Cyber Insurance Is Not a Backup Plan
The application asks you to estimate your annual revenue, describe your patch management process, and confirm that MFA is enabled on email. You click through in about forty minutes, feel vaguely good about your security posture, and have a policy with an eight-figure limit sitting in your inbox by Friday afternoon.
Six months later, ransomware hits. The insurer sends their adjuster. And then things get complicated.
Cyber insurance is one of the fastest-growing areas of enterprise risk management and one of the most misunderstood. Most organizations treat it as a financial backstop - a way to soften the blow of an incident that their security program failed to prevent. The insurers, increasingly, see it differently. And the gap between those two perspectives is where organizations get very unpleasant surprises.
What the Application Does Not Tell You
The questionnaire that precedes a cyber policy is not a security assessment. It is a representation - a set of statements your organization makes about its security posture, under penalty of voided coverage if any of them turn out to be materially false.
"Do you have MFA enabled on all remote access?" seems like a yes-or-no question. It is not. Does "all remote access" include the legacy VPN appliance that only three contractors use? The partner portal that IT does not manage? The emergency console access to the production environment that gets turned on during incidents? The insurer may have a different answer to that question than you do, and their answer will be rendered at claim time, after the incident, with the benefit of a full forensic investigation.
Insurers have gotten considerably better at post-incident forensics. Some now require access to forensic findings as a condition of claim payment. In several documented cases, claims have been denied or significantly reduced because the insured misrepresented its control environment in the application - sometimes accidentally, because the person who filled out the questionnaire did not actually know the state of the environment they were attesting to.
The Exclusions That Actually Matter
Every cyber policy has exclusions. Most buyers focus on the major ones - nation-state attacks, and events broadly defined as war or cyber terrorism - while paying considerably less attention to the operational exclusions that are more likely to apply in a real incident.
"Failure to maintain" clauses are one category. Some policies will not cover losses arising from vulnerabilities that were publicly known and unpatched at the time of the incident. If a CVE was issued nine months before you were breached through that same vulnerability, the question of whether you maintained reasonable patch hygiene is going to come up.
Betterment limitations are another. Insurers typically will not pay to upgrade your environment beyond the state it was in before the incident. If your pre-incident environment had aging servers that need to be replaced as part of recovery, the insurer will pay to restore to equivalent function, not to fund the new environment you have been meaning to build anyway. Organizations that have been quietly hoping to use incidents as a forcing function for infrastructure upgrades are in for a difficult conversation.
Retroactive date clauses define how far back coverage extends. In dwell-time attacks, where adversaries have been in the environment for weeks or months before detection, the initial access may predate coverage entirely. The policy covers the incident. Whether it covers an intrusion that started before the coverage period began is a different question, and the answer is usually no.
How the Market Changed After 2020
Prior to the ransomware surge of 2020 and 2021, cyber insurance underwriting was relatively relaxed. Questionnaires were cursory. Premiums were low. Coverage was broad. Insurers were pricing a risk they did not fully understand, and the loss ratios came due.
What followed was a significant market correction. Premiums increased substantially across the industry. Coverage sub-limits were introduced for ransomware specifically. Deductibles went up. And the underwriting process changed.
Where insurers previously relied on self-attestation, they now frequently require technical validation. On higher-value policies, this may mean a security control scan conducted by the insurer's preferred vendor before binding coverage. MFA on remote access, endpoint detection and response deployment, offline backups: these are no longer checkboxes. Some insurers verify them.
The organizations that went through renewal and discovered they had been attesting to controls that were not fully implemented faced a choice: fix the gaps quickly, accept lower coverage limits, or pay higher premiums. Many had not thought about it until a renewal conversation forced the issue. That is a poor time to discover a discrepancy between what you believed about your own environment and what an outside assessor found.
What Cyber Insurance Covers Well
None of this means cyber insurance is the wrong investment. It covers things that security controls cannot, and for those things it is genuinely valuable.
Incident response costs - forensics, outside counsel, breach notification, credit monitoring services - are the most straightforward coverage category. These costs are real, often substantial, and have no security control equivalent. Insurers typically have preferred vendors for these services who can be engaged quickly under coverage, which has operational value during the chaos of an active incident.
Business interruption coverage matters for organizations whose revenue depends on system availability. The coverage trigger and the calculation methodology for lost revenue are worth understanding before you need them, because disputes about what revenue would have been generated are significantly easier to resolve before an incident than during one.
Third-party liability coverage for data breach notification, regulatory defense, and settlement has driven the most significant claims in recent years. Class actions following a large breach can be very expensive regardless of how the underlying security failure looks technically, and the defense costs alone justify the coverage in many risk profiles.
The Honest Framing
Cyber insurance and a security program are not substitutes for each other. Insurance covers some of what goes wrong. It does not reduce the probability that something goes wrong. It does not cover every category of harm from a significant incident. And it is now, in practice, a mechanism that gives insurers ongoing visibility into your security posture that they will use when a claim arrives.
The organizations that navigate this well treat the underwriting process as a substantive dialogue rather than a form to fill out efficiently. They know what their policy covers and what it excludes. They have read the relevant sections before an incident rather than for the first time while trying to file a claim. And the person attesting to controls in the application is someone who actually knows the state of those controls.
Do not tell your board that the insurance policy makes a significant breach a manageable financial event. A significant breach is never just a financial event. The insurance covers some of the money. It does not cover the customer trust, the regulatory attention, or the eighteen months of remediation work that follows.
The policy is in the inbox. Whether the coverage is actually what you think it is requires reading it.