Business cover · Cyber

What Cyber Insurance Covers — and the Exclusions That Catch Businesses Out

Knowing what a cyber policy pays for is half the picture. The half that costs businesses money is what it won't pay for — usually discovered too late.

The most expensive surprise in cyber insurance isn't the premium — it's the exclusion you find on the day you claim.

Exclusions are not fine print; they are the policy. Here's what cyber cover pays for, and the gaps that decide claims.

The short version

  • Cover splits into first-party (your own losses) and third-party (claims against you).
  • Common exclusions: war and state-sponsored attacks, prior known incidents, weak security hygiene, deliberate insider acts, physical damage and IP.
  • The trap that catches small firms most: fraud where someone was tricked into sending money.
  • Read the wording before you need it, not after.

First-party and third-party cover

First-party cover pays for your own losses after an incident; third-party cover pays for claims others bring against you. A strong small-business policy carries both.

The two halves of a cyber policy — category-level, insurer-agnostic
First-party (your own losses)Third-party (claims against you)
Incident response & forensicsData-breach liability to customers / employees
Data restoration & system recoveryRegulatory defence costs
Business interruptionMedia / IP liability
Cyber extortion / ransomware (where lawful)
Breach notification & crisis PR

The common exclusions

Most disputes come down to an exclusion, so know them before you sign.

  • Acts of war, invasion or terrorism — increasingly hard to apply cleanly as state-sponsored attacks blur the line.
  • Any incident already known before the policy started.
  • Losses traced to poor security hygiene — unpatched systems, missing controls.
  • Deliberate, dishonest or criminal acts by your own people.
  • Physical damage to hardware, and intellectual-property infringement (a different policy).

The trap: social-engineering and funds-transfer fraud

Standard cover responds to hacking; it often treats it very differently when an employee is tricked into sending money.

If your finance team is fooled by a convincing fake email into wiring a payment, some policies won't pay — the system wasn't technically “breached.” Others cover it, but under a separate, much lower sub-limit. Since phishing and fraudulent transfers are among the most common losses Indian businesses suffer, this gap deserves its own attention — see cyber-crime and fraud cover.

How to read a policy wording

Don't read the brochure; read the wording — exclusions first, then sub-limits, then the conditions you must meet to stay covered.

If something you clearly need sits under a sub-limit or an add-on, that's not a dealbreaker — it's a question to put to your broker. The criteria to apply are in how to choose cyber insurance.

Frequently asked questions

Does cyber insurance cover ransomware?

Usually yes — response, data restoration and business interruption, and sometimes the ransom itself where lawful. Check the sub-limit.

Does it cover money lost to phishing or a fake invoice?

Not always. Social-engineering and funds-transfer fraud are often excluded from standard cover or sub-limited. See cyber-crime and fraud cover.

Are data-breach fines and regulatory costs covered?

Defence costs often are; some penalties may be covered where legally permissible. Wording varies — confirm it.

Can a claim be denied for weak security?

Yes. If you didn't maintain the controls you declared, or systems were unpatched, an insurer may reduce or deny a claim.

Does it cover incidents at a third-party vendor?

Some policies do; many don't by default. If you rely on vendors, ask specifically about supply-chain cover.

What happens when you talk to us

A 20-minute video call with a Growth Advisor — no obligation, and no quote pushed. It opens with a five-minute video from our founder on how the benefits stack works and why Ethika exists; the rest is your questions. You'll leave with an honest read on your current cover and claims experience, and a straight answer on whether we can genuinely help — even if you never become a client.

Talk to us

20 minutes with a Growth Advisor. No obligation.

A note on this page. Everything here is general information, not insurance, legal, financial or tax advice, and nothing is an offer. For advice about your situation, talk to us.