What Risks Are Excluded From Cyber Liability Insurance?
Understanding the Limits of Cyber Liability Coverage in a Digital-First World
As cyber threats evolve and data breaches become more frequent, businesses are increasingly turning to cyber liability insurance to protect themselves from financial losses, legal liabilities, and reputational damage. These policies are designed to cover the costs associated with cyber incidents such as ransomware attacks, data theft, and business interruption.
However, while cyber liability insurance is a critical layer of defense, it’s not a catch-all safety net. Many business owners assume that once they have a cyber policy in place, they’re fully protected from any and all cyber-related losses. Unfortunately, that’s not the case. Like any form of insurance, cyber liability coverage comes with specific exclusions: risks and situations that insurers will not cover under the policy.
Understanding these exclusions is essential to managing risk effectively and ensuring that your organization isn’t blindsided by uncovered incidents.
Why Cyber Liability Insurance Excludes Certain Risks
Insurers exclude certain risks for several reasons: some are uninsurable due to moral hazard (when the insured knowingly takes on risk because they have coverage), while others are excluded because they’re preventable, intentional, or already covered by another type of policy.
Cyber insurance policies are also written to encourage strong cybersecurity hygiene. For example, if a business fails to patch known vulnerabilities or ignores security recommendations, the insurer may decline to pay for losses that could have been avoided through reasonable diligence.
By understanding what’s excluded, you can make informed decisions about risk management, negotiate better policy terms, and fill coverage gaps with additional endorsements or specialized coverage.
1. Intentional or Criminal Acts by the Insured
Perhaps the most fundamental exclusion in any cyber liability insurance policy relates to intentional misconduct.
If an employee, executive, or owner commits a cybercrime such as theft, fraud, forgery, or data manipulation, the resulting losses are not covered. Insurers will not pay for damages resulting from deliberate or dishonest acts, even if those acts were carried out by someone within your organization.
For instance:
If a company executive manipulates data for financial gain, the insurer will deny the claim.
If an employee steals confidential data or funds from the business, the act is considered intentional misconduct, and coverage is excluded.
Some policies may offer limited protection under a “rogue employee” clause, covering damages caused by a former employee acting maliciously, but even this is tightly constrained and typically only applies if the employer had no knowledge or involvement.
2. Known Vulnerabilities and Poor Cyber Hygiene
A growing number of cyber policies now exclude losses resulting from known vulnerabilities or unpatched software that the organization failed to address.
If your company was aware of a critical security weakness—say, an outdated firewall or an unpatched operating system—and a cyberattack exploited that weakness, your insurer may determine that the breach resulted from negligence rather than unforeseen risk.
For example, if a ransomware attack entered your system through a server that was flagged as vulnerable months before, the insurer could deny coverage, arguing that the risk was preventable.
To mitigate this exclusion, businesses must demonstrate active cybersecurity management, including:
Regular patching and software updates.
Conducting vulnerability scans and penetration tests.
Documenting compliance with data protection frameworks such as ISO 27001 or NIST standards.
Failing to prove due diligence can mean the difference between a covered claim and a denied one.
3. Regulatory Fines and Penalties
Cyber incidents often trigger regulatory investigations under data privacy laws such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), or other local and national frameworks.
While cyber liability insurance typically covers the cost of legal defense and notification expenses related to a breach, it often excludes regulatory fines or penalties imposed by government agencies.
Why? Because many jurisdictions consider fines and penalties to be non-insurable, as they result from legal violations rather than accidents. Paying them on behalf of the insured would go against public policy.
However, the landscape is evolving. Some insurers offer optional endorsements or partial coverage for regulatory fines, depending on local laws and the nature of the infraction. Always review your policy’s definition of “insured loss” to understand how it treats penalties or legal fees stemming from noncompliance.
4. Infrastructure Failures Beyond the Company’s Control
Cyber liability insurance is primarily designed to cover cyber incidents, not infrastructure failures.
If your business operations are disrupted because of a power outage, internet service failure, or third-party cloud provider downtime, your policy may exclude or limit coverage for those losses unless the failure resulted directly from a cyberattack.
For example, if Amazon Web Services (AWS) experiences an outage that takes down your e-commerce site for several hours, your cyber policy may not respond unless the outage was caused by a malicious act.
To fill this gap, companies often combine cyber liability insurance with business interruption coverage or contingent business interruption (CBI) extensions that explicitly include third-party service provider disruptions.
5. Acts of War, Terrorism, or State-Sponsored Attacks
Another major exclusion found in nearly every cyber insurance policy involves acts of war or terrorism—particularly state-sponsored cyberattacks.
These exclusions stem from the difficulty in attributing responsibility for such attacks and the massive scale of potential losses. Insurers generally classify these events as uninsurable catastrophic risks.
For instance, if your company suffers damages due to a cyberattack later attributed to a foreign government or military entity, your insurer may argue that the event falls under the “war exclusion.”
This issue came to prominence following the NotPetya cyberattack in 2017, when insurers denied claims from companies whose losses stemmed from malware believed to be linked to a state actor. Legal disputes from that incident are still shaping how insurers handle future nation-state attacks.
Businesses operating in high-risk sectors—such as energy, defense, or technology—should pay close attention to these exclusions and consider specialized cyber war coverage if available.
6. Contractual Liabilities and Service Agreement Breaches
If your company signs a contract agreeing to certain cybersecurity standards or performance guarantees and later fails to meet them, resulting in damages to another party, standard cyber liability insurance may not apply.
Most policies exclude losses arising from breaches of contract, unless those obligations would have existed even without the contract.
For example:
If a managed service provider (MSP) promises 99.9% uptime and a client suffers financial loss during a system outage, the insurer may deny coverage under the contractual liability exclusion.
Similarly, failure to comply with data processing agreements or vendor security clauses can trigger uncovered losses.
To address this, some companies purchase technology errors and omissions (Tech E&O) insurance, which complements cyber liability coverage and protects against contractual and performance-related disputes.
7. Failure to Maintain Security Standards or Disclose Material Facts
When applying for cyber liability insurance, businesses must provide accurate details about their security controls, data handling practices, and risk management policies.
If it’s later discovered that the insured provided false information, failed to disclose material facts, or didn’t maintain agreed-upon security measures, the insurer can void the policy or deny claims.
This exclusion reinforces the importance of transparency during the underwriting process. Companies should be honest about their security posture and promptly report any material changes to their infrastructure or risk exposure.
Taking Action: How to Protect Against Excluded Risks
Understanding exclusions is only the first step. Businesses must also take proactive measures to close coverage gaps and strengthen their overall resilience:
Review your policy line by line with a cybersecurity insurance specialist.
Implement best practices for patch management, employee training, and data protection.
Consider complementary policies, such as crime insurance, Tech E&O, or business interruption coverage.
Document all compliance and remediation efforts, as this strengthens your position in potential claims.
By aligning robust cybersecurity practices with comprehensive insurance planning, your organization can minimize both insured and uninsured risks.
Final Thoughts
Cyber liability insurance is an invaluable safeguard in an era of escalating digital threats. But it’s not a substitute for good cybersecurity governance. Knowing which risks are excluded, such as intentional acts, regulatory fines, and preventable vulnerabilities, empowers you to make smarter coverage decisions and build true resilience.
Always remember: insurance is a safety net, not a replacement for vigilance.