Cyber Insurance Coverage Checklist

First-party coverage

First-party coverage pays for losses your organization incurs directly from a cyber incident. These are the costs you control and bear yourself.

Incident response costs

What it covers: The cost of investigating, containing, and remediating a security incident, including hiring forensic investigators, legal counsel, and incident response consultants.

What to check:

• Coverage limit is sufficient for a major incident ($500,000 to $2 million for midsize companies)
• Pre-approved vendor panels are acceptable — some carriers require you to use their panel vendors; confirm the panel includes reputable firms
• You can engage your own incident response retainer firm, not only the carrier’s panel
• First-party legal counsel for breach assessment and notification obligation analysis is covered
• Coverage applies from the moment of detection, not from the moment of carrier notification

Common gap: Some policies have a 24- to 72-hour notification requirement. Failing to notify the carrier within that window can void coverage for the entire incident. Know the notification timeline and have the carrier’s claims number accessible to your incident response team.

Data restoration

What it covers: The cost of restoring, recreating, or recovering data that was destroyed, corrupted, or encrypted during an incident.

What to check:

• Coverage includes both data restoration from backups and data recreation when backups are unavailable
• Coverage extends to third-party costs (vendors, contractors) for restoration, not only internal labor
• Sublimit is adequate — data restoration for a major ransomware event can exceed $500,000

Common gap: Policies may exclude data restoration costs if the organization did not maintain adequate backups. The insurer’s position: if you had tested backups, restoration would cost a fraction of what you are claiming. See business continuity and disaster recovery for backup requirements.

Business interruption

What it covers: Lost income and extra expenses incurred while business operations are disrupted by a cyber incident.

What to check:

• Waiting period (deductible period) before coverage begins — typically 8 to 24 hours. A 24-hour waiting period means the first day of downtime is uninsured
• Coverage includes both lost revenue (income the business would have earned) and extra expenses (costs of operating from backup systems, overtime labor, temporary facilities)
• Coverage period is adequate — major incidents can disrupt operations for weeks or months
• Sublimit for business interruption is sufficient relative to your daily revenue
• Coverage extends to dependent business interruption — losses caused by a cyber incident at a critical vendor or supplier

Common gap: Many policies have inadequate sublimits for business interruption relative to actual daily revenue. If your business generates $200,000 per day in revenue and the business interruption sublimit is $1 million, you have five days of coverage. Calculate your actual exposure and ensure the sublimit matches.

Ransomware and cyber extortion

What it covers: Ransom payments, cryptocurrency acquisition costs, negotiation specialist fees, and costs associated with determining whether payment will result in data recovery.

What to check:

• Ransom payment coverage is explicitly included (some policies exclude it)
• Coverage includes professional negotiation services
• Coverage is not voided by paying without prior carrier approval — but always notify the carrier before paying
• Sublimit is adequate for current ransom demands (median ransom payments exceeded $200,000 in 2025, with demands against midsize companies routinely reaching $1 million to $5 million)
• Coverage includes costs when you choose not to pay (restoration, extended downtime, data recreation)
• OFAC compliance is addressed — payments to sanctioned entities can create legal liability; confirm the carrier’s position and process

Common gap: Some policies cover the ransom payment but have an inadequate sublimit for the business interruption that accompanies a ransomware event. The ransom itself is often a fraction of the total incident cost. See incident response plan template for ransomware response planning.

Notification and credit monitoring

What it covers: The cost of notifying affected individuals, regulators, and other parties as required by breach notification laws, plus credit monitoring or identity protection services for affected individuals.

What to check:

• Coverage includes notification costs across all applicable jurisdictions (US state laws, GDPR, sector-specific regulations)
• Credit monitoring coverage period aligns with regulatory and legal expectations (typically 12 to 24 months)
• Costs of establishing and operating a call center for affected individuals are covered
• Costs of legal analysis to determine notification obligations are covered

Crisis management and public relations

What it covers: The cost of managing the reputational impact of a cyber incident, including PR firms, crisis communications, and media management.

