Whether you’re facing challenges or looking for tailored solutions, our team is here to help. Get in touch with us today and take the next step towards securing your business’s future.
The first half of 2026 has been an unusually punishing period for South African hosting and connectivity. Afrihost, Host Africa, Xneelo, and Domains.co.za have each been hit by significant distributed denial-of-service (DDoS) attacks, and the downstream effects have rippled across thousands of SA businesses that rely on these providers for email, e-commerce, customer portals, and hosted business applications. For some businesses, an outage of six to twelve hours has meant tens of thousands of rand in lost orders, cancelled service-level commitments to customers, and operational chaos that no incident response plan had really anticipated.
The conversation that follows almost every one of these events sounds the same. “Are we covered?” The honest answer is: it depends on what your policy actually says, and most SA cyber policies have grey areas around third-party hosting outages that businesses only discover at claim time. All cover discussed here is subject to underwriting and final policy wording.
Distributed denial-of-service attacks are not new, but the 2026 wave hitting SA hosting providers has been notable for three reasons. First, the scale of the attacks has been larger than anything most local providers had previously absorbed. Second, the attacks have targeted multiple major providers within compressed timeframes, suggesting either coordinated actors or copycat opportunism. Third, the secondary impact on SA businesses has been significant because the affected providers collectively host an enormous share of small and medium SA business infrastructure.
Afrihost, Xneelo, Host Africa, and Domains.co.za are infrastructure partners to a wide cross-section of the SA business economy. When their networks slow or go offline, the immediate effects are visible: websites become unreachable, email queues back up, customer portals stop responding, and any payment or booking system hosted with the affected provider goes quiet. The less visible effects are commercial: customer trust erodes, service-level commitments to enterprise clients are breached, and revenue-dependent operations grind down.
For an insurance perspective, the critical question is not whether your business was attacked. In a DDoS event affecting your hosting provider, you were not the target. The attacker hit infrastructure that happens to carry your business. That distinction matters more than it sounds, because most SA cyber policies were drafted with first-party attacks in mind.
Across the broker market, the same three gaps keep emerging when SA businesses pull out their cyber policies after a hosting outage.
Standard cyber insurance covers a “computer attack” or “network security event” affecting the insured’s systems. When the attack is on a hosting provider’s network, the insured’s own systems were not breached. Some policies treat this as outside the cover trigger entirely. Others include it under a “dependent business interruption” extension, but only if that extension was specifically endorsed at placement.
The practical effect: many SA businesses with cyber cover are sitting on policies that would respond to their own systems being hit, but not to their hosting provider being hit. This is the single biggest gap the 2026 wave is exposing.
Cyber business interruption cover typically responds to a specific cyber event causing loss of income. If your hosting provider is down for eight hours and your e-commerce site cannot process orders, the loss of income is clear. The question is whether the policy’s BI trigger is satisfied. A pure “network security event affecting the insured’s computer systems” trigger may not respond. A broader “interruption to business operations caused by a covered cause of loss at a dependent service provider” trigger would respond, but is far less common.
When a hosting outage causes your business to miss SLA commitments to enterprise clients, the immediate revenue loss is one part. The reputational damage, possible contract loss, and recovery marketing spend are larger components, and most cyber policies either exclude these entirely or apply small sub-limits that do not match the real exposure of a B2B SA business losing a major customer.
Dependent business interruption (often labelled “contingent business interruption” or “CBI” in insurer wording) is the policy extension that converts a third-party outage into a covered claim. The mechanics matter:
The placement detail that matters most for SA businesses in 2026 is whether your CBI extension specifically covers DDoS attacks on the dependent provider. Some wordings cover “network security events” but exclude “denial of service or volumetric attacks.” Read the policy. A specialised cyber insurance broker can map your dependency exposure and identify whether your current wording responds.
Even where the cover trigger is met, cyber BI policies almost always include a waiting period before benefits start to accrue. Typical waiting periods on SA cyber policies range from 6 to 12 hours. The intent is to exclude minor or transient disruptions that the business can absorb without claiming.
The problem in 2026 is that most DDoS attacks on SA hosting providers have been resolved within 4 to 10 hours. Many fall entirely within the waiting period. The result: real revenue loss occurred, the cover trigger was technically met, but no benefits accrue because the disruption duration did not exceed the waiting period.
Options to manage this gap include negotiating a shorter waiting period at renewal (typically 4 to 6 hours for an additional premium), structuring the BI cover with a “step-down” provision that pays partial benefits during the waiting period, or accepting the waiting period and reserving cyber claims for longer events. Each has trade-offs, and the right answer depends on how often your operations would be affected by sub-12-hour outages.
Most SA hosting providers offer service-level agreements that include credits for downtime. The credits are typically calculated as a percentage of the monthly hosting fee, prorated to the duration of the outage. For a small business paying R500 per month for hosting, a four-hour outage credit might be R10 to R30. The credit is unrelated to the actual revenue impact, which for the same business might be five to ten thousand rand in lost orders.
This SLA-versus-insurance gap is where cyber business interruption cover earns its premium. Where the cover responds, it pays the actual loss of business income, subject to documentation, the waiting period, and the policy sub-limits. Where the cover does not respond, the SLA credit is the only recovery, and it almost never matches the real loss.
One practical implication: when calculating sums insured for cyber BI cover, businesses should not rely on the hosting cost as a proxy for exposure. The exposure is the revenue at risk during a hosted-service outage, not the cost of the hosting itself.
