Cybersecurity Insurance: What It Actually Covers
Our board mandated that we purchase cybersecurity insurance this year. The reasoning was sound: breaches are expensive, the risk is real, and insurance transfers some of that risk to the insurer. I supported the decision but didn’t appreciate how complex cyber insurance is until we went through the purchasing process.
Here’s what we learned about what cyber insurance actually covers, what it doesn’t, and whether it’s worth the cost.
The Coverage Sounds Comprehensive
Cyber insurance policies cover a lot on paper. Data breach response costs including forensics, legal counsel, and notification expenses. Business interruption from cyber incidents. Cyber extortion and ransomware payments, although reimbursement of a ransom is conditional on the insurer’s consent and on sanctions screening of the recipient. Liability from third-party claims if customer data is compromised.
The policy documents make it sound like comprehensive protection against cyber risk. Any financial impact from a cyber incident should be covered. That’s the theory.
The Exclusions Are Extensive
Reality is far more limited. The exclusions and conditions buried in policy documents dramatically narrow what’s actually covered.
Many policies carry a failure-to-patch or “failure to maintain security” exclusion. If a fix for a vulnerability has been available for some time and you haven’t applied it, the insurer can argue that any incident exploiting that vulnerability falls outside coverage because you failed to maintain basic security hygiene.
The problem is determining what counts as a “known vulnerability.” If a zero-day is exploited in the wild and the vendor then issues a patch, how long do you have to deploy it before the flaw counts as known and unpatched? Some policies set an explicit patch window; many do not, and the wording leaves the judgement to the insurer. This ambiguity creates substantial dispute risk when filing claims.
Acts of war are excluded, and a growing number of policies now add an explicit exclusion for state-backed cyber attacks, not only formally declared wars. That sounds reasonable until you realise that many major cyberattacks are attributed to nation-state actors. If your organisation is collateral damage in a state-backed campaign, your insurance may not pay.
Determining attribution is difficult. If you suffer a ransomware attack, is it criminal opportunism or nation-state activity? The insurer has an incentive to argue nation-state involvement. In most jurisdictions the burden of proving that an exclusion applies sits with the insurer, not with you, but the practical effect is similar: you end up in an attribution dispute that neither side can settle cleanly, and payment waits until it is resolved.
Prior acts exclusions and the policy’s retroactive date mean anything that traces back to a security incident which began before coverage started isn’t covered. If an attacker established persistence in your network months before the policy began and only activated later, the claim might be denied as a prior act. This is one reason insurers ask about known incidents on the application, and a reason to check the retroactive date when you renew or switch carriers.
The Requirements Are Demanding
Getting coverage requires meeting minimum security standards. Multifactor authentication for remote access. Endpoint protection on all devices. Regular backups with offline copies. Security awareness training. Incident response plans.
These requirements are reasonable and most organisations should do them anyway. But failing to meet them can void coverage. The application typically asks you to attest that the controls are in place; if you suffer a breach and the insurer discovers that MFA was not actually enforced as you stated, it can treat the attestation as a misrepresentation and deny the claim or rescind the policy.
Proving compliance during a claim is your burden. You need to document that you had the required controls in place and operating effectively at the time of the incident, not just at the time of application. Insurers don’t take your word for it. They want evidence such as configuration exports, MFA enrolment reports, backup restore test records and training completion logs.
We had to implement more rigorous documentation of our security practices to meet insurer requirements. This is probably good for us anyway, but it’s real work and cost that gets added to the insurance expense.
The Premiums Aren’t Cheap
Cyber insurance isn’t like general liability insurance. The premiums are substantial because the risk is high and loss severity can be extreme.
Our premium for reasonably comprehensive coverage was about two percent of our IT budget. That’s not trivial. We’re essentially paying tens of thousands annually for coverage we hope never to use.
The cost-benefit calculation is difficult. If we never have a major incident, the premiums are wasted expense. If we do have an incident, the coverage might not pay out if the insurer finds reasons to deny the claim. We’re betting on a scenario where we have a major incident that meets all policy conditions.