What to check:

• Coverage is adequate for a sustained crisis (not just a single press release)
• You can engage your preferred PR firm, not only the carrier’s panel
• Coverage applies to proactive communications (getting ahead of the story), not only reactive statements

Third-party liability coverage

Third-party coverage protects against claims made by others — customers, regulators, business partners, payment card brands — arising from a cyber incident at your organization.

Regulatory defense and fines

What it covers: Legal defense costs and regulatory fines resulting from a data breach or privacy violation.

What to check:

• Coverage includes defense costs in addition to fines (defense costs alone for a major regulatory action can exceed $1 million)
• Coverage applies in your operating jurisdictions — GDPR fines (up to 4% of global revenue) require adequate coverage for EU operations
• Fines are insurable in your jurisdiction — some jurisdictions prohibit insurance coverage of certain regulatory penalties
• Coverage extends to regulatory investigations and inquiries, not only formal enforcement actions
• SEC cyber disclosure requirements and related enforcement risk are addressed

Litigation and settlements

What it covers: Defense costs, settlements, and judgments arising from lawsuits by individuals, customers, or business partners affected by a data breach.

What to check:

• Coverage includes class action defense (data breach class actions are increasingly common)
• Coverage extends to contractual liability — claims from business partners alleging you failed to meet contractual security obligations
• Defense costs are in addition to the coverage limit (duty to defend), not eroding it
• Coverage applies to claims in all operating jurisdictions

PCI fines and assessments

What it covers: Fines and assessments imposed by payment card brands (Visa, Mastercard) following a breach involving cardholder data.

What to check:

• PCI fines coverage is explicitly included (many standard policies exclude it)
• Sublimit is adequate — card brand fines can reach $500,000 or more
• Coverage includes card reissuance costs imposed by the acquiring bank
• Forensic investigation costs mandated by card brands (PFI investigation) are covered

See PCI audit for compliance requirements.

Exclusions to scrutinize

Every cyber insurance policy contains exclusions. The following are the exclusions most likely to result in denied claims.

War and nation-state exclusion

Most policies exclude losses arising from acts of war. The critical question is how the carrier defines war and whether nation-state cyberattacks fall within the exclusion. Following the NotPetya litigation (Merck v. Zurich, Mondelez v. Zurich), carriers have introduced more specific cyber war exclusions. Lloyd’s Market Bulletin Y5381 (effective 2023) requires standalone cyber policies to exclude state-backed attacks and include attribution provisions.

What to verify: Read the exact war exclusion language. Does it exclude all nation-state attacks, only those constituting armed conflict, or attacks attributed by a specified government authority? Who determines attribution? What is the burden of proof?

Failure to maintain security controls

If your application or attestation stated that you have MFA deployed on all remote access and email, the carrier may deny a claim arising from a breach that exploited the absence of MFA. This exclusion is the most common basis for claim disputes.

What to verify: Understand exactly what you attested to in the application. Ensure those attestations are accurate at the time of binding and remain accurate throughout the policy period. If a control lapses, notify the carrier and document the remediation timeline.

Operator note: I’ve reviewed cyber insurance applications where the CISO checked “MFA enforced on all remote access” while three legacy VPN concentrators still accepted password-only authentication. The CISO wasn’t lying; they didn’t know. The attestation became the denial basis for a seven-figure claim eighteen months later. Before signing any cyber insurance application, run a technical verification of every security control you’re attesting to. The application is a legal document, not a survey.

Known but unpatched vulnerabilities

Some policies exclude losses arising from the exploitation of vulnerabilities that the organization knew about but failed to remediate within a reasonable timeframe.

What to verify: Does the policy define a specific remediation timeframe (e.g., 30 days from vulnerability disclosure)? Does it apply to all vulnerabilities or only those with known exploits? How does it interact with your vulnerability management SLAs?

Social engineering and voluntary transfer

Standard cyber policies may not cover losses from social engineering attacks (business email compromise) where an employee voluntarily transfers funds based on fraudulent instructions. This requires a separate social engineering or crime coverage endorsement.

What to verify: Is social engineering covered? If so, what is the sublimit? Is there a verification procedure requirement (dual authorization for wire transfers above a threshold)?

Prior acts and retroactive date

Policies typically cover incidents that occur during the policy period. The retroactive date determines how far back coverage extends for incidents that began before the current policy period but were discovered during it.

