| Policy Type | Claims-made (most common); some occurrence forms exist |
| Most Commonly Excluded Peril | Nation-state / war and terrorism attacks (Industry standard policy language, Lloyd's of London market guidance 2023) |
| Social Engineering Coverage | Usually requires a separate endorsement — not included in base form |
| Business Interruption Waiting Period | Typically 8–12 hours before losses accrue |
| Regulatory Fines | Partially covered where legally permissible; HIPAA and GDPR fines often excluded or sublimited |
| Physical Hardware Damage | Excluded — falls under commercial property coverage |
| Reputational / Future Revenue Loss | Not covered under any standard cyber form |
| Prior Acts | Excluded unless retroactive date explicitly covers them |
Why Exclusions Are the Most Important Part of Any Cyber Policy
Most business owners buy cyber liability insurance and assume the hard work is done. It isn't. The real risk isn't going without coverage — it's believing you have coverage that doesn't actually exist when a breach happens. Cyber policies are loaded with exclusions, sublimits, and conditions that can gut a claim before you even file it.
This article is a direct, plain-language breakdown of what cyber liability policies typically do not cover. Treat it as a reference you return to when you're reviewing a policy or shopping for coverage. If you want the full picture of what cyber insurance does cover, start with Cyber Liability Insurance: What It Covers and Why Businesses Need It first.
One more thing to understand upfront: not all exclusions are permanent. Some are negotiable endorsements. Others are absolute. Knowing which is which changes how you evaluate a policy.
| Policy Type | Claims-made (most common); some occurrence forms exist |
| Most Commonly Excluded Peril | Nation-state / war and terrorism attacks (Industry standard policy language, Lloyd's of London market guidance 2023) |
| Social Engineering Coverage | Usually requires a separate endorsement — not included in base form |
| Business Interruption Waiting Period | Typically 8–12 hours before losses accrue |
| Regulatory Fines | Partially covered where legally permissible; HIPAA and GDPR fines often excluded or sublimited |
| Physical Hardware Damage | Excluded — falls under commercial property coverage |
| Reputational / Future Revenue Loss | Not covered under any standard cyber form |
| Prior Acts | Excluded unless retroactive date explicitly covers them |
The Core Exclusions Found in Most Cyber Liability Policies
These are the exclusions you'll encounter across virtually every standard cyber policy form. Assume they apply unless your policy explicitly states otherwise.
Prior Acts and Known Incidents
If a breach started before your policy's retroactive date, the claim is almost certainly denied. This catches businesses that buy coverage after noticing suspicious activity — or worse, after an incident they haven't yet disclosed. Insurers aren't absorbing losses they never priced in.
Intentional, Fraudulent, or Criminal Acts by the Insured
If your own employees deliberately exfiltrate data or an owner knowingly violates privacy laws, don't expect the policy to pay. This exclusion typically applies to acts by any insured party — not just principals. Note that this is distinct from third-party fraud or social engineering attacks; those may be covered separately, though not always. See Social Engineering Fraud and Cyber Insurance: What's Actually Covered for how insurers draw that line.
Infrastructure Failures and Utility Outages
A power grid failure, ISP outage, or cloud provider going down is not a cyber incident under most policy definitions. If your systems go offline because AWS had a regional failure, your cyber policy likely won't cover the resulting business interruption losses. You'd need specific contingent business interruption language — which few standard policies include without negotiation.
Physical Damage to Hardware
Cyber policies cover digital losses, not the cost of replacing destroyed servers, melted drives, or physically damaged networking equipment. That exposure belongs under commercial property coverage. If ransomware triggers hardware failure during encryption, you may face a gap between what cyber pays and what property pays.
Bodily Injury and Property Damage
A cyberattack that causes physical harm — say, a breach of an industrial control system that injures a worker — typically falls outside a cyber policy's scope. General liability handles bodily injury and property damage, but GL policies have their own cyber exclusions. This creates a potential gap that neither policy fills cleanly. Why General Liability Insurance Won't Save You From a Cyberattack explains exactly why you can't rely on GL as a backstop.
War, Terrorism, and Nation-State Attacks
This is one of the most contested exclusions in the market today. Most cyber policies exclude losses caused by acts of war — and insurers have argued that attributing an attack to a nation-state triggers this exclusion. Courts have begun weighing in, with inconsistent results. The practical takeaway: if your business is in a sector targeted by nation-state actors (energy, healthcare, critical infrastructure), read this exclusion closely and ask your broker how courts in your jurisdiction have treated it.
