Navigating the Changing Landscape of Cyber Insurance Exclusions

There has been a lot of discussion in the cyber insurance world regarding a new cyber insurance exclusion.

Recent changes to several carriers’ policy language that exclude coverage for cybercrimes committed as acts of war or by a party or individual acting on behalf of or supported by a foreign state are the subject of a heated debate.  

However, the truth is that all policy language is unique. Thus, whether your business is covered or not can depend on how this exclusion is worded in your policy. 

There is another important element at play to consider.

High Demand for Cyber Insurance

The demand for cyber insurance coverage has never been higher. In addition, the risk and severity of cyber-attacks have significantly increased in recent years, making cyber insurance more popular. 

  • According to Varonis, in 2020, the United States was the target of 46% of cyberattacks, more than double any other country. 
  • In 2021, approximately 70% of breaches were financially motivated, 22 billion records were exposed due to data breaches, and only 5% of company folders were properly secured on average. 
  • According to IBM’s Cost of a Data Breach report, the average attack in the US costs $8.6 million. 

With average ransom demands reaching millions, many companies are turning to cyber insurance to cover payments and protect their corporate finances.

Evolution of Cyber Insurance

The cyber insurance industry is going through a re-adjustment period as carriers learn how to price and model the risks they cover. 

Meanwhile, the market has become increasingly important due to the wave of attacks against companies of all sizes.

For example, insurance companies have paid a great deal of money on claims related to cybercrime perpetrated by foreign entities. However, since insurance companies don’t like losing money, they are taking steps to pull back and evaluate this risk.

Over the past five years, insurance companies have increased the cost of cyber insurance at record rates. Considering the surge in attacks, increased severity, and projections for the future – this is not surprising.

Latest Changes to Policies 

With the uptick in claims and costs, several insurance companies have altered their exclusion language to remove coverage for cybercrimes committed by state-backed individuals or groups.

Many carriers have added language that excludes exposures arising from “war” and “non-war” state-backed cyberattacks.

Cyber Insurance Exclusions

Cyber risks and the losses they cause are incredibly sophisticated and ever-evolving.

Many believe there will be a lot of litigation over exclusions with this wording because of the difficulty of proving whether an attack met the criteria for the exclusion.

For instance, answering the following questions could prove difficult and could lead to disagreements with your insurance company should they deny coverage on this basis:

  • Was the attack from a group or individual sponsored by a foreign state?
  • Were they supported by a foreign state?
  • Was it a socially, ideologically, religiously, politically, or similarly motivated individual or group of individuals?

These grey areas leave room for claims to be denied and could leave the business owner writing the check for an expensive attack.

If you feel a claim was wrongfully denied, you can sue to have a court rule on it. However, that could take years to conclude and leave you financially responsible for everything up to the decision, even if the court ultimately rules in your favor.

Additionally, we are still unsure who is responsible for proving an attack was or wasn’t committed by an individual or group that fits within the policy language.

Choosing the Right Cyber Policy

When choosing a cyber insurance policy, consider whether your business can survive the financial and brand impact of a cyber-attack and whether you have the funds for potential litigation. Make sure to review your policy for this exclusion language and understand how it applies.

When assessing your cyber insurance policy, it may be helpful to ask yourself these key questions:

  • Can my business survive the costs of a cyberattack, both financially and in brand image?
  • Could we survive it and still have the funds to pay for litigation against the insurance company if I believe a claim was denied incorrectly?
  • Does my cyber insurance policy include this exclusion, and how does the actual policy language apply?
  • Do I want to risk having my policy with a carrier with this exclusion language?
  • Do I trust that the carrier will pay my claim if it falls into a grey area?


The cyber insurance industry is undergoing changes and adjustments, and carriers are learning how to price and manage the risks they cover.

As a result, policy language is evolving, and some carriers are now excluding coverage for cybercrimes committed as acts of war or by a party or individual acting on behalf of or supported by a foreign state.

It’s crucial to review your policy language and ask yourself important questions, such as whether your business can survive the costs of a cyberattack and whether your policy includes exclusions.

Take Action to Safeguard Your Business

If you have questions or want to review your cyber insurance policy, please don’t hesitate to contact us. If you do not have a cyber insurance policy, I am happy to conduct a free consultation and discuss your options.  

Article By: Andy Clark