What to verify: What is the retroactive date? Does it match prior policy periods, or is there a gap? Are prior known incidents or circumstances specifically excluded?

Security controls that affect premiums

Insurers evaluate your security posture during underwriting. The following controls have the most significant impact on premium pricing and coverage availability.

Controls that carriers require

Absence of these controls may result in coverage denial or exclusion:

• MFA on all remote access (VPN, RDP, cloud management consoles) and all email accounts
• EDR deployed on all endpoints (workstations, laptops, servers)
• Backup strategy with offline or immutable copies and tested restoration procedures
• Incident response plan that is documented, tested, and current
• Patch management with defined SLAs for critical vulnerabilities
• Privileged access management (separate admin accounts, credential vaulting)
• Security awareness training conducted at least annually

Controls that reduce premiums

These controls demonstrably reduce risk and are rewarded with lower premiums:

• Network segmentation limiting lateral movement
• DMARC email authentication at enforcement (p=reject)
• Vulnerability scanning with regular cadence and documented remediation
• 24/7 security monitoring (internal SOC or MDR)
• Tabletop exercises conducted at least annually
• Cyber risk quantification program (demonstrates mature risk management)
• Third-party vendor risk management program

Organizations with mature security programs and documented controls receive premiums 20 to 40 percent lower than comparable organizations with weaker postures. The security investment often pays for itself through premium reduction alone.

Operator note: The single highest-ROI action for reducing cyber insurance premiums is documenting what you already do. Most mid-market companies have better security controls than their applications reflect because no one mapped existing controls to the underwriter’s questionnaire systematically. A cybersecurity risk assessment that produces a controls inventory aligned to insurer requirements typically saves 15-25% on the next renewal without changing a single security tool.

Policy evaluation checklist

Use this checklist when evaluating cyber insurance proposals.

Coverage adequacy

• Aggregate limit is appropriate for your risk profile (use cyber risk quantification to determine probable maximum loss)
• Sublimits for each coverage category are adequate, not just the aggregate
• Business interruption waiting period is acceptable and sublimit covers at least 30 days of lost revenue
• Ransomware/extortion sublimit reflects current demand levels
• Regulatory fines coverage is adequate for all operating jurisdictions

Exclusions and conditions

• War/nation-state exclusion language is reviewed and understood
• Security control requirements are documented and currently met
• Known vulnerability exclusion language and remediation timeframes are clear
• Social engineering coverage is included or purchased separately
• Retroactive date provides continuous coverage from prior policies

Claims process

• Notification requirements (timeframe, method, contact) are documented and accessible to the incident response team
• Pre-approved vendor panels are acceptable, or you can engage your own vendors
• Claims process and average time to payment are understood
• The carrier has a dedicated cyber claims team (not a general claims adjuster handling cyber as a side assignment)

Insurer evaluation

• Carrier has meaningful cyber insurance experience and dedicated underwriting team
• Carrier’s financial strength rating (AM Best A- or above) supports their ability to pay large claims
• Broker specializes in cyber insurance (not a general commercial broker adding cyber as a line)

Renewing and maintaining coverage

Cyber insurance is not a one-time purchase. Maintaining coverage requires ongoing attention.

Annual renewal preparation:

• Update the application with current security posture (adding MFA, EDR, or other controls may reduce premiums)
• Disclose any incidents or near-misses from the prior year — failure to disclose can void future coverage
• Review and update coverage limits based on business growth, new regulations, or changes in risk profile
• Review exclusions in the renewal offer — carriers may add exclusions or modify terms at renewal
• Start the renewal process 90 days before expiration to allow time for negotiation and market comparison

Continuous obligations:

• Maintain all security controls attested to in the application
• Document changes to security posture (positive and negative) and notify the carrier of material changes
• Keep the incident response plan and carrier notification procedures current
• Conduct security control verification on the same cadence the carrier’s application implies (if you attested to quarterly access reviews, conduct quarterly access reviews)

See cybersecurity risk assessment for the broader risk management context and how to measure cybersecurity ROI for evaluating whether your combined spending on controls and insurance is producing optimal risk reduction.