You signed up for cyber insurance to protect your business from digital threats. You have been paying your premiums, and you feel confident that if something goes wrong, your policy has you covered. But have you actually read the exclusions section? Because that section — often buried in dense legal language — defines the boundary between a covered claim and a costly surprise.
TL;DR — Key Takeaways
- ✓ Cyber insurance does not cover everything
- ✓ Understand why exclusions exist
- ✓ Identify the most common cyber insurance exclusions before they impact your business
Visual Overview
```mermaid
flowchart TD
    A["Policy Exclusions"] --> B["Acts of War"]
    A --> C["Known Vulnerabilities"]
    A --> D["Insider Threats"]
    A --> E["Prior Incidents"]
    B --> F["Claim Denied"]
    C --> F
    D --> F
    E --> F
```
Every cyber insurance policy contains exclusions: specific types of incidents, circumstances, or losses that the insurer will not pay for. Understanding these exclusions is not optional — it is essential for making informed decisions about your risk management strategy. In this guide, we will walk through the most common cyber insurance exclusions, explain why they exist, and show you how to address the gaps they create.
Why Exclusions Exist
Before we dive into specific exclusions, it helps to understand why insurance companies use them. Exclusions serve several purposes:
- Managing moral hazard: If policies covered everything regardless of the insured's behavior, there would be little incentive to invest in security. Exclusions for negligence and failure to maintain controls encourage businesses to keep their defenses strong.
- Defining scope: Cyber insurance is a specific product. Exclusions prevent it from overlapping with other insurance types (property, general liability, errors and omissions) and ensure each policy covers its intended risks.
- Controlling catastrophic risk: Some exclusions, like acts of war, protect insurers from events so large they could threaten the insurer's ability to pay all claims.
- Keeping premiums affordable: By excluding certain high-risk scenarios, insurers can offer lower premiums for the risks they do cover.
The Most Common Cyber Insurance Exclusions
1. Acts of War and Nation-State Attacks
Nearly every cyber insurance policy excludes losses resulting from acts of war, terrorism, or hostile acts by nation-states. This has become one of the most controversial exclusions in cyber insurance because the line between a criminal cyberattack and a nation-state operation is often blurry.
The landmark case involved a global shipping company whose systems were destroyed by the NotPetya malware in 2017. The company's property insurer denied the claim, arguing that NotPetya was an act of war by Russia against Ukraine. The case was eventually settled, but it exposed a massive gap in coverage that many businesses had not considered.
The war exclusion in cyber insurance is evolving rapidly. Some insurers have introduced more specific language to clarify what constitutes a "cyber war" versus a criminal attack. Read your policy's war exclusion carefully and discuss it with your broker.
2. Prior Known Events and Pre-Existing Conditions
Your policy will not cover breaches or security incidents that you were aware of before the policy began. If you knew about a vulnerability, an ongoing intrusion, or a previous breach when you applied for coverage, any resulting claim may be denied.
This exclusion also extends to "known circumstances" — situations where you were aware of conditions likely to lead to a claim. For example, if you knew your systems were unpatched and vulnerable but applied for insurance without addressing or disclosing the issue, the insurer may argue that you had prior knowledge of the condition that led to the breach.
3. Failure to Maintain Minimum Security Standards
When you apply for cyber insurance, you attest to certain security practices: using multi-factor authentication, maintaining backups, deploying endpoint protection, conducting employee training. If the insurer discovers during a claim investigation that you were not actually doing what you said you were doing, they may deny the claim based on material misrepresentation.
This exclusion is why it is critical to be honest on your insurance application and to actually maintain the controls you commit to. Saying you have MFA deployed when half your accounts still use single-factor authentication is not just a security risk — it is a coverage risk.
4. Intentional Acts and Insider Threats
Cyber insurance generally does not cover losses caused intentionally by the insured or their authorized representatives. If an employee deliberately destroys data, steals customer information, or sabotages systems, the policy may not respond.
However, many policies do cover losses caused by "rogue employees" acting outside their authority, as long as the company itself did not direct or condone the behavior. The distinction between a malicious act by an authorized insider and an unauthorized act by a rogue employee is critical, and how each is treated varies by policy.
5. Bodily Injury and Property Damage
Cyber insurance covers digital losses — not physical ones. If a cyberattack on your systems causes physical damage to equipment, injury to people, or destruction of tangible property, those losses typically fall under your general liability or property insurance, not your cyber policy.
This exclusion is becoming more important as operational technology and Internet of Things (IoT) devices become common in business environments. A cyberattack on a building's HVAC system or a manufacturing line could cause physical damage that your cyber policy does not cover.
6. Intellectual Property and Trade Secrets
Most cyber policies do not cover the loss of intellectual property value. If attackers steal your proprietary designs, source code, trade secrets, or competitive strategies, the policy may cover the costs of investigating the breach and notifying affected parties, but it typically will not compensate you for the lost competitive value of the stolen intellectual property.
7. Contractual Liability and Penalties
If you have contracts with clients that specify penalties for data breaches — such as service level agreements with financial consequences — your cyber policy may not cover those contractual penalties. The policy typically covers your direct losses and legal defense costs, but contractual obligations you voluntarily assumed are often excluded.
8. Infrastructure and Utility Failures
If your systems go down because of an internet service provider outage, a power grid failure, or a cloud service disruption that was not caused by a cyberattack, your cyber policy likely will not cover the resulting business interruption. These events are considered infrastructure failures, not cyber incidents.
Some policies offer limited coverage for "dependent business interruption" when a key technology provider experiences a cyber incident that affects your operations, but this coverage is usually optional and subject to specific conditions.
The Gray Areas: Where Disputes Happen
Some of the most contentious claims arise in areas where the policy language is ambiguous:
- Social engineering fraud: An employee is tricked into wiring money to a criminal. Is this a "cyber" event or a "crime" event? Some cyber policies cover social engineering fraud explicitly, while others exclude it, expecting you to have a separate crime policy.
- Voluntary shutdown: You suspect a breach and shut down systems proactively to investigate. Was there actual business interruption from a cyber event, or did you cause the interruption yourself? Policies vary on whether voluntary shutdowns are covered.
- Third-party vendor breaches: Your data is compromised because a vendor was breached. Your policy covers your systems — does it cover your data on someone else's systems? This depends on your first-party vs third-party coverage.
- Regulatory investigations: A regulator investigates your data handling practices even without a confirmed breach. Are investigation costs covered? Some policies say yes; others require an actual cyber event to trigger coverage.
How to Address Coverage Gaps
Work with a Specialized Broker
Cyber insurance is complex, and policies vary significantly between carriers. A broker who specializes in cyber insurance can help you understand the exclusions in your policy, compare options from different carriers, and negotiate endorsements that close critical gaps.
Consider Endorsements and Add-Ons
Many exclusions can be partially addressed through policy endorsements (add-ons) that provide coverage for specific excluded scenarios. Common endorsements include:
- Social engineering fraud coverage
- Dependent business interruption coverage
- System failure coverage (non-malicious outages)
- Reputational harm coverage
- Voluntary shutdown coverage
Layer Your Insurance
Do not rely on cyber insurance alone. A comprehensive risk management strategy includes:
- General liability insurance for bodily injury and property damage
- Crime insurance for theft, fraud, and embezzlement
- Errors and omissions insurance for professional liability
- Cyber insurance for digital threats and data breaches
What to Do This Week
Understanding your policy's exclusions is just as important as understanding its coverage. Take these steps to ensure your business is not caught off guard:
- Read your exclusions section. Pull out your cyber policy and read every exclusion. If you do not understand the language, ask your broker to explain it in plain terms.
- Compare exclusions across carriers. If your policy is up for renewal, compare the exclusions from multiple carriers. The differences can be significant.
- Verify your security attestations. Review what you committed to on your application and make sure you are actually doing all of it. Fix any gaps immediately.
- Ask about endorsements. Talk to your broker about adding coverage for social engineering, voluntary shutdown, and dependent business interruption if these are currently excluded.
- Review your other insurance policies. Make sure your general liability, property, and crime policies work together with your cyber policy to provide comprehensive coverage without gaps.
- Document your security practices. Maintain records of your training programs, security configurations, and patch management. This documentation is your evidence if an insurer questions whether you met your obligations.
- Schedule an annual policy review. The cyber insurance market evolves rapidly. What was excluded last year may be available this year, and vice versa.
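Section 3 above warns that attesting to MFA while half your accounts still use single-factor authentication is a coverage risk, and the "Verify your security attestations" step asks you to check that you are actually doing everything you committed to. The following self-audit script is an added example, not part of the original article or any insurer's tooling: it compares a set of attested controls against evidence from account, endpoint and backup inventories and lists every control the evidence does not support. The inventories, the attested-control keys and the dates are constructed sample data; in practice you would load the same shapes from your identity provider, EDR console and backup logs.

```python
"""Attestation self-audit: compare what a cyber-insurance application claims
against evidence from your own inventories (constructed sample data)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    user: str
    mfa_enabled: bool
    privileged: bool


@dataclass(frozen=True)
class Endpoint:
    hostname: str
    edr_installed: bool
    days_since_patch: int


# Constructed sample inventories (hypothetical; replace with IdP/EDR exports).
ACCOUNTS = [
    Account("alice", True, True),
    Account("bob", True, False),
    Account("carol", False, False),
    Account("dave", False, True),   # privileged account without MFA
]
ENDPOINTS = [
    Endpoint("ws-01", True, 5),
    Endpoint("ws-02", True, 12),
    Endpoint("srv-db", False, 40),  # no EDR agent and patch SLA missed
]
LAST_BACKUP_TEST = date(2024, 1, 1)  # constructed date of last restore test
AUDIT_DATE = date(2024, 6, 1)        # constructed date the audit is run

# Controls the hypothetical application attested to (keys are illustrative).
ATTESTED = {
    "mfa_all_users": True,
    "mfa_privileged": True,
    "edr_all_endpoints": True,
    "patch_sla_days": 30,
    "backup_test_interval_days": 90,
}


def mfa_coverage(accounts):
    """Return (fraction of all accounts with MFA, fraction of privileged accounts with MFA)."""
    total = sum(1 for a in accounts if a.mfa_enabled) / len(accounts)
    priv = [a for a in accounts if a.privileged]
    priv_cov = sum(1 for a in priv if a.mfa_enabled) / len(priv) if priv else 1.0
    return total, priv_cov


def attestation_gaps(attested, accounts, endpoints, last_backup_test, today):
    """List each attested control the evidence contradicts, as
    (control_name, [offending items]) tuples, in a fixed order."""
    gaps = []
    no_mfa = [a.user for a in accounts if not a.mfa_enabled]
    if attested.get("mfa_all_users") and no_mfa:
        gaps.append(("mfa_all_users", no_mfa))
    no_mfa_priv = [a.user for a in accounts if a.privileged and not a.mfa_enabled]
    if attested.get("mfa_privileged") and no_mfa_priv:
        gaps.append(("mfa_privileged", no_mfa_priv))
    no_edr = [e.hostname for e in endpoints if not e.edr_installed]
    if attested.get("edr_all_endpoints") and no_edr:
        gaps.append(("edr_all_endpoints", no_edr))
    sla = attested.get("patch_sla_days")
    if sla is not None:
        stale = [e.hostname for e in endpoints if e.days_since_patch > sla]
        if stale:
            gaps.append(("patch_sla_days", stale))
    interval = attested.get("backup_test_interval_days")
    if interval is not None and (today - last_backup_test).days > interval:
        gaps.append(("backup_test_interval_days", [last_backup_test.isoformat()]))
    return gaps


def report(gaps):
    """Render the gap list as plain text suitable for a renewal review."""
    if not gaps:
        return "All attested controls are supported by the evidence."
    lines = ["Attested controls NOT supported by evidence:"]
    for control, items in gaps:
        lines.append(f"  - {control}: {', '.join(items)}")
    return "\n".join(lines)


if __name__ == "__main__":
    total, priv = mfa_coverage(ACCOUNTS)
    print(f"MFA coverage: all accounts {total:.0%}, privileged {priv:.0%}")
    print(report(attestation_gaps(ATTESTED, ACCOUNTS, ENDPOINTS,
                                  LAST_BACKUP_TEST, AUDIT_DATE)))
```

Run it before signing or renewing an application: any line in the gap report is a control you should either fix before attesting to it or disclose to the broker, since the evidence it is built from is the same kind a claims investigator would ask for.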
Cyber insurance is a critical part of your risk management strategy, but it is not a magic shield. By understanding what your policy does not cover, you can make informed decisions about how to manage the residual risk — whether through additional coverage, stronger security controls, or both.