What Does Cyber Insurance Not Cover? (And Why Claims Get Denied)

June 1, 2026


Buying cyber insurance is not the same as having cyber coverage when you actually need it. IBM’s 2024 Cost of a Data Breach Report puts the global average cost of a data breach at $4.88 million. Cyber insurance exists to absorb a share of that exposure. The problem is that the policy language most SMB owners never read closely contains exclusions that can deny coverage in the exact scenario their business faces.

Insurers have tightened claim review significantly as ransomware losses mounted through the early 2020s. What looked like comprehensive coverage at application time can carry conditions that effectively void it at claim time. That language rarely gets scrutinized until a breach forces the conversation.

The most predictable cyber insurance exclusions follow clear patterns. They include failure to maintain required security controls, act of war clauses applied to nation-state attacks, and structural gaps between what a policy covers and what a business actually needs. Knowing these patterns before a breach is the only time that knowledge does any good.


Why Cyber Insurance Claims Get Denied

Most SMB owners assume a valid policy means a paid claim. Insurers operate from a different premise: coverage applies when the policy’s conditions are satisfied at the time of loss, not just at the time of purchase.

Denials trace back to a short list of predictable triggers:

  • Excluded causes of loss, such as an attack attributed to a nation-state actor
  • Missing or misconfigured security controls at the time of breach
  • Application discrepancies between what the business attested and what insurers found at claim review

The fine print rarely gets read until it’s too late. The consequences in cyber are unusually severe. The loss event, the insurer dispute, and the operational recovery all happen simultaneously, during the most chaotic period any SMB will ever face.


Failure to Maintain Security Controls: The Most Common Claim Trigger

Cyber insurance policies require security controls to be active, correctly configured, and functional at the time of loss, not just when the application was submitted. An MFA deployment disabled after an employee complained can void an entire claim regardless of how the breach occurred. So can a backup process that hadn’t been tested in months.

Controls that most frequently trigger this exclusion include:

  • MFA not enforced on email or remote access. Most cyber applications now require multi-factor authentication as a condition of coverage. If MFA had exceptions or was disabled at the time of breach, the exclusion applies.
  • Critical vulnerabilities unpatched beyond the policy window. Many policies specify a patching timeline for critical CVEs, commonly 14 to 30 days. Systems unpatched within that window can constitute a security failure under the policy terms.
  • Backup processes untested or nonfunctional at time of loss. Having a backup tool running is not the same as having a verified, working backup. Insurers ask for test results, not tool configurations.
  • Endpoint detection not deployed across all systems. Coverage gaps between managed and unmanaged endpoints are a frequent dispute point.
  • No documented evidence that controls were active. Logs, configuration records, and testing documentation carry weight at claim time. Verbal assurance does not.

This is a policy conditions issue, not a simple negligence argument. An external attacker can cause a breach entirely on their own. The claim can still be denied if a required control was absent when it happened. Understanding cyber insurance requirements for small businesses before purchasing a policy is the starting point; maintaining those controls continuously after purchase is what keeps coverage enforceable.

For Chicagoland businesses that partner with managed cybersecurity solutions, control verification and documentation are built into the ongoing service relationship rather than treated as a one-time application exercise.


The Act of War and Nation-State Attack Exclusion

Most cyber policies exclude losses caused by acts of war. Carriers have argued in court that major attacks attributed to nation-state actors fall under this clause. Outcomes have varied by jurisdiction.

The highest-profile legal test came from the 2017 NotPetya attack. Merck sued Ace American Insurance over approximately $1.4 billion in insurance coverage after Ace denied the claim by invoking the war exclusion. The New Jersey Appellate Division ruled in Merck’s favor in May 2023, finding that the traditional war exclusion language did not apply to that cyberattack. The legal landscape remains unsettled in other jurisdictions, and the ruling turned on specific policy language that may differ from what your policy contains.

Many policies have since added explicit cyber warfare and state-sponsored attack language that goes further than the traditional war exclusion. This language does not require a formal declaration of war to trigger.

Ransomware groups with documented state affiliations create attribution ambiguity that insurers can exploit at claim time, even when an attack appears commercially motivated. When the tools and techniques match those of known state actors, that association alone can trigger the war exclusion before your IT team has finished assessing the damage. For a closer look at how this plays out in ransomware-specific scenarios, ransomware coverage pitfalls for SMBs covers the operational detail.

Before renewing, ask your broker two direct questions. How does this policy define a nation-state attack: by confirmed government attribution, or by the tools and techniques used? And what evidence standard must the insurer meet before the exclusion applies?


Employee Negligence and Intentional Acts: Where the Line Falls

When an employee clicks a phishing link, credentials get compromised and ransomware deploys across the network. Most cyber policies cover this outcome. Unintentional errors are a standard covered peril because they’re the most common breach entry point, and insurers price that risk into the premium.

Intentional acts fall outside that coverage. Insider data theft, deliberate system sabotage, or an employee acting in coordination with an external attacker are almost universally excluded. The policy covers accidents, not crimes committed from inside the organization.

The harder question involves repeat negligence. Some policies exclude losses where the insured failed to remediate a known vulnerability or implement a required control after a prior incident. This exclusion punishes inaction after a warning. It can apply even when the second breach has a different cause than the first.

Security awareness training addresses this on two levels. First, it reduces the phishing exposure that triggers most accidental compromises. Second, it creates a documentation trail establishing that the business took reasonable precautions. That record protects coverage in edge-case disputes by demonstrating a good-faith compliance posture.


Other Exclusions That Catch SMBs Off Guard

Several cyber policy exclusions surprise SMB owners precisely because they sound like they should be covered. They aren’t.

  • Hardware and physical damage. Replacing destroyed or corrupted equipment is a property insurance question. Cyber policies respond to data losses, business interruption, and third-party liability, not the cost of new servers or workstations.
  • Bodily injury. If a cyberattack causes physical harm, such as a hospital system failure or an industrial control system compromise, bodily injury and physical property damage claims fall outside standard cyber coverage.
  • Reputation and brand damage. Lost future revenue from reputational harm after a breach is rarely covered. Cyber policies respond to first-party response costs and documented third-party liability, not speculative revenue losses.
  • Errors and omissions gap. If a breach at your business causes measurable financial harm to a client, errors and omissions (E&O) coverage typically applies, not cyber liability. Holding only a cyber policy leaves that exposure open.
  • Directors and officers gap. Executive liability for failing to oversee adequate cybersecurity practices is a D&O question. Cyber policies don’t respond to governance claims against leadership.
  • Pre-existing incidents. Breaches that began before the policy effective date are almost always excluded under the known-loss doctrine, even when discovered after inception.

Each of these exclusions points to a gap that no adjustment to a cyber policy will close. They require separate lines of coverage, or in some cases, operational changes before the next renewal.


How to Audit Your Policy Before You File a Claim

A policy audit maps the exclusions on paper against the actual security environment running in your business right now. Five steps make that audit actionable.

  1. Pull the exclusions and definitions sections of your policy. Map each exclusion against your actual security posture today, not your intended posture or the snapshot from your application.
  2. Confirm every attested control is documented, tested, and currently active. Build a controls log with timestamps. Configuration records and test results carry weight at claim time; screenshots and verbal assurances do not.
  3. Ask your broker in writing what would lead to a denied claim under this policy. Get the answer before an incident. A broker who can’t answer that question clearly is a signal worth paying attention to.
  4. Review how the policy defines key terms. “Act of war,” “nation-state attack,” “computer system,” “security failure,” and “retroactive date” each carry legal weight at claim time. The definitions section is where disputes begin.
  5. Schedule a review annually and after any significant change to your IT environment. New vendors, cloud migrations, major workforce changes, and new integrations all affect your risk posture and your exposure to policy exclusions.
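A point-in-time evaluator for the controls discussed above (MFA with no exceptions, critical patches inside the policy window, a recent passing backup test, full endpoint coverage) run against the timestamped controls log that step 2 calls for, for a chosen loss date. This is an added example, not LeadingIT's code or any carrier's policy logic; the 30-day thresholds, the CVE placeholders and every evidence record are constructed assumptions.

```python
"""Point-in-time check of attested controls against a timestamped evidence log.
Added example, not LeadingIT's code; thresholds and every record are constructed."""
from datetime import date, timedelta

PATCH_WINDOW_DAYS = 30         # assumed policy term: critical CVE patched within 30 days of fix release
BACKUP_TEST_MAX_AGE_DAYS = 30  # assumed policy term: a passing restore test within the last 30 days
# Constructed evidence log. MFA records are intervals; 'to': None means the state is still in force.
EVIDENCE = [
    {"control": "mfa", "scope": "email", "exceptions": 0, "from": date(2025, 1, 10), "to": None},
    {"control": "mfa", "scope": "remote_access", "exceptions": 0, "from": date(2025, 1, 10), "to": date(2025, 5, 20)},
    {"control": "mfa", "scope": "remote_access", "exceptions": 3, "from": date(2025, 5, 20), "to": None},
    {"control": "patch", "cve": "CVE-0000-PLACEHOLDER-A", "fix": date(2025, 4, 1), "patched": date(2025, 4, 12)},
    {"control": "patch", "cve": "CVE-0000-PLACEHOLDER-B", "fix": date(2025, 4, 20), "patched": None},
    {"control": "backup_test", "result": "pass", "date": date(2025, 3, 25)},
    {"control": "edr", "total": 120, "covered": 116, "date": date(2025, 6, 1)},
]

def active_on(rec, day):
    """True if an interval record covers `day` (half-open: from <= day < to)."""
    return rec["from"] <= day and (rec["to"] is None or day < rec["to"])

def evaluate(evidence, loss_date):
    """Return {control: (ok, reason)} for the state of each attested control on loss_date."""
    findings = {}
    for scope in ("email", "remote_access"):
        live = [r for r in evidence if r["control"] == "mfa" and r["scope"] == scope and active_on(r, loss_date)]
        exc = sum(r["exceptions"] for r in live)
        ok = bool(live) and exc == 0           # any exemption in force at time of loss breaks the attestation
        findings[f"mfa:{scope}"] = (ok, "enforced, no exceptions" if ok else f"not enforced or {exc} exception(s)")
    for r in (r for r in evidence if r["control"] == "patch"):   # every CVE in the log is treated as critical
        deadline = r["fix"] + timedelta(days=PATCH_WINDOW_DAYS)
        patched = r["patched"] is not None and r["patched"] <= loss_date
        ok = patched or loss_date <= deadline  # still unpatched after the window closed is a security failure
        findings[f"patch:{r['cve']}"] = (ok, f"patched {r['patched']}" if patched else f"unpatched; deadline {deadline}")
    # Only passing restore tests count as evidence; a running backup tool proves nothing by itself.
    passes = [r["date"] for r in evidence if r["control"] == "backup_test" and r["result"] == "pass" and r["date"] <= loss_date]
    age = (loss_date - max(passes)).days if passes else None
    ok = age is not None and age <= BACKUP_TEST_MAX_AGE_DAYS
    findings["backup_test"] = (ok, f"last passing test {age} day(s) before loss" if passes else "no passing test on record")
    inv = [r for r in evidence if r["control"] == "edr" and r["date"] <= loss_date]
    if inv:
        latest = max(inv, key=lambda r: r["date"])
        gap = latest["total"] - latest["covered"]
        findings["edr"] = (gap == 0, f"{gap} endpoint(s) without EDR as of {latest['date']}")
    else:
        findings["edr"] = (False, "no endpoint inventory on record")
    return findings

if __name__ == "__main__":
    for name, (ok, why) in evaluate(EVIDENCE, date(2025, 6, 10)).items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {why}")
```

Run with a loss date of 2025-06-10 the log shows MFA exemptions on remote access, an open critical CVE past its window, a stale backup test and four unmanaged endpoints, each of which the page lists as a claim-denial trigger.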

Working with IT compliance services that manage ongoing control documentation turns this audit from an annual scramble into a continuous process. It also produces the records your insurer will request if a claim faces scrutiny.


What Fills the Gaps Cyber Insurance Won’t

Cyber insurance transfers residual risk. It doesn’t compensate for the absence of security. The controls required to keep claims payable are the same controls that prevent most breaches in the first place.

The failure to maintain security controls exclusion is not a technicality. It’s a direct statement from insurers that a verified, active security posture is a precondition of coverage. A policy without functioning controls behind it is a financial instrument with an undisclosed void condition.

Coverage gaps around hardware, bodily injury, and nation-state attacks can’t be closed by adjusting a cyber policy. They require operational resilience:

  • Tested recovery processes verified before a breach occurs
  • Maintained control records documenting active security postures
  • Incident response procedures that have been practiced, not just documented

Continuous control monitoring, built into an ongoing IT partnership rather than a once-a-year policy review, is what keeps coverage enforceable when it’s actually needed. That partnership also produces the logs, configuration records, and testing documentation that an insurer will request if a claim faces dispute.

When your security controls are current, documented, and verifiable, a cyber insurance claim is a financial recovery process. When they aren’t, it becomes a months-long dispute over whether a required safeguard was active when the breach occurred. Your business handles that dispute while already under the maximum pressure it will ever face.

LeadingIT provides managed IT and cybersecurity services to Chicagoland SMBs, including:

  • MFA enforcement on email and remote access
  • Patch management within policy-required windows
  • Endpoint protection deployed across all systems
  • Tested backup processes with documented results
  • Documentation trails that insurers require at claim time

Talk to LeadingIT about Chicago cybersecurity services to see where your current controls stand against the requirements your policy demands, or call 815-788-6041.


Stephen Taylor is the founder and driving force behind LeadingIT, a Chicagoland-based IT and cloud services company, where he focuses on delivering practical, client-first technology solutions for businesses. A Microsoft Certified professional and author of Technology Should Just Work, he combines hands-on expertise with a passion for making IT simple, transparent, and effective.
