Cyber Insurance: What It Covers (and What It Doesn’t)
If you have a cyber policy, or you are shopping for one (which you should be), here is what you need to know before you need to use it.
QUICK ANSWER: Cyber insurance typically covers incident response costs, ransomware payments, data breach notifications, business interruption losses, and legal or regulatory fees following a covered cyberattack. However, most policies exclude losses tied to nation-state attacks, employee negligence, failure to maintain required security controls, and pre-existing vulnerabilities. Understanding the exclusions is just as critical as knowing what is included.
Cyber insurance has moved from “nice to have” to “table stakes” for most businesses. But a policy in your files doesn’t guarantee a payout when something goes wrong. According to the National Association of Insurance Commissioners, only about one-third of cyber insurance claims filed by small- to mid-size businesses in 2024 actually resulted in payment.[1] Nearly 50,000 claims were filed that year, and three times as many were closed without payment as were paid out.[2] That is not a rounding error. That is a coverage crisis.
What Does Cyber Insurance Actually Cover?
Cyber insurance policies generally fall into two buckets: first-party coverage (costs your business incurs directly) and third-party coverage (claims made against you by customers, partners, or regulators). Most comprehensive policies include both.
First-Party Coverage
- Ransomware and extortion payments: Reimbursement for ransom paid to recover encrypted data or prevent a leak.
- Incident response and forensics: The cost of hiring investigators to determine how the breach happened and what was accessed.
- Data breach notification: Required by law in most states, notifying affected individuals and offering credit monitoring.
- Business interruption: Lost revenue and operating expenses when a cyberattack forces your systems offline.
- Crisis communications and PR: Reputation management costs in the aftermath of a public breach.
Third-Party Coverage
- Legal defense and settlement costs from customer or partner lawsuits.
- Regulatory fines and penalties under frameworks like HIPAA, PCI DSS, or state privacy laws.
- Media liability if you inadvertently expose third-party data through your systems.
What Does Cyber Insurance NOT Cover?
This is where most businesses get surprised. Exclusions are buried in policy language, and they are far more common than most policyholders realize.
1. Nation-State and War Exclusions
If an attack can be attributed to a foreign government or military operation, many policies will not pay. This is not hypothetical. After the NotPetya cyberattack in 2017, Merck and Mondelez International sought a combined $1.4 billion from their insurers, only to have claims denied or severely limited under war exclusions.[3] The challenge is that attribution takes time, and the answer is not always clear-cut. Ransomware from a criminal group and ransomware from a state-sponsored actor can look identical on your network.
2. Failure to Maintain Security Controls
When you apply for cyber insurance, you attest to having specific security controls in place: multi-factor authentication (MFA), regular patching, endpoint protection, and so on. If a breach occurs and your insurer discovers those controls were not actually in place, or had been disabled, the claim can be denied. Coalition’s 2024 data found that 82 percent of denied claims involved organizations that did not have MFA fully implemented.[4] One municipality had an $18.3 million claim denied for exactly this reason, despite having MFA active on most of its accounts.
3. Employee Negligence and Human Error
Many policies limit or exclude coverage for losses caused by an employee clicking a phishing link, misconfiguring a system, or failing to follow documented security procedures. If your organization lacks a formal security awareness training program, and your insurer asks for one, that gap could void your coverage for human-error incidents. (For more on building that defense, see our post on transforming employees into your human firewall.)
4. Unnotified IT Changes
Migrating to the cloud, completing a merger or acquisition, onboarding a major new technology platform: any significant change to your IT environment can introduce new risks that your existing policy does not cover. If you do not notify your insurer and update your policy accordingly, incidents tied to those changes can fall outside your coverage.
5. Pre-Existing Vulnerabilities and Incidents
If attackers gained access to your systems before your policy took effect, and a breach surfaces later, coverage is typically denied. Insurers are also beginning to exclude events tied to known, unpatched vulnerabilities where a patch was available but not applied.
