Here is what most business owners do with their cyber insurance policy: they sign it, file it, and never read it again. They know they have it. They know they're paying for it. And they assume that if something bad happens — a ransomware attack, a data breach, a business email compromise event — the policy will cover the damage.
That assumption gets tested, hard, the first time a claim gets filed. And when it fails, the consequences are severe. Businesses that expected a $500,000 payout discover they're getting $80,000 because their software wasn't patched. Or nothing at all, because the attack has been attributed to a nation-state and their policy contains a war exclusion. Or partial coverage, because their social engineering loss is subject to a sublimit they didn't know existed.
This isn't a cynical take on insurers. Most cyber policies are written exactly as disclosed — but they're complex documents written by lawyers, and most business owners never sit down with someone who can explain what the language actually means in a real incident. The result is a coverage gap that reveals itself at the worst possible moment.
This guide is the honest walkthrough you should have gotten before you signed. We'll cover what cyber insurance actually pays for, what it doesn't, what insurers check before they pay a claim, and what IT Center helps clients document to make sure they're in the best possible position when the time comes.
Important note: Cyber insurance policies vary significantly by carrier and policy form. This guide covers the most common coverage structures and exclusions you'll encounter in the market. Always review your specific policy with a qualified broker who specializes in technology and cyber risk — not a generalist P&C agent who treats cyber as an add-on product.
First-Party vs. Third-Party Coverage: The Fundamental Distinction
Before diving into specific coverages, you need to understand the most important structural distinction in any cyber policy: the difference between first-party and third-party coverage.
First-party coverage pays for losses that your business experiences directly. This is the coverage that activates when you get hit by ransomware and your own operations are disrupted — your lost revenue, your recovery costs, your notification expenses, your forensic investigation. The "first party" is you.
Third-party coverage pays for claims made against your business by others — your clients, your vendors, regulatory bodies — as a result of a cyber incident that involved their data or affected their operations. If a breach of your systems exposes 10,000 of your clients' records and they sue you, that's a third-party claim. The "third parties" are everyone else.
Both types of coverage are essential, and most comprehensive cyber policies include both. But the distinction matters enormously when a claim occurs, because the sublimits, retentions (deductibles), and conditions often differ between the two sides of the policy. A business might have $2 million in first-party coverage and only $500,000 in third-party liability — or vice versa — and not realize the asymmetry until they're sitting across from their insurer after an incident.
What Cyber Insurance Typically Covers
When cyber insurance works the way it's supposed to, it can be genuinely transformative in keeping a business alive after a serious incident. Here's what you'll find in the coverage sections of a well-structured policy:
Forensic Investigation
After any significant cyber incident, your first obligation is to understand what happened. Who got in? When? Through which vulnerability? What data did they access? How far did they move laterally? This forensic investigation is typically conducted by a specialized incident response firm, and it is not cheap — a thorough investigation for a mid-sized business commonly runs $50,000 to $150,000 or more. Cyber insurance pays for this investigation under first-party coverage, and it's one of the most consistently useful components of the policy. Insurers want the investigation done thoroughly too — it informs the scope of the claim and can help avoid regulatory penalties.
Legal Fees and Regulatory Response
A cyber incident involving customer or employee data almost immediately triggers legal obligations: notifying affected individuals, responding to state attorneys general, potentially cooperating with federal regulators. Each of these requires legal counsel — ideally cyber-specialized attorneys who know data breach notification law across multiple states and understand how to communicate with regulators in ways that minimize exposure. Cyber policies typically cover the cost of breach counsel throughout the incident lifecycle. This is important: you should never contact a regulator or issue a public notification without having counsel involved first.
Notification Costs
Data breach notification is legally required in all 50 states, and the requirements vary considerably — different trigger thresholds, different timeframes, different content requirements. When you're required to notify thousands of individuals, the costs of notification services, credit monitoring, and identity theft protection enrollment add up quickly. A breach affecting 5,000 individuals can easily generate $75,000 in notification and remediation costs before any other expenses are counted. Cyber policies cover these costs explicitly under their first-party provisions.
Business Interruption
If a cyberattack takes your systems offline and you can't operate normally, business interruption coverage compensates you for the income you lose during the recovery period — the same way a standard property policy covers lost income from a fire. This coverage is often subject to a waiting period (typically 8–12 hours) before it kicks in, and it only covers income lost due to the cyber event, not pre-existing business conditions. For manufacturing, healthcare, professional services, and any business where operations depend on technology infrastructure, this can be the most financially significant component of a cyber claim.
Ransomware Payment
Most cyber policies include coverage for ransomware payments — the cryptocurrency transfers demanded by attackers to provide decryption keys or to prevent the release of stolen data. This coverage comes with conditions. Insurers typically require prior authorization before payment is made, they may engage their own ransomware negotiation specialists, and they'll want documentation of why payment is being considered (i.e., that recovery from backup is not a viable option in the necessary timeframe). It's also worth noting that ransomware coverage is one of the areas carriers have been tightening most aggressively — sublimits are shrinking and pre-authorization requirements are increasing.
Crisis Communications and PR Management
A serious cyber incident — particularly one that becomes public — can cause lasting reputational damage that outlasts the technical recovery. Major carriers include crisis communications coverage that pays for a PR firm with data breach experience to manage your public messaging. This matters more than many business owners initially appreciate: how you communicate a breach to clients, to the press, and to the public has a direct and measurable impact on client retention and long-term revenue. Having a professional communications team engaged from the first hours of an incident — one with cyber breach experience specifically — is a genuine asset that your policy should fund.
The Exclusions That Shock Businesses
This is the part of the guide that most business owners wish they had read before signing. Cyber insurance policies contain exclusions — categories of loss that are explicitly not covered — and several of them have become significant sources of dispute and denied claims.
The War Exclusion — Now Including Nation-State Attacks
Traditional insurance policies have always excluded acts of war. In the cyber context, this exclusion has become enormously contentious because the definition of "war" is being actively expanded by carriers to include attacks attributed to nation-state actors.
The Merck pharmaceutical case set off a landmark legal battle when Lloyd's of London attempted to deny a $1.4 billion claim for the 2017 NotPetya cyberattack on the grounds that it was a Russian state-sponsored act of war. Merck won that case in 2023, but the fallout was immediate: insurers rewrote their war exclusions. Today, many policies contain explicit "cyber war" exclusions that attempt to exclude coverage for attacks attributed to foreign governments — including attacks that were not targeted at your business specifically but affected it as collateral damage.
Nation-state attackers are responsible for a significant portion of the most damaging cyberattacks hitting American businesses. The war exclusion creates a scenario where the most sophisticated, damaging attacks — the ones where you'd need the insurance most — are exactly the ones most likely to be disputed. Read your policy's war exclusion language carefully, and ask your broker specifically about how it would apply to a NotPetya-style supply chain attack.
Warning: If your policy was written more than 18 months ago, its war exclusion language may have been updated at renewal without being explicitly highlighted. Review the current exclusion language — don't rely on your memory of what it said when you first purchased.
Unpatched Software Exclusions
More and more cyber policies contain exclusions or coverage conditions related to vulnerability management. Some policies explicitly exclude losses resulting from exploitation of a known vulnerability for which a patch was available and not applied within a defined timeframe — often 30 to 90 days of the patch being released. Others use patch compliance as a factor in claim investigation, where evidence of poor patch management can result in claim reduction or denial based on policy conditions around "reasonable security practices."
The practical implication: if your business is breached through a vulnerability in software that had a patch available three months ago and you hadn't applied it, your insurer has a factual basis to question coverage. This isn't hypothetical — it's been the basis of denied claims in post-breach litigation. Formal patch management with documented timelines is not just a security best practice; it's a claims defense mechanism.
Social Engineering Sublimits
Business Email Compromise (BEC) — where an attacker impersonates a trusted party (your CEO, your bank, a vendor) and tricks an employee into wiring money or providing credentials — is among the most financially damaging categories of cybercrime. The FBI's Internet Crime Complaint Center consistently ranks BEC as the top category of cybercrime loss by dollar amount, with losses exceeding $2.9 billion in 2023 alone.
Here is where many businesses discover a painful policy structure: social engineering losses are frequently subject to sublimits that are far lower than the policy's main limit. A business might have $2 million in overall cyber coverage but discover their social engineering sublimit is $100,000 or $250,000. If an employee wires $400,000 to a fraudulent account, the gap between the sublimit and the loss is entirely uninsured.
Ask your broker the specific sublimit for social engineering fraud — not just what the main policy limit is. And ask whether that sublimit can be increased with an endorsement.
Prior Breach Exclusions
Cyber policies contain a "retroactive date" — coverage only applies to incidents that begin after that date, and there is typically a requirement to disclose any known circumstances that might give rise to a claim prior to binding coverage. If you had a breach you didn't fully investigate, or if there are indicators of compromise in your environment that you haven't identified yet, and those are later found to predate your policy's retroactive date, the insurer may deny coverage entirely on the grounds that the incident was a "prior" event you failed to disclose.
This isn't a theoretical concern. Attackers routinely establish persistent access in a network months before they actually activate ransomware or exfiltrate data. The dwell time between initial access and active exploitation is measured in months. An investigation that establishes the attacker first entered your network before your coverage effective date can create a coverage dispute even for an attack that seemed sudden and recent.
How Insurers Verify Your Security Controls Before Paying
The era of self-attestation cyber insurance — where you checked boxes on an application saying you had security controls in place and that was the end of it — is over. Post-pandemic premium spikes and surging claim volumes forced carriers to invest in technical verification, and that investment has permanently changed how cyber claims are investigated.
When you file a claim, here is what actually happens on the insurer's side:
The forensic firm is their firm first. Many carriers have panel incident response firms they deploy to manage breaches on behalf of their insureds. These firms work for the insurer's interests — which are aligned with yours in the investigation, but diverge when the investigation turns to coverage questions. The forensic report is used to determine what happened, and it feeds directly into the coverage analysis.
Your application representations get audited. Every technical control you claimed on your insurance application — MFA deployment, EDR presence, backup frequency, employee training — gets verified against the forensic evidence from the incident. If the evidence shows you didn't have MFA deployed on your Microsoft 365 accounts but you checked "yes" on the application, that's a material misrepresentation. At a minimum it results in a coverage dispute. In some cases it can be grounds for policy rescission entirely.
Log data tells the story. Forensic investigators will examine your firewall logs, authentication logs, endpoint telemetry, and any other available log data to reconstruct the incident timeline. The presence or absence of adequate logging is itself a data point. If you have no logs because you weren't retaining them, the investigator cannot confirm or deny your security posture claims — and that ambiguity rarely resolves in the insured's favor.
Third-party risk assessments are increasingly standard. A growing number of carriers conduct technical security assessments — either through in-house tools or third-party scanners — at policy issuance and renewal. These assessments look at your external attack surface: exposed services, SSL certificate issues, known vulnerabilities in your internet-facing infrastructure, domain reputation. Businesses with poor external security hygiene are either declined, rated higher, or required to remediate before coverage binds.
"The claim is not the time to find out that what you said you had and what you actually had aren't the same thing. The insurer will find out — and the consequences of that discovery are far worse than the premium you might have paid for accurate coverage."
What IT Center Helps Clients Document for Claims
For clients on our managed services program, insurance documentation is a structured, ongoing activity — not something we scramble to produce when an incident occurs.
Here is what we maintain and can provide for our managed clients when it matters:
MFA deployment records. We maintain documented configuration of multi-factor authentication across Microsoft 365, VPN access, administrative accounts, and key third-party applications. This includes the specific enforcement policies in place — not just that MFA is enabled, but that it cannot be bypassed and that the enforcement scope covers what your policy application represents it covers.
Patch management logs. Our RMM platform generates timestamped records of every patch applied to every endpoint and server in your environment. This creates a defensible record that critical patches were applied within required timeframes. When an insurer's forensic team asks when a specific vulnerability was patched on a specific machine, we can answer with a log entry, not an estimate.
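The kind of patch-window check that answers the insurer's "when was this patched on that machine" question, as an added example (not IT Center's tooling, and the log format, hostnames and patch IDs are constructed assumptions, not any RMM's real export): it parses patch log lines, finds the first successful install per host and patch, and reports whether each fell inside a 30- or 90-day window, with hosts that have no log entry flagged as unsupported rather than assumed compliant.

```python
from datetime import datetime
import re

# Constructed sample data (not from any real environment): vendor release dates
# for two hypothetical patches, plus RMM-style patch log lines. In practice the
# RMM export would be the input. WS12 deliberately has no log lines at all.
PATCH_RELEASED = {
    "KB-EXAMPLE-001": datetime(2024, 1, 10),
    "KB-EXAMPLE-002": datetime(2024, 2, 5),
}
RMM_LOG = """\
2024-01-20T03:15:00 host=FS01 patch=KB-EXAMPLE-001 status=installed
2024-03-30T02:40:00 host=WS07 patch=KB-EXAMPLE-001 status=installed
2024-02-12T03:05:00 host=FS01 patch=KB-EXAMPLE-002 status=installed
2024-02-12T03:05:00 host=WS07 patch=KB-EXAMPLE-002 status=failed
2024-02-19T03:05:00 host=WS07 patch=KB-EXAMPLE-002 status=installed
"""
HOSTS = ("FS01", "WS07", "WS12")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) patch=(?P<patch>\S+) status=(?P<status>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                            "patch": m["patch"], "status": m["status"]})
    return entries


def first_install(entries, host, patch):
    """Earliest successful install of `patch` on `host`, or None if never recorded."""
    times = [e["ts"] for e in entries
             if e["host"] == host and e["patch"] == patch and e["status"] == "installed"]
    return min(times) if times else None


def patch_window_report(entries, released, hosts, window_days):
    """For every (host, patch) pair: install time, days after release, and whether
    the install is evidenced inside the policy window. No log entry -> not evidenced."""
    report = {}
    for patch, rel in released.items():
        for host in hosts:
            inst = first_install(entries, host, patch)
            days = (inst - rel).days if inst else None
            report[(host, patch)] = {"installed": inst, "days_after_release": days,
                                     "within_window": days is not None and days <= window_days}
    return report


def overdue(report):
    """(host, patch) pairs that would not support a claim under the given window."""
    return sorted(k for k, v in report.items() if not v["within_window"])


if __name__ == "__main__":
    entries = parse_log(RMM_LOG)
    for window in (30, 90):
        print(f"{window}-day window, not evidenced:",
              overdue(patch_window_report(entries, PATCH_RELEASED, HOSTS, window)))
```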
EDR deployment and alerting records. We document which EDR solution is deployed, what version, which endpoints it covers, and how long it's been active. We can also provide alert history — evidence that the monitoring was operational and responsive.
Backup configuration and restore verification. We maintain records of backup policy configuration (frequency, retention, offsite replication) and, critically, backup restore test results. A documented, successful restore test on a recent date is powerful evidence of backup integrity that underwriters and claims adjusters find compelling.
Security awareness training records. We document employee security awareness training completion, including phishing simulation results. Training completion records demonstrate an active security culture — another checkbox that appears on virtually every current cyber insurance application.
Incident response plan documentation. We maintain a current incident response plan for our managed clients that includes carrier contact information, forensic firm pre-authorization numbers (many carriers allow you to pre-retain their panel firms), legal contact information, and escalation procedures. In an actual incident, having this document ready means the first hours are spent containing the threat, not searching for phone numbers.
The $300 per computer user per month managed IT investment IT Center provides isn't just about keeping your technology running. It creates the continuous documentation layer that makes your cyber insurance coverage enforceable when you need it most.
Before You Renew: The Questions You Should Ask
Most business owners renew their cyber policy with minimal scrutiny because it feels similar year over year. The market has changed dramatically, and your policy may have changed with it — not always in ways that were explicitly highlighted at renewal. Before you sign the next renewal, get clear answers to these questions:
- Has the war exclusion language changed from last year? How specifically would it apply to a nation-state-attributed attack?
- What is the specific sublimit for social engineering and funds transfer fraud? Can it be increased?
- What technical controls does the policy require me to maintain as a condition of coverage — not just as representations on the application?
- What is the retroactive date, and has it changed?
- Does the policy include a panel IR firm? Can I use my own provider, or do I need their approval first?
- Has any coverage been sublimited or carved back since last renewal?
- What does the policy require me to do within the first 24 hours of discovering an incident?
If your broker cannot answer these questions clearly and in plain language, that is itself a meaningful data point about whether they're the right broker for your cyber coverage.
The Honest Conclusion
Cyber insurance is not a substitute for security controls. It is a financial transfer mechanism that helps businesses survive incidents that occur despite their controls — and it performs that function best when the underlying security posture is strong, well-documented, and accurately represented in the policy.
Businesses that buy cyber insurance as a replacement for security investment — instead of as a complement to it — are the businesses most likely to find themselves in a coverage dispute when a claim occurs. They're also the businesses most likely to experience the kind of incident that generates a claim in the first place.
The combination that works: strong managed security controls that both reduce your incident probability and satisfy underwriter requirements, paired with a well-structured cyber policy that accurately reflects your actual security posture. That combination doesn't happen automatically. It requires an IT partner who understands how the two halves connect.
Make Sure Your Cyber Insurance Coverage Will Actually Hold
IT Center helps Southern California businesses build the security documentation that insurers require — and maintain the controls that make policies enforceable. Let's look at your current posture together and make sure your coverage reflects reality.
Schedule a Free Security Review, or call us directly: (888) 221-0098