Why Cyber Insurance Won't Cover Your Next Incident
Your organisation paid for cyber insurance. You renewed it last year, filled in the lengthy application, checked the boxes about multi-factor authentication and patching cadence. You feel covered. The problem is that insurers increasingly disagree — and they have the policy language to prove it.
Cyber insurance claim denials are rising sharply. Insurers paid out readily in the early years of the market, when they had little claims data of their own. Now they are using the data they accumulated to tighten exclusions, add conditions, and reject claims where organisations haven't met the increasingly specific technical requirements buried in their policies. The organisations that get caught out are rarely careless. They are the ones who treated cyber insurance as a transfer of risk rather than as a contract with specific obligations.
This article covers the exclusions that matter most, the mistakes that trigger them, and what DFIR-ready organisations do differently to make sure coverage actually holds when they need it.
The Shift in the Cyber Insurance Market
Between 2019 and 2022, cyber insurance was a growth market operating with limited claims data. Insurers competed on price, applications were relatively simple, and most claims got paid. Then came the ransomware surge of 2021-2022, followed by two years of sustained losses that forced the market to recalibrate.
The recalibration took three forms: premium increases, capacity reductions, and — most significantly for this discussion — policy tightening. Modern cyber policies are not the broad, permissive instruments they were five years ago. They contain specific technical warranties, coverage conditions, and exclusions that give insurers multiple grounds to deny or reduce claims.
Security teams often don't see the policy language. The CISO gets briefed on coverage limits. The CTO gets asked to sign a warranty. But the exclusions that will matter at claim time are often in the fine print reviewed only by the broker and the finance team.
The Exclusions That Actually Deny Claims
1. The War and Geopolitical Exclusion
This is the most contested exclusion in the market right now. The reference case is Merck v. ACE American Insurance. After NotPetya in 2017, ACE invoked the "hostile or warlike action" exclusion in Merck's all-risk property policy to deny a claim of roughly $1.4 billion, arguing that NotPetya, widely attributed to Russian military intelligence, was an act of war. Merck won at trial in 2022, the New Jersey Appellate Division upheld the ruling in 2023, and the insurers settled before the state's supreme court heard the case.
The courts disagreed with the insurer, but the market responded by rewriting the exclusion rather than abandoning it. Lloyd's required its syndicates to include state-backed cyber-attack exclusions in standalone cyber policies from March 2023, and modern wordings across the market contain much more specific language about state-sponsored attacks, critical infrastructure targeting, and cyberwarfare. The threshold for triggering the exclusion is far lower than a declared war, and, unlike Merck's, the policy you hold now was drafted with NotPetya in mind.
If your organisation operates in a sector that nation-state actors target (financial services, healthcare, energy, defence supply chain, critical national infrastructure), and you're hit by an attack that can be attributed, even loosely, to a state-aligned threat actor, your insurer may invoke this exclusion. Attribution for this purpose doesn't require certainty; it requires a plausible argument, and public reporting that names a state-aligned group is usually enough to start one.
2. Breach of Security Warranty
Most modern cyber policies include a security warranty — a statement made during the application that certain controls are in place. Common warranties cover:
- Multi-factor authentication on all remote access and privileged accounts
- Endpoint Detection and Response (EDR) deployed across the estate
- Patching of critical vulnerabilities within a specified timeframe
- Segregated, tested, and offline backups
- Email filtering and anti-phishing controls
The problem isn't that organisations lie on their applications; it's that controls drift. The MFA policy was in place when the application was submitted. By the time of the incident, three legacy systems had been excluded from the rollout, a contractor VPN account had no MFA enforced, and an Active Directory admin account was accessing cloud infrastructure with a password alone. Each of those is a gap between what was warranted and what was deployed, and it is the deployed state on the day of the incident that gets examined.
Insurers investigate claims. They send forensic firms (sometimes the same ones organisations hire for incident response) to review the technical environment. If the post-incident investigation reveals that warranted controls were not in place, the insurer has grounds to void or reduce the claim — potentially to zero.
3. Prior Known Vulnerabilities
If a threat actor exploited a vulnerability that was publicly known — and your organisation hadn't patched it within a "reasonable" timeframe — insurers can argue you failed to mitigate a foreseeable risk. "Reasonable" is deliberately vague, which gives insurers flexibility. In practice, they're watching CISA's Known Exploited Vulnerabilities (KEV) catalogue.
Exploits against KEV vulnerabilities, particularly those with CVSS scores above 8.0, give insurers the clearest grounds for claiming you should have patched before the incident. Each KEV entry carries the date CISA added it and a due date by which US federal agencies must remediate (usually about three weeks after listing). That is a public, dated benchmark an insurer can hold up against your patch records. If your vulnerability management programme has a 90-day SLA for critical patches but the exploited vulnerability had been on KEV for 45 days, well past CISA's own due date, you may find coverage conditional or contested.
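The check an insurer's forensic firm will effectively run is simple: for every vulnerability still open at the incident date, was it already on KEV, for how long, and had CISA's due date and your own SLA passed? The script below is an added example, not code from the original article. It assumes a local snapshot of CISA's KEV catalogue (the real feed is JSON with a top-level "vulnerabilities" list whose entries include the cveID, dateAdded, dueDate and knownRansomwareCampaignUse fields used here) and a scanner export of open CVEs per host. The KEV entries, CVE numbers and host names are constructed stand-ins; only the field names are real.

```python
"""KEV-aligned patch SLA check.

Added example, not from the original article. CISA publishes the Known Exploited
Vulnerabilities catalogue as JSON with a top-level "vulnerabilities" list whose
entries carry cveID, dateAdded, dueDate and knownRansomwareCampaignUse (among
other fields). The entries and scanner export below are constructed stand-ins
that reuse those field names; the CVE numbers and hosts are placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Constructed KEV snapshot: real field names, made-up values.
KEV_SNAPSHOT = {
    "vulnerabilities": [
        {"cveID": "CVE-2024-00001", "dateAdded": "2024-03-06", "dueDate": "2024-03-27",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-00002", "dateAdded": "2024-04-10", "dueDate": "2024-05-01",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-00003", "dateAdded": "2023-11-15", "dueDate": "2023-12-06",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-00004", "dateAdded": "2024-05-02", "dueDate": "2024-05-23",
         "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Constructed scanner export at the incident date: CVE -> hosts where it was still open.
OPEN_FINDINGS = {
    "CVE-2024-00001": ["vpn-gw-01"],
    "CVE-2024-00002": ["web-04", "web-03"],
    "CVE-2023-00003": ["file-02"],
    "CVE-2024-00004": ["mail-01"],   # listed on KEV only after the incident
    "CVE-2024-00009": ["db-01"],     # never on KEV: no "known exploited" argument
}


@dataclass(frozen=True)
class SlaFinding:
    cve: str
    hosts: tuple[str, ...]
    days_on_kev: int            # days between KEV listing and the incident date
    past_cisa_due_date: bool    # CISA's public benchmark had already passed
    past_internal_sla: bool     # your own SLA had also passed
    ransomware_use: bool


def kev_sla_report(kev: dict, open_findings: dict[str, list[str]],
                   as_of: date, internal_sla_days: int) -> list[SlaFinding]:
    """One SlaFinding per open CVE that was already on KEV on `as_of`, worst first."""
    index = {v["cveID"]: v for v in kev["vulnerabilities"]}
    findings = []
    for cve, hosts in open_findings.items():
        entry = index.get(cve)
        if entry is None:
            continue
        added = date.fromisoformat(entry["dateAdded"])
        if added > as_of:
            continue  # listed after the incident: not a "prior known" exposure
        due = date.fromisoformat(entry["dueDate"])
        findings.append(SlaFinding(
            cve=cve,
            hosts=tuple(sorted(hosts)),
            days_on_kev=(as_of - added).days,
            past_cisa_due_date=as_of > due,
            past_internal_sla=as_of > added + timedelta(days=internal_sla_days),
            ransomware_use=entry.get("knownRansomwareCampaignUse") == "Known",
        ))
    # Past CISA's due date first, then by how long the CVE had been listed.
    findings.sort(key=lambda f: (not f.past_cisa_due_date, -f.days_on_kev))
    return findings


def format_report(findings: list[SlaFinding]) -> str:
    lines = []
    for f in findings:
        flags = []
        if f.past_cisa_due_date:
            flags.append("PAST CISA DUE DATE")
        if f.past_internal_sla:
            flags.append("PAST INTERNAL SLA")
        if f.ransomware_use:
            flags.append("ransomware use known")
        lines.append(f"{f.cve}: {f.days_on_kev} days on KEV, hosts={','.join(f.hosts)}"
                     f" [{'; '.join(flags) or 'within both windows'}]")
    return "\n".join(lines)


def article_scenario() -> list[SlaFinding]:
    """The article's scenario: a 90-day internal SLA, incident on 2024-04-20."""
    return kev_sla_report(KEV_SNAPSHOT, OPEN_FINDINGS, date(2024, 4, 20), 90)


if __name__ == "__main__":
    print(format_report(article_scenario()))
```

Run against the constructed data, CVE-2024-00001 comes out 45 days on KEV and past CISA's due date but inside the 90-day internal SLA, which is exactly the gap the paragraph above describes: your own SLA is met, and the insurer still has a dated public benchmark to argue from. Running the same check before renewal, against the live catalogue and your real scanner export, is the "KEV-aligned patch SLA" mitigation in the table below; the output, with documented exceptions for anything you cannot patch, is the evidence you want on file before an adjuster asks.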
4. Failure to Notify Within Required Timescales
Almost every cyber policy contains a notification requirement: you must report an incident to the insurer within a defined period of becoming aware of it. The period varies by policy (24 hours, 72 hours, 30 days, or the looser "as soon as practicable"), and so does the trigger. Some policies start the clock at the point of suspicion, not at confirmation.
Organisations routinely breach this. An IT team detects anomalous activity on a Tuesday, spends three days trying to understand it, involves an external IR firm on Friday, and notifies the insurer the following Monday. If the policy required 24-hour notification from the point of suspicion, coverage may be compromised for everything that happened between Tuesday and Monday.
This isn't a technicality — it's a contractual obligation. Insurers need early notification because they want the right to direct the response, approve vendors, and manage costs. Late notification deprives them of that opportunity. Courts have found this sufficient grounds for partial or full denial.
5. Unapproved Vendors and Panel Requirements
Many policies require that incident response, forensic, and legal services come from an insurer-approved panel. If your organisation retains an IR firm not on that panel — even a firm with superior capability for your specific situation — the insurer may refuse to fund those costs.
Organisations that have an existing relationship with a specialist IR firm, and call that firm first during an incident, sometimes find that the policy won't cover the invoice. This matters most for organisations with complex environments that need specialist forensics — manufacturing, healthcare, OT/ICS environments — where generic panel IR firms may lack the necessary expertise.
| Exclusion / Condition | How It Gets Triggered | Mitigation |
|---|---|---|
| War / state-sponsored | Nation-state attribution, even loose | Negotiate explicit carve-outs; check sub-limits |
| Security warranty breach | MFA gaps, EDR coverage, backup failures | Annual warranty audit vs actual estate |
| Prior known vulnerabilities | Unpatched KEV vulns at time of incident | KEV-aligned patch SLAs, documented exceptions |
| Late notification | Delay between suspicion and insurer contact | Notification SOP in IR runbook, day-one trigger |
| Unapproved vendors | Calling non-panel IR firm first | Pre-approve preferred vendor with insurer |
The Evidence Problem: Why DFIR Matters for Claims
Even when coverage isn't disputed in principle, the size of the payout depends almost entirely on the quality of forensic evidence. Insurers don't pay estimated losses — they pay documented losses. If you can't prove what data was exfiltrated, what systems were affected, when the breach began, and what recovery costs were genuinely incidental to the attack, the claim will be settled for less than the actual damage.
This is where organisations without dedicated digital forensics capability leave money on the table. Common gaps we see:
- No documented exfiltration evidence: The insurer won't pay GDPR notification costs if you can't demonstrate that personal data actually left the network. Without forensic evidence of exfiltration — DNS, proxy, and firewall logs, combined with endpoint artefacts — the claim for regulatory response costs is contested.
- Undocumented dwell time: Attackers in the network for 45 days before detection means 45 days of potential data exposure. Without a forensically established timeline, insurers may argue the scope is smaller — or that the organisation should have detected earlier.
- Unreliable business interruption quantification: BI claims require documentation of revenue impact. Without logs showing system unavailability tied to the incident, insurers dispute the numbers. A forensic timeline of system states anchors the BI calculation.
Organisations with an IR retainer that specifies evidence collection have forensic-grade preservation built into their first-hour response. That evidence doesn't just support prosecution or recovery; it is what the insurance claim is paid against.
What DFIR-Ready Organisations Do Differently
The organisations that recover cleanly from incidents — and recover their insurance costs — don't treat preparation as a box-ticking exercise. They build three specific capabilities:
Annual Policy vs Reality Audit
Every year, before renewal, they compare the warranted security controls against the actual deployed state. Not a self-assessment — an independent technical review. They find the gaps (there are always gaps), remediate them, and document the remediation. When they sign the warranty, it's accurate. When the insurer's forensic team arrives post-incident, the controls are there.
Incident Notification in the Runbook
The IR runbook explicitly names the insurer, the policy number, the claims hotline, the notification timeframe, and the specific trigger events that require notification. The first call once an incident is confirmed (or, where the policy says so, once it is reasonably suspected) isn't only to IT leadership; the IR firm and the insurer are contacted at the same time. Notification happens within hours, not days, and the time and method of notification are logged so the fact of it can be evidenced later.
Forensic Evidence Collection From Minute Zero
Evidence collection starts during containment, not after. Memory dumps, log exports, network captures, and chain-of-custody documentation begin in the first hour. By the time the insurer's adjusters arrive, there's a documented forensic timeline, preserved evidence, and a clear record of what happened, when, and what was affected.
This isn't just good forensic practice — it's the difference between a full claim and a partial one.
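The chain-of-custody documentation mentioned above is the part most often skipped in the first hour. The script below is an added example, not code from the original article or from any IR firm. It assumes evidence has already been exported into one directory (log exports, memory images, captures) and builds a manifest that records the case, the collector, the collecting host, and a SHA-256 for every artefact, then re-verifies the artefacts against that manifest so that whoever handles the evidence next, including the insurer's forensic firm, can be shown that nothing changed in between. The case id, collector, hosts and the evidence files created in demo() are constructed placeholders.

```python
"""Chain-of-custody manifest for first-hour evidence collection.

Added example, not from the original article. It records who collected which
artefacts, when and on which host, with a SHA-256 of each file, and re-verifies
the artefacts against that manifest later. The evidence files in demo() are
constructed stand-ins written to a temporary directory; the case id, collector
and host names are placeholders.
"""
from __future__ import annotations

import hashlib
import json
import socket
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # hash 1 MiB at a time so a multi-GB memory image never has to fit in RAM


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(case_id: str, collector: str, evidence_root: Path, notes: str = "") -> dict:
    """Inventory every file under evidence_root: relative path, size, hash, UTC time."""
    items = []
    for p in sorted(evidence_root.rglob("*")):
        if p.is_file():
            items.append({
                "path": p.relative_to(evidence_root).as_posix(),
                "size": p.stat().st_size,
                "sha256": sha256_file(p),
                "collected_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            })
    return {
        "case_id": case_id,
        "collector": collector,
        "collection_host": socket.gethostname(),
        "notes": notes,
        "items": items,
    }


def write_manifest(manifest: dict, manifest_path: Path) -> str:
    """Write the manifest and return its own SHA-256. Record that hash somewhere the
    evidence store cannot alter (the incident ticket, a signed e-mail, a printed log)."""
    data = json.dumps(manifest, indent=2, sort_keys=True).encode()
    manifest_path.write_bytes(data)
    return hashlib.sha256(data).hexdigest()


def verify_manifest(manifest: dict, evidence_root: Path) -> list[tuple[str, str]]:
    """Return (path, problem) for every artefact that is missing or no longer matches."""
    problems = []
    for item in manifest["items"]:
        p = evidence_root / item["path"]
        if not p.is_file():
            problems.append((item["path"], "missing"))
        elif p.stat().st_size != item["size"]:
            problems.append((item["path"], "size changed"))
        elif sha256_file(p) != item["sha256"]:
            problems.append((item["path"], "hash mismatch"))
    return problems


def demo() -> tuple[list, list]:
    """Collect constructed artefacts, verify, then mishandle them and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "evidence"
        for sub in ("logs", "memory", "net"):
            (root / sub).mkdir(parents=True)
        # Constructed sample artefacts: a VPN log export, a memory image, a capture.
        (root / "logs" / "vpn-gw-01.log").write_text(
            "2024-04-20T02:13:07Z login user=contractor01 mfa=none src=203.0.113.7\n")
        (root / "memory" / "web-03.raw").write_bytes(b"\x00" * 4096)
        (root / "net" / "capture.pcap").write_bytes(b"\xd4\xc3\xb2\xa1" + b"\x00" * 20)

        manifest = build_manifest("IR-2024-0042", "analyst@example.org", root,
                                  notes="constructed sample, first-hour collection")
        write_manifest(manifest, Path(tmp) / "manifest.json")  # kept outside the evidence tree
        before = verify_manifest(manifest, root)

        # Later mishandling: a note appended to the log export, the image overwritten
        # with same-size content, the capture deleted. Each is caught differently.
        with (root / "logs" / "vpn-gw-01.log").open("a") as f:
            f.write("2024-04-20T02:14:00Z note added after collection\n")
        (root / "memory" / "web-03.raw").write_bytes(b"\xff" * 4096)
        (root / "net" / "capture.pcap").unlink()
        after = verify_manifest(manifest, root)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("problems right after collection:", before)
    print("problems after mishandling:", after)
```

The manifest is only as trustworthy as the record of its own hash, which is why write_manifest returns it: note that value in the incident ticket at collection time, not in the evidence store, and the later verification run becomes a demonstrable fact rather than an assertion. The dwell-time and exfiltration arguments in the previous section rest on the same artefacts, so the point of doing this in the first hour is that the evidence supporting the claim is fixed before anyone, including your own recovery team, has touched it.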
A Practical Review: Check Your Policy Now
Before your next renewal, answer these questions honestly:
- Does your policy have a war or state-sponsored exclusion? Does it have a sub-limit rather than full exclusion for nation-state events?
- What security controls did you warrant? Are all of them actually deployed, with no exceptions or legacy carve-outs?
- What's the notification period? Is it triggered by suspicion or confirmed breach? Is it in your IR runbook?
- Does your policy require an approved vendor panel? Is your preferred IR firm on it?
- When was the last time you tested your backups for actual restoration? Do you have documentation of the test?
If any of these questions produce uncertainty, you have work to do before the next incident — not during it.
The Bottom Line
Cyber insurance is not a safety net that deploys automatically. It's a contract with specific conditions, and the organisations that collect on it are the ones that understood those conditions before the incident occurred.
The insurers who entered this market aggressively are now defending their loss ratios aggressively. Every exclusion and warranty clause in a modern cyber policy has been written to give them options. Your job — and your broker's job — is to take those options away, through accurate warranties, documented controls, and forensic-grade response capability when the incident happens.
The organisations we work with that recover their costs from insurers share one characteristic: they treated their IR retainer as a tool for claims readiness, not just incident recovery. They had the evidence. Insurers paid.
If you're not sure whether your current posture would withstand a post-claim forensic review, Binary Response offers cyber insurance readiness assessments. We review your warranted controls, your IR process, and your forensic capability against your actual policy — before you need to rely on it.