Cyber Insurance Exclusions: What's NOT Covered in 2026
Critical guide to cyber insurance exclusions and coverage gaps. Learn what most policies don't cover, from unencrypted devices to nation-state attacks, and how to protect your business from blind spots.
Buying cyber insurance feels like buying peace of mind — until you file a claim and discover the attack that crippled your business falls into an exclusion. The difference between a covered incident and a denied claim often comes down to fine print that most buyers never read.
After analyzing hundreds of cyber insurance policies, we’ve identified the most common exclusions that catch businesses off guard. Understanding these gaps is essential whether you’re purchasing your first policy or renewing existing coverage.
The 12 Most Common Cyber Insurance Exclusions
1. Unencrypted Portable Devices
The exclusion: Losses arising from unencrypted laptops, USB drives, or mobile devices are frequently excluded or subject to reduced limits.
Real scenario: A sales rep’s laptop is stolen from a car. The laptop contained 15,000 customer records. The insurer denies the claim because the drive wasn’t encrypted: the laptop had only an operating-system login password, which does nothing to protect data at rest once the drive is pulled or the machine is booted from other media.
How to address it:
- Implement full-disk encryption on all portable devices (BitLocker, FileVault) and escrow the recovery keys
- Document the encryption policy and verify compliance per device, not per policy statement: a BitLocker volume whose protectors are suspended, or a Mac whose initial encryption never finished, is encrypted in name only
- Use mobile device management (MDM) to enforce encryption and to collect the per-device status you will need as evidence at claim time
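Verifying the warranty means checking what each device actually reports, not what the policy document says. The following added example (not code from the article) parses the text that `manage-bde -status` (Windows, BitLocker) and `fdesetup status` (macOS, FileVault) print, as an MDM or login script might collect it from every laptop, and lists the devices that would fail an "all portable devices encrypted" warranty. The field labels are what the two tools print; the hostnames and the sample outputs are constructed for the example, and it treats a suspended BitLocker volume ("Protection Off") and an in-progress FileVault conversion as failures because both leave data readable.

```python
"""Fleet check for a full-disk-encryption warranty (added example).

Parses `manage-bde -status` and `fdesetup status` output collected from each
laptop and reports devices that would fail an "all portable devices encrypted"
warranty. Sample outputs and hostnames below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class DeviceStatus:
    host: str
    platform: str    # "windows" or "macos"
    encrypted: bool  # every byte of the volume is ciphertext
    protected: bool  # a key protector is enforced (BitLocker not suspended)
    detail: str


def parse_bitlocker(host: str, text: str) -> list[DeviceStatus]:
    """One DeviceStatus per volume in `manage-bde -status` output."""
    # Each volume section starts with "Volume C: [label]"; the capturing group
    # makes re.split return [preamble, "C:", section, "D:", section, ...].
    parts = re.split(r"^Volume (\w:)", text, flags=re.MULTILINE)
    statuses = []
    for letter, section in zip(parts[1::2], parts[2::2]):
        fields = dict(re.findall(r"^\s*([A-Za-z ]+?):\s+(.+?)\s*$",
                                 section, flags=re.MULTILINE))
        conversion = fields.get("Conversion Status", "")
        protection = fields.get("Protection Status", "")
        # "Fully Encrypted" with "Protection Off" is a suspended volume: the
        # master key sits in the clear on disk, so the data is readable
        # without any credential. Treat it as uncovered.
        statuses.append(DeviceStatus(
            host, "windows",
            encrypted=(conversion == "Fully Encrypted"),
            protected=(protection == "Protection On"),
            detail=f"{letter} {conversion}; {protection}",
        ))
    return statuses


def parse_filevault(host: str, text: str) -> DeviceStatus:
    """`fdesetup status` prints "FileVault is On." or "FileVault is Off." and,
    while the initial conversion is still running, an "Encryption in progress"
    line. Until that finishes, part of the disk is still plaintext."""
    on = "FileVault is On." in text
    in_progress = "Encryption in progress" in text
    return DeviceStatus(host, "macos", encrypted=on and not in_progress,
                        protected=on, detail=text.strip().splitlines()[0])


def warranty_failures(statuses: list[DeviceStatus]) -> list[DeviceStatus]:
    """Devices that do not satisfy 'encrypted and protection enforced'."""
    return [s for s in statuses if not (s.encrypted and s.protected)]


# --- constructed sample outputs (trimmed to the fields that matter) ---------
WIN_TEMPLATE = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.19041

Volume C: [Windows]
[OS Volume]

    Conversion Status:    {conversion}
    Percentage Encrypted: {percent}
    Encryption Method:    {method}
    Protection Status:    {protection}
    Key Protectors:
        {protectors}
"""

SAMPLE_WINDOWS = {
    "sales-lt-01": WIN_TEMPLATE.format(conversion="Fully Encrypted", percent="100.0%",
                                       method="XTS-AES 128", protection="Protection On",
                                       protectors="TPM"),
    # Suspended, e.g. left that way after a firmware update: encrypted in form only.
    "sales-lt-02": WIN_TEMPLATE.format(conversion="Fully Encrypted", percent="100.0%",
                                       method="XTS-AES 128", protection="Protection Off",
                                       protectors="TPM"),
    # Never encrypted: the stolen-laptop scenario in the article.
    "sales-lt-03": WIN_TEMPLATE.format(conversion="Fully Decrypted", percent="0.0%",
                                       method="None", protection="Protection Off",
                                       protectors="None Found"),
}

SAMPLE_MACOS = {
    "mbp-04": "FileVault is On.\n",
    "mbp-05": "FileVault is On.\nEncryption in progress: Percent completed = 41.\n",
    "mbp-06": "FileVault is Off.\n",
}


def collect_sample() -> list[DeviceStatus]:
    statuses: list[DeviceStatus] = []
    for host, text in SAMPLE_WINDOWS.items():
        statuses.extend(parse_bitlocker(host, text))
    for host, text in SAMPLE_MACOS.items():
        statuses.append(parse_filevault(host, text))
    return statuses


def failing_hosts() -> list[str]:
    """Hostnames to remediate before attesting to the encryption warranty."""
    return sorted({s.host for s in warranty_failures(collect_sample())})


if __name__ == "__main__":
    for s in warranty_failures(collect_sample()):
        print(f"FAIL {s.host:12} {s.platform:8} {s.detail}")
```

Keep the raw tool output alongside the summary: at claim time the insurer will want the evidence, not your script's verdict, and a dated capture of `Protection On` for the stolen device is exactly what settles the "was it encrypted" question.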
2. Acts of War and Nation-State Attacks
The exclusion: Losses from state-sponsored cyber attacks are increasingly excluded. The trigger was NotPetya, where insurers invoked traditional war exclusions on the grounds that the attack was “war-like”; US courts rejected that reading in the Merck litigation, and the market responded with explicit cyber-specific wording. Since 2023, Lloyd’s has required standalone cyber policies written by its syndicates to exclude losses from state-backed cyber attacks.
Real scenario: A manufacturing company’s systems are wiped by malware later attributed to a nation-state actor. The insurer invokes the war exclusion and denies the €4 million claim.
How to address it:
- Push back on broad “cyber war” language during negotiations
- Seek policies with narrow, specific war exclusions
- Understand that attribution matters: the insurer generally bears the burden of proving that an exclusion applies, so if the attacker cannot be definitively linked to a state the exclusion may not hold and coverage may still apply
3. Infrastructure Failures (Not Cyber Attacks)
The exclusion: Business interruption from infrastructure outages — cloud provider downtime, ISP failures, or power grid problems — may not be covered unless directly caused by a cyber attack.
Real scenario: AWS us-east-1 goes down for 8 hours. Your e-commerce platform loses €200,000 in sales. The claim is denied because the outage wasn’t a cyber attack.
How to address it:
- Add contingent business interruption coverage for cloud dependencies
- Negotiate broader trigger language that includes infrastructure failures
- Maintain offline backups and redundancy for critical systems
4. Prior Known Breaches or Security Gaps
The exclusion: If you knew about a vulnerability before the policy inception and didn’t remediate it, related claims may be excluded.
Real scenario: A penetration test identified critical vulnerabilities in March. You renew your policy in April without fixing them. A breach exploiting those exact vulnerabilities occurs in June. The claim is denied.
How to address it:
- Disclose known vulnerabilities during the application process
- Create remediation timelines for identified issues
- Document security improvements between policy periods
5. Social Engineering Without Verification Bypass
The exclusion: Social engineering losses where the attacker simply convinced an employee to transfer funds may be excluded or subject to sub-limits. Some policies require “verification bypass” — the attacker must have circumvented established verification procedures.
Real scenario: A finance employee receives an email appearing to be from the CEO requesting an urgent wire transfer. They send €150,000 to the fraudster. The insurer partially denies the claim because the employee didn’t follow the company’s verbal verification policy.
How to address it:
- Ensure social engineering coverage doesn’t require verification bypass
- Train employees on verification protocols and document compliance
- Consider social engineering sub-limits as part of overall coverage
6. Failure to Maintain Minimum Security Standards
The exclusion: Many policies require policyholders to maintain specific security controls, often written as warranties or conditions precedent to coverage. Failing one can void coverage for a related loss, and a control misstated on the application can give the insurer grounds to void the whole policy.
Common requirements include:
- Multi-factor authentication on privileged accounts
- Endpoint detection and response (EDR)
- Regular patching of known vulnerabilities
- Employee security awareness training
- Data backups with tested restoration procedures
Real scenario: A company attests on its application that MFA is enforced on all admin accounts. An attacker later compromises an admin account that was protected only by a password. The claim is denied for breach of the security-control warranty.
How to address it:
- Read and understand all warranty clauses
- Document compliance with required controls
- Schedule regular audits to verify ongoing compliance
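“Document compliance” for the MFA warranty means being able to show, for every privileged account, which second factor it has and whether it is actually enforced. The following added example (not code from the article) takes a user-registration report in the shape of Microsoft Graph’s `userRegistrationDetails` resource (fields `userPrincipalName`, `isAdmin`, `isMfaRegistered`, `methodsRegistered`) and lists the admin accounts that would fail an “MFA on all admin accounts” warranty. The field names and method identifiers are an assumption to verify against your own export; the records are constructed. It goes a step beyond the text by separating “no MFA” from “phishable MFA only” (SMS, voice, email) and by reporting documented break-glass exceptions, since an emergency-access account excluded from the MFA policy is a gap the insurer needs to know about.

```python
"""Admin MFA warranty check (added example).

Reads records shaped like Microsoft Graph's userRegistrationDetails report and
lists privileged accounts that would fail an "MFA on all admin accounts"
warranty. Field names and method identifiers are assumptions; records are
constructed.
"""
from __future__ import annotations

# Methods that satisfy "MFA" on paper but fall to real-time phishing or SIM swap.
# Report them separately rather than passing them silently; some underwriters
# now ask for phishing-resistant methods on admin accounts specifically.
WEAK_METHODS = {"mobilePhone", "alternateMobilePhone", "officePhone",
                "email", "securityQuestion"}


def classify_admin(record: dict, exceptions: set[str]) -> str | None:
    """Return a finding for a privileged account, or None if it passes.

    Registration is not enforcement: a user can have a method registered while
    no Conditional Access policy requires it. Keep this report next to the
    policy that actually enforces MFA when you document compliance.
    """
    if not record.get("isAdmin"):
        return None  # out of scope for the admin-MFA warranty
    upn = record["userPrincipalName"]
    methods = set(record.get("methodsRegistered", []))
    if upn in exceptions:
        # Break-glass accounts are commonly excluded from MFA policies; they
        # must be listed, monitored and disclosed, or they are an undisclosed gap.
        return "documented exception (break-glass)"
    if not record.get("isMfaRegistered") or not methods:
        return "no MFA registered"
    if methods <= WEAK_METHODS:
        return "weak MFA only: " + ", ".join(sorted(methods))
    return None


def audit_admin_mfa(records: list[dict], exceptions: set[str]) -> dict[str, str]:
    """Map UPN -> finding for every privileged account that needs attention."""
    findings: dict[str, str] = {}
    for rec in records:
        finding = classify_admin(rec, exceptions)
        if finding is not None:
            findings[rec["userPrincipalName"]] = finding
    return findings


# Constructed sample: the shape mirrors the Graph report, the values are made up.
SAMPLE_RECORDS = [
    {"userPrincipalName": "alice.admin@example.com", "isAdmin": True,
     "isMfaRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush", "fido2SecurityKey"]},
    {"userPrincipalName": "bob.admin@example.com", "isAdmin": True,
     "isMfaRegistered": False, "methodsRegistered": []},
    {"userPrincipalName": "carol.admin@example.com", "isAdmin": True,
     "isMfaRegistered": True, "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "breakglass-01@example.com", "isAdmin": True,
     "isMfaRegistered": False, "methodsRegistered": []},
    {"userPrincipalName": "dave@example.com", "isAdmin": False,
     "isMfaRegistered": False, "methodsRegistered": []},
]
BREAK_GLASS = {"breakglass-01@example.com"}


def sample_findings() -> dict[str, str]:
    return audit_admin_mfa(SAMPLE_RECORDS, BREAK_GLASS)


if __name__ == "__main__":
    for upn, finding in sample_findings().items():
        print(f"{upn:32} {finding}")
```

Run it on a scheduled export and keep the dated output with your renewal file; a clean report from the month before an incident is far stronger evidence than a policy document that says MFA is required.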
7. Bodily Injury and Property Damage
The exclusion: Physical harm to people or property is typically excluded from cyber policies and should be covered under general liability or property policies.
Real scenario: A ransomware attack disables a hospital’s systems, leading to delayed treatment and patient death. The cyber policy excludes bodily injury, and the general liability policy excludes cyber-related incidents — creating a coverage gap.
How to address it:
- Coordinate coverage across policies
- Consider excess umbrella coverage
- For critical infrastructure, seek specialized policies that bridge this gap
8. Intentional Acts by Senior Management
The exclusion: Deliberate wrongdoing by executives or senior management is typically excluded.
Real scenario: A CFO deliberately bypasses security controls to exfiltrate data to a competitor. The resulting losses are excluded as intentional acts.
How to address it:
- This exclusion is generally reasonable and standard
- Focus on internal controls and segregation of duties
- Crime/fidelity policies may provide separate coverage for employee dishonesty
9. Cryptocurrency and Digital Asset Losses
The exclusion: Some policies exclude or limit coverage for cryptocurrency theft or losses related to digital assets.
Real scenario: A company’s hot wallet is drained of €500,000 in cryptocurrency. The policy either doesn’t cover it or has a sub-limit far below the loss.
How to address it:
- Disclose all cryptocurrency holdings during application
- Seek specific coverage for digital assets
- Consider cold storage and multi-signature wallets to reduce risk
10. Regulatory Fines and Penalties (in Some Jurisdictions)
The exclusion: Coverage for regulatory fines varies by jurisdiction. In the EU, insuring against GDPR fines may be prohibited as against public policy.
Real scenario: A company receives a €2 million GDPR fine following a breach. The cyber policy’s regulatory coverage doesn’t apply in that jurisdiction.
How to address it:
- Understand local insurability of fines
- Focus coverage on defense costs and remediation, which are typically insurable
- Budget for potential fines as an uncovered risk
11. Reputational Harm Without Direct Costs
The exclusion: Pure reputational damage — lost future business, brand devaluation — is typically not covered unless it translates to documented, quantifiable losses during the policy period.
Real scenario: A breach exposes customer data. While no immediate financial loss occurs, the company loses 30% of its customer base over the following year. The policy doesn’t cover this “slow-burn” reputational impact.
How to address it:
- Focus on crisis communication coverage to mitigate reputational damage
- Document all costs related to customer churn post-breach
- Negotiate for broader business interruption triggers
12. Supply Chain Attacks (Third-Party Dependencies)
The exclusion: Some policies limit or exclude coverage for attacks that enter through third-party software or service providers.
Real scenario: A company is affected by a SolarWinds-style supply chain attack. The policy contains exclusions for third-party software vulnerabilities, limiting recovery.
How to address it:
- Review supply chain attack language carefully
- Ensure contingent business interruption covers key vendors
- Assess and document security of critical suppliers
How to Protect Against Coverage Gaps
1. Read the Full Policy Before Binding
Don’t rely on the proposal or binder. Request and review the complete policy form, including all exclusions and conditions. Highlight anything unclear and demand written clarification.
2. Disclose Everything Materially Relevant
Non-disclosure is the fastest route to a denied claim. When in doubt, disclose. Work with your broker to present risks accurately and completely.
3. Document Your Security Program
Maintain evidence of:
- Security policies and employee acknowledgments
- Patch management and vulnerability remediation
- Incident response plan and tabletop exercises
- Third-party security assessments
- Training completion records
This documentation can be critical in disputing coverage denials based on alleged security failures.
4. Coordinate Across Policies
Cyber insurance doesn’t exist in a vacuum. Ensure your:
- General liability policy coordinates with cyber
- Crime/fidelity policy covers employee dishonesty
- Property policy addresses equipment replacement
- Directors & officers policy covers management liability
5. Negotiate Key Terms
Not all exclusions are non-negotiable. Push for:
- Narrow war exclusion language tied to official government attribution
- Social engineering coverage without verification bypass requirements
- Broader business interruption triggers
- Higher sub-limits for high-risk categories
6. Conduct Annual Coverage Reviews
Your cyber risk profile changes. So should your coverage. Review your policy annually with these questions:
- What new systems or data have we added?
- What new third-party dependencies exist?
- What security improvements have we made?
- What incidents or near-misses have we experienced?
The Bottom Line
Cyber insurance is valuable risk transfer — but only if you understand what it doesn’t cover. The most expensive policy is one that gives you false confidence.
Before your next renewal, audit your exclusions against your actual risk profile. The gaps you find today could save your business tomorrow.