Reading between the lines of a cyber insurance policy

Enterprises in regulated industries often carry cyber insurance policies because contracts require it or boards ask for documented risk transfer. The global market for these policies reached about $16 billion in premiums in 2024. Coverage has become widespread. Payouts have grown less predictable.

cyber insurance coverage

The gap between exposure and coverage

The Global Federation of Insurance Associations, which represents insurers accounting for close to 90 percent of premiums worldwide, quantified the cyber protection gap at about $900 billion in a 2023 report, with annual economic losses from cyber incidents exceeding that figure. A 2024 white paper from Marsh McLennan and Zurich Insurance Group amplified those findings and called for public-private action to close the gap. The Global Federation of Insurance Associations reached similar conclusions independently, describing insured losses as covering only a small share of annual global cyber losses.

The US cyber market contracted in premium volume for the first time on record, driven by eleven consecutive quarters of rate decreases. Excess capacity has pulled prices down even as reported losses have climbed.

The underwriting bargain

Applications for cyber coverage run long. Some questionnaires now include more than fifty items covering multifactor authentication, backup practices, endpoint detection, patching cadence, and incident response testing. Answers become legal representations. A control that lapses after binding, or a partial deployment described as universal, can shift a later claim into dispute.

“Cyber insurance has a legitimate role, but it is not a control plane, a trust model, or a resilience strategy. It is a residual-risk financing tool,” Dr. Chase Cunningham, a former NSA analyst who publishes analysis under the DrZeroTrust name, told Help Net Security.

Denials cluster around recurring themes. Independent analyses place the denial rate for cyber claims between 40 and 44 percent. Cases hinge on misrepresentation, lapses in required controls, and application answers signed off by staff without deep technical understanding of the attestations.

Exclusions carved out of catastrophe

Merck’s litigation over NotPetya damages, which the company put at roughly $1.4 billion, tested the war exclusion in “all risks” property policies and produced a New Jersey appellate ruling favoring the pharmaceutical company in May 2023. The case settled confidentially in January 2024. Lloyd’s of London had already moved in the same direction, issuing a market bulletin in August 2022 that required standalone cyber policies to explicitly exclude state-backed attacks from March 31, 2023 onward, with four model clauses offering different levels of restriction.

Social engineering sits in a similar zone. Standard policies often exclude these events entirely or cap payouts at $250,000, a figure that sits well under the average loss for this attack type.

Systemic risk and public policy

Lloyd’s scenario modeling has estimated that a major attack on global financial services payment systems could cost the world economy roughly $3.5 trillion. That figure sits far above the total premiums the entire cyber insurance market collects each year.

Cunningham sees room for a federal cyber backstop along the lines of the Terrorism Risk Insurance Act, with conditions attached. “I think a federal cyber backstop is worth exploring for truly catastrophic systemic cyber events, but only if it is designed as a last-resort resilience mechanism, not as a subsidy for weak security,” he said. He argues that eligibility should require minimum controls tied to NIST CSF and CISA’s Cybersecurity Performance Goals, with evidence-based proof, and that both insurers and policyholders should retain meaningful exposure so taxpayers avoid underwriting preventable negligence.

Guidance for mid-market buyers

Mid-market companies without a dedicated CISO or in-house counsel often lean on brokers to interpret cyber risk. Cunningham recommends a wider circle. “I would tell them to build a small advisory triangle around the insurance process: a cyber-specialist broker, an independent technical advisor or fractional CISO, and outside counsel who understands cyber coverage and breach response,” he said.

He points to CISA’s Cybersecurity Performance Goals and NIST’s small business cybersecurity materials as starting baselines. On broker credentials, he lists PLUS cyber-liability training, RPLU, CPLP, The Institutes’ Associate in Cyber Risk Management, CPCU, ARM, CRM, and CIC as useful screening signals. Claims experience matters as much as any credential.

One question, he says, tends to reveal the difference. “How many cyber claims have you helped manage?” A surface advisor asks about limits, revenue, and MFA. A serious advisor probes where MFA is enforced, who holds privileged access, how backups are protected, when the last restore occurred, and what sub-limits apply to social engineering and business interruption.

Coverage decisions carry legal weight the day a questionnaire is signed. Application answers become the record insurers reference when a claim arrives, and the gap between advertised limits and payable amounts often traces to sublimits, waiting periods, exclusions, and control representations written before an incident. Resilience work sits upstream of any policy. Insurance follows the security program that produced it.

Don't miss