Skip to content

Exclusions in Cyber Insurance Coverage

Learn about what cyber liability insurance does not cover, unpatched known vulnerabilities, phishing attacks, social engineering, and more, through the Frequently Asked Questions (FAQs) below. Please schedule a free consultation, if you are looking for security experts to help you implement security controls and reduce your cyber insurance premium. 

Table of Contents

What does cyber liability insurance NOT cover? 

 

Cyber liability insurance contains a range of standard exclusions that limit or eliminate coverage in specific circumstances. Common exclusions include: losses arising from war, acts of terrorism, or nation-state cyberattacks (though the scope of war exclusions is actively litigated and varies by policy); prior known incidents or breaches the insured was aware of before the policy inception date; losses caused by the insured’s intentional or fraudulent acts; bodily injury and tangible property damage, which are typically addressed under general liability or property policies; infrastructure failures unrelated to a cyber event, such as utility power outages; and unpatched vulnerabilities the insured knew about and failed to remediate. Losses from insider theft may be covered under a crime policy rather than a cyber policy. Systemic technology concentration events, such as a major cloud provider outage, are increasingly sublimited rather than excluded. Reading the exclusions section of a cyber policy is as important as reading the coverage grants, since coverage scope and exclusion scope together define what is actually protected. 

 

Does cyber liability insurance cover nation-state or state-sponsored cyberattacks? 

 

Nation state and state sponsored cyberattacks fall into a genuinely contested part of cyber liability insurance. Most policies carry a war or hostile acts exclusion, and insurers have tried to apply it to government attributed incidents, most notably the 2017 NotPetya attack, attributed to Russia’s military intelligence service. In the closely watched Merck v. ACE American case, US courts rejected that argument and found the exclusion did not apply, though the case settled in 2024 before a final precedent was set. Lloyd’s of London mandated in 2023 that standalone cyber policies address state backed attacks, but the most common resulting clause, LMA5567, only excludes attacks that cause major damage to a state’s core functions, not nation state attacks generally. Coverage still comes down to your policy’s exact wording, how attribution is determined, and where a dispute is heard, so it is worth asking your broker directly how state sponsored incidents are treated. 

 

Does cyber liability insurance cover a data breach caused by an employee? 

 

Cyber liability insurance generally covers data breaches caused by employee negligence, such as falling for a phishing email, misconfiguring a database, or accidentally emailing sensitive data to the wrong recipient, because these are unintentional acts that fall within the scope of covered events. However, most policies exclude losses arising from intentional, dishonest, or fraudulent acts by employees acting with malicious intent, for example, an employee who deliberately steals and sells customer data. The distinction between negligent and intentional acts is important and may be contested in claims where the employee’s intent is unclear. Insider theft of funds or data is more commonly addressed under a commercial crime policy, which covers dishonest acts by employees, rather than under a cyber policy. Buyers with significant insider threat exposure should confirm how their cyber and crime policies interact and whether any coverage gap exists between the two.

 

Does cyber liability insurance cover losses from a known, unpatched vulnerability? 

 

Cyber liability insurance typically does not cover losses arising from a vulnerability that the insured knew about and failed to remediate within a reasonable timeframe. This exclusion is grounded in the principle of insurable risk: insurers expect policyholders to take reasonable steps to mitigate known exposures, and willful failure to patch a documented vulnerability is generally treated as a failure of due care. Many underwriters explicitly ask applicants whether they have a patch management program and how quickly critical patches are applied; misrepresenting patch compliance can result in rescission of coverage. In practice, the exclusion is most cleanly applied when a threat actor exploits a vulnerability for which a vendor-issued patch was publicly available and the insured had failed to apply it within a defined window, for example, more than 30 days after a critical Common Vulnerabilities and Exposures (CVE) advisory. Organizations with legacy systems or complex environments should engage their broker on how this exclusion is worded and enforced in their specific policy.

 

Does cyber liability insurance cover phishing attacks and social engineering? 

 

Cyber liability insurance typically covers the consequences of phishing attacks, such as credential theft leading to a network intrusion or data breach, under the network security and data breach response coverage sections of the policy. However, direct financial fraud losses resulting from social engineering (where an employee is manipulated into transferring funds or sharing credentials) require a specific social engineering fraud or funds transfer fraud endorsement, which is a separate and often sublimited coverage not automatically included in all cyber policies. The distinction matters in practice: if a phishing email leads to ransomware deployment, the resulting costs are generally covered under standard cyber coverage; if the same phishing email persuades an employee to wire $500,000 to a fraudulent account, that financial loss requires the social engineering endorsement. Buyers should confirm that both coverages are present if their organization processes wire transfers or other financial transactions that could be targeted by business email compromise.

