What Does Cyber Insurance Not Cover? The Exclusions That Cost Businesses the Most

By: Shoreline Public Adjusters

Updated: March 2026 · 10 min read

In This Post:

  • The Eight Most Common Cyber Insurance Exclusions
  • The "Failure to Maintain" Exclusion — The Biggest Denial Driver
  • War and Nation-State Attack Exclusions
  • Social Engineering and Voluntary Parting
  • Sub-Limits That Function as Hidden Exclusions
  • What to Do When a Cyber Insurance Claim Is Denied
  • Real Outcome: Tampa IT Services Firm After Ransomware Attack
  • Common Mistakes Businesses Make With Cyber Insurance
  • Frequently Asked Questions About Cyber Insurance Exclusions

A Tampa-area IT services company was hit by a ransomware attack that encrypted their client management system, billing records, and backup servers. Total losses — including incident response, forensic investigation, business interruption, and client notification — exceeded $290,000. Their cyber insurance policy had a $1 million limit. The insurer paid $0.

The denial letter cited a "failure to maintain minimum security standards" exclusion. The insurer pointed to a supplemental application where the company had attested to enforcing multi-factor authentication across all remote access points.

Three employee accounts didn't have MFA enabled. The insurer treated that as a material misrepresentation and denied the entire claim.

Why Most Businesses Don't Understand Their Cyber Insurance Exclusions

I hold a CISSP and CISA — certifications that most cybersecurity professionals spend years earning — and I spent over a decade in enterprise risk management, designing the same security control frameworks that insurers now use to underwrite cyber policies. I've reviewed hundreds of cyber policy exclusion endorsements from both sides of the claim.

What I see consistently is that business owners buy cyber insurance the way they buy general liability — they look at the limit, the premium, and maybe the deductible. They don't read the exclusions. The exclusions are where cyber policies diverge from every other line of coverage, and they're where most denials originate.

The Eight Most Common Cyber Insurance Exclusions

Every cyber policy is different, but these eight exclusions appear in some form across nearly every policy we review. Understanding them before a breach is the only way to know whether your coverage is real.

1. Failure to Maintain Minimum Security Standards

This is the exclusion that denies the most cyber claims. The policy requires the insured to maintain specific security controls — MFA, endpoint detection, encrypted backups, patch management — as a condition of coverage. If the insurer finds any gap in compliance after a breach, they invoke this exclusion.

The problem is that "minimum security standards" are defined by the application questionnaire, not by the policy language. Business owners sign the application attesting to controls they believe are in place. One misconfigured server or one employee who disabled MFA can void the entire claim.

2. War, Terrorism, and Nation-State Attacks

Since Lloyd's of London issued its 2023 war exclusion mandate, most cyber policies exclude losses from state-backed cyberattacks. The exclusion language varies — some policies exclude "hostile cyber operations," others exclude attacks "attributable to a nation-state."

The attribution problem is the real issue. After a breach, the insurer hires a forensic firm that may attribute the attack to a state-sponsored group. The policyholder has no control over that attribution and limited ability to challenge it.

This exclusion has turned what used to be a covered ransomware event into a denied claim based on who the insurer says was behind it.

3. Social Engineering and Voluntary Parting

If an employee is tricked into wiring money, clicking a phishing link that authorizes a transfer, or voluntarily providing credentials to a fraudster, many cyber policies exclude the loss. The "voluntary parting" exclusion says the insured willingly transferred funds or access — even though it was under false pretenses.

Some policies offer social engineering coverage as a separate endorsement with its own sub-limit, often $25,000–$100,000. That won't cover a six-figure wire fraud loss.

4. Prior Known Vulnerabilities and Pre-Existing Breaches

If the insurer can demonstrate the breach exploited a known vulnerability that the business failed to patch, the claim may be denied. Similarly, if the breach began before the policy's retroactive date, losses are excluded.

This is where patch management documentation matters. The insurer's forensic team will look at when the vulnerability was publicly disclosed (the CVE date) versus when the business applied the patch. A 30-day gap is often enough for a denial.

5. Bodily Injury and Property Damage

Cyber policies exclude physical harm and tangible property damage. If a cyberattack causes a manufacturing system to malfunction and injure a worker, or corrupts industrial controls that damage equipment, those losses fall outside cyber coverage.

This gap matters most for manufacturing, healthcare, and critical infrastructure businesses. The cyber policy covers the data breach and IT restoration. The physical consequences need separate coverage.

6. Regulatory Fines and Penalties

Coverage for regulatory fines is split across the industry. Some policies cover defense costs for regulatory actions but exclude the fines themselves. Others offer sub-limited coverage for specific regulations (HIPAA, PCI-DSS) or exclude fines entirely.

State law adds another layer. In some jurisdictions, insuring against regulatory penalties is against public policy — meaning even if the policy covers fines, the coverage may be unenforceable.

7. Insider Threats and Intentional Acts

If a current or former employee causes the breach intentionally, most policies exclude the loss. The "intentional acts" exclusion applies to acts by the insured or anyone acting on their behalf.