Deductibles and Limits Matter
Our policy has a substantial deductible. The first hundred thousand dollars of loss is our responsibility. Only losses above that trigger insurance coverage.
For many incidents, we’ll never reach the deductible. Smaller breaches that cost tens of thousands to respond to come entirely out of our pocket. The insurance only helps with catastrophic losses.
The policy also has coverage limits. We can recover up to a maximum amount annually. For truly catastrophic incidents, we could exceed policy limits and be on the hook for the excess.
Between deductibles and limits, the actual coverage window is narrower than it initially appears. We’re insured against incidents that are big enough to exceed the deductible but not so large they exceed limits.
Filing Claims Is Contentious
We haven’t filed a claim yet, but I’ve talked to peers who have. The process is adversarial. Insurers look for reasons to deny or reduce claims. You need extensive documentation to prove that the incident is covered and that the costs were necessary. Most policies also require prompt notice of an incident, so one of the first calls during an incident should be to the insurer’s hotline or your broker; late notice is itself grounds for denial.
Insurers often require you to use their panel vendors for incident response, legal counsel and forensics. You can’t just hire the firm you trust unless it is on the panel. Using someone else may leave the cost unreimbursed, and the switch creates delay and can reduce response quality. If you have a preferred firm, ask for it to be added to the panel when the policy is bound, not in the middle of an incident.
The insurer also has substantial control over response decisions, including consent to pay a ransom or settle a third-party claim. They might refuse to pay for measures you think are necessary if they deem them excessive. This creates conflict during incident response when you’re trying to protect the business and the insurer is trying to minimise its payout.
The Risk Transfer Isn’t Complete
The fundamental promise of insurance is risk transfer. You pay premiums and the insurer assumes your risk. Cyber insurance doesn’t really work that way.
You still bear substantial risk through deductibles. You have ongoing obligations to maintain security controls that, if failed, void coverage. Claims are uncertain due to complex policy conditions and exclusions. The insurer has substantial discretion in claim decisions.
What you’re buying isn’t risk transfer. It’s partial risk mitigation for a specific category of major incidents, subject to extensive conditions and disputes. That’s valuable but much less than the marketing materials suggest.
Is It Worth It?
We maintain the insurance despite these limitations. The coverage, even with all its gaps, provides some protection against catastrophic loss. The board and our stakeholders expect us to have cyber insurance. It’s becoming standard practice for organisations of our size.
But I’m under no illusion that the insurance provides comprehensive protection. It’s one tool in a risk management program, not a substitute for good security practices.
The requirements imposed by insurers are actually valuable. They force us to maintain security hygiene and document our practices. This makes us more secure regardless of whether we ever file a claim. That might be the primary value of cyber insurance, the incentive it creates for better security rather than the financial payout if incidents occur.
Advice for Other IT Leaders
Read the policy documents carefully, including the endorsements and the application you signed, since the answers on the application are what the insurer will hold you to. Don’t rely on the broker’s summary. Understand what’s actually covered and what exclusions apply. Most policies are far more limited than they first appear.
Document your security controls thoroughly. You’ll need this documentation if you ever file a claim. The insurer won’t trust verbal assurances that you had required controls in place.
Factor in the premium cost honestly when evaluating whether insurance is worth it. It’s expensive. Make sure you’re getting value for that expense.
Consider the coverage in context of your overall risk management program. Insurance is one layer, not a complete solution. You still need good security practices, incident response capabilities, and business continuity planning.
Finally, set realistic expectations with your board and leadership. Cyber insurance provides limited protection subject to complex conditions. It’s not a guarantee that cyber incidents won’t be financially devastating. Manage expectations appropriately so leadership doesn’t have false confidence that insurance fully protects them.
Cyber insurance is probably worth having, but it’s more complex and less comprehensive than you might expect. Go in with eyes open.