Contractual Liability
If you agreed in a vendor contract to indemnify the other party against data breaches, your cyber policy may not honor that assumed liability. Policies cover your legal obligations under applicable law — not obligations you voluntarily accepted in a contract. Review your vendor agreements and confirm whether your policy extends to contractually assumed liability.
Coverage Gaps That Catch Businesses Off Guard
Beyond the standard exclusions above, these are the gaps that tend to surface only when a claim is already in dispute. They're less obvious, but just as damaging.
Unencrypted or Improperly Stored Data
Many policies include a condition requiring reasonable security practices. If an investigation finds that the breached data was stored in plain text, transmitted without encryption, or protected by outdated software, the insurer may invoke a breach-of-condition defense to deny or reduce the claim. This isn't hypothetical — it's a documented claims denial pattern. Document your security controls and keep them current.
Failure to Maintain Security Standards
Closely related: if your policy application stated you had multi-factor authentication, endpoint detection, or regular patching cycles — and an audit after a breach finds you didn't — the insurer has grounds to rescind the policy entirely based on material misrepresentation. This is separate from the security condition above. It's not a partial denial; it's voiding coverage retroactively.
Reputational Harm and Lost Future Revenue
Cyber policies cover defined, quantifiable losses — breach response costs, regulatory fines (where permitted), notification expenses, and business interruption during the recovery window. They do not cover the long-tail revenue loss from customers who left because they no longer trust your business. That reputational damage is real, but it's not insurable under standard cyber forms.
Intellectual Property Theft
If a competitor or nation-state actor steals your trade secrets through a cyberattack, your cyber policy typically won't compensate for the competitive loss or the value of the stolen IP itself. Coverage focuses on the costs of responding to the breach, not the economic value of what was taken. This is an underappreciated gap for businesses in R&D-heavy industries.
Social Engineering and Funds Transfer Fraud
This one surprises business owners every time: standard cyber policies often don't automatically cover losses from phishing scams, business email compromise (BEC), or fraudulent wire transfers. These events are covered under a separate social engineering or funds transfer fraud endorsement — which you may or may not have purchased. Check your policy declarations carefully. The dollar amounts involved in BEC fraud are staggering, and the base cyber form may offer zero protection without that rider.
$4.88M
Average cost of a data breach globally
According to IBM's Cost of a Data Breach Report 2024, the average total cost of a data breach reached a record high.
74%
Of breaches involve a human element
Verizon Data Breach Investigations Report 2024 — phishing, credential theft, and social engineering drive the majority of incidents.
$2.9B
BEC fraud losses reported to the FBI in 2023
FBI Internet Crime Report 2023 — business email compromise remains the highest-dollar cybercrime category, often underinsured.
40%
Of cyber claims involve a coverage dispute
Industry analysis from Woodruff Sawyer suggests a significant share of cyber claims face insurer pushback on scope or exclusions.
Regulatory Fines in Certain Jurisdictions
Some cyber policies include regulatory defense costs and, where legally permissible, fines from regulators like state attorneys general or the FTC. But coverage for fines under GDPR, certain state privacy laws, or HIPAA is often excluded or sublimited. Healthcare businesses especially need to read this section carefully — see Cyber Insurance for Healthcare Practices: HIPAA Exposure and Coverage Gaps for a sector-specific breakdown.
Policy Structure Issues That Function Like Exclusions
Even when coverage technically exists, structural policy elements can produce the same result as a flat exclusion. These aren't buried — they're in plain sight if you know what to look for.
Sublimits
Your policy may have a $1 million aggregate limit but only $100,000 available for ransomware payments, $50,000 for social engineering, and $250,000 for business interruption. Each of those sub-coverages has its own ceiling, regardless of your overall limit. In a significant incident, you'll hit those sublimits fast — and the remainder of your aggregate limit is functionally useless for those covered events. Gaps That Leave Businesses Exposed When Their Cyber Policy Falls Short covers sublimits in detail.
Waiting Periods for Business Interruption
Business interruption coverage under cyber policies typically includes a waiting period — often 8 to 12 hours — before losses begin accruing for coverage purposes. If your systems recover in six hours, you receive nothing for that downtime. For businesses where every hour offline costs thousands, this threshold matters enormously.
Retroactive Date Gaps
Cyber policies are claims-made forms, meaning coverage depends on both when the incident occurred and when the claim was made. If you switch insurers without aligning retroactive dates, you can create a gap period where incidents that occurred before the new policy's retroactive date are uninsured by either carrier.
Consent Requirements
Many cyber policies require the insurer's prior consent before you hire a breach coach, forensic firm, or outside counsel. If you retain your own team first and then notify the insurer, the insurer may refuse to reimburse those costs. In a crisis, the instinct is to act fast — but skipping that consent requirement is an expensive mistake. Read the notification and consent obligations in your policy before an incident happens, not during one.
