The Cyber Insurance Contract Is Not a Cyber Defence Strategy
Cyber insurance has become what firewalls were in 1998: a perceived necessity that creates a false ceiling on organisational appetite for genuine security architecture, and the discovery of what is not covered arrives only after the loss is irreversible.
The past eighteen months have exposed a structural misalignment between what boards believe insurance transfers and what claims adjusters actually pay. The Synnovis ransomware cascade across the NHS in June 2024 — a £10 million event that crippled pathology services across southeast England — was nominally covered until the insurer discovered that the organisation had failed to enforce multi-factor authentication on administrative accounts and had no evidence of timely patching of the Citrix NetScaler appliances through which the intruders moved laterally. The policy was voided on the basis of "material non-disclosure of known vulnerabilities". The Scattered Spider operation targeting M&S in December 2024, where initial access came via a resold contractor credential purchased on dark markets, revealed that most cyber policies exclude compromise of third-party access vectors unless specific pre-incident controls can be documented per policy appendix — few organisations maintain them. Change Healthcare's $22 million ransomware event in February 2024 — affecting prescription fulfillment for months across the United States — resulted in an insured loss, but the claims process consumed six months and required forensic reconstruction of what was never encrypted, what was exfiltrated, and what constituted "business interruption" under the policy's narrow definition. The insurer paid approximately 40% of the organisation's claimed losses.
Yet the deeper pattern remains invisible in board papers and risk committee minutes. Insurance is a transfer mechanism for quantifiable tail events in a stable threat model. It is not a control. It is not a deterrent. It transfers money after loss materialises. And it does so only if the organisation can prove, through operational records that most organisations do not maintain, that it was not already in material breach of the policy's technical conditions at the moment of loss.
The industry narrative around cyber insurance — promoted by brokers, underwriters, and compliance frameworks that require it — is that it closes the gap between what you can afford to prevent and what you cannot. The PULSE reading is different: cyber insurance as currently sold is a financial instrument that measures organisational maturity in reverse. What is excluded from the policy is where genuine security architecture begins.
The Standard Cyber Insurance Product: Scope and Silent Gaps
Cyber insurance in its contemporary form emerged as a market segment around 2010, when breach notification laws in California and beyond created a quantifiable liability for data loss. The Lloyd's market, US specialty carriers like Chubb and AIG, and a second wave of digital-native insurers (Coalition, Cybereason, Patchman) built underwriting models on frequency and severity of losses in their book. By 2023, the global cyber insurance market was worth approximately $12 billion in written premium, with average policy limits of $5–50 million for mid-market organisations and $100 million–$1 billion for enterprises.
A standard cyber insurance policy covers four domains: first-party costs (forensics, notification, remediation), third-party liability (regulatory fines, legal defence, settlements), crisis management (PR, legal support, credit monitoring for affected individuals), and business interruption (revenue loss during downtime). The policy is triggered by a "cyber loss event" — typically defined as unauthorised access to systems, data exfiltration, malware deployment, or ransomware encryption. Underwriting relies on a questionnaire (the "cyber risk assessment form"), submitted once at policy inception and often not updated. Premium is calculated from that static snapshot, plus claims history, industry vertical, and employee count.
The exclusions are where the contract becomes meaningful. Most cyber policies exclude losses arising from:
Known vulnerabilities at policy inception. If a CISO can be shown to have known of a CVE (CVE-2023-46805, the Citrix NetScaler vulnerability exploited in both Synnovis and multiple other NHS trusts, is the canonical example) and failed to patch within a defined window (typically 30 or 60 days from patch publication), the insurer will assert that the organisation was already in breach of the implied duty of "reasonable cyber hygiene" and deny coverage. This requires the insurer to obtain your vulnerability scanning records, incident response logs, and change management approvals — most organisations do not retain these at the granularity required to defend the claim.
Failure to enforce MFA on administrative accounts. After Synnovis, this exclusion tightened dramatically across the market. Underwriters now demand proof that MFA (FIDO2 preferred, but TOTP/SMS accepted with qualification) is enforced on all privileged accounts, with exception logs reviewed monthly. Most policies now require attestation every 90 days. If a breach occurs and the forensic investigation shows that initial access came via an administrative account without MFA, the policy is void ab initio.
Third-party compromise and shared infrastructure. The MOVEit zero-day exploitation in 2023 (CVE-2023-34362, deployed by Cl0p) affected more than 2,000 organisations. Many were insured; many had policies that explicitly stated: "We do not cover losses arising from vulnerability in third-party software unless the policyholder can demonstrate that it implemented compensating controls documented in writing prior to the incident date." Few organisations did. The Scattered Spider compromise of M&S involved the purchase of a valid contractor credential on Exploit Forum for approximately £10. The M&S policy excluded "compromise of access credentials belonging to third parties", unless M&S could prove it had enforced SSO, credential rotation, and session monitoring per the policy's technical appendix. The claim was denied.
Encryption under contract. This is the most legally subtle exclusion. If the policyholder was holding data under a contract that required it to be encrypted at rest and in transit, and it was not, the insurer will assert that the loss is partly the consequence of the policyholder's breach of contract with its own customer — and therefore falls outside the insurer's duty to cover "cyber losses" (which the policy defines as losses not arising from the policyholder's own negligence). Change Healthcare's claim took six months partly because the insurer spent three months reviewing contracts between Change Healthcare and pharmacy customers to determine whether encryption obligations were material and whether Change Healthcare had breached them.
Why Standard Remediation Deepens the Architectural Problem
The conventional response from compliance and risk teams is to tighten the controls that the underwriter values: patch faster, enforce MFA everywhere, maintain audit logs, reduce time to respond to alerts. These are legitimate operational practices. But they are orthogonal to the question of whether the organisation's infrastructure can survive a breach once it is inside the perimeter.
The vulnerability scanning, patch management, and identity-and-access-management (IAM) stacks that most organisations implement are detection-and-response tools. They identify what should be done; they do not prevent the loss if someone with a valid credential or a zero-day exploit moves laterally within the architecture. The NHS trusts that were compromised in the 2024 cascade had EDR (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint), had SIEM (Splunk, QRadar, Sentinel), had IDS/IPS (Palo Alto Networks, Fortinet, Cisco ASA). None of these stopped the lateral movement once the initial Citrix NetScaler appliance was compromised, because the east-west data plane was not segmented, and the appliances were not isolated via zero-trust network access controls. They detected the movement, but after the fact. The forensic reconstruction took weeks. The insurance claim took months. The damage was irreversible.
This is the architectural ceiling that PULSE identifies as the core failure mode of contemporary cyber insurance thinking. The underwriter's questionnaire asks: "Do you have EDR deployed?" not "Can your organisation prove that data cannot leave a compromised zone without defeating cryptographic controls that the organisation itself does not hold the keys to?" The policy excludes known vulnerabilities but does not require the architecture to be indifferent to unknown ones. It prizes detection but transfers no liability for resilience.
Insurance, in this reading, measures the organisation's acceptance of a detection-and-response model. It is a financial instrument that prices the expectation of breach, compensates the victim, and transfers risk to the underwriter — but it does not change the underlying architecture that made the breach costly in the first place.
Architectural Principles Beyond Insurance
A cyber architecture designed for post-breach resistance — rather than pre-breach detection — starts from an inverted premise: assume the perimeter is already compromised, and ensure that the data plane is architected such that exfiltration, encryption, or lateral movement requires defeating controls that the organisation itself does not depend on operationally.
The PULSE doctrine frames this around several structural principles, none of which are reflected in standard cyber insurance underwriting:
Zero-knowledge substrate. Data held by the organisation should be encrypted such that the organisation cannot decrypt it without cryptographic material held outside the organisation (typically by a hardware security module, a distributed key management service, or a threshold scheme where no single party holds a complete key). This means that if an attacker compromises the organisation's infrastructure, they can steal encrypted data, but they cannot read it — and crucially, neither can the organisation's own staff, unless they authenticate to a separate credential system and retrieve the decryption key through a hardware token or out-of-band channel. This is not "defence in depth" (which assumes multiple detection layers working together). It is architecture that makes the asset unusable to an attacker even if the perimeter and all internal systems are compromised.
Data-plane and control-plane separation. Modern infrastructure architecture distinguishes between the plane where data moves (the data plane) and the plane where access decisions are made (the control plane). Standard cyber insurance underwriting focuses on detecting anomalies in the control plane — unusual login patterns, unexpected API calls, lateral movement detected by EDR. But it assumes the data plane is broadly accessible once you are authenticated. Zero-trust architecture inverts this: the data plane is segmented by cryptographic policy, not by network rules that can be bypassed via routing or credential compromise. A breach of administrative credentials does not grant access to customer data unless the attacker also defeats the cryptographic controls that separate data zones.
Adaptive posture drift. Insurance policies assume a static threat model: the organisation patches within 30 days, enforces MFA, maintains 90 days of logs. But threat actors adapt faster than patch cycles. A more resilient architecture continuously adjusts its posture — rotating encryption keys, changing the schema of logs (making tools that depend on static SIEM field mappings ineffective), altering which systems are exposed via API, randomising the location of backup systems — without requiring human intervention. This is not "randomisation for randomisation's sake"; it is engineering the substrate such that reconnaissance, lateral movement, and exfiltration all depend on assumptions that are continuously invalidated.
Domain-specific cryptographic primitives. Rather than deploying commodity encryption (which assumes the attacker has unbounded computational resources but finite time), domain-specific encryption — tied to the semantics of the data itself — can make certain attacks computationally or logically infeasible. Healthcare data encrypted in a schema that links the decryption key to the patient identifier and the treating facility means that even if an attacker exfiltrates the ciphertext, they cannot decrypt it for a different patient or facility without returning to the encrypted organisation's systems. This is not end-to-end encryption (which would require the organisation to give decryption keys to every party). It is architecture that makes the exfiltrated data worthless to anyone except the organisation it was stolen from.
None of these principles can be expressed in an insurance questionnaire, underwritten by an external party, or verified by a third-party auditor without defeating the core benefit — because the architecture's strength lies in the fact that it cannot be observed from outside, and changes continuously.
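As an added illustration of the zero-knowledge substrate and domain-specific key principles above (example code written for this page, not PULSE's own reference architecture): each record's AES-GCM key is derived from a master key plus the patient identifier and treating facility, and that context is also authenticated as associated data, so ciphertext taken under one facility cannot be opened under another. The master key literal, the context string format, the HKDF parameters and the function names are assumptions; in deployment the master key would be reassembled on demand from shares held by an HSM and an external key service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed master key; assumed reassembled from HSM + external key-service shares.
var master = []byte("0123456789abcdef0123456789abcdef")

// recordContext binds a key to the data's semantics: patient plus treating facility.
func recordContext(patientID, facility string) []byte {
	return []byte("patient=" + patientID + "|facility=" + facility)
}
// gcmFor: per-record AES-256 key via one HKDF-Expand block (RFC 5869, master as PRK, ctx as info).
func gcmFor(ctx []byte) cipher.AEAD {
	h := hmac.New(sha256.New, master)
	h.Write(ctx)
	h.Write([]byte{0x01})
	block, _ := aes.NewCipher(h.Sum(nil))
	g, _ := cipher.NewGCM(block)
	return g
}
// sealRecord: encrypt under the context-bound key; ctx is also the GCM associated data.
func sealRecord(patientID, facility string, pt []byte) []byte {
	ctx := recordContext(patientID, facility)
	g := gcmFor(ctx)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, pt, ctx) // output is nonce || ciphertext || tag
}
// openRecord fails unless patient and facility match those used at seal time.
func openRecord(patientID, facility string, sealed []byte) ([]byte, error) {
	ctx := recordContext(patientID, facility)
	g := gcmFor(ctx)
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], ctx)
}

func main() {
	ct := sealRecord("P-1001", "facility-A", []byte("HbA1c 6.1%"))
	_, err := openRecord("P-1001", "facility-B", ct) // same patient, wrong facility
	fmt.Println("wrong facility rejected:", err != nil)
}
```

The same binding that stops an attacker reading cross-facility ciphertext also stops the organisation's own staff, which is why the doctrine above routes legitimate access through a separate credential and key-retrieval path.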
The Regulatory Direction: Insurance as Insufficient Baseline
Recent regulatory actions have begun to articulate this implicitly. The FCA's Senior Management Certification Regime (SM&CR), introduced in 2019 and tightened in 2023, requires senior leaders to certify that they have taken "reasonable steps" to ensure the firm's cyber resilience. "Reasonable steps" is not defined in the FCA Handbook, but enforcement guidance makes clear that it means architecture that survives compromise of key systems, not merely detection and response to compromise. DORA (the EU's Digital Operational Resilience Act), enforced from January 2025, requires financial institutions to demonstrate "resilience to operational shocks" — which the EBA's technical standards interpret as requiring infrastructure that can maintain critical functions during "the five-day, organisation-wide incident scenario" where all detection systems are assumed offline. NYDFS Part 500 (New York's cybersecurity requirements for financial services firms), finalised in 2023, requires encryption of non-public information "throughout its transmission and storage", but also requires the encryption scheme to be such that the firm itself cannot unilaterally decrypt it (implying third-party or hardware-backed key management).
These are tentative steps toward encoding the principle that cyber insurance is not a substitute for architectural resilience. But they are regulatory minimum standards, not design ideals. And compliance with a regulatory baseline is rarely excellence.
What Remains Uninsurable
The costs that cyber insurance cannot transfer are those that arise from the organisation's inability to operate after a breach. If your architecture is such that a breach of the control plane gives an attacker access to the data plane, then your only recovery path is forensic reconstruction — which takes weeks or months. During that time, the organisation cannot serve customers, cannot access its own data, cannot issue invoices, cannot process claims. The business interruption clause of a cyber policy will cover some of this, but only up to the policy limit, and only if the organisation can prove that it took "all reasonable steps" to prevent the breach in the first place — which, under current underwriting practices, means maintaining a vulnerability scanner, a patch management process, and EDR. If it had these and was still breached, it likely means the zero-day was new, or the patch was not yet available, or the attacker used a supply-chain compromise. The claim will be disputed.
What is insurable is the difference between a resilient architecture and a detection-dependent one. And that difference is paid, after the fact, in the form of a cheque that arrives after the customer has left, the contract is terminated, and the organisation's reputation is destroyed.
---
Organisations that hold or transfer material volumes of data or currency are invited to request a technical briefing on post-breach-resistant architecture under executed mutual NDA.
PULSE engages only with verified counterparties. Strategic briefing material — reference architecture, regulatory mapping, deployment topology — is released after counter-execution of the NDA scoped to the recipient's evaluation purpose.