Cyber Insurance Exclusions in the US

Understand what's NOT covered under your US cyber policy, how state laws create gaps, and how to negotiate broader protection.

The critical exclusions in US cyber insurance

Every cyber insurance policy in the US includes exclusions: specific situations the insurer will not cover. Some are standard across the industry; others depend on what you negotiate. What makes US exclusions particularly important is the patchwork of state regulation. A breach that exposes California residents' data, for example, can trigger the CCPA/CPRA private right of action for failing to maintain reasonable security, a liability that does not exist in most other states, and your policy may exclude state-specific compliance failures without you realizing it.

War and cyberwarfare exclusions

The war exclusion is the most controversial exclusion in US cyber insurance. Most policies exclude losses from acts of war and cyberwarfare, and many also exclude terrorism (cyber terrorism is commonly written back in, but check). The problem: a sophisticated nation-state cyber attack could fall under this exclusion even though no shots were fired.

The NotPetya attack of 2017, attributed by the US and UK governments to Russian military intelligence and causing billions in damages, is the test case. The pharmaceutical company Merck claimed roughly $1.4 billion under its property (all-risk) policies, and its insurers invoked the war exclusion. New Jersey courts sided with Merck in 2022 and again on appeal in 2023, holding that an exclusion written for armed conflict did not unambiguously reach a cyber attack, and the parties settled in 2024 before the state supreme court ruled; Mondelez's NotPetya claim against Zurich likewise settled in 2022. Merck prevailed only after years of litigation, and only because its policies used traditional war language. Insurers took the lesson and began rewriting their cyber exclusions so that the next dispute would not go the same way.

In response, the Lloyd's Market Association published model war, cyber war and cyber operation exclusion clauses (LMA5564 through LMA5567, released in 2021), and from March 2023 Lloyd's required every standalone cyber policy in its market to exclude losses from state-backed cyber attacks. These clauses replace vague "war" language with defined tests: whether the attack is attributable to a state, whether it occurs in the course of a war, and whether it causes major detrimental impact to the functioning of the affected state. US carriers have increasingly adopted similar wording. If your policy predates this wave and still carries a traditional war exclusion, you have the same ambiguity Merck had to litigate; if it carries the new wording, you have a defined but deliberately broad exclusion for state-backed attacks. Either way, find out which one you have.

What this means: Ask your broker explicitly: "Does my policy cover cyber attacks attributed to foreign governments or military actors, and what attribution standard does it use?" If the answer is unclear, get the exact war exclusion wording, and any write-back of coverage for state-backed attacks, in writing before you need to make a claim.

HIPAA compliance and healthcare-specific exclusions

Healthcare providers in the US face HIPAA requirements enforced by the HHS Office for Civil Rights. Cyber policies often condition coverage on the safeguards you described in your application and on maintaining them afterwards: encryption of ePHI, audit logging, access controls, and periodic risk analysis, all of which the HIPAA Security Rule expects. If a breach occurs because data sat unencrypted or audit logs were never configured or reviewed, the insurer may deny the claim, or seek to rescind the policy outright, on the ground that you failed to maintain the controls you represented.

The risk is compounded because HHS civil penalties (capped at $1.5M per violation category per calendar year when enacted, and adjusted upward for inflation each year since) are separate from breach response costs. Some policies exclude regulatory fines outright; others cover them only "where insurable by law", which varies by state. Document your HIPAA compliance thoroughly, including the risk analysis and the remediation that followed it; that record is your defense in an exclusion dispute.

State-specific data breach notification gaps

All 50 US states require notification of affected individuals following a breach of personal information, but timelines and content requirements vary. California's breach statute (Civil Code 1798.82, not the CPRA, which governs privacy rights) requires notice in the most expedient time possible and without unreasonable delay, prescribes the headings the notice must carry, and requires a copy to the Attorney General when more than 500 residents are affected. New York's SHIELD Act uses the same "without unreasonable delay" standard, with a 30-day outside limit added in December 2024; the 72-hour figure often quoted for New York applies only to NYDFS-regulated financial firms, which must notify the Department of Financial Services within 72 hours under 23 NYCRR 500. Florida and Colorado set fixed 30-day deadlines. If your cyber policy does not cover the full cost of meeting every applicable state's requirements, you are exposed.

Some policies exclude notification costs entirely or cap them at a sub-limit such as $50,000, far less than the cost of mailing letters and funding credit monitoring for thousands of individuals. The bigger risk is the monitoring obligation: California requires that any identity theft mitigation you offer be free for at least 12 months when Social Security or ID numbers are exposed, and several states (Connecticut and Massachusetts among them) mandate such services outright. A policy that counts these costs against a small notification sub-limit leaves an expensive gap.

Social engineering and fraud exclusions

This is one of the largest coverage gaps in US cyber insurance. Standard cyber policies exclude or sub-limit social engineering fraud: business email compromise, invoice and wire transfer fraud, and losses that follow from a phished credential. If an attacker cons your finance team into wiring $500,000 to a fake vendor account, or a compromised mailbox leads to a $2M misdirected payment, your cyber policy may pay nothing, because the money left through an authorized user's voluntary act rather than through a network intrusion.

Where coverage exists it is often sub-limited to $50,000 or less, far below the typical loss from a major social engineering attack. Crime policies are frequently no better: because the funds were transferred "voluntarily", the computer fraud insuring agreement may not respond either. If this risk is critical for your business, negotiate a dedicated social engineering endorsement (on the cyber or the crime policy, and make clear which one responds first), and expect it to require out-of-band verification of payment and banking changes as a condition of coverage. Many US businesses discover this gap only after a major loss.

Unpatched vulnerabilities and security negligence

A growing number of US policies exclude losses caused by failure to apply a publicly available security patch within a stated window, commonly 30 or 60 days of release, sometimes longer for lower-severity fixes. If the vulnerability was known and a fix existed, the breach is treated as preventable through your own negligence. These exclusions usually key on "critical" patches but rarely define critical (vendor rating? CVSS score? known exploitation?), which invites dispute. Some insurers will waive or narrow the exclusion if you can show a documented patching process with tracked exceptions, even if individual patches were late. That makes the evidence itself valuable: for every affected system you want to be able to show the vendor release date, the installation date, and, where a patch was deferred, the ticket that recorded the risk decision.
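As an added illustration (not from the original page or from any insurer's form), the script below turns a patch inventory into the kind of evidence just described: days between vendor release and installation for each host, judged against per-severity windows, with a late patch counted as a documented exception only when a risk-acceptance ticket exists. The thresholds, host names, patch identifiers and dates are all constructed assumptions; substitute the windows written into your own policy.

```python
"""Patch-window evidence report. Illustrative only; thresholds and data are made up."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Days allowed between vendor release and installation, by severity.
# Hypothetical thresholds: replace with the windows in your policy wording.
WINDOW_DAYS = {"critical": 30, "high": 60, "medium": 90}


@dataclass
class PatchRecord:
    host: str
    patch_id: str                    # vendor advisory reference
    severity: str                    # key into WINDOW_DAYS
    released: date                   # day the vendor published the fix
    installed: Optional[date]        # None while the fix is still missing
    exception: Optional[str] = None  # risk-acceptance / change ticket, if any


def days_exposed(rec: PatchRecord, as_of: date) -> int:
    """Days the fix was available but not installed, measured up to `as_of`."""
    end = rec.installed if rec.installed is not None else as_of
    return (end - rec.released).days


def evaluate(rec: PatchRecord, as_of: date) -> dict:
    """Classify one record against the policy window for its severity."""
    window = WINDOW_DAYS[rec.severity]
    exposed = days_exposed(rec, as_of)
    if exposed <= window:
        status = "within_window"
    elif rec.exception:
        status = "documented_exception"  # late, but tracked and approved
    else:
        status = "overdue"               # the state an exclusion targets
    return {
        "host": rec.host,
        "patch_id": rec.patch_id,
        "severity": rec.severity,
        "days_exposed": exposed,
        "window_days": window,
        "installed": rec.installed is not None,
        "status": status,
    }


def report(records, as_of: date) -> dict:
    """Per-host rows plus a count per status, suitable for a claim file."""
    rows = [evaluate(r, as_of) for r in records]
    counts = {"within_window": 0, "documented_exception": 0, "overdue": 0}
    for row in rows:
        counts[row["status"]] += 1
    return {"as_of": as_of.isoformat(), "counts": counts, "rows": rows}


def overdue_hosts(records, as_of: date) -> list:
    """Hosts with an untracked, out-of-window patch: fix these first."""
    rows = report(records, as_of)["rows"]
    return sorted(r["host"] for r in rows if r["status"] == "overdue")


# Constructed sample inventory: hosts, advisory ids and dates are invented.
AS_OF = date(2025, 6, 30)
SAMPLE = [
    PatchRecord("web-01", "ADV-2025-041", "critical", date(2025, 5, 1), date(2025, 5, 20)),
    PatchRecord("web-02", "ADV-2025-041", "critical", date(2025, 5, 1), None),
    PatchRecord("db-01", "ADV-2025-017", "high", date(2025, 4, 1), date(2025, 6, 15)),
    PatchRecord("app-01", "ADV-2025-035", "medium", date(2025, 4, 15), date(2025, 6, 1)),
    PatchRecord("legacy-01", "ADV-2025-009", "critical", date(2025, 3, 1), None,
                exception="RISK-118"),
]

if __name__ == "__main__":
    import json
    print(json.dumps(report(SAMPLE, AS_OF), indent=2))
```

Note that db-01 is flagged even though the patch is now installed: it sat unpatched for 75 days against a 60-day window, so a breach during that interval would fall squarely inside the exclusion. The report is only as good as the inventory feeding it; pull release and install dates from your patch management system rather than maintaining them by hand.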

More broadly, policies exclude coverage if you failed to maintain "reasonable security controls", but "reasonable" is undefined and leads to disputes. In practice the standard is set by the application questionnaire: insurers now ask specifically about MFA on remote access and email, endpoint detection and response, offline or immutable backups, and privileged-account management, and an inaccurate answer can support rescission of the entire policy, not just denial of one claim. Expectations vary with industry and company size. Get the specific controls the insurer relies on in writing, and make sure the answers on the application match what is actually deployed, before you need to make a claim.

Business interruption and consequential loss exclusions

Cyber policies cover business interruption while systems are down (lost net profit plus extra expense, after a waiting period that is typically 8 to 12 hours, for an indemnity period that is itself capped), but they exclude consequential losses. If a breach causes you to lose a major customer permanently, or your company valuation drops 20%, the policy will not cover that loss. It pays for the profit you lost while the system was down, not for the client who never comes back or the reputational damage that persists. Outages at a vendor or cloud provider fall under separate "dependent" or "contingent" business interruption coverage, which is often sub-limited or restricted to named providers.

This exclusion matters most in regulated industries (healthcare, financial services) where reputational damage can be catastrophic. If regulatory penalties or loss of clients are your biggest breach risks, make sure the policy covers legal defense costs and regulatory response, even though consequential damages are excluded.

Critical: US cyber policies vary significantly by state, industry, and insurer form. Always have a specialist broker review your specific policy language; don't assume something is covered just because it sounds like cyber insurance. State-specific regulations (California, New York, Florida) often create unexpected exclusion gaps.

Don't let exclusions leave you uninsured

Get a specialist US broker to review your policy and identify coverage gaps specific to your state, industry, and risk profile.

Last updated: April 2026