Business Insurance reference

What Cyber Liability Insurance Does Not Cover

Business owner reviewing cyber liability insurance policy documents with cybersecurity warnings visible on screens
Policy Type Claims-made (most common); some occurrence forms exist
Most Commonly Excluded Peril Nation-state / war and terrorism attacks (Industry standard policy language, Lloyd's of London market guidance 2023)
Social Engineering Coverage Usually requires a separate endorsement — not included in base form
Business Interruption Waiting Period Typically 8–12 hours before losses accrue
Regulatory Fines Partially covered where legally permissible; HIPAA and GDPR fines often excluded or sublimited
Physical Hardware Damage Excluded — falls under commercial property coverage
Reputational / Future Revenue Loss Not covered under any standard cyber form
Prior Acts Excluded unless retroactive date explicitly covers them

Why Exclusions Are the Most Important Part of Any Cyber Policy

Most business owners buy cyber liability insurance and assume the hard work is done. It isn't. The real risk isn't going without coverage — it's believing you have coverage that doesn't actually exist when a breach happens. Cyber policies are loaded with exclusions, sublimits, and conditions that can gut a claim before you even file it.

This article is a direct, plain-language breakdown of what cyber liability policies typically do not cover. Treat it as a reference you return to when you're reviewing a policy or shopping for coverage. If you want the full picture of what cyber insurance does cover, start with Cyber Liability Insurance: What It Covers and Why Businesses Need It first.

One more thing to understand upfront: not all exclusions are permanent. Some are negotiable endorsements. Others are absolute. Knowing which is which changes how you evaluate a policy.

Policy Type Claims-made (most common); some occurrence forms exist
Most Commonly Excluded Peril Nation-state / war and terrorism attacks (Industry standard policy language, Lloyd's of London market guidance 2023)
Social Engineering Coverage Usually requires a separate endorsement — not included in base form
Business Interruption Waiting Period Typically 8–12 hours before losses accrue
Regulatory Fines Partially covered where legally permissible; HIPAA and GDPR fines often excluded or sublimited
Physical Hardware Damage Excluded — falls under commercial property coverage
Reputational / Future Revenue Loss Not covered under any standard cyber form
Prior Acts Excluded unless retroactive date explicitly covers them

The Core Exclusions Found in Most Cyber Liability Policies

These are the exclusions you'll encounter across virtually every standard cyber policy form. Assume they apply unless your policy explicitly states otherwise.

Close-up of insurance policy document with exclusion stamp highlighted in red ink on specific clauses
Standard cyber policy forms contain dozens of exclusions — many buried in conditions rather than the exclusions section itself.

Prior Acts and Known Incidents

If a breach started before your policy's retroactive date, the claim is almost certainly denied. This catches businesses that buy coverage after noticing suspicious activity — or worse, after an incident they haven't yet disclosed. Insurers aren't absorbing losses they never priced in.

Intentional, Fraudulent, or Criminal Acts by the Insured

If your own employees deliberately exfiltrate data or an owner knowingly violates privacy laws, don't expect the policy to pay. This exclusion typically applies to acts by any insured party — not just principals. Note that this is distinct from third-party fraud or social engineering attacks; those may be covered separately, though not always. See Social Engineering Fraud and Cyber Insurance: What's Actually Covered for how insurers draw that line.

Infrastructure Failures and Utility Outages

A power grid failure, ISP outage, or cloud provider going down is not a cyber incident under most policy definitions. If your systems go offline because AWS had a regional failure, your cyber policy likely won't cover the resulting business interruption losses. You'd need specific contingent business interruption language — which few standard policies include without negotiation.

Physical Damage to Hardware

Cyber policies cover digital losses, not the cost of replacing destroyed servers, melted drives, or physically damaged networking equipment. That exposure belongs under commercial property coverage. If ransomware triggers hardware failure during encryption, you may face a gap between what cyber pays and what property pays.

Bodily Injury and Property Damage

A cyberattack that causes physical harm — say, a breach of an industrial control system that injures a worker — typically falls outside a cyber policy's scope. General liability handles bodily injury and property damage, but GL policies have their own cyber exclusions. This creates a potential gap that neither policy fills cleanly. Why General Liability Insurance Won't Save You From a Cyberattack explains exactly why you can't rely on GL as a backstop.

War, Terrorism, and Nation-State Attacks

This is one of the most contested exclusions in the market today. Most cyber policies exclude losses caused by acts of war — and insurers have argued that attributing an attack to a nation-state triggers this exclusion. Courts have begun weighing in, with inconsistent results. The practical takeaway: if your business is in a sector targeted by nation-state actors (energy, healthcare, critical infrastructure), read this exclusion closely and ask your broker how courts in your jurisdiction have treated it.

Contractual Liability

If you agreed in a vendor contract to indemnify the other party against data breaches, your cyber policy may not honor that assumed liability. Policies cover your legal obligations under applicable law — not obligations you voluntarily accepted in a contract. Review your vendor agreements and confirm whether your policy extends to contractually assumed liability.

