Deep Layer Security Advisory
Decision 2026-02-09

Cyber Insurance and Incident Response: What Your Policy Actually Requires

Part of the Incident Response Deep-Dive Guide

Cyber insurance has become a standard component of organizational risk management, but most policyholders have a dangerously incomplete understanding of what their policy actually requires. The application questionnaire asked about MFA, EDR, and backups, and the organization checked the right boxes. The policy was bound, the premium was paid, and the certificate sits in a folder somewhere. But between the application and an actual claim lies a minefield of conditions, requirements, and exclusions that can reduce or eliminate coverage precisely when the organization needs it most.

This article examines what cyber insurance policies commonly require with respect to incident response, the coverage gaps that catch organizations off guard, and the claim-time surprises that can turn a covered loss into an out-of-pocket expense. If you carry cyber insurance, you owe it to your organization to understand these dynamics before you need to file a claim.

Common Policy Requirements: MFA, EDR, Backups, and IR Plans

Cyber insurance underwriters have significantly tightened their requirements over the past several years in response to escalating claim costs, particularly from ransomware. Most policies now require, as conditions of coverage, that the insured organization maintain specific security controls. Multi-factor authentication on all remote access, email, and privileged accounts is nearly universal. Endpoint detection and response coverage across all endpoints, including servers, is increasingly standard. Offline or immutable backup capabilities with tested restoration procedures are commonly required. And a documented, current incident response plan is a baseline expectation.

The critical distinction that many policyholders miss is between application representations and ongoing conditions. The application asks whether these controls are in place at the time of binding, and frequently also whether the insured will maintain them. If the organization represented that MFA was deployed on all remote access but a VPN concentrator was later configured without MFA, and an attacker exploits that gap, the insurer may argue that the claim is not covered: as a material misrepresentation on the application if the control was never actually complete, or as a breach of a policy condition if it lapsed after binding. Some policies make this explicit through a condition-precedent or control-warranty endorsement (an 'MFA warranty' is the common form) that conditions coverage on maintaining the named controls throughout the policy period; a pre-binding 'subjectivity', a control the carrier required the applicant to complete before the policy was issued, is often carried into the policy in the same way. Others rely on the application representations as a basis for rescission if a claim investigation finds that controls were absent or incomplete despite what the application stated.

The practical implication is that the security controls described in the insurance application are not just security measures; they are contractual obligations. Organizations must track which representations were made on the application, verify that those controls remain in place throughout the policy period, and document compliance in a way that can withstand scrutiny during a claim investigation. A quarterly attestation process that validates MFA deployment, EDR coverage, backup functionality, and IR plan currency is a reasonable approach that protects both security posture and insurance coverage.
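The attestation described above is easiest to defend if it is produced by a repeatable check rather than a signed checklist. The script below is an added example written for this article, not a tool from any carrier or broker: it takes the answers given on a hypothetical application, pulls constructed evidence from asset, EDR and backup inventories, and reports every control whose current state no longer matches what was represented, with the evidence lines that would go into the attestation record. The control names, thresholds (7-day EDR check-in, 90-day restore test, 12-month plan review), hostnames and dates are all assumptions; set the thresholds to whatever the policy wording actually requires. The sample data reproduces the scenario in the previous paragraph: a second VPN concentrator stood up after binding without MFA.

```python
"""Quarterly control attestation against cyber-insurance application representations.

Added example, not code from the article or from any carrier. All inventory
records, hostnames, dates and thresholds below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date

# Answers as given on the hypothetical application at binding.
REPRESENTATIONS = {
    "mfa_all_remote_access": True,
    "edr_all_endpoints_incl_servers": True,
    "backups_immutable_and_restore_tested": True,
    "ir_plan_reviewed_within_12_months": True,
}

# Assumed thresholds; replace with the policy's own wording where it specifies one.
EDR_MAX_CHECKIN_AGE_DAYS = 7      # an agent silent longer than this is treated as absent
RESTORE_TEST_MAX_AGE_DAYS = 90
IR_PLAN_MAX_AGE_DAYS = 365


@dataclass
class Finding:
    control: str
    passed: bool
    evidence: list[str]   # written into the attestation record verbatim


def check_mfa(remote_access: list[dict]) -> Finding:
    """Every remote-access path (VPN, RDP gateway, webmail, admin portals) must enforce MFA."""
    gaps = [f"{s['name']} ({s['type']}): MFA not enforced" for s in remote_access if not s["mfa"]]
    return Finding("mfa_all_remote_access", not gaps,
                   gaps or [f"{len(remote_access)} remote-access services, all enforce MFA"])


def check_edr(endpoints: list[dict], as_of: date) -> Finding:
    """An endpoint counts as covered only if an agent is installed and has checked in recently."""
    gaps = []
    for e in endpoints:
        if e["edr_last_checkin"] is None:
            gaps.append(f"{e['host']} ({e['role']}): no EDR agent")
        elif (as_of - e["edr_last_checkin"]).days > EDR_MAX_CHECKIN_AGE_DAYS:
            gaps.append(f"{e['host']} ({e['role']}): agent last seen {e['edr_last_checkin']}")
    return Finding("edr_all_endpoints_incl_servers", not gaps,
                   gaps or [f"{len(endpoints)} endpoints (workstations and servers) reporting"])


def check_backups(backup_sets: list[dict], as_of: date) -> Finding:
    """Each backup set must be immutable or offline AND have a recent successful restore test."""
    gaps = []
    for b in backup_sets:
        if not (b["immutable"] or b["offline"]):
            gaps.append(f"{b['name']}: neither immutable nor offline")
        last = b["last_restore_test"]
        if last is None or (as_of - last).days > RESTORE_TEST_MAX_AGE_DAYS:
            gaps.append(f"{b['name']}: restore test missing or older than {RESTORE_TEST_MAX_AGE_DAYS} days")
    return Finding("backups_immutable_and_restore_tested", not gaps,
                   gaps or [f"{len(backup_sets)} backup sets immutable/offline with current restore tests"])


def check_ir_plan(last_reviewed: date, as_of: date) -> Finding:
    age = (as_of - last_reviewed).days
    return Finding("ir_plan_reviewed_within_12_months", age <= IR_PLAN_MAX_AGE_DAYS,
                   [f"IR plan last reviewed {last_reviewed} ({age} days ago)"])


def run_attestation(evidence: dict, as_of: date) -> dict:
    """Return findings per control plus the controls represented as true that now fail."""
    findings = {f.control: f for f in (
        check_mfa(evidence["remote_access"]),
        check_edr(evidence["endpoints"], as_of),
        check_backups(evidence["backup_sets"], as_of),
        check_ir_plan(evidence["ir_plan_last_reviewed"], as_of),
    )}
    deviations = sorted(c for c, f in findings.items() if REPRESENTATIONS.get(c) and not f.passed)
    return {"as_of": as_of.isoformat(), "findings": findings, "deviations": deviations}


# Constructed sample evidence: a VPN concentrator added after binding without MFA,
# one server whose agent has gone silent and one with no agent at all.
SAMPLE_EVIDENCE = {
    "remote_access": [
        {"name": "vpn-primary", "type": "vpn", "mfa": True},
        {"name": "vpn-legacy-02", "type": "vpn", "mfa": False},
        {"name": "owa", "type": "webmail", "mfa": True},
    ],
    "endpoints": [
        {"host": "ws-0412", "role": "workstation", "edr_last_checkin": date(2026, 2, 8)},
        {"host": "db-prod-03", "role": "server", "edr_last_checkin": date(2025, 12, 20)},
        {"host": "fs-01", "role": "server", "edr_last_checkin": None},
    ],
    "backup_sets": [
        {"name": "tier1-immutable", "immutable": True, "offline": False,
         "last_restore_test": date(2026, 1, 15)},
    ],
    "ir_plan_last_reviewed": date(2025, 9, 1),
}


def sample_report() -> dict:
    """Run the attestation on the constructed evidence as of a fixed date."""
    return run_attestation(SAMPLE_EVIDENCE, date(2026, 2, 9))


if __name__ == "__main__":
    report = sample_report()
    for f in report["findings"].values():
        print("PASS" if f.passed else "FAIL", f.control)
        for line in f.evidence:
            print("    ", line)
    print("deviations from application:", report["deviations"])
```

Two design points matter for claim time. The evidence lines name the specific host or service, so the report shows not just that a control failed but what was fixed and when, which is what a coverage investigation will ask for. And an EDR agent that has stopped checking in is treated as absent rather than installed, because a dormant agent offers neither detection nor a credible answer to the question "was EDR deployed on that server".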

Panel Firm Requirements and Notification Timelines

Most cyber insurance policies include a panel of pre-approved service providers: law firms, forensic investigation firms, crisis communication firms, and breach notification vendors. When an incident occurs, the policy typically requires the insured to use panel firms for these services, or at minimum to obtain pre-approval from the carrier before engaging non-panel providers. Using a non-panel firm without approval can result in the carrier refusing to reimburse those costs, even if the work was necessary and well-executed. This catches organizations that have existing relationships with forensic firms or law firms and naturally turn to those trusted partners first.

Notification timelines are another area where policyholders are frequently caught off guard. Most policies require the insured to notify the carrier of a potential claim 'as soon as practicable' or within a specified timeframe, often 48 to 72 hours from discovery. Late notification can be grounds for coverage denial, even if the underlying claim would otherwise be covered. The challenge is that organizations in the first hours of an incident are focused on containment and investigation, and insurance notification may not be top of mind. This is why the incident response plan should include insurance carrier notification as a specific step in the first-phase response procedures, with the carrier's claims contact information and policy number readily accessible.

Some policies also require the insured to obtain the carrier's consent before incurring certain categories of expense, such as ransom payments, public relations expenditures, or notification costs above a specified threshold. Incurring these expenses without consent, even under time pressure, can jeopardize reimbursement. Understanding these consent requirements before an incident occurs allows the response team to build carrier communication into the response workflow rather than discovering the requirement mid-crisis.

Coverage Gaps Most Organizations Do Not Realize Exist

Cyber insurance policies contain exclusions and limitations that create coverage gaps which catch policyholders by surprise at claim time. One of the most significant is the war and nation-state exclusion. Most policies exclude losses arising from acts of war or hostile actions by nation-states. As more cyberattacks are attributed to state-sponsored actors, insurers have begun asserting this exclusion more aggressively. The NotPetya litigation showed how much turns on the wording: Merck and Mondelez spent years fighting their insurers over war exclusions drafted for conventional hostilities, the courts held in Merck's case that the older language did not reach the attack, and many carriers (pushed along by the Lloyd's market requirement for state-backed cyber attack exclusions from 2023) have since introduced more specific cyber war exclusions with varying definitions of what constitutes a state-sponsored attack.

Other common coverage gaps include: sublimits on specific cost categories like ransomware payments, business interruption, or regulatory fines that are far below the overall policy limit; waiting periods for business interruption coverage that exclude the first 8 to 24 hours of downtime, which is often the most costly period; exclusions for unencrypted data or data stored in environments that do not meet specified security standards; and retroactive date limitations that exclude breaches where the initial compromise occurred before a specified date, even if the breach was not discovered until the policy period. Social engineering and funds transfer fraud may be covered under a separate endorsement with its own sublimit, or may not be covered at all under the cyber policy.

Perhaps the most insidious gap is the difference between first-party and third-party coverage. First-party coverage pays for the insured's own losses: forensic investigation, notification costs, business interruption. Third-party coverage pays for claims by others against the insured: lawsuits, regulatory fines, contractual penalties. Many organizations assume their policy covers both, but the extent of coverage varies significantly. Regulatory fines may be excluded entirely or subject to insurability limitations in certain jurisdictions. Understanding the specific scope of both first-party and third-party coverage is essential for accurate risk assessment.

Claim-Time Surprises and How to Avoid Them

The most effective way to avoid claim-time surprises is to read your policy before you need it and engage your broker in a detailed coverage review. This is not as obvious as it sounds. Many organizations purchase cyber insurance through a broker, receive the policy document, and never read it. The broker's summary may highlight coverage limits and deductibles but gloss over conditions, exclusions, and procedural requirements that determine whether a specific claim is actually covered. A pre-loss coverage review with your broker and, ideally, coverage counsel should walk through realistic claim scenarios and map them against the actual policy language.

Another common claim-time surprise involves the interaction between the cyber policy and other insurance lines. A business email compromise that results in fraudulent wire transfers may implicate the cyber policy, the crime policy, and the directors and officers policy. Coverage disputes between carriers on different policy lines can delay claim resolution by months. Understanding which policy responds to which aspect of a loss, and whether there are gaps between policies, requires pre-loss analysis that most organizations neglect. Your broker should be able to produce a coverage map that shows how different policies interact for common incident scenarios.

Finally, organizations should conduct an annual insurance readiness review that validates compliance with policy conditions, updates the IR plan to reflect policy requirements (including panel firm contacts and notification procedures), and tests the claim notification process. This review should involve the CISO, the risk manager, legal counsel, and the insurance broker. The goal is to ensure that when an incident occurs, the organization's response workflow is fully aligned with the policy's requirements, so that procedural missteps do not jeopardize the coverage the organization is paying for. Insurance is only valuable if it pays claims, and it only pays claims when conditions are met.

Key Takeaways

Security controls described in the insurance application are contractual obligations; verify MFA, EDR, and backup compliance quarterly throughout the policy period.
Include cyber insurance carrier notification as a specific step in first-phase incident response procedures, with claims contact information and policy number readily accessible.
Review policy exclusions, sublimits, waiting periods, and panel firm requirements with your broker and coverage counsel before an incident occurs.