Not all cyber insurance covers every type of risk. Most policies include exclusions, which are situations or events that the insurer will not cover. Our guide explains what cyber insurance does not cover, why exclusions exist, and how to avoid problems when you make a claim.
Exclusions define what your policy does not cover. They are the limits of your protection, and they affect whether your claim gets paid.
In insurance, an exclusion is a listed event, cause, or condition that the policy will not cover. If a breach occurs due to something on that list, your claim may be rejected.
Exclusions are not hidden. They are written into the policy documents, often under a section called “Exclusions,” “Limitations,” or “What’s Not Covered.”
Insurers use exclusions to set clear boundaries. They avoid covering high-risk or avoidable actions, like using unsupported software or ignoring a known breach.
You will usually find exclusions in the main policy wording. Some are in the core terms, others in endorsements or appendices. They are often written in legal language, so it helps to ask your broker or provider to walk through them with you.
Exclusions are one of the most common reasons claims are declined. If your business suffers an attack, but the cause links to an excluded event, your costs may not be covered.
For example:
Understanding your exclusions provides a clear picture of the risks still on your balance sheet. It also helps you fix issues now, not during a claim. Most UK insurers list exclusions in the core policy wording or appendices. This guide from ABI explains how to spot them before you buy.
Cyber insurance is not a guarantee of protection. Most policies list clear exclusions, situations where cyber insurance claims won’t be paid. Understanding these helps you avoid false assumptions about what’s covered.
Cyber attacks linked to war, armed conflict, or state-sponsored threats are often excluded, including attacks traced back to nation-states or political groups.
Some insurers now offer limited protection against cyber terrorism, but only if the wording is specific and attribution is clearly stated. In practice, that’s rare. If there’s doubt about who was behind an attack, cover may still apply, but not always.
If a breach started before the policy was in place, it’s unlikely to be covered. The same goes for vulnerabilities you knew about but didn’t fix.
For example, if your business failed to patch a known system flaw and a breach occurs later, the insurer may argue the risk was foreseeable and reject the claim.
Fines under GDPR or PCI-DSS are not always covered. Some policies include them, but only where UK law allows. Others cover investigation costs but exclude the penalties themselves. Always check the policy wording. The difference between what’s “insurable” and what’s paid can be significant.
Read our expert guide on cyber insurance costs to fully understand the breakdown and cost to your business.
If your business fails to meet basic security standards, your claim may not be valid. That includes not using multi-factor authentication, skipping software updates, or ignoring staff training.
Some policies also exclude claims if the breach resulted from negligence, such as shared passwords or unsecured devices.
Not all policies cover harm caused by people inside your business. Some exclude losses linked to dishonest staff or third-party contractors, while others offer limited support.
If your data is leaked, deleted, or sold by someone on your payroll, verify whether your insurer considers this a covered event.
Most cyber insurance focuses on digital harm, not physical repair.
For example, a malware attack can damage your server drives. The cost to replace the hardware is not covered, but recovery of lost data might be.
If hackers steal your designs, code, or trade secrets, don’t assume you’ll be reimbursed. Many policies exclude intellectual property loss unless it results in a legal claim from a third party.
This is one of the most misunderstood exclusions. It’s essential to inquire about how your policy addresses IP theft and copyright infringement.
Cyber insurance works when the right conditions are in place. If you fall short of those, your claim may not go through, even if the breach is real.
These examples illustrate how small gaps in protection can result in significant issues at payout.
Scenario: A business continues using an old version of a content management system, despite warnings about security flaws. A known exploit is used to breach their website and steal customer data.
Why it might be rejected: Most policies require you to keep systems up to date. If the breach links to a known vulnerability and you had the chance to fix it, the insurer can argue that you failed to take reasonable precautions.
Insurer's view: The loss was avoidable. You didn’t patch the known risk. That breaks the policy’s minimum security conditions.
Scenario: An attacker gains access to your cloud storage using a stolen password. Sensitive files are leaked, and the ICO begins an investigation. Your business suffers legal and reputational fallout.
Why it might be rejected: Many cyber policies now require multi-factor authentication (MFA) for admin accounts and remote access. If MFA wasn’t in place at the time of the breach, your claim may not meet the policy’s eligibility requirements.
Insurer's view: You failed to apply basic, industry-standard controls. That shifts the risk back to you.
Scenario: An employee emails a spreadsheet with client information to the wrong contact. The file includes personal data. The recipient alerts your client, who then issues a formal complaint.
Why it might be rejected: Some policies exclude losses caused by human error or employee negligence, especially if the mistake breaches your own internal policies.
Even if covered, the policy may limit the amount it will pay. If internal processes were unclear or not followed, the insurer may reduce or deny the claim.
Insurer's view: This wasn’t an external attack. It was a mistake that could have been prevented with the right process.
Exclusions don’t just exist on paper; they’re one of the main reasons cyber claims get declined.
Here’s how to stay covered when it matters.
Don’t rely on a summary. The exclusions are in the full policy document, often under “Exclusions” or “What’s Not Covered.”
If something is unclear, ask your broker or insurer. You must get clear answers before you buy, not during a claim.
Look for:
Many policies require you to meet a minimum security standard, and if you fall behind, even unintentionally, your claim might be rejected.
Make sure you:
These are not just best practices; they’re conditions for coverage in many policies.
Not all businesses face the same threats. If you store personal data, work in regulated sectors, or rely on cloud systems, ensure the policy addresses these requirements.
You need to ask:
Remember that a cheaper policy that excludes your main risk is not good value. Coverage only applies if you meet the terms. Reading your exclusions, maintaining basic controls, and selecting the right policy upfront is the best way to avoid a declined claim.