Coverage Gaps That Catch Businesses Off Guard

Beyond the standard exclusions above, these are the gaps that tend to surface only when a claim is already in dispute. They're less obvious, but just as damaging.

Digital network diagram showing broken links between business systems with red vulnerability indicators
Coverage gaps often emerge at the intersections between policy types — where cyber, GL, and property coverage each assume another policy applies.

Unencrypted or Improperly Stored Data

Many policies include a condition requiring reasonable security practices. If an investigation finds that the breached data was stored in plain text, transmitted without encryption, or protected by outdated software, the insurer may invoke a breach-of-condition defense to deny or reduce the claim. This isn't hypothetical — it's a documented claims denial pattern. Document your security controls and keep them current.

Failure to Maintain Security Standards

Closely related: if your policy application stated you had multi-factor authentication, endpoint detection, or regular patching cycles — and an audit after a breach finds you didn't — the insurer has grounds to rescind the policy entirely based on material misrepresentation. This is separate from the security condition above. It's not a partial denial; it's voiding coverage retroactively.

Reputational Harm and Lost Future Revenue

Cyber policies cover defined, quantifiable losses — breach response costs, regulatory fines (where permitted), notification expenses, and business interruption during the recovery window. They do not cover the long-tail revenue loss from customers who left because they no longer trust your business. That reputational damage is real, but it's not insurable under standard cyber forms.

Intellectual Property Theft

If a competitor or nation-state actor steals your trade secrets through a cyberattack, your cyber policy typically won't compensate for the competitive loss or the value of the stolen IP itself. Coverage focuses on the costs of responding to the breach, not the economic value of what was taken. This is an underappreciated gap for businesses in R&D-heavy industries.

Social Engineering and Funds Transfer Fraud

This one surprises business owners every time: standard cyber policies often don't automatically cover losses from phishing scams, business email compromise (BEC), or fraudulent wire transfers. These events are covered under a separate social engineering or funds transfer fraud endorsement — which you may or may not have purchased. Check your policy declarations carefully. The dollar amounts involved in BEC fraud are staggering, and the base cyber form may offer zero protection without that rider.

$4.88M

Average cost of a data breach globally

According to IBM's Cost of a Data Breach Report 2024, the average total cost of a data breach reached a record high.

74%

Of breaches involve a human element

Verizon Data Breach Investigations Report 2024 — phishing, credential theft, and social engineering drive the majority of incidents.

$2.9B

BEC fraud losses reported to the FBI in 2023

FBI Internet Crime Report 2023 — business email compromise remains the highest-dollar cybercrime category, often underinsured.

40%

Of cyber claims involve a coverage dispute

Industry analysis from Woodruff Sawyer suggests a significant share of cyber claims face insurer pushback on scope or exclusions.

Regulatory Fines in Certain Jurisdictions

Some cyber policies include regulatory defense costs and, where legally permissible, fines from regulators like state attorneys general or the FTC. But coverage for fines under GDPR, certain state privacy laws, or HIPAA is often excluded or sublimited. Healthcare businesses especially need to read this section carefully — see Cyber Insurance for Healthcare Practices: HIPAA Exposure and Coverage Gaps for a sector-specific breakdown.

Policy Structure Issues That Function Like Exclusions

Even when coverage technically exists, structural policy elements can produce the same result as a flat exclusion. These aren't buried — they're in plain sight if you know what to look for.

Sublimits

Your policy may have a $1 million aggregate limit but only $100,000 available for ransomware payments, $50,000 for social engineering, and $250,000 for business interruption. Each of those sub-coverages has its own ceiling, regardless of your overall limit. In a significant incident, you'll hit those sublimits fast — and the remainder of your aggregate limit is functionally useless for those covered events. Gaps That Leave Businesses Exposed When Their Cyber Policy Falls Short covers sublimits in detail.

Waiting Periods for Business Interruption

Business interruption coverage under cyber policies typically includes a waiting period — often 8 to 12 hours — before losses begin accruing for coverage purposes. If your systems recover in six hours, you receive nothing for that downtime. For businesses where every hour offline costs thousands, this threshold matters enormously.

Retroactive Date Gaps

Cyber policies are claims-made forms, meaning coverage depends on both when the incident occurred and when the claim was made. If you switch insurers without aligning retroactive dates, you can create a gap period where incidents that occurred before the new policy's retroactive date are uninsured by either carrier.

Consent Requirements

Many cyber policies require the insurer's prior consent before you hire a breach coach, forensic firm, or outside counsel. If you retain your own team first and then notify the insurer, the insurer may refuse to reimburse those costs. In a crisis, the instinct is to act fast — but skipping that consent requirement is an expensive mistake. Read the notification and consent obligations in your policy before an incident happens, not during one.

For a structured review of all these elements before you commit to a policy, see Cyber Liability Insurance: Evaluating a Policy Before You Sign.

What to Do With This Information

Knowing the exclusions is step one. Closing the gaps is step two.

