What Cyber Insurance Actually Covers And What It Doesn’t

If you’ve purchased a cyber insurance policy, you’ve probably done something most small business owners haven’t. You recognized that a cyberattack is a real business risk, you did something about it, and now you have a document that says you’re covered. That peace of mind is understandable.

It may also be giving you a false sense of security.

Cyber insurance is a genuinely valuable tool, and most small businesses that handle customer data, process payments, or rely on connected systems should have it. But cyber insurance is not a financial guarantee that a breach won’t cost you anything. It’s a contract with specific conditions, coverage limits, exclusions, and an increasingly demanding list of requirements you have to meet, and keep meeting, for the policy to pay out when you need it.

According to the National Association of Insurance Commissioners, nearly three times as many cyber insurance claims were closed without payment as those that were paid in 2024. That’s not a small rounding error. That’s an industry where the majority of claims go unpaid. Understanding why that happens, and whether your policy is in the group that pays out or the group that doesn’t, is a conversation worth having before a breach forces it.

What Cyber Insurance Is Actually Designed to Cover

A well-structured cyber insurance policy covers a meaningful range of costs that follow a breach or cyberattack. Understanding what’s included helps you assess whether your current policy is adequate for your business.

First-party coverage addresses the direct costs your business incurs. This typically includes:

  • forensic investigation to determine how the breach happened and what was accessed
  • legal counsel to navigate notification requirements and regulatory exposure
  • customer notification costs, including the letters, credit monitoring services, and call center support for affected customers
  • business interruption losses during the period your systems are down
  • ransomware response costs, including negotiation support and, in some cases, ransom payments

Third-party coverage addresses:

  • claims made against your business by customers, partners, or other parties who suffered harm because of a breach at your company
  • legal defense costs
  • settlements
  • regulatory fines in certain circumstances

On paper, that looks comprehensive. In practice, the gap between what a policy appears to cover and what it actually pays out in a real incident is where most small businesses get blindsided.

The Exclusions That Matter Most

Every cyber insurance policy has exclusions. These are conditions and circumstances under which the insurer won’t pay. Some of these are obvious. Most are not. Here are the ones that most often catch small businesses off guard.

Your existing security controls don’t actually match what you said on the application.

This is the single most common reason cyber insurance claims are denied. Of the claims denied or partially denied in 2025, the most common cause was a failure to maintain the security controls the business attested to on its application.

When you apply for cyber insurance, you fill out a questionnaire. Do you use multi-factor authentication? Do you have endpoint protection? Do you conduct employee security training? Do you test your backups? Many small businesses answer yes to these questions based on a general sense that they’re probably doing most of them. After a breach, forensic investigators find the reality.

The Travelers v. ICS case is one of the clearest examples on record. International Control Services certified on their application that MFA was enforced on all administrative access. After a ransomware attack, forensic investigators found one server without MFA enabled. Travelers denied the entire claim. ICS absorbed millions in recovery costs because of a single overlooked login path.

One server. One unchecked box. The entire claim denied.

You didn’t report the breach fast enough.

Most cyber policies require you to notify your insurer within 24 to 72 hours of discovering an incident. Most small businesses spend those first hours trying to fix the problem rather than calling their insurance company. Failing to meet the reporting timeline is one of the top reasons cyber insurance claims are denied. Insurers argue that delayed reporting limits their ability to mitigate damage and investigate the cause. If you hire a forensic firm, a PR agency, or an IT recovery team before checking with your insurer, you may also find that those vendor costs aren’t covered, because many policies require pre-approval of specific vendors during a claim.

The attack came through a vendor or third party.

If a critical supplier suffers a breach that compromises your data or disrupts your operations, many cyber insurance policies will not cover your resulting losses unless you’ve purchased contingent business interruption coverage specifically for that scenario. This is a gap that became very visible during the CrowdStrike outage in 2024, when a single software update took down systems at companies around the world. Most small businesses don’t know this coverage exists, let alone whether they have it.

An employee caused it.

Insider incidents, whether from a disgruntled former employee who still has system access, a current employee who clicked a phishing link, or someone who accidentally emailed a file containing customer data to the wrong address, are frequently excluded from standard cyber policies or covered only under a separate endorsement. Cyber insurance policies often exclude crime and theft, insider threats, and contractual liability, leaving businesses exposed in exactly the scenarios that happen most frequently.

The losses extend beyond the immediate incident.

Losses arising from diminished customer trust or changes in market conditions following a cyber incident are generally not covered. Businesses cannot claim speculative future profits or rely on insurance to mitigate reputational damage. This means no payout if a breach causes customers to leave, if your reputation in your market takes a hit, or if you lose a contract because a prospect Googled your company and found the news coverage. The customers you lose aren’t a covered loss. They’re just gone.

PCI fines if you handle credit cards.

If your business handles credit card transactions, you’re required to comply with the Payment Card Industry Data Security Standard. Cyber insurance often excludes fines and penalties for failing to meet PCI DSS standards, which means if a breach exposes cardholder data and the card brands come after you for non-compliance fines, you may be paying those out of pocket, regardless of what your policy says.

The attack was sophisticated enough to be classified as a “war” or nation-state event.

This one is increasingly relevant as geopolitical cyberattacks become more common. Many policies exclude losses from acts of war or state-sponsored attacks. Many insurers invoked this exclusion in litigation following the NotPetya attack that caused billions in damage to private companies. Whether your insurer would classify a future attack as a war exclusion is something you want to understand before it happens.

The Requirements That Have Quietly Changed

Beyond the exclusions, the baseline requirements for maintaining valid cyber insurance coverage have shifted dramatically over the last several years, and many small business owners who bought policies a few years ago don’t realize their coverage conditions have changed at renewal.

99% of cyber insurance applications now include specific questions about MFA implementation. MFA has moved from a nice-to-have to a hard requirement for coverage. 82% of denied claims involved organizations without MFA, and having MFA “available” is not enough; it must be enforced and documented.

The other controls insurers now commonly require include:

  • endpoint detection and response (EDR) software on all devices, not just traditional antivirus
  • documented, tested data backups stored separately from your main systems
  • a written incident response plan with named roles and contact procedures
  • regular employee security training
  • patch management processes that keep software and operating systems current

Many insurers now conduct external vulnerability scans on applicant networks as part of the underwriting process, meaning some carriers are actively checking your actual security posture before they issue a quote, rather than taking your word for what you have in place.

If your policy is up for renewal and you can’t document these controls, you may face significantly higher premiums, reduced coverage limits, or exclusions added to your policy. Insurers are denying claims for failure to meet minimum security requirements, including missing multi-factor authentication, unpatched vulnerabilities, and outdated incident response protocols, and even long-standing exclusions are now being applied more rigorously.

The Coverage Limit Problem

Even when a claim is approved, the policy limit may not be enough to cover the cost of the incident.

A small business with a $100,000 policy limit facing a $500,000 data breach will incur significant out-of-pocket expenses. Coverage limits that seemed adequate when the policy was purchased, often several years ago, may not reflect what a breach actually costs today. Ransomware recovery, forensic investigation, legal fees across multiple states’ notification requirements, customer credit monitoring, and lost business add up faster than most small business owners anticipate.

There are also sublimits to watch for within the headline coverage number (the big number on the front page of the policy). Business email compromise, where an attacker impersonates a vendor or executive and tricks someone into wiring money, is now the single most common claim driver, but some policies exclude it entirely or apply a much lower sublimit than the headline policy limit. If your policy has a $500,000 limit but a $25,000 sublimit for social engineering losses, and an attacker tricks an employee into wiring $80,000 to a fraudulent account, you’re recovering $25,000 of an $80,000 loss.

What to Do with This Information

None of this is an argument against cyber insurance; it’s an argument for understanding what you have before you need it. Here’s where to start.

Read your policy’s exclusions, not just the coverage summary. The coverage summary tells you what the policy is designed to cover. The exclusions tell you when it won’t. These are different documents, and the exclusions are the ones that matter when a claim is filed.

Verify that your security controls match what you said on your application. If you certify that MFA is enforced everywhere, but it isn’t, you have a problem that isn’t theoretical. It will become very concrete the day you file a claim.

Make sure you know your reporting requirements. Find out exactly how many hours you have to notify your insurer after discovering a breach. Write that number down somewhere accessible. Make sure the people most likely to discover a breach (your IT staff, your office manager, whoever monitors your systems) know to make that call before they do almost anything else.

Ask your broker specifically about sublimits for ransomware, business email compromise, and contingent business interruption. If the sublimit on any of these is dramatically lower than your headline limit, that’s your real coverage for the most likely scenarios.

Don’t treat cyber insurance as a substitute for cybersecurity. Many CFOs wrongly believe their cyber insurance policies cover most attack-related losses, which means many of the people making security budget decisions are operating on a false assumption. Insurance pays for some of the damage after a breach. It does not prevent the breach or the customer loss. It does not protect your reputation. And as the claims data makes clear, it doesn’t always pay at all.
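As an added illustration of the attestation gap described in the requirements section and in the "verify your controls" step above (example code, not part of the original article or any MainNerve tool): a small Python audit that compares what the application claims with a constructed asset inventory, flagging any admin login path without enforced MFA, any device without an EDR agent, and patch and backup-test ages beyond the attested thresholds. Host names, dates, thresholds and the inventory format are all assumptions made up for the example.

```python
# Constructed example: host names, dates and thresholds are made up; a real
# inventory would come from your asset, EDR and backup tooling.
from datetime import date

# What was attested on the insurance application.
ATTESTATION = {
    "mfa_all_admin": True,          # "MFA enforced on all administrative access"
    "edr_all_devices": True,        # "EDR deployed on every device"
    "patch_within_days": 30,        # "patches applied within 30 days"
    "backup_test_within_days": 90,  # "backups restore-tested quarterly"
}

# Per host: each admin login path and whether MFA is actually enforced on it, the EDR agent state, and the last patch date.
INVENTORY = [
    {"host": "dc01", "admin_paths": {"rdp": True, "vpn": True},
     "edr": "running", "last_patched": "2025-09-20"},
    {"host": "fileserver", "admin_paths": {"rdp": True, "ssh": False},
     "edr": "running", "last_patched": "2025-09-28"},
    {"host": "legacy-app", "admin_paths": {"rdp": True},
     "edr": None, "last_patched": "2025-06-01"},
]
BACKUPS = {"last_restore_test": "2025-07-15"}


def audit(inventory, backups, attestation, today_iso):
    """Return one finding per control that contradicts the attestation."""
    today = date.fromisoformat(today_iso)

    def age(iso):
        return (today - date.fromisoformat(iso)).days

    findings = []
    for asset in inventory:
        # One admin path without MFA is enough to break "enforced on all admin access".
        for path, enforced in asset["admin_paths"].items():
            if attestation["mfa_all_admin"] and not enforced:
                findings.append(f"{asset['host']}: MFA not enforced on {path}")
        if attestation["edr_all_devices"] and not asset["edr"]:
            findings.append(f"{asset['host']}: no EDR agent")
        patch_age = age(asset["last_patched"])
        if patch_age > attestation["patch_within_days"]:
            findings.append(f"{asset['host']}: last patched {patch_age} days ago")
    backup_age = age(backups["last_restore_test"])
    if backup_age > attestation["backup_test_within_days"]:
        findings.append(f"backups: last restore test {backup_age} days ago")
    return findings


if __name__ == "__main__":
    for line in audit(INVENTORY, BACKUPS, ATTESTATION, "2025-10-01"):
        print("ATTESTATION GAP:", line)
```

An empty result is the only state in which the attestation holds; any single finding is the kind of discrepancy a post-breach forensic review would surface.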

The businesses that survive a breach aren’t typically the ones with the biggest insurance payout. They’re the ones that had the security controls in place to limit the damage in the first place, and the documentation to prove it when the insurer came looking.

If you want to understand where your security posture stands, including what controls you have, what you’re missing, and what gaps might affect a future insurance claim, a risk assessment is a reasonable place to start. MainNerve has been helping organizations understand their real security posture for over 20 years. Contact us for a free consult.
