Insurance — 2026-03-08

Cyber Insurance and Ransomware: What Your Policy Actually Covers

Cyber insurance is one of the most misunderstood tools in an organisation's risk management toolkit. Boards buy it expecting a financial safety net in the event of a ransomware attack. What they often discover, during the worst week of their professional lives, is that the policy has sublimits, exclusions, pre-approval requirements, and conditions that significantly reduce its value.

This post covers the policy terms you should understand before an incident — not during one.

The Approved Vendor Problem

Most cyber insurance policies require you to use the insurer's approved panel of vendors for incident response, forensics, legal counsel, and ransom negotiation. This is a significant constraint that many policyholders only discover at the moment they need help.

Approved panel vendors are not necessarily the best vendors for your situation. They are vendors who have agreed commercial terms with the insurer, typically at rates that suit the insurer's cost management objectives. Panel IR firms often handle high volumes of lower-complexity incidents and may not have the specific expertise your incident requires.

Using a non-panel vendor without insurer approval can void coverage for those specific costs. If you have a preferred IR provider — or have a retainer in place — check whether using them is permitted under your policy. Many policies allow panel deviation with prior written approval; some do not.

The practical implication: if you have an IR retainer, your retainer agreement and your insurance policy must be compatible. Check this before you need to invoke either.

Ransom Sublimits

A policy with a £5 million aggregate limit does not necessarily cover a £5 million ransom payment. Most policies have specific sublimits for extortion or ransom payments that are significantly lower than the overall policy limit — commonly 25–50% of the total limit, sometimes lower.

This matters when the ransom demand exceeds your sublimit. It also matters when calculating whether negotiation toward a lower demand is worthwhile — reducing a £3 million demand to £1.5 million may bring it within sublimit coverage when the full demand would have exceeded it.

Read the extortion/ransomware section of your policy specifically. Do not assume the aggregate limit applies to ransom payments.

Business Interruption: The Calculation Gap

Business interruption (BI) coverage is typically designed to compensate for revenue loss during the recovery period. The policy definition of "recovery" and your actual operational recovery often diverge significantly.

Policies frequently define BI recovery as the point at which systems are technically restored — not the point at which business operations are functioning normally. If your systems are restored in week three but it takes a further four weeks to recover lost orders, rebuild customer confidence, and restore full operational capacity, weeks four through seven may not be covered.

There is also frequently a waiting period, analogous to the excess on a property policy and typically 8–24 hours, before BI coverage begins. A brief outage resolved quickly may fall entirely within this waiting period and attract no BI payment at all.

BI calculation methodology is complex and contested. Insurers use their own methodologies; you are likely to disagree with their conclusions. Having pre-incident financial documentation — monthly revenue figures, cost structures, forward order books — significantly improves your position in BI disputes.

Notification Timelines and Conditions

Cyber policies impose notification obligations on the policyholder. Typically you must notify the insurer as soon as practicable upon discovering a potential claim — often within 24–72 hours. Failure to notify within the required window can affect coverage.

This creates a tension with the early hours of incident response: your IT team discovers a potential issue late on a Friday evening and spends 12 hours trying to understand scope before concluding it is a significant incident. Depending on the policy wording, the notification clock may have started at first discovery rather than at the moment your team concluded the incident was significant, and nobody has yet told the insurer.

Know your notification requirements and the insurer's emergency contact process before an incident. Many insurers have 24/7 incident notification lines. Use them early — you can always provide more information later; you cannot retroactively notify on time.

War and Nation-State Exclusions

The war exclusion in cyber policies has been subject to significant litigation following the NotPetya attack in 2017. Merck's insurers invoked the "hostile or warlike action" exclusion in its all-risk property policies on the basis that NotPetya was a nation-state attack attributable to the Russian military; the New Jersey courts rejected that reading, finding the exclusion was written for conventional armed conflict and did not apply.

Partly in response, most modern cyber policies now include explicit cyber war and state-backed attack exclusions alongside standard war exclusions (Lloyd's, for example, has required such exclusions in standalone cyber policies since March 2023). The key question is how attribution is handled: specifically, what standard of evidence is required to invoke the exclusion, who makes the attribution (a government statement, the insurer, or a tribunal), and whether the courts or arbitrators deciding the dispute apply the same attribution standards as government intelligence agencies.

For UK organisations: nation-state-attributable attacks are not uncommon across certain sectors, including legal, financial services, defence supply chain, and critical infrastructure. If your sector is of interest to nation-state actors, your war exclusion deserves specific attention when renewing or placing coverage.

Conditions on Ransom Payment Approval

Most policies require insurer approval before a ransom payment is made. This is not merely procedural — the insurer needs to conduct sanctions screening (or confirm yours) and may want to assess whether alternative recovery paths exist before authorising payment.

In practice, this approval process can add 24–48 hours to the decision timeline during a high-pressure negotiation. Threat actors set countdown timers. Delays in the approval chain can result in timer expiry, which may increase the demand or result in data publication.

Understanding your insurer's payment approval process — who to call, what information they need, what their typical turnaround is — should be established before an incident, not during one.

What Good Cyber Insurance Looks Like

A policy worth having for ransomware exposure should include the elements discussed above, namely:

- The ability to use your own IR provider or an existing retainer, either as a named vendor or with a documented pre-approval route.
- An extortion sublimit sized against realistic demands for an organisation of your size, not a fraction of the aggregate limit chosen by default.
- A business interruption definition tied to operational recovery rather than technical restoration, with a waiting period you can live with and an agreed basis for calculating loss.
- A clear notification process with a 24/7 contact line and a notification window you can actually meet.
- A war and nation-state exclusion with a defined attribution standard that you have reviewed against your sector's threat profile.
- A documented ransom payment approval process with a stated turnaround time.

If your current policy does not include these elements, the renewal conversation should focus on them specifically.

The Broker Matters

Cyber insurance is a specialist product. A generalist commercial broker placing it as an add-on to your property and liability programme is not the same as a specialist cyber broker with deep knowledge of policy terms, insurer claims behaviour, and incident response integration.

How an insurer behaves in a claim — how quickly they respond, whether they dispute coverage aggressively, how their appointed vendors perform — is knowledge that specialist brokers have from actual claims experience. It should inform your insurer selection.

Binary Response works closely with cyber insurers and can assist with policy review, pre-incident planning, and incident response under insurance-managed engagements. Contact us at enquiries@binary-response.com to discuss your coverage in the context of your actual risk exposure.