How Cybersecurity Insurance Policies Work: Coverage, Gaps, and Skyrocketing Premiums
Cyber insurance covers data breach costs and ransomware response—but with significant gaps. Learn first-party vs third-party coverage, underwriting requirements, and why premiums have surged.
The Insurance Market That Collapsed Under Ransomware Claims
In 2021, ransomware payments tracked by blockchain analytics firm Chainalysis totaled $602 million—nearly double the 2020 figure. Colonial Pipeline paid $4.4 million to DarkSide ransomware operators in May 2021 (later partially recovered by the FBI). JBS Foods paid $11 million to REvil. Insurance companies that had been happily collecting premiums for cyber policies discovered, almost simultaneously, that their loss ratios had exploded. The combined ratio for cyber insurance in 2021 reached 107%—meaning insurers paid out $1.07 in losses and expenses for every $1.00 in premium collected. Premiums doubled in 2021, then rose another 50% in 2022. Coverage terms tightened. Ransomware sublimits appeared. The market restructured around a reality it had underpriced for years.
First-Party vs. Third-Party Cyber Coverage
Cyber insurance policies bundle two distinct types of coverage that address fundamentally different risks.
First-party coverage addresses costs the insured incurs directly from a cyber incident:
- Incident response costs: forensic investigators, breach coaches, legal counsel engaged to manage the incident
- Data recovery and restoration: rebuilding encrypted or corrupted systems, recovering data from backups
- Business interruption losses: revenue lost during downtime (typically subject to a waiting period of 8–12 hours)
- Ransomware payments: the actual payment to attackers (where legal and covered)
- Notification costs: mailing breach notifications to affected individuals as required by state law
- Credit monitoring: providing free monitoring services to breach victims
- Public relations: crisis communications management
Third-party coverage protects against claims made by others who suffered harm because of your breach:
- Liability for exposing customers' personally identifiable information (PII)
- Payment card industry (PCI) fines and assessments from card brands after a cardholder data breach
- Regulatory defense and fines (coverage for regulatory fines varies significantly and some are uninsurable)
- Media liability for copyright infringement or defamation in online content
What Policies Actually Cover in 2024
| Coverage Component | Typically Included | Common Limitations |
|---|---|---|
| Ransomware payment | Yes (in most policies) | Sublimit (e.g., $500K on a $2M policy); OFAC compliance required |
| Business interruption | Yes | 8–72 hour waiting period; contingent BI for third-party vendors limited |
| Data breach notification | Yes | Usually full coverage up to policy limit |
| Social engineering/fraud | Sometimes (with rider) | Often sublimited; requires verification controls |
| Nation-state attacks | Increasingly excluded | War exclusion clauses expanding post-Ukraine conflict |
| Prior acts | Sometimes (retroactive date) | Incidents occurring before retroactive date excluded |
| Infrastructure failure | Rarely | Most exclude non-malicious cloud or utility outages |
Underwriting Requirements Have Dramatically Tightened
Before 2021, cyber insurance was relatively easy to obtain. Applicants answered a basic questionnaire—do you use antivirus software?—and premiums were low. The claims surge changed everything. Modern cyber underwriting looks more like a security audit.
- Multi-factor authentication (MFA) is now required for remote access and privileged accounts—applicants without it face rejection or extremely high premiums
- Endpoint detection and response (EDR) tools must be deployed across endpoints
- Regular backups with tested restore procedures, including offline or immutable backups, are typically required
- Email filtering, including anti-phishing and business email compromise controls, is expected
- Vulnerability scanning and patch management programs must be documented
- Incident response plans must exist and have been tested within the past 12 months
Carriers now commonly perform external security scans of applicants' internet-facing infrastructure before issuing quotes. Companies with exposed Remote Desktop Protocol (RDP) ports or unpatched critical vulnerabilities visible from the internet will face significant challenges obtaining coverage.
Premium Trends and Market Dynamics
| Year | Average Premium Change (Year-Over-Year) | Key Driver |
|---|---|---|
| 2019 | +5% | Market growth; few major incidents |
| 2020 | +22% | COVID-related remote work attacks; early ransomware surge |
| 2021 | +95% | Colonial Pipeline, JBS, Kaseya; loss ratios collapse |
| 2022 | +50% | Continued ransomware; LockBit, BlackCat emerge |
| 2023 | +11% | Market stabilizes; improved underwriting standards |
| 2024 | +3% to +8% (est.) | Continued moderation; AI-driven phishing adding new risks |
The Coverage Gaps That Catch Policyholders Off Guard
The war exclusion is the most consequential emerging gap. After Russia's NotPetya malware attack in 2017 caused an estimated $10 billion in global damage—affecting companies like Merck, FedEx, and Maersk—insurance companies began litigating whether such attacks constituted "acts of war" excluded from coverage. Merck sued its insurers in a landmark case; a New Jersey court ruled in Merck's favor in 2021, finding the war exclusion didn't apply to nation-state cyberattacks on commercial entities. Lloyd's of London subsequently mandated that its syndicates add explicit cyber war exclusions to policies beginning in 2023.
- Systemic risk events—widespread infrastructure attacks affecting thousands of companies simultaneously—may exhaust aggregate industry capacity to pay claims
- Contingent business interruption from third-party cloud or SaaS outages is typically excluded or sublimited below meaningful levels
- Reputational harm from a breach—loss of customers who leave after a data breach—is generally not covered
- Bodily injury or property damage resulting from a cyberattack (e.g., a hack of a medical device or industrial control system) may fall under a general liability policy rather than the cyber policy
This article is for informational purposes only and does not constitute financial advice. Cyber insurance policy terms vary significantly. Consult a licensed insurance professional to evaluate coverage for your organization's specific risk profile.