What Cyber Insurance Does Not Cover and How to Safeguard Your Business

Cyber insurance can provide a safety net for businesses, but it's essential to understand what it doesn't cover.

Intentional acts of cybercrime, such as hacking by an employee or a partner, are often excluded from standard cyber insurance policies.

Businesses need to be aware that cyber insurance typically doesn't cover data loss or theft resulting from human error, like sending sensitive information to the wrong recipient.

Companies should also know that cyber insurance usually doesn't cover losses due to system downtime or business interruption caused by a cyberattack.

To safeguard your business, it's crucial to have a robust cybersecurity system in place, including regular software updates and employee education on cyber threats.

Typically Not Covered

Cyber insurance policies often exclude costs related to potential future lost profits, such as those resulting from reputational damage following a breach.

These exclusions can be significant, as they may include decreased valuation of the company and the loss of potential investment opportunities, growth, and more.

Insurance companies are tightening their coverage standards and policies, which may lead to gaps in coverage depending on what losses qualify under the insurance agreement.

Some specific costs that are usually not covered by cyber insurance include loss of future revenue and lost business opportunities.

These costs can be substantial, and understanding what is not covered can help you better prepare and manage risks not covered by your cyber insurance policy.

Here are some examples of costs typically not covered by cyber insurance:

  • Potential future lost profits due to reputational damage following a breach.
  • Decreased valuation of the company resulting in the loss of potential investment opportunities, growth, and more.
  • Costs to improve internal technology and systems after a cyber incident.
  • Loss of customer trust and future sales decline due to reputational damage or diminished market share.
  • Costs to enhance your cybersecurity posture, such as implementing new technology, controls, and policies.

Exclusions

Cyber insurance policies typically exclude coverage for incidents caused by intentional acts by an insured party. This is done to deter fraudulent claims and protect insurers' bottom lines.

Businesses that become aware of cybersecurity vulnerabilities but fail to take adequate precautions in addressing them may also face exclusion from coverage. Insurers expect businesses to take reasonable steps against known risks to stay insured against them.

Ransomware attacks, data breaches, and other cyber threats can be mitigated with Cyber Liability Insurance, but cyber claim denials sometimes occur. In 2022, 27% of data breach claims were subject to an exclusion written into the policy, which meant the cyber insurance did not pay out.

Here are some common exclusions to be aware of:

  • Intentional Acts: Incidents caused by intentional acts by an insured party.
  • Vulnerabilities: Failure to address known cybersecurity vulnerabilities.
  • Regulatory Non-Compliance: Fines and penalties resulting from non-compliance with data protection regulations.
  • Socially Engineered Financial Fraud: Lost funds resulting from voluntary and willing payment to attackers.
  • Gradual Data Breaches: Data breaches that happen gradually without being discovered.

War Exclusion

War exclusions, also known as cyber war exclusions, leave it unclear which incidents may or may not be covered. This is especially true today, as cyber attacks can essentially be considered invasions.

Mondelez International, Inc., a snack food manufacturer, was infected by the malware NotPetya in 2017. The infection caused significant damage as well as disruption to global supply chains. But when Mondelez went to file a $100 million claim under an all-risk property policy, it was denied based on the war exclusion.

Some cyber insurance policies include an act of war or nation-state attack clause. This clause may deny coverage if an attack is declared an act of war or claimed to have been conducted by a nation-state.

Lloyd’s of London released four new cyber war and cyber operation exclusion clauses in November 2021. These clauses deny coverage for losses resulting from nation-state sponsored cyber-attacks.

Acts of war and attacks by nation-states involve highly sophisticated, coordinated efforts. Addressing the aftermath often requires international cooperation and diplomacy.

Exclusions

Exclusions are an important part of understanding what cyber insurance covers and what it doesn't. Here are some common exclusions you should be aware of:

Intentional acts are typically excluded from coverage, as insurers want to deter fraudulent claims and protect their bottom lines.

Vulnerabilities can also be excluded if a business is aware of cybersecurity vulnerabilities but fails to take adequate precautions to address them.

Regulatory non-compliance can lead to exclusions for fines and penalties resulting from non-compliance with data protection regulations such as GDPR or HIPAA.

Ransomware attacks, data breaches, and other cyber threats can be mitigated with cyber liability insurance, but cyber claim denials can still occur.

Socially engineered financial fraud, such as business email compromise (BEC) scams, may not be covered if employees voluntarily and willingly provide funds to attackers.

Data loss is a common case of what cyber insurance doesn't cover, and it's often difficult to prove that an incident was caused by an outside actor rather than a human or technical error.

Here are some reasons carriers may deny cyber claims:

  • Failed to take proper precautions, such as installing software updates and patches, implementing strong password policies, and training employees in security best practices.
  • Made a claim exceeding coverage limits.
  • Incurred losses during the waiting period.
  • Submitted insufficient evidence to support the claim.
  • Filed the claim in an untimely way.

Failure to take required security measures can lead to exclusion from coverage, and insurers often include questions about security practices in the application process.

Employment-related claims can be tricky to navigate, especially when it comes to cyber insurance. Claims related to employment practices, such as discrimination or wrongful termination, are generally not covered under cyber insurance.

