Cyber Insurance Exclusions

What's NOT covered, why it matters, and how to negotiate for broader protection.

Understanding what your cyber insurance doesn't cover is just as important as knowing what it does. Every cyber policy includes exclusions — specific situations or losses the insurer won't pay for. Some are standard across the industry; others depend on how you've negotiated your coverage. Gaps in coverage can leave you exposed to significant financial loss.

Common Exclusions Explained

War and Terrorism Exclusion

This is the most contested exclusion in cyber insurance. Cyber policies traditionally exclude claims arising from acts of war, and usually civil unrest and terrorism as well. The problem: nation-state cyber attacks, which include some of the most damaging incidents on record, can fall under this exclusion if the attacker is treated as a hostile foreign power, and the traditional wording was written for kinetic conflict, so neither side knows in advance how it applies to malware. Lloyd's now requires standalone cyber policies written in its market to carry an explicit, cyber-specific exclusion for state-backed attacks, with model wordings published by the Lloyd's Market Association (see the dedicated section below on the war exclusion debate). Whichever wording your policy uses, check exactly which state-linked attacks are excluded and which are given back; otherwise your "cyber insurance" might leave you uninsured against the attacks that large organisations and critical infrastructure operators most fear.

Prior Known Incidents

Your policy will not cover any cyber incident you knew about before the policy start date. In the narrowest wordings "knew about" means actual knowledge: you had discovered a breach or a specific vulnerability. Broader wordings use a constructive-knowledge test ("knew or ought reasonably to have known"), under which unreviewed alerts, scan results or log entries that pointed to a compromise can be argued to count. The exclusion exists to stop insurers covering losses that had already occurred, but the definition decides how far it reaches: clarify in writing whether routine vulnerability scans, open tickets or logs that hint at a compromise count as "knowledge", and whose knowledge within the organisation is attributed to the business.

Unpatched Known Vulnerabilities

Many policies exclude losses caused by failure to apply a critical security patch that was publicly available before the incident. The logic: if the vulnerability was known and a fix existed, the breach was preventable. Some policies define this narrowly (only patches the vendor rated critical, released more than 30 or 60 days before the breach), while others are broader and leave "critical" undefined. Make sure you understand the timeline, what counts as a "critical" patch under your policy, and whether the clock starts at the vendor's release date or at the date you became aware of it. Then keep the evidence: patch release dates, deployment dates per asset, and a written exception (with compensating controls) for every system where the patch could not be applied. Without that record you cannot show which side of the grace period you were on when the incident occurred.
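The record-keeping described above can be checked mechanically. The script below is an added example, not code from the original page or from any insurer: it takes a per-asset patch inventory and an incident date and classifies each asset against a hypothetical exclusion that bites when a critical patch had been available for more than a grace period and was not applied. The asset names, advisory identifiers, dates and the exception text are all constructed for the demonstration, and the grace period and severity threshold are parameters because they vary between wordings.

```python
"""Evidence check for an 'unpatched known vulnerability' exclusion.

Added example, not code from the original page or any insurer. It assumes a
policy wording that excludes losses caused by a *critical* patch that was
publicly available more than grace_days before the incident and had not been
applied. All asset, advisory and date data below are constructed for the demo.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class PatchRecord:
    asset: str
    advisory: str                    # vendor advisory or CVE id (constructed here)
    severity: str                    # vendor/CVSS rating as the policy defines it
    released: date                   # date the fix became publicly available
    applied: Optional[date]          # date it was deployed on this asset, or None
    exception: Optional[str] = None  # documented reason it could not be applied


def exclusion_status(rec: PatchRecord, incident: date, grace_days: int = 30,
                     in_scope=("critical",)) -> tuple:
    """Classify one asset/patch pair as of the incident date.

    Returns (status, days_overdue). Statuses:
      not_in_scope             severity below the threshold, or fix released after the incident
      patched_before_incident  fix deployed on or before the incident date
      within_grace             unpatched, but the grace period had not yet expired
      documented_exception     unpatched past the grace period, written exception on file
      exposed                  unpatched past the grace period, nothing on file
    """
    if rec.severity.lower() not in in_scope or rec.released > incident:
        return "not_in_scope", 0
    if rec.applied is not None and rec.applied <= incident:
        return "patched_before_incident", 0
    deadline = rec.released + timedelta(days=grace_days)
    if incident <= deadline:
        return "within_grace", 0
    overdue = (incident - deadline).days
    if rec.exception:
        return "documented_exception", overdue
    return "exposed", overdue


def evaluate(records, incident: date, grace_days: int = 30) -> list:
    """Run exclusion_status over an inventory; one row per record."""
    rows = []
    for rec in records:
        status, overdue = exclusion_status(rec, incident, grace_days)
        rows.append({"asset": rec.asset, "advisory": rec.advisory,
                     "status": status, "days_overdue": overdue})
    return rows


# Constructed inventory. The incident is taken to have occurred on 2024-03-15.
INCIDENT = date(2024, 3, 15)
SAMPLE_RECORDS = [
    PatchRecord("web-01", "ADV-2024-001", "critical", date(2024, 1, 10), date(2024, 1, 20)),
    PatchRecord("web-02", "ADV-2024-001", "critical", date(2024, 1, 10), None),
    PatchRecord("web-04", "ADV-2024-001", "critical", date(2024, 1, 10), date(2024, 3, 20)),
    PatchRecord("hmi-03", "ADV-2024-001", "critical", date(2024, 1, 10), None,
                exception="vendor-locked OT controller; compensating control: isolated VLAN"),
    PatchRecord("db-01", "ADV-2024-007", "critical", date(2024, 3, 1), None),
    PatchRecord("app-01", "ADV-2024-003", "high", date(2023, 11, 5), None),
    PatchRecord("app-02", "ADV-2024-009", "critical", date(2024, 3, 20), None),
]


if __name__ == "__main__":
    # Run the same inventory against both grace periods mentioned in the text.
    for grace in (30, 60):
        print(f"--- grace period {grace} days, incident {INCIDENT} ---")
        for row in evaluate(SAMPLE_RECORDS, INCIDENT, grace):
            print(f"{row['asset']:<8} {row['advisory']:<13} {row['status']:<24} "
                  f"overdue={row['days_overdue']}")
```

Two details matter for a claim. A patch applied after the incident (web-04) is still "exposed", because the exclusion is judged as of the incident date, not the date you eventually caught up. And a system that cannot be patched (hmi-03) is only defensible if the exception and its compensating control were written down before the incident; the script surfaces it as a separate status so you can check that the paperwork exists. In practice the inventory would come from your patch management export, and the report should be kept with timestamps as part of the evidence pack.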

Failure to Maintain Minimum Security Standards

Policies often exclude coverage if you failed to maintain the baseline security controls you declared in the proposal form, such as multi-factor authentication (MFA), encryption of sensitive data, tested backups, or network segmentation. This exclusion has become more common as cyber insurance has matured: insurers now expect policyholders to meet a minimum standard of care, and a deliberate or reckless misstatement on the proposal form can be grounds for avoiding the policy altogether. The risk: vague language like "reasonable security measures" or "industry-standard controls" invites disputes. When reviewing a policy, insist on specific, documented requirements that you can verify you meet, and treat the controls you declared when applying as promises you must keep for the life of the policy.

Bodily Injury and Property Damage

Cyber policies explicitly exclude bodily injury (physical harm, sickness or death) and damage to tangible property. These are the province of general liability and property insurance. Note that "personal injury" in the media-liability sense (defamation, invasion of privacy, emotional distress following a data breach) is treated differently from one wording to the next, so check whether it is covered rather than assuming it falls under this exclusion. The boundary can be blurry in both directions: if a cyber attack causes a power outage that leads to someone being injured, or data theft leads to identity theft and emotional distress, disputes may arise about which policy, if any, responds.

Intentional Acts by Employees

Policies typically exclude losses caused by dishonest, fraudulent or criminal acts of the insured. If a director deliberately deletes data or exfiltrates client information, the insurer will not pay. Many policies carve back losses caused by a rogue employee (someone acting alone and against the interests of the business, without the knowledge of senior management), and the carve-back usually reimburses the business's loss rather than protecting the individual, though proving that nobody senior knew can be hard. Check who counts as "the insured" for this purpose; collusion with, or misconduct by, management is usually not covered.

Infrastructure Failures

Cyber insurance does not cover losses from failures in the underlying internet or power infrastructure: outages affecting your entire city, internet backbone failures, or power grid collapse. The exception: if a cyber attack CAUSES the infrastructure failure (like an attack on a power utility), coverage may apply. But a natural power outage or ISP failure is not an insured cyber incident. Check how the policy defines "infrastructure", too: some wordings extend it to third-party cloud and SaaS providers, which removes cover for a provider outage unless dependent business interruption is bought back as an extension.

Loss of Future Revenue and Market Value

Cyber policies cover business interruption (lost profit and extra expense while systems are down, after the policy's waiting period and within its indemnity period), but generally exclude consequential losses like reduced customer confidence, permanent loss of market share, or a decline in company valuation. These are treated as uninsurable because they are too speculative to measure. Your policy covers the profit lost during the outage, but not the client who never comes back.

Contractual Penalties Beyond Legal Requirements

Most policies exclude liability you assumed by contract that goes beyond what you would owe at law. If your service-level agreement (SLA) promises a customer £1M in liquidated damages for downtime, but the damages a court would award for the same outage are £100K, the insurer may pay only the latter. This is a growing risk as customer contracts include larger liquidated damages and penalty clauses; read the exclusion alongside your largest contracts, and ask whether contractual liability can be bought back.

Improvement Costs

Cyber insurance pays to restore your systems to their pre-incident state, not to upgrade them. If a breach reveals that your infrastructure is outdated and needs replacing with modern systems, the insurer will pay to rebuild what you had, not to improve it; some insurers offer a limited "betterment" extension, so ask. This can create a perverse incentive to stay with legacy systems, and it collides with the unpatched-vulnerability and minimum-standards exclusions above: rebuilding the same unpatched estate may leave you uninsurable for the next incident.

Social Engineering and Fraud

Social engineering fraud (business email compromise, invoice redirection, CEO fraud, payment diversion) is often excluded from standard cyber policies, or included only with a low sub-limit (£50K or less) and, frequently, a condition that you verified the payment instruction through a second channel before paying. If this risk matters to your business, negotiate a social engineering or funds transfer fraud endorsement, or check whether your crime policy responds, and confirm which policy pays first so the two insurers cannot each point at the other. Many businesses discover this gap only after a major loss.

Voluntary Shutdown

If you voluntarily shut down your systems as a precaution without a confirmed incident, you may not be covered; most policies require evidence of an actual attack, not just suspicion, before business interruption cover responds. This creates a dilemma: shut down immediately to contain damage (risking no coverage) or wait for confirmation (risking greater damage). Ask whether the policy covers reasonable precautionary shutdowns when the insurer's incident hotline is notified first, and write the answer into your incident response plan so the on-call team is not making a coverage decision in the middle of the night.

The War Exclusion Debate

The cyber war exclusion is the single most important exclusion to understand, because it represents a fundamental gap in many cyber policies and because its wording has changed. Here's what happened:

In 2017, the NotPetya malware hit thousands of organisations worldwide and caused billions of dollars in damage. It was widely attributed to Russian military intelligence. The pharmaceutical company Merck claimed under its property insurance programme (an "all risks" policy that extended to cyber loss, not a standalone cyber policy), and its insurers invoked the war exclusion, arguing that a state-sponsored attack was a "hostile or warlike action". Merck sued. In 2022 a New Jersey court held that the exclusion, written for armed conflict, did not apply to the malware; the appellate court agreed in 2023, and the parties settled in early 2024 before the state's supreme court ruled. The food company Mondelez had a similar NotPetya dispute with its insurer, which also settled. Policyholders prevailed, but only after years of litigation, and on wording that the market has since replaced.

The NotPetya litigation exposed two problems: traditional war exclusions written for physical warfare are ambiguous when applied to cyber attacks, and attribution of an attack to a state is contested and slow. The market's response was to write cyber-specific exclusions. The Lloyd's Market Association (the trade body for Lloyd's managing agents, which publishes model policy wordings) issued a set of model clauses (LMA5564 to LMA5567, later revised) that exclude losses from cyber operations carried out in the course of a war or by or on behalf of a state, and Lloyd's required standalone cyber policies written in its market to carry such an exclusion from 31 March 2023. The variants differ in how much they give back: the narrower ones exclude only attacks that significantly impair the functioning or security capability of a state and carve back cover for organisations hit as collateral damage, while the broadest exclude state-backed attacks outright. These clauses are now common in new cyber policies well beyond the Lloyd's market.

What this means for you: if your policy predates these wordings it may still carry a traditional war exclusion whose application to a cyber attack is unpredictable; if it is newer, it almost certainly carries an explicit state-backed attack exclusion, and the question is how broad. Either way a sophisticated nation-state attack could go uninsured. Ask your broker explicitly: "Which cyber war exclusion variant is in my policy, how is attribution to a state decided, and what is carved back?" If the answer is unclear, or the exclusion is the broadest variant, renegotiate.

How to Handle Exclusions

Exclusions are not immovable. Here's how to improve your coverage:

  • Work with a specialist broker: A good broker knows the market and can negotiate endorsements to narrow exclusions or carve out coverages you need. Don't accept a policy as written; ask for amendments.
  • Add endorsements for key gaps: If social engineering is a major risk for your business, pay extra for a social engineering endorsement. If war coverage is important, ensure you have an explicit cyber-war carve-out in writing.
  • Document your security controls: If you maintain robust security controls (MFA, encryption, regular patching), make sure the insurer knows. Some policies will waive or narrow exclusions for security failures if you can prove compliance.
  • Ensure war exclusion language is narrow: Insist on an explicit definition of what is and is not excluded, including how attribution is decided and what is carved back. Don't accept vague language that could sweep in any attack an insurer later chooses to attribute to a state.

Red Flags in Policy Wording

When reviewing a cyber insurance policy, watch for these red flags that suggest poor coverage:

  • Vague security requirements: "Failure to maintain reasonable security" is too vague. You need specific, measurable controls (e.g., "MFA on all administrative accounts", "encryption of data at rest using NIST-approved algorithms").
  • Overly broad war or terrorism exclusion: If the policy doesn't explicitly carve out cyber-specific attacks, you're exposed. Ask for a cyber-war endorsement in writing.
  • Low or undefined sub-limits: A policy that doesn't clearly state sub-limits for major coverages (ransomware, notification, business interruption) is a liability. Unknown limits can mean nasty surprises when you file a claim.
  • Restrictive notification requirements: Some policies require you to notify the insurer within 24 hours of discovering a breach, or "as soon as practicable", and late notice can be grounds for denial. Make sure the timeline is achievable, find out what counts as "discovery" (the first alert, or the moment someone senior is told), and put the insurer's hotline number and deadline into your incident response runbook so notification is a step, not an afterthought.
  • Requirement to use specific vendors: Some policies require you to use insurer-appointed incident response firms or legal counsel. Panel vendors often come at pre-agreed rates and know the claims process, but this limits your choice and can slow the first hours if the panel firm has no familiarity with your environment. Negotiate the right to use your own vendors, or at least pre-approval of a named firm, before you need them.
  • No coverage for unpatched legacy systems: If your business relies on older systems that aren't regularly patched (common in healthcare and manufacturing), an exclusion for unpatched vulnerabilities could be catastrophic. Carve out an exception for systems where patches aren't available or would break critical operations.

Important: Exclusions and policy wording vary significantly between insurers and policy versions. Always have a specialist broker review your specific policy language before you need to make a claim. Don't assume something is covered just because it sounds like cyber insurance.

Ready to find cyber insurance with the right coverage for your business?

Get a Quote → and we'll connect you with a broker who can explain every exclusion and negotiate the gaps that matter most to your risk profile.
