Cyber insurance premiums have climbed sharply over the past few years, and businesses paying those premiums often assume they’re fully covered if something goes wrong. That assumption can be dangerously expensive.
The fine print in most cyber insurance policies contains exclusions, conditions, and requirements that could leave you footing the bill for a breach you thought was covered. Understanding what your policy actually says, rather than what you hope it says, is critical.
The Attestation Problem
When you apply for cyber insurance, you fill out a questionnaire about your security controls. Do you enforce multi-factor authentication? Yes. Do you conduct regular penetration testing? Yes. Do you have an incident response plan? Yes.
Insurers take those answers at face value when writing the policy. But when you file a claim, they verify them. If your MFA implementation only covers email but not VPN access, and the breach came through VPN credentials, the insurer may argue that your attestation was inaccurate. That argument can void your claim entirely.
William Fieldhouse, Director of Aardwolf Security Ltd, comments: “We’ve seen clients turned down for insurance claims because they couldn’t demonstrate that basic security controls were in place at the time of the breach. Insurers are getting more technical in their questioning, and they’re sending their own assessors to verify what you told them on the application form.”

Common Exclusions Worth Knowing About
Acts of war exclusions have become particularly contentious. Several insurers have attempted to deny claims related to state-sponsored attacks by classifying them as acts of war. If a ransomware group with ties to a nation state hits your business, your insurer might push back on the claim.
Unpatched systems represent another exclusion zone. If the breach exploited a vulnerability for which a patch had been available for more than 30 days, some policies exclude it from coverage. Your patching cadence isn’t just a security concern; it’s a financial one.
What Insurers Expect From You
The requirements for maintaining coverage have grown more demanding. Most policies now expect MFA across all remote access points, endpoint detection and response tools on every endpoint, regular security testing, and documented incident response procedures.
Regular vulnerability scanning demonstrates to insurers that you’re actively managing your security posture. It also creates an evidence trail showing that you identified and remediated vulnerabilities in a timely manner, which strengthens your position if you ever need to file a claim.
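As an added illustration, not code from the original article, the following Python sketch turns a set of scan findings into the kind of evidence trail described above, measuring each finding’s exposure against the 30-day patch window the article quotes. The hostnames, vulnerability ids and dates are constructed placeholders, and the 30-day threshold is an assumption you should replace with your own policy’s wording.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Threshold quoted in the article; confirm the figure in your own policy.
PATCH_WINDOW_DAYS = 30


@dataclass
class Finding:
    host: str
    vuln_id: str                 # placeholder id, not a real CVE
    patch_available: date        # date the vendor fix was released
    remediated: Optional[date]   # None while the finding is still open


def days_exposed(f: Finding, as_of: date) -> int:
    """Days from patch release to remediation, or to the report date if still open."""
    end = f.remediated or as_of
    return (end - f.patch_available).days


def classify(f: Finding, as_of: date, window: int = PATCH_WINDOW_DAYS) -> str:
    """Label a finding relative to the exclusion window so the report is self-explanatory."""
    late = days_exposed(f, as_of) > window
    if f.remediated is None:
        return "open-outside-window" if late else "open-within-window"
    return "remediated-late" if late else "remediated-on-time"


def evidence_report(findings: List[Finding], as_of: date, window: int = PATCH_WINDOW_DAYS) -> dict:
    """Summarise findings into rows an assessor can check, plus a count of those at risk of exclusion."""
    rows = [(f.host, f.vuln_id, days_exposed(f, as_of), classify(f, as_of, window)) for f in findings]
    at_risk = [r for r in rows if r[3] in ("open-outside-window", "remediated-late")]
    return {"as_of": as_of.isoformat(), "window_days": window, "rows": rows, "at_risk_count": len(at_risk)}


# Constructed sample findings (not real hosts or vulnerabilities).
SAMPLE_FINDINGS = [
    Finding("vpn-gw-01", "VULN-PLACEHOLDER-1", date(2024, 1, 1), date(2024, 1, 15)),
    Finding("mail-01", "VULN-PLACEHOLDER-2", date(2024, 1, 1), date(2024, 2, 20)),
    Finding("web-01", "VULN-PLACEHOLDER-3", date(2024, 2, 15), None),
    Finding("db-01", "VULN-PLACEHOLDER-4", date(2024, 1, 10), None),
]
REPORT_DATE = date(2024, 3, 1)

if __name__ == "__main__":
    report = evidence_report(SAMPLE_FINDINGS, REPORT_DATE)
    for host, vuln, days, status in report["rows"]:
        print(f"{host:10} {vuln:22} {days:3d} days  {status}")
    print(f"{report['at_risk_count']} finding(s) at risk of the {report['window_days']}-day exclusion")
```

Run against a real scanner export, the same report gives you a dated record of how long each issue was exposed, which is what an insurer’s assessor will ask for.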
Making Insurance Work for You
Read your policy carefully. Understand the exclusions, the conditions precedent, and the notification requirements. Most policies require you to notify the insurer within 24 to 72 hours of discovering a breach. Miss that window and your claim could be denied regardless of the circumstances.
If you haven’t reviewed your security posture against your policy requirements recently, getting a penetration test quote is a sensible starting point. The cost of proper testing and remediation is a fraction of what you’d pay out of pocket for an uncovered breach.