The Rise of the Paper Shield
Cyber liability insurance has exploded in popularity, becoming a standard line item in risk management budgets. Faced with the escalating threat of ransomware, data breaches, and business email compromise, companies have flocked to insurers for protection.
These policies are designed to cover costs associated with cyber incidents, including forensic investigations, data recovery, legal fees, regulatory fines, and business interruption losses. For many, simply having the policy is a sign of due diligence. The problem is that purchasing a policy is not the same as having guaranteed coverage. As the frequency and cost of cyberattacks have soared, insurers have responded by tightening underwriting standards and denying a shocking number of claims, leaving businesses to foot multimillion-dollar bills they assumed were covered.
When Your Security Voids Your Policy
Perhaps the most common reason for a denied claim is the “failure to maintain security standards” exclusion. In years past, insurers might have taken your word that you had basic protections in place. Today, they operate more like security auditors. Policies now come with strict, non-negotiable requirements for security controls. If you attest on your application that you use multi-factor authentication (MFA) across all remote access points but fail to do so, a subsequent breach can lead to a swift denial. Insurers increasingly demand proof of specific, implemented controls like endpoint detection and response (EDR), regular and tested data backups, and formal incident response plans. A failure to patch a known vulnerability in a timely manner or an inaccurate statement on an application—even an unintentional one—can be grounds for the insurer to rescind coverage entirely, just when you need it most.
The Social Engineering Trap
One of the most frequent and costly cyberattacks involves social engineering, where an employee is tricked into voluntarily sending money to a fraudulent account. This is often called business email compromise (BEC). Many executives are stunned to learn that their standard cyber policy may not cover these losses. Insurers often argue this isn't a “cyber event” in the same way as a hack. In their view, the computer system wasn't compromised; a person was deceived. Some crime insurance policies may cover this, but often with lower limits and their own set of tricky exclusions. This creates a dangerous gap where two different policies each point to the other, leaving the business caught in the middle with a significant financial loss.
The 'Act of War' Get-Out Clause
A particularly thorny exclusion relates to acts of war. Nearly all policies include language that nullifies coverage for losses resulting from war or hostile state-sponsored actions. In the physical world, this is straightforward. In cyberspace, it's dangerously ambiguous. When a cyberattack is launched by a group with ties to a nation-state, insurers can—and have attempted to—invoke this clause to deny coverage. Determining the true origin and motive of an attack is incredibly difficult, creating a gray area that insurers can use to their advantage. As geopolitics become more intertwined with cybercrime, this exclusion poses a systemic risk, potentially leaving companies unprotected from some of the largest and most destructive cyber campaigns.
Human Error and Other Gaps
Beyond major exclusions, policies are riddled with other potential gaps. Many explicitly do not cover losses from insider threats, whether malicious or accidental. If an employee accidentally clicks a phishing link or a disgruntled worker deletes a database, your claim could be denied. Other common exclusions include breaches that occur via a third-party vendor, incidents that were known or foreseeable before the policy was purchased (the "prior knowledge" exclusion), and costs related to improving your technology systems after a breach. The insurer's job is to restore you to where you were, not to pay for you to build a stronger fortress.













