Cyber Insurance: Your Safety Net or a Paper Shield?
- University of Bristol Commercial Awareness Society

- Nov 17
By Hoi Yau Rene Yeung

Recent years have seen a surge in cyber attacks in the UK, with the National Cyber Security Centre reporting a total of 204 “nationally significant” cyber attacks in the 12 months to August 2025, a sharp rise from 89 in the previous year. High-profile cyber attacks targeting major retailers such as Marks & Spencer and Co-op have further highlighted the urgent need for enhanced cyber resilience. In today’s digital landscape, cybersecurity is no longer a matter of compliance or reputation management; it has become a question of business survival. In view of this, more and more businesses have sought to improve their resilience to cyberattacks by investing in a cyber insurance policy.
What is Cyber Insurance?
Cyber insurance, also known as cyber liability or cybersecurity insurance, helps businesses mitigate the risks associated with cybercrime such as cyberattacks and data breaches. It covers financial losses resulting from ransomware incidents, data breaches, and other cyber events that are not typically included under traditional liability or commercial insurance policies. According to IBM’s Cost of a Data Breach Report, the global average cost of a data breach reached USD 4.44 million between March 2024 and February 2025, highlighting the growing financial impact of cyber incidents. Against this backdrop, cyber insurance has become an essential component of modern risk management, helping organisations reduce the financial burden of cybersecurity breaches.
The Scope of Cyber Insurance and Its Exclusions
In most cases, cyber insurance policies offer options for first-party and third-party coverage. First-party coverage pays for losses incurred through data destruction, hacking, data extortion, and data theft, while third-party coverage pays for damages suffered by parties connected to the business, such as clients and partners. The main losses that cyber insurance covers include business interruption, threat response and remediation, legal expenses, and data breach recovery. Although cyber insurance may seem comprehensive at first blush, closer inspection shows otherwise.
In fact, there are many common exclusions in cyber insurance policies. Firstly, as with most types of insurance, acts of war or terrorism are excluded and considered uninsurable. Furthermore, cyber insurance does not cover damage to physical property or bodily injury, such as death, sickness, disease, or personal injury resulting from a cyber incident, as its protection focuses on losses in the digital sphere. Insider threats are another common exclusion, with losses caused by malicious or negligent employees rarely covered. Lastly, coverage limitations often apply to losses arising from previously known incidents or vulnerabilities that were not disclosed during underwriting. In other words, if hackers exploit a flaw the company was aware of but failed to fix, the resulting losses will likely be excluded from coverage.
The Main Challenge in the Cyber Insurance Market
Building on the exclusions described above, it becomes evident that the current cyber insurance market faces several significant challenges. One of the most alarming is the persistent uncertainty surrounding the scope of coverage, owing to the ambiguous and complex exclusions in policies. Policyholders struggle to understand what is actually covered: reports indicate that 71% of CFOs believe their insurer would cover “most or all” of the losses their company might incur in a cyberattack, yet many of the damages they anticipate, such as brand devaluation, investor scrutiny, revenue decline, and market share loss, are typically excluded from cyber insurance policies. This disconnect shows that greater clarity in underwriting cyber insurance coverage has never been more important.
Apart from policyholders, such uncertainty may also place brokers, who explain coverage and exclusions to clients, in a challenging position. When policies contain complex or ambiguous terms, even experienced brokers can misinterpret or overlook critical requirements, which may lead to professional negligence claims. In Watford Community Housing Trust v Arthur J. Gallagher Insurance Brokers Ltd, the Court held the broker liable for the client’s losses resulting from its failure to advise timely notification of a data breach to all relevant insurers under the cyber insurance policies. This demonstrates how ambiguity in cyber insurance wordings, particularly around notification obligations, exclusions, and overlapping coverage, can expose brokers to significant professional liability.
Artificial Intelligence (“AI”) and Cyber Insurance
While the advent of AI has brought numerous benefits to businesses, the increased integration of AI technologies into business operations has created additional targets for cyber attacks. Examples include “data poisoning,” where attackers deliberately insert false or incorrect information into AI training data sets in order to compromise the output generated by AI algorithms, and cyber criminals weaponising AI technology to generate attacks. Insurers have therefore begun introducing AI-specific exclusions. Policyholders should review their cyber insurance coverage for any advance insurer consent provisions in order to protect their own interests.