2025-10-07 | 6 min read
Compliance

7 Questions to Ask Before You Buy Cyber Insurance

A practical checklist of critical questions every CEO should ask before purchasing cyber insurance to avoid coverage gaps and costly surprises.

Sean P. Conroy

Cyber insurance is one of the fastest-growing lines of commercial coverage in the market. But buying a policy without asking the right questions is like buying a building without an inspection: you might not discover the gaps until it's too late.

Too many CEOs treat cyber insurance as a checkbox. They sign the application, pay the premium, and assume they're covered. Then a breach happens, the claim gets denied, and they learn the hard way that their policy had exclusions they never read.

Key insight: Cyber insurance is not a substitute for cybersecurity. Insurers are increasingly requiring proof of security controls before they'll underwrite your policy, and they'll deny claims if those controls aren't maintained.

Here are seven questions you need to ask before you sign anything.

1. What Exactly Is Covered, and What Isn't?

This sounds obvious, but most policies bury critical exclusions in dense legal language. Common gaps include:

  • Acts of war or nation-state attacks: Many policies exclude attacks attributed to foreign governments. Given recent geopolitical tensions, this exclusion is broader than you might think.
  • Social engineering losses: If an employee is tricked into wiring money, your policy may not cover it unless you purchased a specific endorsement.
  • Prior acts or known vulnerabilities: If you knew about a vulnerability and didn't patch it, your insurer may deny the claim.

Ask your broker to walk you through every exclusion in plain language.

2. Does the Policy Cover Regulatory Fines and Penalties?

Depending on your industry and jurisdiction, a breach can trigger fines under HIPAA, state privacy laws, PCI DSS, or international regulations like GDPR. Not all policies cover regulatory penalties, and some that do will cap the amount at a fraction of your overall coverage limit.

Data point: The average regulatory fine associated with a data breach now exceeds $250,000 for mid-sized companies, and some HIPAA violations carry penalties up to $2 million per incident. (Source: U.S. Department of Health and Human Services)

Make sure your policy explicitly addresses regulatory fines in the jurisdictions where you operate.

3. What Security Controls Does the Insurer Require?

Insurers are no longer writing blank checks. Most now require specific controls as conditions of coverage:

  • Multi-factor authentication (MFA) on all remote access
  • Endpoint detection and response (EDR)
  • Regular patching cycles
  • Offline or immutable backups
  • Employee security awareness training

If you can't demonstrate these controls during underwriting, or during a claim investigation, your coverage could be voided entirely.

4. What Is the Claims Process, and How Fast Does It Move?

During a breach, speed matters. You need to understand:

  • Who do you call first? Most policies require you to contact the insurer before engaging outside counsel or forensics firms.
  • Does the insurer choose your incident response team? Many policies mandate using approved vendors, which can limit your options.
  • What's the typical payout timeline? Some claims take months to settle. Understand whether you'll need to front costs.

Common Pitfall

Engaging your own forensics firm or legal counsel before notifying your insurer can void your coverage. Know the notification requirements before an incident happens, not during one.

5. How Are Coverage Limits Structured?

A $5 million policy doesn't mean you get $5 million for every type of loss. Coverage limits are often split across sub-categories:

  • Business interruption
  • Data recovery and forensics
  • Legal and regulatory costs
  • Notification and credit monitoring
  • Ransom payments (if covered at all)

Each sub-limit can be significantly lower than the headline number. Ask for a breakdown of every sub-limit and make sure they align with your actual risk exposure.

6. Does the Policy Cover Business Interruption Losses?

Ransomware attacks routinely shut businesses down for days or weeks. Business interruption coverage reimburses lost revenue and extra expenses during downtime, but the details matter:

  • Waiting periods: Most policies have a waiting period (often 8 to 12 hours) before business interruption coverage kicks in.
  • Coverage duration: There's usually a cap on how many days of lost revenue the policy will cover.
  • Proof requirements: You'll need to document your losses meticulously. If you don't have clean financial records, proving your claim gets difficult.

7. What Happens at Renewal?

Cyber insurance is not a set-it-and-forget-it purchase. At renewal, insurers reassess your risk posture. If you've had a claim, failed to implement required controls, or if the threat landscape has shifted, expect:

  • Premium increases of 20-50% or more
  • New control requirements as conditions of renewal
  • Reduced coverage limits or added exclusions
  • In some cases, non-renewal

Build a relationship with your broker and treat each renewal as an opportunity to reassess your coverage against your evolving risk profile.

Key Takeaways

  • Read the exclusions: The most expensive policy is the one that doesn't pay when you need it.
  • Verify control requirements: Insurers will check, especially during claims investigations.
  • Understand sub-limits: Your headline coverage number may not reflect your actual protection.
  • Know the claims process cold: Practice it before you need it.
  • Plan for renewal: Your security posture directly affects your premiums and coverage options.

Cyber insurance is a critical piece of your risk management strategy, but only if it's the right policy with the right coverage. Don't outsource this decision to your broker alone; own it.

For a deeper look at how cyber insurance fits into a comprehensive security strategy, check out Cybersecurity for CEOs. And if you want to talk through your coverage strategy, reach out directly or connect with me on LinkedIn.

"The best time to read your cyber insurance policy is before you need to file a claim. The second best time is right now."