Employment practices liability insurance is usually the best option for these types of claims. However, if your employees' personal information is compromised, your cyber policy might cover related privacy violations.

It's essential to have a clear understanding of what's covered and what's not to avoid any confusion or financial losses.

Time-Deductible Losses

Cyber insurance policies often include a time deductible, a waiting period of usually between 8 and 12 hours, during which losses are not covered.

If your company manages to restore its systems within this time frame, the policy won't apply. This can be particularly challenging for businesses that experience rapid damage from cyber attacks.

The OECD notes that losses incurred during this waiting period can be significant, and it's essential to understand these exclusions to plan better and take additional steps to safeguard your business.

Claim Denials

Cyber claim denials can be frustrating and costly for businesses. Sometimes, they occur due to reasons that can be avoided with proper precautions.

Businesses that fail to install software updates and patches, implement strong password policies, or train employees in security best practices risk invalidating coverage or having claims denied on grounds of negligence.

In 2022, 27% of data breach claims were subject to an exclusion written into the policy, which meant the cyber insurance did not pay out. This highlights the importance of understanding what cyber insurance usually does and doesn't cover.

If losses or expenses incurred exceed coverage limits, the insurance company may deny the claim for the excess amount. It's essential to review and understand the coverage limits to avoid this situation.

A waiting period is typically stipulated in Cyber Insurance policies. Carriers may deny claims stemming from short-term outages, so businesses should have plans for weathering brief periods of business interruption.

Proper documentation and evidence are crucial to support a Cyber claim. This includes incident reports, forensic analysis, and financial records. Without sufficient evidence, the carrier may deny the claim.

Delays in reporting complicate the process and may result in a Cyber claim denial. Businesses should establish procedures for reporting incidents promptly to avoid this issue.

Here are some common reasons for Cyber claim denials:

  • Failed to take proper precautions
  • Made a claim exceeding coverage limits
  • Incurred losses during the waiting period
  • Submitted insufficient evidence
  • Filed the claim in an untimely way

Liability and Damage

Cyber insurance typically excludes bodily injury and property damage, which are usually covered under a commercial general liability policy.

Some cyber insurance policies might cover mental anguish or emotional distress caused by a data breach, but this is not guaranteed.

Bodily injury and property damage are not typically covered by cyber insurance, so it's essential to have a separate policy for these types of risks.

Cyber liability is another area where cyber insurance may not provide adequate coverage, as it can be difficult to prove that an incident was caused by an outside actor rather than the company's own fault.

Most cyber insurance policies do not include cyber liability as a default option, so it's crucial to purchase an additional policy if you want this type of coverage.

In recent years, the cost of cyber risks has been rising, leading insurance companies to tighten policy terms to minimize their losses. This means that policyholders can expect more stringent requirements and potentially lower payouts.

Insurance companies are getting more cautious about covering cyber risks, which is resulting in higher premiums for policyholders. Cyber risks have become a major concern for businesses, and insurance companies are taking steps to mitigate their exposure.

The rising costs of cyber risks are causing insurance companies to rethink their underwriting processes, making it more difficult for businesses to secure coverage. This trend is expected to continue as the threat of cyber attacks grows.

Businesses need to be aware of these changes in the market and adjust their risk management strategies accordingly.

Loss of Data

Loss of Data is a common case of what cyber insurance often doesn't cover. Data loss is an ongoing danger for businesses.

A breach or virus can lead an organization to lose any data stored on its network. Private data can be leaked or stolen, or erased or destroyed without authorization.

It's often difficult to prove that an incident was caused by an outside actor rather than a human or technical error.

Bodily Injury and Property Damage

Bodily injury and property damage are typically not covered under cyber insurance.

Cyber insurance usually excludes bodily injury and property damage, which are usually covered under a commercial general liability policy.

Some cyber policies might cover mental anguish or emotional distress caused by a cyber attack, but this is not guaranteed.

If a data breach leads to emotional distress claims, coverage may vary.

Physical Damage

Physical damage from a cyber attack can be a huge financial burden, especially if the insurer doesn't cover the costs of repairing or replacing destroyed infrastructure or equipment.

If a cyber attack destroys physical assets, the insurer may deny coverage for repairs or replacements, leaving the business to bear the costs itself.

Cyber insurance is designed to get businesses back to their pre-attack state, not to provide an opportunity for upgrades.

Upgrades can be a necessary evil if they're the only safe option, but they're still a cost of doing business.

Liability

Liability is a critical part of the liability and damage picture, and it's essential to understand what it entails. Cyber Liability is a specific type of liability that refers to a company's accountability for financial losses caused by data breaches.

Fraudsters are growing more competent at locating and exploiting weaknesses, which can result in significant regulatory fines. This makes Cyber Liability especially problematic.

Demonstrating that an incident was caused by an outside actor rather than the company's own fault is a significant challenge. If the company has purchased an additional cyber liability insurance policy, liability coverage can be provided.

Most cyber insurance policies do not include Cyber Liability as a default option.

Danielle Hamill

Senior Writer

Danielle Hamill is a seasoned writer with a keen eye for detail and a passion for storytelling. With a background in finance, she brings a unique perspective to her writing, tackling complex topics with clarity and precision. Her work has been featured in various publications, covering a range of topics including cryptocurrency regulatory alerts.