Given the 2026 DDoS wave, an immediate cyber programme review is warranted for any SA business that relies on third-party hosting or connectivity for revenue-generating operations. A structured review covers six areas:
For businesses already affected by 2026 incidents, the priority is documenting the loss, preserving evidence of the outage and its commercial impact, and notifying insurers promptly even where coverage is uncertain. Late notification is a common reason for claim denial in SA cyber matters. See our guidance on third-party cyber breaches for related claim-preservation principles. Where the outage exposed or potentially exposed personal information, additional notification obligations apply under POPIA, administered by the Information Regulator.
The 2026 wave has accelerated changes that were already underway in the SA cyber market. Brokers and insurers are responding in several visible ways:
1. Dependent BI is moving from optional to standard. A year ago, dependent business interruption was a niche extension on most SA cyber policies. The 2026 events have made it a default ask at renewal. Insurers are accommodating, though premiums are rising to reflect the broader exposure.
2. DDoS-specific cover is being negotiated separately. Some insurers are willing to add specific DDoS cover with a tighter trigger and shorter waiting period, in exchange for an additional premium. This is becoming the recommended structure for businesses with high revenue dependency on hosted services.
3. Underwriting questions are getting more granular. Cyber insurers are now asking for dependency maps, SLA terms with critical providers, and backup or failover arrangements at placement. The days of a one-page proposal form for cyber cover are ending.
4. Premium increases on the existing book. The SA cyber market is seeing 10 to 25% premium increases at renewal in 2026 for businesses with hosted-service dependencies, even where no claim has been made. The exposure recalibration is industry-wide.
5. Reputational damage cover is being tested. Sub-limits on reputational damage are being challenged in claim conversations following the 2026 events, particularly where SA businesses lost enterprise customers because of hosting-provider outages. Resolution is still in progress, but the direction is towards either broader sub-limits or clearer exclusions.
Most standard SA cyber policies cover DDoS attacks that target the insured’s own systems directly. Cover for DDoS attacks targeting a third-party hosting or connectivity provider is less consistent and typically depends on whether the policy includes a dependent business interruption or contingent BI extension specifically covering volumetric attacks. The current 2026 wave has highlighted that many existing policies do not respond to provider-level DDoS events, and businesses should review their wording specifically against this exposure.
It depends on whether your cyber policy includes dependent business interruption cover, whether the cover responds to DDoS or only to “network security breaches,” whether the provider is named or whether blanket dependency cover applies, and whether the outage duration exceeded the policy waiting period (typically 6 to 12 hours). A broker review can map your specific policy against the providers you rely on. We arrange specialised cyber insurance with dependent BI extensions structured for SA hosted-service exposures.
An SLA credit is contractual compensation from the hosting provider for failing to meet uptime commitments. It is typically calculated as a percentage of the monthly hosting fee and prorated to the duration of the outage. The credit is usually small relative to the actual revenue impact of the outage. Insurance recovery, where cover responds, pays the actual loss of business income subject to the policy terms, waiting period, and sub-limits. The two are designed for different purposes, and SA businesses with significant revenue dependency on hosting should not treat the SLA credit as adequate protection.
Most SA cyber policies set the BI waiting period at 6 to 12 hours. The intent is to exclude minor or transient disruptions. The practical effect in 2026 is that many DDoS events resolve within the waiting period, leaving real revenue losses uncovered. Shorter waiting periods (4 to 6 hours) can typically be negotiated at renewal for an additional premium, and may be cost-effective for businesses with high revenue dependency on continuously available hosted services.
Probably yes, even if your business was not directly affected. SA cyber insurers are recalibrating premiums to reflect the broader market exposure to hosted-service dependencies, and increases of 10 to 25% at renewal are being seen across the book. Premium increases are typically accompanied by broader cover (dependent BI being added by default) and tighter underwriting questions. The right time to engage your broker is well before renewal, not at the renewal call.
Document everything. Capture the outage notification from the provider, the times the outage started and ended, the specific services affected (website, email, customer portal, payment gateway), the actual revenue or transactions lost during the outage, customer or SLA breach implications, and any internal staff time spent managing the incident. Even if you do not currently believe a claim will be made, preserving evidence at the time of the incident protects your position if cover review later identifies that the event was insured.
Specific policy wording varies, but most cyber policies do not cover voluntary migration costs to a different provider. Migration would typically be considered a business decision rather than an insured loss. However, where a hosting provider is unable to restore service within a reasonable period, some policies include “extra expense” cover that can fund interim hosting arrangements during the outage. This is a narrow extension and should be confirmed with the broker before relying on it.
The 2026 DDoS wave is unlikely to be a one-off. SA hosting providers will continue to be targets, and the businesses that have done the work to map their dependencies, review their cover, and negotiate the right extensions will be the ones that recover quickly when the next event happens. Those that have not done the work will discover the gaps at claim time, when it is too late to fix them. Contact Berkley Risk or call 011-702-8250 to arrange a cyber programme review structured around your hosted-service dependencies, subject to underwriting and insurer appetite.
Berkley Risk (Pty) Ltd arranges/places/co-ordinates insurance with licensed insurers. FSP #54407. This article is general information only and does not constitute legal, financial, or regulatory advice. All cover is subject to underwriting acceptance and final policy wording.
Berkley Risk (Pty) Limited (Registration Number 2017/412000/07)
Authorised Financial Services Provider under the Financial Advisory and Intermediary Services Act No 37 of 2002 – FSP#54407