  1. Audit your current policy against this list. Pull your declarations page and policy form. Cross-reference each exclusion category above. Mark which ones apply to you and which are modified by endorsements you've purchased.
  2. Verify your security representations are accurate. If your policy application stated you have MFA, EDR software, or a patching schedule, confirm those controls are actually in place. A post-breach audit that contradicts your application is a claim denial waiting to happen.
  3. Identify your highest-exposure gap. For most small businesses, that's either social engineering fraud (missing endorsement) or business interruption sublimits. For service businesses handling sensitive client data, it's often the regulatory fine exclusion or contractual liability gap.
  4. Ask your broker specifically about endorsements. Social engineering coverage, contingent business interruption, and broader war/terrorism carve-backs are available in the market. They cost more, but the baseline cyber form without them may be inadequate for your actual risk profile.
  5. Understand the claims process before you need it. Consent requirements, notification windows, and cooperation obligations are conditions of coverage. Violating them — even unintentionally — jeopardizes your claim. Review The Cyber Liability Claims Process: What Happens After a Breach so you know the sequence.

Cyber liability insurance is a genuinely useful product when it's properly structured. The businesses that get burned are the ones who bought a policy, filed it away, and assumed the problem was solved. It isn't solved until you've verified the coverage actually matches your exposure — and that means understanding every line of what it doesn't cover.

For a broader look at how insurers structure exclusions across policy types, Policy Limits & Exclusions is a useful reference. And if you want to see how cyber exclusions compare to the gaps in general liability, see What General Liability Insurance Does Not Cover.

Retroactive Date

The date in a claims-made policy before which incidents are not covered. Any breach that began prior to this date will be excluded, even if the claim is filed during the active policy period.

Sublimit

A coverage cap within a policy that applies to a specific category of loss — such as ransomware payments or social engineering fraud — regardless of the overall policy aggregate limit.

Business Email Compromise (BEC)

A fraud scheme in which attackers impersonate a trusted party via email to trick employees into transferring funds or sensitive data. Often not covered under base cyber forms without a specific endorsement.

Breach of Condition

A policy defense allowing an insurer to deny a claim when the policyholder failed to meet a security requirement stated in the policy, such as maintaining encryption or multi-factor authentication.

Contingent Business Interruption

Coverage for income losses caused by a disruption at a third-party provider — such as a cloud hosting company or ISP — rather than a direct attack on your own systems. Rarely included in standard cyber policies.

Material Misrepresentation

A false or misleading statement in a policy application that could allow the insurer to void coverage entirely, retroactively, if discovered after a loss.

Nation-State Exclusion

A war or terrorism exclusion applied to cyberattacks attributed to a foreign government or its proxies. The scope and enforceability of this exclusion is actively being litigated in multiple jurisdictions.

Social Engineering Endorsement

An optional add-on to a cyber policy that extends coverage to losses caused by manipulation of employees — such as phishing or impersonation schemes — that result in fraudulent fund transfers or data disclosure.

guide

Cyber Liability Insurance: The Complete Business Owner's Reference

An end-to-end reference covering coverage types, exclusions, the claims process, and premium factors — essential context for any business evaluating cyber coverage.

guide

Cyber Liability vs. Technology E&O Insurance: Sorting Out the Difference

Clarifies how cyber liability and tech errors & omissions policies differ and when your business needs both — critical for technology firms and managed service providers.

guide

Gaps That Leave Businesses Exposed When Their Cyber Policy Falls Short

A detailed look at sublimits, waiting periods, and vague policy language that can undermine a cyber claim even when coverage technically exists.

guide

Common Misconceptions About Cyber Liability Insurance

Addresses the myths that leave businesses dangerously underinsured — from 'only big companies get targeted' to 'my IT team handles this.'

guide

The Cyber Liability Claims Process: What Happens After a Breach

A step-by-step walkthrough of the claims process from incident detection through resolution — including the consent and notification requirements that trip up policyholders.

guide

Cyber Liability Insurance: Evaluating a Policy Before You Sign

A structured checklist for scrutinizing cyber policy terms, sublimits, exclusions, and endorsements before committing to a carrier or renewing coverage.

Marcus Bellingham

Author

Marcus Bellingham

B.B.A. in Finance, University of Texas at Austin, Chartered Property Casualty Underwriter (CPCU)

Marcus Bellingham is a commercial insurance specialist with background in underwriting small-to-mid-size business policies including commercial auto, cyber liability, and specialty lines. He writes to help business owners understand the gaps between personal coverage and the commercial protection their operations actually require. His focus is on practical risk awareness without unnecessary complexity.

commercial autocyber liabilitysmall business insurancecommercial underwriting
View all articles by Marcus Bellingham →

All claims in this article are backed by peer-reviewed research. We follow strict editorial guidelines to ensure accuracy and reliability. Sources available on request from our editorial team.

Disclaimer: The content on Insure Ninja is for informational purposes only and is not a substitute for professional advice. Always consult a qualified professional for guidance specific to your situation.

Related articles