Definitive Guide

Common Cyber Insurance Exclusions and How to Avoid Them

Your cyber insurance policy has exclusions that could leave you unprotected when you need coverage most. Here is what to watch for and how to close the gaps.


Farhad Mirza Khawar

Founder of HIPAA Agent and Cyber Defense Agent. Compliance infrastructure for SMBs. Sacramento, CA.

2026-05-01

Why exclusions matter more than limits

Most business owners focus on their cyber insurance limit — the maximum the policy will pay. But exclusions determine whether the policy pays at all. A $5 million policy with a broad exclusion that applies to your incident pays exactly zero dollars.

Cyber insurance policies contain more exclusions than most other commercial insurance products. The cyber risk landscape evolves rapidly, and carriers use exclusions to manage emerging risks they are not yet comfortable underwriting. This means the exclusions in your policy today may be different from those in your policy last year — and different from those in the policy you are comparing from another carrier.

The challenge for SMB owners is that exclusions are written in dense legal language buried deep in the policy document. Most business owners never read them. Most brokers provide only a summary. And the first time many businesses discover an exclusion is when their claim is denied.

Reading and understanding your policy exclusions before an incident is one of the most valuable things you can do for your business. This guide covers the most common and most dangerous exclusions, explains how they work in practice, and shows you how to close the gaps.

The war and nation-state exclusion

The war exclusion is the most controversial and potentially devastating exclusion in cyber insurance. Originally designed to exclude losses from conventional warfare, the exclusion has been invoked by carriers against cyberattacks attributed to nation-state actors.

The landmark case is Merck v. Ace American Insurance, where Merck suffered $1.4 billion in losses from the NotPetya malware. Ace American (now Chubb) denied the claim under the war exclusion, arguing that NotPetya was a Russian military cyberattack. A New Jersey court ruled against the carrier, finding that the war exclusion applied to traditional armed conflict, not cyberattacks. However, the ruling applied to Merck's specific policy language, and carriers have since revised their war exclusions to explicitly address cyber warfare.

Modern cyber policies use updated "cyber war" or "hostile cyber activity" exclusions that specifically address cyberattacks by nation-state actors. The language varies significantly between carriers. Some exclude only attacks that occur during a declared cyber war (narrow exclusion). Others exclude any cyberattack attributed to a nation-state actor (broad exclusion). The difference can be millions of dollars.

To protect yourself, request policies with narrow war exclusions that require a formal attribution by a recognized government authority before the exclusion applies. Avoid policies with broad war exclusions that allow the carrier to deny claims based on their own assessment of attribution. Discuss this specific exclusion with your broker — it is one of the most important coverage details in your policy.

Cyber Defense Agent cannot prevent a nation-state attack, but strong security controls reduce the likelihood of your business being collateral damage in state-sponsored campaigns. Most nation-state-attributed malware exploits basic security gaps that CDA identifies.

The most common exclusions that trip up SMBs

Beyond the war exclusion, several other exclusions frequently catch SMBs off guard.

Failure to maintain minimum security standards is becoming more common. If your policy requires specific controls (MFA, encryption, patching) and you fail to maintain them, the carrier can deny claims. This is different from material misrepresentation on your application — this exclusion applies even if you truthfully told the carrier about your controls at application time but subsequently stopped maintaining them. Cyber Defense Agent's continuous monitoring creates documented evidence that you maintained controls throughout the policy period.

Prior knowledge or prior acts exclusions deny coverage for incidents that began before the policy inception or that you knew about before purchasing coverage. If you discovered a vulnerability, experienced suspicious activity, or were notified of a breach before your policy started, related claims may be excluded. This is why retroactive dates matter — a policy with a retroactive date that predates any potential prior acts provides better protection.

Unpatched or known vulnerability exclusions deny claims for incidents exploiting vulnerabilities for which patches were available but not applied within a reasonable timeframe (typically 30-60 days after patch release). Ransomware groups routinely exploit vulnerabilities that have been patched for months. This exclusion is entirely avoidable with a disciplined patch management program.

Social engineering exclusions are particularly dangerous because BEC and social engineering attacks are among the most common cyber incidents. Many standard policies exclude losses resulting from employees being tricked into transferring funds or sharing credentials. You need a specific social engineering endorsement to cover these losses.