6. Systemic and Infrastructure Events
A major cloud provider outage that shuts down your operations is not the same as a cyberattack, even though the impact to your business may be identical. Most policies exclude losses caused by widespread infrastructure failures or events that affect a massive number of policyholders simultaneously. This exclusion category is growing as insurers protect themselves from catastrophic systemic risk.
Why Are So Many Cyber Insurance Claims Being Denied?
The short answer: what businesses believe their policy covers and what insurers are actually willing to pay are increasingly different things.
Cyber claim volume rose nearly 40 percent in 2024, with nearly 50,000 claims reported.[5] As claims increase, insurers have responded by tightening policy language, adding new exclusions, and more closely scrutinizing whether organizations actually meet the security standards they attested to on their applications.
The most common reasons for denial include: failure to implement or maintain required security controls (especially MFA), inadequate documentation of security practices, incidents attributable to excluded categories like nation-state activity, and changes to IT infrastructure that were not reported to the insurer. For a deeper look at the data landscape behind modern threats, see the 5 Key Takeaways from the 2025 Verizon Data Breach Report.
How Do You Make Sure Your Coverage Actually Holds Up?
Cyber insurance is not a substitute for cybersecurity. It is a financial backstop for when your security controls are tested and fall short. To keep your coverage intact, your security posture needs to match what you told your insurer.
At a minimum, most insurers now require:
Sentry uses a structured framework called the Technology Maturity Model to help clients build and maintain the security posture insurers expect. Starting with Operate (stable, reliable systems) and moving through Secure (controls and compliance), Integrate (connected tools and workflows), and Innovate (growth-enabling technology), the TMM ensures you are not just buying a policy but actually earning your coverage.
Not sure whether your current coverage aligns with your actual security controls? That gap analysis is exactly what Sentry does. You can also read about the business case for cyber insurance if you are still evaluating whether a policy makes sense for your organization.
Ready to Close the Gap Between Your Policy and Your Protection? Sentry helps businesses align their security controls with what their insurer actually requires. Schedule a 30-minute conversation with our team to find out where you stand.
Frequently Asked Questions
Does cyber insurance cover ransomware payments?
Most cyber insurance policies do cover ransomware extortion payments, as well as the costs of ransomware response, forensics, and recovery. However, coverage depends on whether you meet your policy’s security control requirements at the time of the incident. Some policies also have sub-limits on extortion payments that are lower than your overall policy limit.
Does cyber insurance cover business email compromise (BEC)?
This varies significantly by policy. Some policies cover social engineering and BEC losses under a separate endorsement, while others exclude them entirely or apply strict sublimits. If BEC is a concern for your organization (and it should be), verify your policy language explicitly before assuming you are covered.
Can a cyber insurance claim be denied even if I have a policy?
Yes, and it happens frequently. The most common reasons include failing to maintain the security controls listed in your application, having an incident that falls under an excluded category (war, nation-state activity, employee negligence), or experiencing a breach tied to a pre-existing vulnerability. Reviewing your policy annually and aligning your security controls with your insurer’s requirements is the most effective way to protect your coverage.
Does cyber insurance replace the need for strong cybersecurity?
Not at all. Cyber insurance is a financial safety net for when things go wrong, not a shield that prevents breaches. In fact, the stronger your security posture, the more likely your claims will be paid and the lower your premiums will be. The two work together, not as substitutes for each other.
How often should I review my cyber insurance policy?
At minimum, annually at renewal. You should also review your policy any time your IT environment changes significantly: adding new software, migrating to cloud infrastructure, completing a merger or acquisition, or onboarding a major new vendor. Failing to notify your insurer of material changes is one of the most common reasons claims are denied.
References
- National Association of Insurance Commissioners (NAIC). 2025 Cybersecurity Insurance Report. content.naic.org/sites/default/files/inline-files/2025_Cybersecurity_Insurance%20Report.pdf
- Coalition. 2024 Cyber Claims Report. Data cited in: comparecheapssl.com/cyber-insurance-statistics (retrieved April 2026).
- Reuters / Public court filings. Merck & Co. v. Ace American Insurance Company; Mondelez International cyber claims. Combined litigation value from publicly reported figures.