actually Changes

The mechanics matter more than the announcement. The framework lets insurers pay incident-response firms directly, so a client is not funding its own recovery while a claim is still under review. It mandates interim payments for undisputed business interruption losses. And it sets a standardized, prioritized evidence package, intended to stop insurers and policyholders from working off different documentation timelines.

A Second Clock, Not the First One

That third point addresses a problem this title has tracked closely. Cyber business interruption claims already start behind a clock: most policies carry a waiting period of around 12 hours before BI coverage even begins. Marsh’s framework does not touch that clock. It attacks what happens after it starts, the document-heavy review process that can stretch a claim for weeks once the loss is already running.

Greg Eskins, Global Cyber Product Leader at Marsh, framed the business problem behind the legal one.

“Settling cyber business interruption claims can be a protracted, documentation-heavy process. Our framework is aimed squarely at the operational and financial realities our clients face when they are trying to recover from a cyber incident. By minimizing our clients’ out-of-pocket expenses, getting money into their hands sooner, and by reducing complexity regarding the documentation insurers need, we help clients focus on recovery, not paperwork.”

That is the heart of it. A claim that pays out correctly six months later is still a six-month cash problem for the client living through it.

What This Means for Buyers

The timing lines up with where the market’s own data has been pointing. Munich Re and the Insurance Information Institute’s RiskScan 2026 found business interruption now ranks among the largest sources of cyber claims, with cyber the top-ranked insurance risk across the US and UK market. The exposure was never in question. What Marsh is targeting is the lag between a covered loss and the cash that answers it.

It is a narrow fix aimed at a specific failure point, not a rewrite of cyber coverage. Marsh says it is working to expand carrier participation and extend the framework into other markets. For buyers, the practical question is simple: ask your broker whether your carrier is one of the five, and if not, what timeline you are actually working with today.

FAQ – Business Interruption Cyber Insurance

Related Cyber Insurance News Posts

• Critical National Infrastructure Cyber Insurance: The NCSC Warning
• The Squeeze Between Ransomware and Business Interruption Insurance(Opens in a new browser tab)
• The “Downtime Era” Redefines Business Interruption Risk – Absolute Security(Opens in a new browser tab)
• Large Cyber Claims Surge: AXA XL Study Finds 88% of Losses Driven by Major Attacks(Opens in a new browser tab)
• “Downtime”& Digital Business Interruption Insurance Offered by Parametrix(Opens in a new browser tab)