Your success is at the forefront of our minds.

How the 2026 DDoS Wave Is Breaking SA Cyber Insurance Cover

Home / Blog / How the 2026 DDoS Wave Is Breaking SA Cyber Insurance Cover

Need Expert Guidance for Your Business?

Whether you’re facing challenges or looking for tailored solutions, our team is here to help. Get in touch with us today and take the next step towards securing your business’s future.

The first half of 2026 has been an unusually punishing period for South African hosting and connectivity. Afrihost, Host Africa, Xneelo, and Domains.co.za have each been hit by significant distributed denial-of-service (DDoS) attacks, and the downstream effects have rippled across thousands of SA businesses that rely on these providers for email, e-commerce, customer portals, and hosted business applications. For some businesses, an outage of six to twelve hours has meant tens of thousands of rand in lost orders, cancelled service-level commitments to customers, and operational chaos that no incident response plan had really anticipated.

The conversation that follows almost every one of these events sounds the same. “Are we covered?” The honest answer is: it depends on what your policy actually says, and most SA cyber policies have grey areas around third-party hosting outages that businesses only discover at claim time. All cover discussed here is subject to underwriting and final policy wording.

TL;DR

  • The 2026 DDoS wave hitting Afrihost, Host Africa, Xneelo, and Domains.co.za is a third-party event, and most SA cyber policies were drafted with first-party attacks in mind.
  • Business interruption cover triggered by your own systems being attacked is standard, but BI triggered by a hosting provider outage often requires a specific “dependent business” or “contingent business interruption” extension.
  • Even where the cover exists, the waiting period (typically 6 to 12 hours) excludes most short-form DDoS events that resolve within the same business day.
  • Service-level credits from the hosting provider rarely cover actual revenue loss, and recovering the gap usually depends on whether the insurance programme was structured for hosted dependencies.
  • SA cyber policies are evolving quickly in response to this wave, but the existing book has gaps that need to be reviewed against your dependency map.

Table of Contents

What is actually happening with SA hosting in 2026

Distributed denial-of-service attacks are not new, but the 2026 wave hitting SA hosting providers has been notable for three reasons. First, the scale of the attacks has been larger than anything most local providers had previously absorbed. Second, the attacks have targeted multiple major providers within compressed timeframes, suggesting either coordinated actors or copycat opportunism. Third, the secondary impact on SA businesses has been significant because the affected providers collectively host an enormous share of small and medium SA business infrastructure.

Afrihost, Xneelo, Host Africa, and Domains.co.za are infrastructure partners to a wide cross-section of the SA business economy. When their networks slow or go offline, the immediate effects are visible: websites become unreachable, email queues back up, customer portals stop responding, and any payment or booking system hosted with the affected provider goes quiet. The less visible effects are commercial: customer trust erodes, service-level commitments to enterprise clients are breached, and revenue-dependent operations grind down.

For an insurance perspective, the critical question is not whether your business was attacked. In a DDoS event affecting your hosting provider, you were not the target. The attacker hit infrastructure that happens to carry your business. That distinction matters more than it sounds, because most SA cyber policies were drafted with first-party attacks in mind.

The three policy gaps the DDoS wave is exposing

Across the broker market, the same three gaps keep emerging when SA businesses pull out their cyber policies after a hosting outage.

Gap 1: The attack was on someone else’s network

Standard cyber insurance covers a “computer attack” or “network security event” affecting the insured’s systems. When the attack is on a hosting provider’s network, the insured’s own systems were not breached. Some policies treat this as outside the cover trigger entirely. Others include it under a “dependent business interruption” extension, but only if that extension was specifically endorsed at placement.

The practical effect: many SA businesses with cyber cover are sitting on policies that would respond to their own systems being hit, but not to their hosting provider being hit. This is the single biggest gap the 2026 wave is exposing.

Gap 2: Business interruption is event-triggered, not service-triggered

Cyber business interruption cover typically responds to a specific cyber event causing loss of income. If your hosting provider is down for eight hours and your e-commerce site cannot process orders, the loss of income is clear. The question is whether the policy’s BI trigger is satisfied. A pure “network security event affecting the insured’s computer systems” trigger may not respond. A broader “interruption to business operations caused by a covered cause of loss at a dependent service provider” trigger would respond, but is far less common.

Gap 3: Reputational damage is excluded or sub-limited

When a hosting outage causes your business to miss SLA commitments to enterprise clients, the immediate revenue loss is one part. The reputational damage, possible contract loss, and recovery marketing spend are larger components, and most cyber policies either exclude these entirely or apply small sub-limits that do not match the real exposure of a B2B SA business losing a major customer.