Infrastructure and utility failures may be excluded. If a power outage, internet service provider failure, or cloud service outage causes your data loss or business interruption, standard cyber policies may not cover the resulting losses. These events are not cyberattacks, so they fall outside the policy's triggering events.

Bodily injury and property damage are almost universally excluded from cyber policies. If a cyberattack causes physical harm (compromised medical devices, manipulated industrial controls), the resulting bodily injury and property damage claims are excluded from your cyber policy and may or may not be covered by your general liability or property policies.

How to close exclusion gaps

No policy covers everything, but you can significantly reduce your exposure to exclusions through proactive measures.

Read your policy before an incident. This sounds obvious, but most business owners have never read their cyber policy exclusions. Set aside one hour to read the exclusions section with your broker. Identify every exclusion and assess whether it applies to your business.

Negotiate narrower exclusions. Many exclusions can be narrowed or removed through negotiation. Carriers have more flexibility than most businesses realize. Use your Cyber Defense Score as leverage — carriers are more willing to narrow exclusions for businesses that demonstrate strong security controls.

Add endorsements for critical gaps. Social engineering coverage, system failure coverage, contingent business interruption, and other endorsements can close common gaps. Each endorsement adds cost, but the coverage is worth it if the risk applies to your business.

Maintain the controls your policy requires. If your policy requires MFA, encryption, patching, or other specific controls, maintain them continuously throughout the policy period. Cyber Defense Agent's weekly scanning creates documented evidence of ongoing compliance with policy requirements, protecting you from the "failure to maintain" exclusion.

Coordinate with other policies. Exclusions in your cyber policy may be covered by other policies (general liability, property, professional liability). Review all your policies together with your broker to identify and close coordination gaps. The goal is a coverage program with no gaps between policies.

Document everything. In the event of a claim dispute over an exclusion, documentation is your best defense. Cyber Defense Agent scan history, remediation records, and continuous monitoring evidence all support your position that you maintained reasonable security practices throughout the policy period.

Key Takeaways


Exclusions determine whether your policy pays at all — a $5 million policy with an applicable exclusion pays zero.

The war/nation-state exclusion is the most controversial — insist on narrow language that requires formal government attribution before the exclusion applies.

Failure to maintain security controls, unpatched vulnerabilities, and social engineering are common exclusions that trip up SMBs.

Cyber Defense Agent's continuous monitoring creates documented evidence that you maintained security controls throughout the policy period, protecting against "failure to maintain" exclusions.

Review your exclusions with your broker annually and negotiate narrower language or add endorsements to close gaps.


Frequently asked questions

Can I negotiate to remove exclusions from my policy?

Some exclusions can be removed or narrowed; others cannot. Standard exclusions like prior knowledge and intentional acts are generally non-negotiable. However, exclusions like social engineering, system failure, and war clause language can often be modified. Carriers are more willing to negotiate with businesses that demonstrate strong security controls. Bring your Cyber Defense Score to the negotiation and work with a broker who has experience negotiating cyber policy terms.

What happens if an exclusion is ambiguous?

In most jurisdictions, ambiguous policy language is interpreted in favor of the policyholder (the "doctrine of contra proferentem"). However, relying on ambiguity is risky and expensive — you may need to litigate to enforce this principle. It is far better to clarify ambiguous language before an incident occurs. Ask your broker to identify any ambiguous exclusions and request clear language from the carrier.

Do all carriers have the same exclusions?

No. Cyber insurance policies are not standardized, and exclusions vary significantly between carriers. Some carriers have broad war exclusions while others use narrow ones. Some exclude social engineering by default while others include it. Some have strict "failure to maintain" exclusions while others are more lenient. Comparing exclusions is as important as comparing limits and premiums when evaluating policies.

How do I know if an exclusion applies to my claim?

When you file a claim, the carrier evaluates whether any exclusions apply. If they invoke an exclusion, they must provide a written explanation citing the specific policy language. You have the right to dispute this determination. Having documented evidence of your security practices (from Cyber Defense Agent scanning) and legal counsel experienced in cyber insurance coverage disputes can help you challenge improper exclusion applications.
