What Does Cyber Insurance Not Cover?
Cyber insurance can save your business during a ransomware mess or a data breach, but it is not a “get out of jail free” card. The fastest way companies get burned is thinking they are covered for a scenario, then finding out the policy either excludes it, caps it with a tiny sublimit, or requires a control they were not actually maintaining.
Note from Rhonerisk: If you want someone to sanity-check your policy before you ever need to file a claim, book a call with RhoneRisk or request a quote.
Why “we have cyber insurance” can still turn into a bad day
Most cyber insurance problems are not because the carrier is evil. They happen because:
-
the buyer never reviewed sublimits and exclusions
-
the business cannot prove it actually had the controls it claimed on the application
-
the incident does not match the policy’s exact definitions and triggers
Cyber insurance is a contract, not a vibe. When something happens, the claim gets measured against policy language, not your intentions.
Internal link placement: What to look for in cyber insurance coverage
What cyber insurance commonly does not cover (or only covers partially)
1) Anything that started before the policy period
If the breach began before the effective date or before the retroactive date, you might be out of luck.
Look for:
-
retroactive date
-
prior acts language
-
known circumstances exclusions
2) “You said you had this control, but you didn’t”
This is the biggest quiet killer.
Examples:
-
MFA was “enabled” but not enforced for everyone
-
backups existed but were not isolated and attackers reached them
-
patching was “done” but there is no evidence and systems were months behind
Some policies treat this as:
-
exclusion
-
condition precedent
-
or a warranty tied to the application
Translation: if your app says one thing and reality says another, it can get ugly fast.
Internal link placement: Cyber insurance underwriting: what it is and how it works
3) Social engineering losses beyond the sublimit
Funds transfer fraud and invoice scams are common, but coverage is often limited.
What happens a lot:
-
you have a $1M policy
-
social engineering is capped at $25K to $100K
-
the trigger requires “verification steps” that were not followed
If your team wires money, this section matters more than your headline limit.
4) Long-term reputation damage and “lost future revenue”
Some policies may cover PR help, but they usually do not cover:
-
the customer who leaves months later
-
the deals you never win again
-
the trust damage that lingers
Insurance can help with response costs. It cannot rewind reputation.
5) Contract disputes that are not clearly tied to a covered cyber event
If you breach an SLA or fail to deliver services and the dispute is contractual, it may not be covered unless it fits the policy’s defined cyber event and liability coverage.
This comes up a lot with:
-
MSPs
-
SaaS companies
-
fintech vendors
Cyber policies often cover privacy and security liability, not every contract fight.
6) Bodily injury and property damage in the way people assume
If a cyber event causes physical harm or physical property damage, cyber policies often limit or exclude that. Those losses may fall under other parts of your insurance stack.
This is one of those “it depends” areas that should be reviewed if you operate anything physical or safety-critical.
7) Betterment and upgrades
If you use an incident as a chance to upgrade everything, some policies only want to pay to restore you to your prior state.
Example:
-
you rebuild your network stronger than before
-
the carrier may treat part of that spend as “improvement” rather than “restoration”
8) Fines and penalties that cannot legally be insured
Some policies cover regulatory defense. Some include certain penalties. Some do not.
And in many jurisdictions, certain fines simply cannot be insured, no matter what the policy says.
Do not assume “the policy pays the fine.” Confirm.
9) War or nation-state style exclusions
Many cyber policies have war or hostile act exclusions. The interpretation can be complex and has been disputed in real situations.
This is not something to obsess over, but it is something to understand, especially if your industry is heavily targeted.
10) Outages that do not meet the trigger for business interruption
Business interruption coverage often has:
-
waiting periods
-
strict definitions
-
limited coverage for cloud or vendor outages unless specifically included
If you run on cloud tools, check whether third-party outages are included or excluded.
The “gotcha” that causes the most disappointment: sublimits
A lot of people buy cyber insurance based on the big number.
Then they find out the part they actually needed is capped.
Common low caps:
-
social engineering and fraud
-
certain incident response services
-
business interruption scenarios
-
regulatory-related items
That is why a “policy review” is not fluff. It is the difference between confidence and surprise.
Real talk: how to avoid finding this out the hard way
Here is what we recommend before you ever need to file a claim:
-
Ask for a coverage summary that lists all sublimits
-
Confirm the policy’s security requirements and whether you meet them today
-
Make sure the application answers match reality
-
Know the claims reporting hotline and who to call first
-
Confirm if you must use panel vendors
The finish (the part nobody says out loud)
A lot of cyber policies are not “bad.” They are just built for a fantasy version of your business where everyone uses MFA, backups are tested, wires are verified perfectly, and every vendor outage is covered.
Your job is to buy the policy for the real version of your business.
If you want, RhoneRisk can look at your current policy and tell you, straight up, where it is strong, where it is capped, and what would actually happen if you got hit next week.