 

Does cyber liability insurance cover a breach originating at a third-party vendor? 

 

Cyber liability insurance can cover losses resulting from a breach at a third-party vendor, but the type and extent of coverage depend on how the breach affects the insured and which coverage sections are triggered. If a vendor breach exposes the insured’s customer data, for example, a payroll processor is compromised and employee PII is stolen, the insured’s data breach response and third-party liability coverages typically respond to the insured’s notification obligations and any resulting lawsuits, because the insured is still responsible for the data regardless of where the breach occurred. If the vendor breach causes the insured’s own systems to be disrupted, contingent business interruption (CBI) coverage may respond to revenue losses. However, CBI sublimits are common and may be lower than first-party BI limits. The insured’s right of recovery against the breached vendor exists separately from insurance and should be pursued in parallel. Buyers with material third-party dependencies, cloud providers, managed service providers, SaaS platforms, should map vendor exposures and confirm CBI sublimit adequacy. 

 

Does cyber liability insurance cover infrastructure failures such as power outages? 

 

Cyber liability insurance does not cover losses caused by infrastructure failures that are unrelated to a cyber event, such as a utility power outage, a telecommunications network failure, or a natural disaster that disrupts physical systems. These perils are addressed under different insurance products, commercial property insurance, business interruption insurance, and utility services coverage. Cyber policies are specifically designed to respond to digital incidents: network intrusions, malware, data theft, and cyber-enabled system failures. The distinction becomes nuanced in cases where a cyber attack deliberately targets infrastructure, for example, a malware-caused power grid disruption. In those cases, a cyber policy may respond, though nation-state involvement could trigger the war exclusion. Organizations seeking coverage for technology service disruptions caused by their cloud or internet service providers should look specifically at contingent business interruption coverage and confirm whether the policy covers non-malicious vendor outages, which some policies exclude or sublimit separately from malicious cyber events.

 

 

All FAQs and their responses are provided for informational and reference purposes. They do not constitute legal, insurance, or regulatory advice. Organizations should consult a licensed cyber insurance broker and qualified legal counsel for guidance specific to their risk profile, jurisdiction, and coverage needs.

 

Explore Blogs, Webinars and other Resources

Trusted by Reputed Companies

pVerify, Inc.
Electronic Data Solutions
Bernard Robinson & Company
Avance Care
iCliniq
Botsplash
Logically
Mr.Internet Systems
Vision Radiology
Tangible Solutions
Tangible Solutions
WorkSmart
Triyam
Med First Primary and Urgent Care
Arizona State Radiology
DataCaliper
Dose Spot Company Logo
DoseSpot
Forsyte I.T. Solutions
Tego Data

Accreditations and Associations

* Disclaimer: This list of accreditations is held by our team of employees and consultants.

What Our Clients Say

We used databrackets (formerly EHR 2.0) in our small medical practice for our risk analysis assessment to be in compliance with meaningful use. Their response was fast, the final report is detailed but simple and easy to follow. They were always available to answer our questions.
E. Compres
Pulmonary and Sleep Center of the Valley
I never miss the opportunity to learn something new …that’s why I am always registering to all free seminars offered on the web. databrackets (formerly EHR 2.0) happened to be the friendliest, comprehensive and up-to- date source of HIPAA Privacy and Security updates.
Alexandra V.
Community Healthcare Network
Today’s presentation was great! Thank you for sending the slides. My only feedback is that it would be fabulous to have the slides ahead of time so I could print them and take notes on the slides.Thanks for your time and knowledge today!
T.B., PM
Community Health Network
Particularly interesting was the flow chart on Administrative Simplification. I utilize all of the Security subcategories you list under the Security tile and appreciate knowing that I am hitting all of the relevant topics during my employee training.
Jessica B.
JD, CHC
I have re-worked our original risk assessment….We are using databrackets' (formerly EHR 2.0) Meaningful Use Security Risk Analysis Toolkit and it meets our needs. It was easy to use and I believe that it very beneficial to our meeting meaningful use.
Bill Curtis
Neurosurgical Associates Of Texarkana, TX
Information (webinars) presented by databrackets (formerly EHR 2.0) highlights some of today’s most demanding healthcare topics. The webinars help to direct those operating in today’s rapidly changing environment in the right direction.
Candace M.
Privacy and Security Officer, Springhill Medical Center

Our Growing List of Credentials

0 +
Assessments
0 +
Clients
0 +
Assessment Libraries
0 +
Years of Experience
0 +
No. of Staff Trained
0 +
HIPAA
0 +
SOC 2 Readiness
0 +
Pen Testing
0 +
ISO 27001 Certifications
0 +
Dollars Saved in Compliance Penalties