Fort Worth 24

collapse
Home / Daily News Analysis / Reading between the lines of a cyber insurance policy

Reading between the lines of a cyber insurance policy

Jul 16, 2026  Twila Rosenbaum  4 views
Reading between the lines of a cyber insurance policy

Enterprises in regulated industries often carry cyber insurance policies because contracts require it or boards ask for documented risk transfer. The global market for these policies reached about $16 billion in premiums in 2024, and coverage has become widespread. Yet payouts have grown less predictable as insurers tighten terms and deny claims at alarming rates.

The gap between exposure and coverage

The Global Federation of Insurance Associations, representing insurers accounting for close to 90 percent of premiums worldwide, quantified the cyber protection gap at about $900 billion in a 2023 report. Annual economic losses from cyber incidents exceed that figure, but only a small share is covered by insurance. A 2024 white paper from Marsh McLennan and Zurich Insurance Group amplified these findings and called for public-private action to close the gap. Meanwhile, the US cyber market contracted in premium volume for the first time on record, driven by eleven consecutive quarters of rate decreases. Excess capacity has pulled prices down even as reported losses have climbed, creating a dangerous disconnect between risk and reward.

The underwriting bargain

Applications for cyber coverage run long. Some questionnaires now include more than fifty items covering multifactor authentication, backup practices, endpoint detection, patching cadence, and incident response testing. Answers become legal representations. A control that lapses after binding, or a partial deployment described as universal, can shift a later claim into dispute. Independent analyses place the denial rate for cyber claims between 40 and 44 percent. Cases hinge on misrepresentation, lapses in required controls, and application answers signed off by staff without deep technical understanding of the attestations.

Dr. Chase Cunningham, a former NSA analyst and cybersecurity expert who publishes analysis under the DrZeroTrust name, emphasized the limits of insurance: “Cyber insurance has a legitimate role, but it is not a control plane, a trust model, or a resilience strategy. It is a residual-risk financing tool.” He warns that policyholders often mistake coverage for protection, only to discover that exclusions and sublimits render the policy nearly useless when a major incident strikes.

Exclusions carved out of catastrophe

Merck’s litigation over NotPetya damages, which the company put at roughly $1.4 billion, tested the war exclusion in “all risks” property policies and produced a New Jersey appellate ruling favoring the pharmaceutical company in May 2023. The case settled confidentially in January 2024. Lloyd’s of London had already moved in the same direction, issuing a market bulletin in August 2022 that required standalone cyber policies to explicitly exclude state-backed attacks from March 31, 2023 onward, with four model clauses offering different levels of restriction. This means that many large-scale cyberattacks attributed to nation-states — such as those suspected in Colonial Pipeline, SolarWinds, or even NotPetya if it were to happen today — could fall outside standard coverage.

Social engineering sits in a similar zone. Standard policies often exclude these events entirely or cap payouts at $250,000, a figure that sits well under the average loss for this attack type. Business interruption coverage also carries narrow definitions and waiting periods that can exhaust a company’s cash reserves before a penny is paid.

Systemic risk and public policy

Lloyd’s scenario modeling has estimated that a major attack on global financial services payment systems could cost the world economy roughly $3.5 trillion. That figure sits far above the total premiums the entire cyber insurance market collects each year. The potential for a catastrophic systemic event has led to calls for a federal cyber backstop, along the lines of the Terrorism Risk Insurance Act (TRIA). Cunningham sees room for such a mechanism but only under strict conditions. “I think a federal cyber backstop is worth exploring for truly catastrophic systemic cyber events, but only if it is designed as a last-resort resilience mechanism, not as a subsidy for weak security,” he said. He argues that eligibility should require minimum controls tied to NIST CSF and CISA’s Cybersecurity Performance Goals, with evidence-based proof, and that both insurers and policyholders should retain meaningful exposure so taxpayers avoid underwriting preventable negligence.

The debate mirrors earlier discussions about terrorism insurance after 9/11. Without a backstop, insurers may simply refuse to cover systemic cyber risks, leaving entire industries exposed. However, critics warn that government intervention could distort the market and reduce the incentive for firms to invest in cybersecurity. The outcome remains uncertain, but the conversation is gaining urgency as the frequency and severity of cyber incidents continue to rise.

Guidance for mid-market buyers

Mid-market companies without a dedicated CISO or in-house counsel often lean on brokers to interpret cyber risk. Cunningham recommends a wider circle. “I would tell them to build a small advisory triangle around the insurance process: a cyber-specialist broker, an independent technical advisor or fractional CISO, and outside counsel who understands cyber coverage and breach response,” he said. This triangle ensures that the application is accurate, the policy aligns with actual security posture, and legal implications are understood before any claim arises.

He points to CISA’s Cybersecurity Performance Goals and NIST’s small business cybersecurity materials as starting baselines. On broker credentials, he lists PLUS cyber-liability training, RPLU, CPLP, The Institutes’ Associate in Cyber Risk Management, CPCU, ARM, CRM, and CIC as useful screening signals. Claims experience matters as much as any credential. One question, he says, tends to reveal the difference. “How many cyber claims have you helped manage?” A surface advisor asks about limits, revenue, and MFA. A serious advisor probes where MFA is enforced, who holds privileged access, how backups are protected, when the last restore occurred, and what sub-limits apply to social engineering and business interruption.

Coverage decisions carry legal weight the day a questionnaire is signed. Application answers become the record insurers reference when a claim arrives, and the gap between advertised limits and payable amounts often traces to sublimits, waiting periods, exclusions, and control representations written before an incident. Resilience work sits upstream of any policy. Insurance follows the security program that produced it. For organizations without rigorous internal security operations, the insurance is at best a gamble — and at worst, a false comfort that lulls management into complacency until the inevitable breach forces a painful reckoning with the fine print.


Source: Help Net Security News


Share:

Your experience on this site will be improved by allowing cookies Cookie Policy