What is Cyber Insurance?


Cyber insurance covers financial losses from data breaches, ransomware, and cyber incidents. Learn what it covers, what it excludes, and how underwriters evaluate your security posture.

What Cyber Insurance Covers

Cyber insurance policies vary significantly in structure, coverage scope, and exclusions. Understanding what a policy actually covers requires reading the policy language, not just the marketing materials. Standard coverage categories in modern cyber insurance policies fall into two groups: first-party coverage (losses the insured organization directly incurs) and third-party coverage (claims made against the insured organization by others).

First-party coverage typically includes:

- Incident response costs: the forensics firms, legal counsel, and public relations specialists engaged to manage the incident.
- Business interruption losses: revenue lost and extra expenses incurred during system downtime.
- Data recovery costs: restoring systems and data from backups.
- Ransom payment coverage: all or part of ransom payments to ransomware attackers, subject to legal requirements and underwriter approval.
- Notification costs: the legal and operational costs of notifying affected individuals under data breach notification laws.

Third-Party Coverage

Third-party coverage addresses claims made against the insured by customers, partners, or regulators following a security incident. Data breach liability covers claims from individuals whose data was exposed. Regulatory defense and penalties covers legal defense costs and fines from regulatory investigations. Network security liability covers claims from third parties who suffered damages as a result of a security failure in the insured's environment.

What Cyber Insurance Does Not Cover

The exclusions in cyber insurance policies are as important as the coverage, and several have become sources of significant dispute in major claims.

The war exclusion, which most policies include, excludes losses caused by acts of war. Following the NotPetya attack in 2017, which multiple governments attributed to Russian military intelligence, several major insurers attempted to deny claims under the war exclusion. Merck, Mondelez, and other NotPetya victims faced protracted legal battles over whether their policies covered attacks attributed to nation-states. This exclusion remains active and contentious in current policies: some insurers have added specific cyber war exclusion language, which creates risk for organizations in sectors with elevated nation-state threat exposure.

Pre-existing vulnerabilities and known system weaknesses may be excluded if the insurer can demonstrate that reasonable remediation measures were not taken. Known unpatched critical vulnerabilities, absent MFA on critical systems, and inadequate backup procedures can all provide grounds for claim denial or reduction.

Cyber Insurance Underwriting and Security Posture

The cyber insurance market has undergone significant transformation since 2020 as claims volume and severity increased dramatically with the ransomware surge. Insurers responded by implementing much more rigorous underwriting standards, reducing coverage limits, increasing premiums, and adding specific security control requirements as conditions of coverage.

Current underwriting questionnaires ask specifically about:

- MFA deployment across email and remote access
- EDR deployment and coverage rates
- backup frequency and offline/immutable backup capability
- privileged access management
- email security configuration, including DMARC
- incident response plan existence and testing frequency

Organizations that cannot affirmatively answer these questions face coverage denials, significant premium increases, or coverage exclusions for the specific control gaps identified.

For PE portfolio companies, cyber insurance requirements create a documented security baseline that provides both coverage protection and a minimum security standard for portco operations. The insurance underwriting process effectively enforces a security control checklist that many portcos would not otherwise prioritize.

Real-World Example: Merck vs. Ace American — The $1.4B War Exclusion Battle

Following the 2017 NotPetya attack, which caused approximately $1.4 billion in damages to Merck, insurer Ace American Insurance attempted to deny Merck's claim under the policy's war exclusion, arguing that NotPetya, attributed to Russia's military intelligence agency (GRU), constituted an act of war. The New Jersey courts ultimately ruled in Merck's favor in 2023, finding that the war exclusion as written applied to traditional military conflicts and not to nation-state cyberattacks on commercial entities. But the case took six years, involved hundreds of millions in legal costs, and established that this coverage dispute will be fought policy by policy. Organizations in sectors with elevated nation-state cyber threat exposure should specifically evaluate the war exclusion language in their current policies.

$4.88M: the average total cost of a data breach in 2024. Cyber insurance partially offsets that cost, but security investment reduces it far more cost-effectively. The best cyber insurance strategy starts with reducing the risk, not just covering it.

How Cloudskope Can Help

Cloudskope helps organizations prepare for cyber insurance underwriting by assessing and improving the security control posture that insurers evaluate — MFA, EDR coverage, backup architecture, and incident response readiness. For PE sponsors, we provide portfolio-level cyber insurance advisory that identifies coverage gaps, recommends appropriate coverage structures for mid-market portcos, and prepares organizations for underwriting questionnaires.