The gray area is negligent insiders — an employee who falls for a phishing email isn't acting intentionally, but an employee who deliberately exfiltrates data is. Insurers sometimes try to stretch the intentional acts exclusion to cover gross negligence. That stretch is challengeable.

8. Third-Party Vendor and Infrastructure Failures

If your cloud provider goes down and you lose revenue, most cyber policies exclude the loss unless you've purchased specific "dependent business interruption" or "system failure" coverage. Standard cyber BI coverage requires a security event — not a service outage.

The same applies to managed service provider breaches that affect your systems through no fault of your own. Unless your policy explicitly covers supply chain incidents, the insurer will argue it wasn't your breach.

⚠️ What Insurers Won't Tell You: The supplemental application you signed when purchasing your cyber policy functions as a warranty. If any attestation is inaccurate at the time of a claim — even if you believed it was true when you signed — the insurer can deny the entire claim as a material misrepresentation. Most business owners don't treat the application as a binding document. Insurers do.

Sub-Limits That Function as Hidden Exclusions

Even when a loss is technically covered, sub-limits can reduce the payout to a fraction of the actual cost. These are the sub-limits we see cause the most damage in cyber attack claims.

Ransomware payment sub-limit. Many policies cap ransomware payments at $100,000–$250,000 while the policy's aggregate limit may be $1 million or more. If the ransom demand is $500,000, the sub-limit creates a $250,000+ gap the business absorbs.

Incident response sub-limit. Forensic investigation, legal counsel, breach notification, and credit monitoring each have their own sub-limits. A mid-size breach can exhaust the incident response sub-limit before notification letters are even mailed.

Business interruption waiting period. Most cyber BI coverage includes an 8–12 hour waiting period before coverage begins. For a business losing $5,000–$10,000 per hour, that waiting period represents $40,000–$120,000 in unrecoverable losses. Some policies extend the waiting period to 24 hours.

Dependent business interruption. If covered at all, this is almost always sub-limited at 25–50% of the main BI limit — and it requires the third-party failure to result from a qualifying security event, not a routine outage.

📋 State-Specific Note: Florida, Minnesota, and Wisconsin each have data breach notification statutes with different requirements and timelines. Failing to meet notification deadlines can trigger regulatory fines that your cyber policy may or may not cover. FL § 501.171 requires notification within 30 days of breach discovery. MN § 325E.61 requires "expeditious" notification. WI § 134.98 requires notification within 45 days. Sources: Florida Legislature, Minnesota Legislature

What to Do When a Cyber Insurance Claim Is Denied

Most cyber claim denials cite one of two things: a policy exclusion or a misrepresentation on the application. Here's what a public adjuster looks at when reviewing a denied cyber claim.

Challenge the exclusion's applicability. The exclusion language must match the actual facts of the loss. If the insurer cites "failure to maintain minimum security standards" but the specific control gap didn't cause or contribute to the breach, the exclusion may not apply. A ransomware attack that entered through a zero-day exploit has nothing to do with whether MFA was enabled on every account.

Review the application for ambiguity. The supplemental application questions are often vague: "Do you enforce MFA on all remote access?" What counts as "enforce"? What counts as "all"? If three out of 200 accounts lacked MFA, that's a 98.5% compliance rate. Ambiguity in the application works in the policyholder's favor under most state insurance laws.

Document the actual damages. Insurers undervalue business interruption losses on cyber claims the same way they undervalue them on property claims — by using narrow definitions of "period of restoration" and excluding consequential revenue losses. The actual business impact is almost always larger than the insurer's calculation.

File a DOI complaint if bad faith applies. If the insurer denied a valid claim or unreasonably delayed its investigation, a complaint to the state Department of Insurance creates regulatory pressure. In Minnesota, Minn. Stat. § 72A.201 governs unfair claims practices. In Florida, the Florida Department of Financial Services handles complaints. In Wisconsin, the Office of the Commissioner of Insurance (OCI) enforces fair claims handling.

Real Outcome: Tampa IT Services Firm After Ransomware Attack

The company had 47 employees and managed IT infrastructure for medical practices and law firms across the Tampa Bay area. The ransomware encrypted their primary client management system, their ticketing platform, and their backup servers. They were offline for 11 days.

The insurer denied the claim under the "failure to maintain minimum security standards" exclusion. Their basis: three employee accounts on the remote access VPN did not have MFA enabled. The supplemental application had attested to MFA enforcement "on all remote access."

Shoreline Public Adjusters reviewed the policy language, the application, and the forensic report. The ransomware entry point was a compromised vendor credential — not one of the three accounts lacking MFA. The specific security gap the insurer cited had no causal connection to the breach.

We also identified that the policy's exclusion language required "failure to maintain" controls that were "material to the risk." Three accounts out of over 200 represented a 98.5% compliance rate. We argued the gap was not material and the exclusion was being applied beyond its intended scope.

The insurer's initial position was $0. The final settlement was $187,000 — covering incident response costs, business interruption for the 11-day outage, and client notification expenses. The gap between the settlement and the total loss came from sub-limits on ransomware payment and dependent business interruption that were legitimately capped.


