
Cyber Insurance: What It Covers and What It Doesn't

Sam Wheeler · November 14, 2023

Cyber insurance has grown from a niche product to a mainstream business requirement in a decade. Premiums have also risen sharply as insurers processed claims from major ransomware events and realized they had underpriced the risk. Today, understanding your cyber policy — not just having one — is essential.

What Cyber Insurance Typically Covers

Policies vary significantly, but most modern cyber insurance covers some combination of:

First-party costs (your direct losses):

  • Incident response and forensic investigation costs
  • Data recovery and system restoration
  • Business interruption losses during an outage
  • Ransomware payments (subject to sublimits and insurer consent, and to sanctions screening: a payment to a sanctioned entity is not reimbursable and can expose the payer to sanctions liability)
  • Notification costs for affected individuals
  • Credit monitoring services for affected individuals
  • PR and crisis communications

Third-party liability (claims made against you):

  • Regulatory defense costs and fines, to the extent fines are insurable under the law of the relevant jurisdiction
  • Customer and partner claims arising from a breach of their data
  • Media liability (copyright infringement, defamation)

The Common Coverage Gaps

Sublimits that don't match your risk. Policies often have sublimits — coverage caps for specific categories — that are much lower than the overall policy limit. A $5M policy might have a $500K sublimit for ransomware payments. Know your sublimits.

Business interruption waiting periods. Many policies don't cover the first 8–12 hours of a business interruption. For a brief outage, you're paying out of pocket.

War exclusions. Most policies exclude "acts of war." After NotPetya, which the US and UK governments attributed to the Russian military, the insurers of Merck and Mondelez invoked war exclusions to deny claims. Merck's insurers lost at trial and on appeal in New Jersey, largely because the exclusion was written for armed conflict rather than cyberattacks, and Mondelez settled with Zurich. Insurers have responded by rewriting the clauses: since March 2023, Lloyd's has required its syndicates to exclude losses from state-backed cyberattacks. It's worth understanding how your policy defines war and state-backed attacks, who decides attribution, and what is excluded.

Negligence exclusions. Policies often exclude incidents resulting from failure to maintain the controls you attested to, or from known vulnerabilities left unremediated. If you were breached through a critical patch that had been available for six months, expect the insurer to push back on the claim.

Voluntary payment exclusions. Standard cyber policies often don't cover money that an employee voluntarily wires to an attacker under fraudulent instruction, the classic BEC scenario, because the funds were transferred rather than stolen. That exposure is usually covered, if at all, by a separate social engineering or funds transfer fraud endorsement with its own low sublimit.

The Underwriting Process Is a Security Assessment

To get coverage — and especially to get reasonable rates — insurers now require meaningful documentation of security controls. MFA on email and admin access, EDR deployment, patch management processes, backup and recovery capabilities, and incident response planning are all commonly required.

Treat the underwriting questionnaire honestly. Misrepresentation of controls to get coverage is a path to denied claims when you need them: insurers have sought to rescind policies where a breach came in through access the application described as MFA-protected. If a control is only partly deployed, say so.

How Insurers Are Changing

The market has hardened significantly. Premiums rose 50–100% in some sectors between 2020 and 2022. Coverage terms have tightened. Minimum security control requirements have increased. Some industries (healthcare, critical infrastructure) face particularly challenging market conditions.

Organizations with mature security programs get better rates. The connection between security investment and insurance cost is becoming direct and explicit.

The Right Frame

Cyber insurance is risk transfer, not risk elimination. It's most valuable for covering costs that exceed your retention capacity — major forensic investigation, significant business interruption, large-scale regulatory defense. It doesn't substitute for controls.

Know what your policy covers, what it doesn't, and where the gaps are. Then make security investments that reduce both your risk and your insurance costs.
