As organizations in India and around the world race to strengthen their defenses against an ever-evolving cyber threat landscape, cyber insurance has become an essential piece of the risk management puzzle. It promises peace of mind, financial protection, and expert assistance in the worst moments of a cyber crisis.
However, the reality many businesses discover only when disaster strikes is this: not all cyber incidents are covered. Modern cyber insurance policies are complex contracts with detailed terms, strict conditions, and, crucially, numerous exclusions that can leave you footing the bill if you’re not prepared.
In 2025, understanding what is not covered is just as important as knowing what is. Let’s break down the common exclusions and limitations that every organization — from startups to large enterprises — must watch out for.
Why Exclusions Exist
Before we get into the details, it’s important to understand why exclusions exist in cyber insurance.
Cyber risk is unique because:
- The threat landscape changes daily.
- Attackers innovate constantly.
- Losses can be huge, unbounded, and difficult to quantify.
- Insurers rely on customers doing their part to maintain reasonable security standards.
Exclusions allow insurers to limit exposure to risks they cannot control, such as state-sponsored cyber warfare, known but unpatched vulnerabilities, or incidents caused by gross negligence.
Common Exclusions in 2025 Cyber Insurance Policies
✅ 1️⃣ Acts of War and Terrorism
Many cyber policies specifically exclude damage caused by acts of war, including cyber warfare between nation-states.
Example:
If an Indian IT company suffers a catastrophic breach because of a state-backed threat actor targeting critical infrastructure as part of a geopolitical conflict, there’s a good chance the insurer will argue it falls under the “war exclusion.”
Insurers often wrestle with what defines “cyber war” versus organized cybercrime. Some offer endorsements to cover certain nation-state attacks — but they often come with higher premiums and tight conditions.
✅ 2️⃣ State-Sponsored Attacks
Closely related to war exclusions, some policies explicitly exclude attacks attributed to state-sponsored advanced persistent threat (APT) groups.
Given the rise in sophisticated attacks targeting supply chains, government contractors, and critical infrastructure, this is a serious gap for organizations in sensitive sectors.
✅ 3️⃣ Insider Threats and Dishonest Acts
Most policies won’t cover losses caused intentionally by senior executives or owners of the company. Fraudulent or criminal acts by insiders are excluded if they benefit the company directly.
However, unintentional insider threats — like a careless employee clicking a phishing link — are generally covered if other conditions are met.
✅ 4️⃣ Social Engineering and Fraud
One of the biggest blind spots: standard cyber policies often do not cover losses due to deception-based fraud like business email compromise (BEC) or fake invoice scams unless specifically added through endorsements.
Example:
If your accounts team is tricked into wiring ₹2 crore to a fraudulent vendor account, your policy might not cover the loss unless you purchased a separate “social engineering fraud” extension.
✅ 5️⃣ Physical Damage
Most cyber insurance covers data loss, reputational harm, legal liabilities, and digital forensics — but not physical damage caused by a cyber incident.
So, if a hacker disables a factory’s connected machinery, causing a fire or machinery breakdown, your standard cyber policy likely won’t pay for physical repairs — that’s the realm of traditional property insurance.
✅ 6️⃣ Failure to Maintain Minimum Security Standards
This is a crucial — and often misunderstood — limitation. Policies require insured organizations to maintain reasonable security practices:
- Keeping software and systems patched.
- Using multi-factor authentication (MFA).
- Encrypting sensitive data.
- Following data privacy regulations like India’s DPDPA 2025.
If a breach happens because you failed to maintain these standards, the insurer may deny the claim on the grounds of gross negligence or breach of policy conditions.
✅ 7️⃣ Prior Known Incidents
Most policies will not cover incidents or breaches that occurred before the policy’s retroactive date — or incidents you knew about but didn’t disclose.
Example: If a company discovers suspicious network activity but doesn’t disclose it when buying a policy, and that activity later results in a full-blown breach, the claim will likely be rejected.
✅ 8️⃣ Contractual Liability
Sometimes businesses sign contracts that impose obligations or liabilities that extend beyond normal legal standards.
Cyber insurance typically excludes these special contractual obligations, so if a partner sues you for damages based on custom terms that aren’t standard practice, your policy may not respond.
✅ 9️⃣ Fines and Penalties
While many modern policies cover regulatory fines for data privacy violations, this isn’t always guaranteed — and not all fines are legally insurable in every jurisdiction.
Under India’s DPDPA 2025, for example, some administrative penalties may be insurable, but punitive or criminal fines generally are not.
✅ 10️⃣ Utility or Infrastructure Failures
Some policies exclude losses caused by failure of the internet backbone, power grid, or other essential utilities — unless the failure results directly from a covered cyber incident.
Key Limitations to Watch For
Beyond outright exclusions, there are limitations that restrict how much you can claim.
Common limitations include:
- Sublimits: Even if you have ₹50 crore in total coverage, there may be much lower sublimits for specific incidents like ransomware payouts, notification costs, or data restoration.
- Waiting periods: For business interruption losses, there’s usually a time-based deductible, meaning the interruption must last longer than a set period (e.g., 12 or 24 hours) before coverage kicks in.
- Co-insurance: Some policies share costs with the insured, requiring you to bear a percentage of the loss.
- Territorial limits: Policies may restrict coverage to incidents occurring within specified jurisdictions.
Practical Example
A mid-size Indian e-commerce firm had cyber insurance that covered data breaches but not social engineering fraud. When an employee was tricked into wiring ₹50 lakh to a fake supplier, the insurer rejected the claim — because the loss wasn’t due to a “network security failure” but human deception.
The company learned the hard way: always read the fine print and understand what extensions are necessary for your actual risk profile.
How the Public Benefits
When companies know what their policies exclude, they must build stronger internal defenses, train employees, and maintain clear procedures. This indirectly protects customer data, reduces breach likelihood, and improves incident response — benefiting every user whose data is in their hands.
Best Practices for Organizations
✅ Read the policy thoroughly: Work with a specialized broker who understands cyber risk nuances.
✅ Disclose accurately: Any misrepresentation can void coverage.
✅ Close coverage gaps: Consider endorsements for social engineering fraud, reputational damage, or supply chain risks.
✅ Align security practices: Keep up with minimum standards, maintain compliance, and document controls.
✅ Test your response: Tabletop exercises ensure you can meet policy conditions when an incident strikes.
Conclusion
Cyber insurance is an indispensable safety net in 2025 — but it’s not a blanket guarantee. Policies are intricate, full of exclusions and limitations designed to balance risk for both the insurer and the insured.
Smart businesses don’t assume they’re protected — they verify, negotiate, and align their security posture to match policy requirements. They ask questions, close gaps with endorsements, and make sure they have enough coverage for the real-world threats they face.
Ultimately, a clear-eyed understanding of what’s not covered is just as powerful as the promise of what is — and it’s the key to building true resilience in an increasingly unpredictable digital world.