Is your cyber claim denied or underpaid? If your insurer is citing an exclusion, a misrepresentation, or a sub-limit to avoid paying what your policy should cover, a free consultation with Shoreline Public Adjusters takes 15 minutes and costs you nothing. Contact Us


Common Mistakes Businesses Make With Cyber Insurance

1. Not reading the supplemental application after signing it

The application is a warranty. If your IT environment changes after you sign — and it will — your attestations may no longer be accurate. An inaccurate application gives the insurer a denial path on every future claim.

What to do instead: Review your supplemental application annually. Update your insurer in writing if any attested controls change.

2. Assuming the policy limit is the payout limit

Sub-limits on ransomware, incident response, business interruption, and dependent BI can reduce the effective coverage to 20–30% of the stated limit. A $1 million policy with aggressive sub-limits may pay out $200,000 on a $500,000 loss.

What to do instead: Map every sub-limit against realistic loss scenarios. If the sub-limits don't cover a mid-severity breach, negotiate higher sub-limits or buy additional coverage.

3. Relying on the insurer's forensic firm

The insurer selects and pays the forensic investigation firm. That firm's findings directly determine whether the claim is covered. The insurer has a financial interest in an attribution or causation finding that triggers an exclusion.

What to do instead: Engage your own forensic consultant before or alongside the insurer's panel firm. Independent findings give you a stronger position if the insurer's report supports a denial.

4. Waiting too long to dispute a denial

Cyber claims involve time-sensitive evidence — server logs, network traffic data, forensic images. The longer you wait after a denial, the harder it is to reconstruct the facts that could overturn it. Insurance claims have deadlines, and waiting shrinks your options.

What to do instead: Dispute within 30 days. Engage a public adjuster or coverage attorney immediately. Preserve all forensic evidence.

5. Not understanding the war exclusion scope

Since the Lloyd's 2023 mandate, war exclusions in cyber policies have expanded dramatically. If your business is in a sector targeted by state-sponsored actors — healthcare, finance, critical infrastructure, government contractors — you may have less coverage than you think.

What to do instead: Read the war exclusion endorsement specifically. Ask your broker whether the policy includes a "carve-back" for ransomware even if attributed to a state actor.

Frequently Asked Questions About Cyber Insurance Exclusions

What are the most common cyber insurance exclusions?

The most common exclusions are failure to maintain minimum security standards, war and nation-state attacks, social engineering losses, prior known vulnerabilities, bodily injury and property damage, regulatory fines, insider threats, and third-party vendor failures. The "failure to maintain" exclusion is the leading cause of cyber claim denials.

Does cyber insurance cover ransomware payments?

Most policies cover ransomware payments, but almost always with a sub-limit significantly lower than the policy's aggregate limit. A policy with a $1 million limit may cap ransomware payments at $100,000–$250,000. Some policies also exclude payment if the threat actor is on a government sanctions list.

Can my cyber insurance claim be denied for not having MFA?

Yes. If your supplemental application attested to MFA enforcement and the insurer finds accounts without MFA after a breach, they can deny the claim under the "failure to maintain minimum security standards" exclusion — even if the MFA gap had no connection to the breach. Showing that there is no causal link between the gap and the breach is the strongest argument against this denial.

Does cyber insurance cover social engineering wire fraud?

Standard cyber policies often exclude voluntary wire transfers made under fraudulent pretenses. Some policies offer social engineering coverage as a separate endorsement with its own sub-limit, typically $25,000–$100,000. That sub-limit rarely covers the full loss in a business email compromise attack.

What is the war exclusion in cyber insurance?

Following Lloyd's of London's 2023 mandate, most cyber policies exclude losses from cyberattacks attributed to nation-states or state-sponsored groups. The exclusion creates an attribution problem — the insurer's forensic firm determines who was behind the attack, and the policyholder has limited ability to challenge that finding.

Can a public adjuster help with a denied cyber insurance claim?

Yes. A public adjuster who understands cybersecurity can challenge exclusion applicability, identify ambiguity in supplemental applications, document business interruption losses the insurer undervalued, and negotiate settlements on denied or underpaid claims. Shoreline Public Adjusters brings CISSP and CISA credentials to every cyber claim file.


If your cyber insurance claim has been denied or underpaid, the exclusion the insurer cited may not hold up under scrutiny. Shoreline Public Adjusters works exclusively for policyholders — never for insurers — and we bring actual cybersecurity credentials to every cyber claim we handle. We represent businesses across Florida, Minnesota, and Wisconsin. We don't collect a fee unless you do, and insurance claims have deadlines. Contact Us


Shoreline Public Adjusters, LLC is licensed in Florida (FL G199012), Minnesota (MN 40962416), and Wisconsin (WI 21156868).

Shoreline Public Adjusters, LLC
780 Fifth Avenue South
Suite #200
Naples, FL 34102
Email: hello@teamshoreline.com
Phone: 954-546-1899
Fax: 239-778-9889