Dependent business interruption cover, explained

Dependent business interruption (often labelled “contingent business interruption” or “CBI” in insurer wording) is the policy extension that converts a third-party outage into a covered claim. The mechanics matter:

  • Named dependencies versus blanket dependencies. Some policies require you to name specific dependent service providers at placement (Afrihost, Xneelo, etc.). Others provide blanket cover for “any service provider supplying critical IT services to the insured.” Named dependencies are more common but more restrictive; blanket dependencies are broader but typically more expensive.
  • Tier of service provider. Most policies cover Tier 1 dependencies (your direct hosting provider). Few cover Tier 2 dependencies (the upstream provider your hosting provider uses for transit, DNS, or CDN). When the 2026 attacks hit upstream infrastructure, businesses found their direct provider was technically “available” but unable to serve traffic, complicating the trigger analysis.
  • Geographic scope. Some SA cyber policies issued through international insurers exclude SA-based service providers because the underwriting was done on a global template. This is a placement issue your broker should flag at renewal.
  • Cover duration. CBI cover typically responds for the duration of the dependent outage plus a recovery period, but capped at a maximum number of days. For a six-month operational disruption following a major provider compromise, the cap can be reached quickly.

The placement detail that matters most for SA businesses in 2026 is whether your CBI extension specifically covers DDoS attacks on the dependent provider. Some wordings cover “network security events” but exclude “denial of service or volumetric attacks.” Read the policy. A specialised cyber insurance broker can map your dependency exposure and identify whether your current wording responds.

Why the waiting period kills most DDoS claims

Even where the cover trigger is met, cyber BI policies almost always include a waiting period before benefits start to accrue. Typical waiting periods on SA cyber policies range from 6 to 12 hours. The intent is to exclude minor or transient disruptions that the business can absorb without claiming.

The problem in 2026 is that most DDoS attacks on SA hosting providers have been resolved within 4 to 10 hours. Many fall entirely within the waiting period. The result: real revenue loss occurred, the cover trigger was technically met, but no benefits accrue because the disruption duration did not exceed the waiting period.

Options to manage this gap include negotiating a shorter waiting period at renewal (typically 4 to 6 hours for an additional premium), structuring the BI cover with a “step-down” provision that pays partial benefits during the waiting period, or accepting the waiting period and reserving cyber claims for longer events. Each has trade-offs, and the right answer depends on how often your operations would be affected by sub-12-hour outages.

Service-level credits versus insurance recovery

Most SA hosting providers offer service-level agreements that include credits for downtime. The credits are typically calculated as a percentage of the monthly hosting fee, prorated to the duration of the outage. For a small business paying R500 per month for hosting, a four-hour outage credit might be R10 to R30. The credit is unrelated to the actual revenue impact, which for the same business might be five to ten thousand rand in lost orders.

This SLA-versus-insurance gap is where cyber business interruption cover earns its premium. Where the cover responds, it pays the actual loss of business income, subject to documentation, the waiting period, and the policy sub-limits. Where the cover does not respond, the SLA credit is the only recovery, and it almost never matches the real loss.

One practical implication: when calculating sums insured for cyber BI cover, businesses should not rely on the hosting cost as a proxy for exposure. The exposure is the revenue at risk during a hosted-service outage, not the cost of the hosting itself.

How to review your cyber programme right now

Given the 2026 DDoS wave, an immediate cyber programme review is warranted for any SA business that relies on third-party hosting or connectivity for revenue-generating operations. A structured review covers six areas:

  1. Dependency map. List every third-party service provider whose unavailability would interrupt your revenue. Hosting, email, DNS, CDN, payment gateway, customer portal SaaS, and CRM are typical entries. For each, note whether the dependency is named in your cyber policy.
  2. Policy trigger language. Identify the BI trigger wording. Does it require an event at the insured’s systems, or does it include events at dependent service providers? Does it include DDoS and volumetric attacks, or only “network security breaches”?
  3. Waiting period. Confirm the BI waiting period. If it is 12 hours, most short-form DDoS events fall outside cover. Negotiate to 6 or 4 hours if the exposure justifies the premium.
  4. Sub-limits. Check sub-limits for cyber BI, dependent BI, reputational damage, and recovery costs. These are often substantially below the main policy limit and may not match the real exposure.
  5. SLA gap calculation. Estimate the revenue impact of a typical 8-hour hosting outage, compare to the SLA credit from your hosting contract, and identify the uncovered gap. This is the figure your cyber BI cover should address.
  6. Renewal timing. Cyber insurance market terms are tightening in response to the 2026 wave. Review well before renewal so adjustments can be negotiated rather than imposed.

For businesses already affected by 2026 incidents, the priority is documenting the loss, preserving evidence of the outage and its commercial impact, and notifying insurers promptly even where coverage is uncertain. Late notification is a common reason for claim denial in SA cyber matters. See our guidance on third-party cyber breaches for related claim-preservation principles. Where the outage exposed or potentially exposed personal information, additional notification obligations apply under POPIA, administered by the Information Regulator.

What is changing in the SA cyber insurance market

The 2026 wave has accelerated changes that were already underway in the SA cyber market. Brokers and insurers are responding in several visible ways:

1. Dependent BI is moving from optional to standard. A year ago, dependent business interruption was a niche extension on most SA cyber policies. The 2026 events have made it a default ask at renewal. Insurers are accommodating, though premiums are rising to reflect the broader exposure.

