Cyber insurance isn’t always what it seems
Many companies think cyber insurance will protect them from financial losses after an attack. But many policies have gaps. Some claims get denied. Others cover less than expected. CISOs must understand the risks before an attack happens.
Misconceptions about cyber insurance
Myth: Insurance will cover all costs after a breach.
Reality: Policies often exclude key expenses. Some won’t cover ransomware payments. Others limit payouts for business downtime.
Myth: If we meet security standards, our claim will be paid.
Reality: Insurers review the security controls that were actually in place at the time of the attack and compare them with what the company attested to on its application. If they find gaps, or controls that were declared but never deployed, they may reduce or deny the claim.
Myth: Nation-state attacks are covered.
Reality: Many policies carry a war exclusion that insurers can invoke against attacks attributed to a foreign state, and some newer policy wordings exclude state-backed attacks explicitly. Either way, the result can be no payout.
Matthew Rosenquist, CISO at Mercury Risk and Compliance, cautions that while cyber insurance is a helpful tool, it’s often misunderstood. Too many organizations “make the mistake of believing insurance can be an effective replacement or the centerpiece of a comprehensive cybersecurity risk management strategy,” he said. In reality, insurance doesn’t stop breaches or ransomware. It merely displaces some of the financial losses for extreme cyberattacks.
“Insurance is a mechanism to transfer risk, not mitigate it,” Rosenquist explained. It doesn’t lower the chances of an incident, but it can soften the financial blow if one occurs. With cyberattack costs sometimes reaching into the millions or even billions, he noted, having a policy in place can offer “a valuable peace of mind.”
Still, insurance is no silver bullet. Policies often come with limitations, high premiums, and strict requirements around security posture. “Insurers scrutinize security postures, enforce stringent requirements, and may deny claims if proper controls are not in place,” he said. Many policies also include exclusions and coverage gaps that add complexity to the decision.
When used appropriately, cyber insurance plays a supporting role, not a leading one. “They should complement the defensive capabilities that focus on avoiding and minimizing loss,” Rosenquist said, serving as a safety net rather than a frontline defense. “Cyber insurance can provide important financial relief, but it should never be the first or only line of defense.”
Why claims get denied
- Policy exclusions: Many policies exclude attacks caused by weak security, employee mistakes, or poor backups.
- Acts of war: Attacks from foreign governments often aren’t covered.
- Vague terms: Some policies use unclear language, making coverage confusing.
A large share of the cost of a breach comes not from technical recovery but from legal liability, with lawyers on each side negotiating over who bears it.
“Every year, the NetDiligence Cyber Claims Study shows that a substantial portion of insurance payouts go not toward technical recovery, but toward legal liabilities,” said Chris Cronin, Principal Consultant and Partner, Halock Security Labs. “That tells insurance carriers their policyholders represent a massive liability risk in their portfolios.”
These liability costs often stem from legal wrangling over whether a breached organization exercised reasonable cybersecurity practices. As Cronin puts it, “Liability charges are typically the result of negotiations between attorneys. Regulators on one side, defense attorneys on the other, arguing about reasonableness.”
That’s where proactive risk management becomes a game-changer. “If your company manages toward reasonableness, you’ve won that debate before it even starts,” Cronin said. “And that makes you a lower risk to your insurance carrier.”
Regulators and litigators are beginning to coalesce around a working definition of reasonable cybersecurity, one that hinges on a balancing test: weighing the cost of controls against the risk posed to the public. “It’s not about spending endlessly on security,” Cronin explained. “It’s about showing that your investments are in proportion to the risks you pose to people outside your organization—like customers or the general public.”
This shift gives insurers and policyholders a practical framework to reduce cyber risk. “If your risk analysis demonstrates that balance, you’ve got a strong claim for reasonableness, and your liability charges go down,” Cronin said.
For insurers, it’s also a streamlined way to gauge the risk level of their clients. “Carriers just need to ask which of their policyholders are running cybersecurity programs using principles embedded in past breach settlements—like Duty of Care Risk Analysis, or DoCRA,” Cronin said. “It’s an efficient litmus test for identifying high versus low-risk policyholders.”
How CISOs can ensure coverage
- Work with legal and risk teams – Ensure policies align with actual security practices.
- Meet and exceed insurer security standards – Put in place the controls insurers typically ask about in their underwriting questionnaires (for example multi-factor authentication, endpoint detection and response, tested offline backups, and timely patching). Insurers are looking for proof that these controls exist and work, not just that they were purchased.
- Keep detailed security records – Retain the evidence behind your answers on the application (control configurations, patch and backup test records, incident logs) so the security posture attested at underwriting can be proven when filing a claim.
- Negotiate better terms – Some CISOs have worked with insurers to get clearer terms and better coverage.
“If they haven’t already, IT services providers should be investing in building Compliance-as-a-Service, not only providing another potential revenue stream, but helping build that trusted advisor status. The goal is to help keep their customers up to date with obligations set out in cyber insurance policies and to adhere to requirements such as maintaining up-to-date patches and software on devices—easing stress and outsourcing compliance in a similar way to data protection or endpoint protection,” John Pagliuca, President & CEO at N-able, told Help Net Security.
“It’s a big tailwind for IT services providers. Some of our partners claim cyber insurance is the ‘best salesperson’ they have, driving their customers (current and new) to approach them to adopt reliable security solutions and best practices. Cyber resiliency is a pivotal part of the value these businesses deliver and it’s hard to name an industry that isn’t currently impacted by growing regulatory demands. More than ever, IT services providers can own the security conversation with the mature technologies, know-how, and services to back it up, while hooking into compliance,” Pagliuca added.
Why CISOs must stay proactive
Insurers are setting stricter security requirements, making it harder for companies to qualify for coverage. Premiums are also rising as cybercrime becomes more costly. Governments are stepping in with new regulations like the EU’s Digital Operational Resilience Act (DORA), which imposes ICT risk-management and incident-reporting obligations on financial entities and could reshape how policies are written. At the same time, insurers are using AI to assess risk and set premiums, making underwriting more data-driven. CISOs must stay ahead of these shifts by strengthening security, understanding policy changes, and preparing for tighter scrutiny from both insurers and regulators.
“Many businesses still believe they’re too small to be targeted, that cyber insurance is only for large companies, or that it’s too expensive. However, the reality is that over 60% of small businesses have been victims of cyberattacks, privacy breaches affect organizations of all sizes, and the cyber insurance market offers competitive, tailored options. Working with a skilled broker brings real value. They offer broad expertise and help build tailored solutions. With the proper guidance, organizations can create programs that address their specific risks and needs,” explained Tijana Dusper, a licensed broker for insurance and reinsurance at InterOmnia.
Cyber insurance isn’t a substitute for security controls, and a policy is only as good as its exclusions and the accuracy of what was attested when it was bought. CISOs must treat it as one part of a broader risk strategy. Reading the fine print, improving security, keeping evidence of that security, and negotiating better terms can help companies avoid costly surprises.