
What Cyber Insurance Actually Covers — And What It Does Not

Cyber insurance has become a standard line item in enterprise risk management — but most organizations significantly overestimate what their policy actually covers when an incident happens.

CISO2CISO Editorial · 9 min read · 2026-05-26


Executive Summary

Cyber insurance has become a nearly universal component of enterprise risk management. Most mid-to-large organizations carry a policy, most boards ask about it, and most CFOs include it in their risk mitigation narrative.

The problem is that cyber insurance is widely misunderstood — by the organizations that buy it, by the boards that rely on it, and sometimes by the brokers that sell it. The gap between what organizations believe their policy covers and what it actually covers in the event of a real incident has caused genuine financial and operational crises for companies that thought they were protected.

Understanding cyber insurance as a risk transfer tool — with clear limits, specific conditions, and hard exclusions — is no longer optional for CISOs and their boards. It is a fiduciary requirement.

Why This Matters Now

The cyber insurance market has gone through a significant hardening cycle. Following several years of massive losses — particularly from ransomware payouts — insurers have responded by raising premiums, reducing coverage limits, adding exclusions, and dramatically increasing the minimum security controls required to obtain coverage at all.

The exclusions have become particularly consequential. War exclusions, infrastructure exclusions, nation-state exclusions, and systemic event exclusions have all expanded significantly. Some of the most material cyber events of the past several years — events that would have triggered insurance claims — have been contested or denied on the basis of these exclusions.

For boards and executives, this means that the cyber insurance conversation needs to be a substantive one, not a checkbox. Knowing that a policy exists is not the same as understanding what it covers.

CISO2CISO Insight

An insurance policy that has never been stress-tested against a realistic incident scenario is not a risk management tool. It is a document that creates false confidence.

What the Policy Actually Says

There are five areas where the gap between expectation and reality is most consequential.

The war and nation-state exclusion. Most cyber policies now contain explicit exclusions for acts of war, state-sponsored attacks, and increasingly, nation-state-affiliated threat actors. The problem is attribution. Determining whether a specific attack was state-sponsored — and what that means under a specific policy's definition — is genuinely complex, contested, and often litigated. The Merck vs. ACE American case, where an insurer initially denied a $1.4 billion NotPetya claim under a war exclusion before ultimately settling, illustrated exactly how this plays out in practice. The exclusion exists. The definition is ambiguous. The outcome is uncertain.

The systemic event problem. Cyber insurers are acutely focused on correlated risk: incidents where many policyholders are affected simultaneously by the same underlying event. A successful attack on a major cloud provider, a widely deployed SaaS platform, or a core internet infrastructure component could trigger simultaneous claims from thousands of policyholders. Insurers know this and have begun writing policy language that limits or excludes coverage in precisely these scenarios. If your most catastrophic risk scenario involves a compromise of a critical cloud or SaaS dependency, your insurance may offer less protection than you expect.

The sub-limits reality. A $50 million policy limit sounds substantial. But policies are structured with sub-limits for specific categories of loss — ransomware payments, business interruption, data restoration, regulatory fines, crisis communications, and legal costs. The sub-limits for individual categories are often a fraction of the headline number. A $50 million policy might have a $5 million sub-limit for ransomware payments, a $3 million sub-limit for regulatory fines, and a $10 million sub-limit for business interruption. Understanding the actual coverage structure — not just the headline limit — is essential.

The retroactive date trap. Cyber policies are typically written on a claims-made basis, which means coverage applies only to incidents reported during the policy period — regardless of when the breach actually occurred. Many real-world breaches involve long dwell times: attackers who have been present in a network for months or years before detection. If the initial compromise predates the policy's retroactive date, the insurer may have grounds to deny the claim even if the incident is discovered and reported during the active policy period.

The security control warranties. Modern policies require attestation that specific security controls are in place at the time of binding. Multi-factor authentication, EDR coverage, network segmentation, backup procedures, and incident response planning are common requirements. If a material misrepresentation is found — if a required control was not actually implemented as attested — the insurer has grounds to rescind coverage. The security attestation in a cyber insurance application is not a formality. It is a legally binding warranty.

Executive Framework

Coverage assumption                      | Reality check
Nation-state attacks are covered         | Often excluded or contested under war clauses
The policy limit is the maximum payout   | Sub-limits dramatically constrain individual loss categories
Pre-existing breaches are covered        | Retroactive date provisions can exclude them
Business interruption is fully covered   | Sub-limits and waiting periods apply
Regulatory fines are covered             | Fines in some jurisdictions are explicitly uninsurable by law

What CISOs Should Do Next

  • Read the actual policy — not the summary. Pay specific attention to the exclusions section, the definitions of key terms, and the sub-limits table.
  • Run a tabletop exercise specifically designed to test the insurance response: simulate an incident and trace exactly which costs would and would not be covered under the current policy.
  • Audit your security control attestations against actual implementation — not what you intend to have in place, but what is demonstrably operational today.
  • Understand your retroactive date and assess whether there are any known or suspected compromises that predate it.
  • Brief the board specifically on what the policy does not cover — the conversation about limits and exclusions is more valuable than the conversation about premiums.
  • Engage your broker in an annual coverage review that goes beyond renewal pricing — including scenario-based stress testing of the policy language against your actual risk profile.
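The tabletop step above ("trace exactly which costs would and would not be covered") and the sub-limit and retroactive-date mechanics described earlier can be modelled as a small calculator. The following is an added illustration, not the article's own material or any insurer's policy wording: the policy structure, the pro rata waiting-period treatment and the sample incident figures are constructed assumptions, and real policy terms differ.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Policy:
    aggregate_limit: int
    sub_limits: dict                 # loss category -> sub-limit (USD); absent = aggregate applies
    retroactive_date: date
    period_start: date
    period_end: date
    bi_waiting_hours: int = 0        # business-interruption waiting period (assumed term)
    uninsurable: set = field(default_factory=set)  # categories barred by law in the jurisdiction

@dataclass
class Incident:
    first_compromise: date           # start of attacker dwell time, not the detection date
    reported: date                   # when the claim was notified to the insurer
    costs: dict                      # loss category -> estimated cost (USD)
    bi_outage_hours: int = 0

def stress_test(policy, incident):
    """Return (covered per category, uncovered total, denial reason or None)."""
    total_loss = sum(incident.costs.values())
    # Claims-made trigger: notified inside the period, and not before the retroactive date
    if not policy.period_start <= incident.reported <= policy.period_end:
        return {}, total_loss, "reported outside policy period"
    if incident.first_compromise < policy.retroactive_date:
        return {}, total_loss, "initial compromise predates retroactive date"
    covered = {}
    for cat, cost in incident.costs.items():
        if cat in policy.uninsurable:          # e.g. fines the jurisdiction bars insuring
            covered[cat] = 0
            continue
        if cat == "business_interruption" and incident.bi_outage_hours:
            # Only outage time beyond the waiting period is indemnified (pro rata assumption)
            payable = max(incident.bi_outage_hours - policy.bi_waiting_hours, 0)
            cost = cost * payable // incident.bi_outage_hours
        covered[cat] = min(cost, policy.sub_limits.get(cat, policy.aggregate_limit))
    # The headline aggregate caps the sum of all category payouts
    payout = sum(covered.values())
    if payout > policy.aggregate_limit:
        covered = {k: v * policy.aggregate_limit // payout for k, v in covered.items()}
    return covered, total_loss - sum(covered.values()), None

# Constructed sample: the article's $50M policy with $5M/$3M/$10M sub-limits
SAMPLE_POLICY = Policy(50_000_000, {"ransomware": 5_000_000, "regulatory_fines": 3_000_000,
                       "business_interruption": 10_000_000}, date(2024, 1, 1),
                       date(2026, 1, 1), date(2026, 12, 31), bi_waiting_hours=12)
SAMPLE_INCIDENT = Incident(date(2025, 9, 15), date(2026, 3, 10), {"ransomware": 8_000_000,
    "business_interruption": 12_000_000, "data_restoration": 2_000_000,
    "regulatory_fines": 4_000_000, "legal": 1_500_000}, bi_outage_hours=96)
```

Running `stress_test(SAMPLE_POLICY, SAMPLE_INCIDENT)` shows a $27.5M loss paying out $21.5M, leaving $6M uncovered even though the headline limit is far from exhausted; moving `first_compromise` before the retroactive date turns the whole claim into a denial.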

Board-Level Questions

  • Have we tested our insurance policy against a realistic incident scenario to understand what would and would not be covered?
  • Are we aware of the specific exclusions in our policy that are most relevant to our threat profile?
  • Do our security control attestations accurately reflect what is actually implemented and operational?
  • What is the total financial exposure we carry above our insurance coverage limits?

Final Executive Takeaway

Cyber insurance is a legitimate and valuable risk management tool. It is not a substitute for security investment, and it is not a guarantee of financial protection in the event of a major incident. It is one layer of a multi-layer risk management strategy — with real limits, hard exclusions, and conditions that must be maintained.

The organizations that use cyber insurance most effectively are the ones that understand it precisely: what it covers, what it does not, what conditions must be met, and how it integrates with their broader resilience strategy.

The worst time to understand what your cyber insurance policy actually says is during an incident. The second worst time is at renewal. The right time is now — before you need it.