2. DDoS-specific cover is being negotiated separately. Some insurers are willing to add specific DDoS cover with a tighter trigger and shorter waiting period, in exchange for an additional premium. This is becoming the recommended structure for businesses with high revenue dependency on hosted services.

3. Underwriting questions are getting more granular. Cyber insurers are now asking for dependency maps, SLA terms with critical providers, and backup or failover arrangements at placement. The days of a one-page proposal form for cyber cover are ending.

4. Premium increases on the existing book. The SA cyber market is seeing 10 to 25% premium increases at renewal in 2026 for businesses with hosted-service dependencies, even where no claim has been made. The exposure recalibration is industry-wide.

5. Reputational damage cover is being tested. Sub-limits on reputational damage are being challenged in claim conversations following the 2026 events, particularly where SA businesses lost enterprise customers because of hosting-provider outages. Resolution is still in progress, but the direction is towards either broader sub-limits or clearer exclusions.

Frequently asked questions

Does a standard SA cyber insurance policy cover DDoS attacks?

Most standard SA cyber policies cover DDoS attacks that target the insured’s own systems directly. Cover for DDoS attacks targeting a third-party hosting or connectivity provider is less consistent and typically depends on whether the policy includes a dependent business interruption or contingent BI extension specifically covering volumetric attacks. The current 2026 wave has highlighted that many existing policies do not respond to provider-level DDoS events, and businesses should review their wording specifically against this exposure.

If my website is hosted on Afrihost, Xneelo, Host Africa, or Domains.co.za and goes offline due to a DDoS attack on the provider, am I covered?

It depends on whether your cyber policy includes dependent business interruption cover, whether the cover responds to DDoS or only to “network security breaches,” whether the provider is named or whether blanket dependency cover applies, and whether the outage duration exceeded the policy waiting period (typically 6 to 12 hours). A broker review can map your specific policy against the providers you rely on. We arrange specialised cyber insurance with dependent BI extensions structured for SA hosted-service exposures.

What is the difference between a hosting provider’s SLA credit and an insurance recovery?

An SLA credit is contractual compensation from the hosting provider for failing to meet uptime commitments. It is typically calculated as a percentage of the monthly hosting fee and prorated to the duration of the outage. The credit is usually small relative to the actual revenue impact of the outage. Insurance recovery, where cover responds, pays the actual loss of business income subject to the policy terms, waiting period, and sub-limits. The two are designed for different purposes, and SA businesses with significant revenue dependency on hosting should not treat the SLA credit as adequate protection.

How long is the typical waiting period on SA cyber business interruption cover?

Most SA cyber policies set the BI waiting period at 6 to 12 hours. The intent is to exclude minor or transient disruptions. The practical effect in 2026 is that many DDoS events resolve within the waiting period, leaving real revenue losses uncovered. Shorter waiting periods (4 to 6 hours) can typically be negotiated at renewal for an additional premium, and may be cost-effective for businesses with high revenue dependency on continuously available hosted services.

Will the 2026 DDoS wave change my cyber insurance premiums at renewal?

Probably yes, even if your business was not directly affected. SA cyber insurers are recalibrating premiums to reflect the broader market exposure to hosted-service dependencies, and increases of 10 to 25% at renewal are being seen across the book. Premium increases are typically accompanied by broader cover (dependent BI being added by default) and tighter underwriting questions. The right time to engage your broker is well before renewal, not at the renewal call.

What records should I keep if my business is affected by a hosting provider DDoS attack?

Document everything. Capture the outage notification from the provider, the times the outage started and ended, the specific services affected (website, email, customer portal, payment gateway), the actual revenue or transactions lost during the outage, customer or SLA breach implications, and any internal staff time spent managing the incident. Even if you do not currently believe a claim will be made, preserving evidence at the time of the incident protects your position if cover review later identifies that the event was insured.

Does cyber insurance cover the cost of switching hosting providers after an attack?

Specific policy wording varies, but most cyber policies do not cover voluntary migration costs to a different provider. Migration would typically be considered a business decision rather than an insured loss. However, where a hosting provider is unable to restore service within a reasonable period, some policies include “extra expense” cover that can fund interim hosting arrangements during the outage. This is a narrow extension and should be confirmed with the broker before relying on it.

Review your cyber programme before the next event

The 2026 DDoS wave is unlikely to be a one-off. SA hosting providers will continue to be targets, and the businesses that have done the work to map their dependencies, review their cover, and negotiate the right extensions will be the ones that recover quickly when the next event happens. Those that have not done the work will discover the gaps at claim time, when it is too late to fix them. Contact Berkley Risk or call 011-702-8250 to arrange a cyber programme review structured around your hosted-service dependencies, subject to underwriting and insurer appetite.

Berkley Risk (Pty) Ltd arranges/places/co-ordinates insurance with licensed insurers. FSP #54407. This article is general information only and does not constitute legal, financial, or regulatory advice. All cover is subject to underwriting acceptance and final policy wording.