For a structured review of all these elements before you commit to a policy, see Cyber Liability Insurance: Evaluating a Policy Before You Sign.
What to Do With This Information
Knowing the exclusions is step one. Closing the gaps is step two.
- Audit your current policy against this list. Pull your declarations page and policy form. Cross-reference each exclusion category above. Mark which ones apply to you and which are modified by endorsements you've purchased.
- Verify your security representations are accurate. If your policy application stated you have MFA, EDR software, or a patching schedule, confirm those controls are actually in place. A post-breach audit that contradicts your application is a claim denial waiting to happen.
- Identify your highest-exposure gap. For most small businesses, that's either social engineering fraud (missing endorsement) or business interruption sublimits. For service businesses handling sensitive client data, it's often the regulatory fine exclusion or contractual liability gap.
- Ask your broker specifically about endorsements. Social engineering coverage, contingent business interruption, and broader war/terrorism carve-backs are available in the market. They cost more, but the baseline cyber form without them may be inadequate for your actual risk profile.
- Understand the claims process before you need it. Consent requirements, notification windows, and cooperation obligations are conditions of coverage. Violating them — even unintentionally — jeopardizes your claim. Review The Cyber Liability Claims Process: What Happens After a Breach so you know the sequence.
Cyber liability insurance is a genuinely useful product when it's properly structured. The businesses that get burned are the ones who bought a policy, filed it away, and assumed the problem was solved. It isn't solved until you've verified the coverage actually matches your exposure — and that means understanding every line of what it doesn't cover.
For a broader look at how insurers structure exclusions across policy types, Policy Limits & Exclusions is a useful reference. And if you want to see how cyber exclusions compare to the gaps in general liability, see What General Liability Insurance Does Not Cover.
Retroactive Date
The date in a claims-made policy before which incidents are not covered. Any breach that began prior to this date will be excluded, even if the claim is filed during the active policy period.
Sublimit
A coverage cap within a policy that applies to a specific category of loss — such as ransomware payments or social engineering fraud — regardless of the overall policy aggregate limit.
Business Email Compromise (BEC)
A fraud scheme in which attackers impersonate a trusted party via email to trick employees into transferring funds or sensitive data. Often not covered under base cyber forms without a specific endorsement.
Breach of Condition
A policy defense allowing an insurer to deny a claim when the policyholder failed to meet a security requirement stated in the policy, such as maintaining encryption or multi-factor authentication.
Contingent Business Interruption
Coverage for income losses caused by a disruption at a third-party provider — such as a cloud hosting company or ISP — rather than a direct attack on your own systems. Rarely included in standard cyber policies.
Material Misrepresentation
A false or misleading statement in a policy application that could allow the insurer to void coverage entirely, retroactively, if discovered after a loss.
Nation-State Exclusion
A war or terrorism exclusion applied to cyberattacks attributed to a foreign government or its proxies. The scope and enforceability of this exclusion is actively being litigated in multiple jurisdictions.
Social Engineering Endorsement
An optional add-on to a cyber policy that extends coverage to losses caused by manipulation of employees — such as phishing or impersonation schemes — that result in fraudulent fund transfers or data disclosure.
Cyber Liability Insurance: The Complete Business Owner's Reference
An end-to-end reference covering coverage types, exclusions, the claims process, and premium factors — essential context for any business evaluating cyber coverage.
Cyber Liability vs. Technology E&O Insurance: Sorting Out the Difference
Clarifies how cyber liability and tech errors & omissions policies differ and when your business needs both — critical for technology firms and managed service providers.
Gaps That Leave Businesses Exposed When Their Cyber Policy Falls Short
A detailed look at sublimits, waiting periods, and vague policy language that can undermine a cyber claim even when coverage technically exists.
Common Misconceptions About Cyber Liability Insurance
Addresses the myths that leave businesses dangerously underinsured — from 'only big companies get targeted' to 'my IT team handles this.'
The Cyber Liability Claims Process: What Happens After a Breach
A step-by-step walkthrough of the claims process from incident detection through resolution — including the consent and notification requirements that trip up policyholders.
Cyber Liability Insurance: Evaluating a Policy Before You Sign
A structured checklist for scrutinizing cyber policy terms, sublimits, exclusions, and endorsements before committing to a carrier or renewing coverage.
All claims in this article are backed by peer-reviewed research. We follow strict editorial guidelines to ensure accuracy and reliability. Sources available on request from our editorial team.


