Cyber insurance covers a great deal, but it does not cover everything, and the gaps are predictable. The most common problem is not an exotic exclusion. It is a sublimit on the loss most likely to happen, or a claim denied because the application overstated the practice’s security controls. Knowing these before you buy is how you avoid a surprise at the worst moment.
Sublimits on the loss most likely to happen
The single most common gap is a sublimit on social engineering and funds-transfer fraud. Many policies cap that coverage well below the headline limit. A one-million-dollar policy with a two-hundred-fifty-thousand-dollar social-engineering sublimit is, for the loss most likely to happen, a two-hundred-fifty-thousand-dollar policy. This is not an exclusion, so it is easy to miss. It is the first number to check.
Failure to maintain your controls
Cyber applications ask whether you have multi-factor authentication, backups, and other controls. If you attest to a control you do not actually have, and a loss traces back to that gap, the claim can be denied. This is not the carrier being difficult. It priced the policy on what you told it. Answering the application accurately is part of keeping the coverage valid.
Prior and known events
A policy covers what happens during its term. A breach that began before coverage started, or an incident you already knew about, is generally excluded. This is why prior-acts coverage and honest disclosure at application matter, and why waiting until something has happened to buy is usually too late.
The everyday exclusions
A few exclusions catch people off guard:
- Ordinary infrastructure or power outages with no cyber event behind them.
- Bodily injury and property damage, which belong to other policies unless a specific extension is added.
- Contractual liability you assumed separately, beyond what the policy grants.
- Losses inside a waiting period, since business interruption often does not start paying until an outage passes a set number of hours.
How to avoid the gaps
The fixes are straightforward. Read the sublimit on social engineering and raise it if you move money. Answer the application accurately and confirm your controls. Disclose anything you already know about. And compare policies on the coverage that responds, not the price. A short coverage review checks these before you buy, and our cyber insurance overview explains what a complete policy looks like.
Questions to ask your advisor
- What is the sublimit on social engineering, and is it below my policy limit?
- Did I answer the security-control questions on the application accurately?
- Does the policy include prior-acts coverage, and did I disclose known issues?
- What is the business-interruption waiting period before coverage starts?
- Which everyday exclusions apply, and do I need any of them bought back?
Want guidance first? Compare your coverage. Already know what you need? Get a quote.