The Premium Dropped. So Did Your Coverage.
Good news arrived at the Gartner Security and Risk Management Summit, and like most good news in this industry it came wrapped around a knife. Cyber insurance is getting cheaper. Carriers spent years bleeding on claims they mispriced, and they have finally tuned their models. Rates are softening across the board, and there are even discounts for organisations that can prove a real security posture. If you renew this year, the number on the quote will probably make you smile.
Then you read the policy, and the smile goes away.
The exclusion list is eating the policy from the inside
The single most important shift in this market is not the price. It is the steadily growing list of things your policy will not pay out on. Per Gartner's read, the exclusions now routinely include:
- Employee actions, which in some policies sweep in social engineering
- Outdated or unpatched software
- Failure to maintain stated security controls
- Incidents tangled up in mergers and acquisitions
Look at the first one again, because it is the landmine. The carrier logic goes like this. If an attacker talks your finance team into wiring a million, and never breaks into a single system, never takes control, never impersonates a machine, then the carrier's position is that no cybercrime occurred. It was a failure of your internal controls. Your problem, not theirs.
Why that one exclusion matters more than the rest
Because social engineering is not a corner case. It is the main event. ClickFix-style attacks, where a victim is talked into pasting and running attacker-supplied commands to fix a fake error, made up 52% of what Huntress observed across 2025. Note what that attack does not involve: no exploit, no compromised credential, no machine impersonated. The employee executes the payload, which is exactly the "employee action" the exclusion describes. That is the majority of real incidents living in the exact category your policy may now decline. You can run a clean tabletop, file the claim, and discover that the most common attack on the planet is the one your insurer files under "not our problem."
That is not a cybercrime. That is a failure of your internal controls.
That sentence, said out loud by an analyst describing how carriers think, should be printed and taped to the wall of every risk meeting.
The fine print nobody reads until it is too late
It gets more textured below the headline exclusions. War clauses have hardened. Lloyd's published cyber-war definitions that most carriers adopted, and they can carve out certain nation-state activity entirely. Mass cyber events, the kind where a major cloud provider falls over and takes half the internet with it, can see payouts cut by as much as half. There are sub-limits hiding inside the big number too. A 10 million policy does not mean 10 million you can hand to a top-tier DFIR firm. There are caps on how much goes to a breach coach, caps on incident response spend, caps you will only find if you go looking.
And then there is the timing trap. Tail coverage. Cyber policies are typically written on a claims-made basis, so what matters is when the claim is reported and the policy's retroactive date, not when the attacker got in. If you switch carriers on the first of the month, then discover last month you were already breached, the new policy will not cover an incident that predates its retroactive date, and the old one stopped accepting claims the day it expired. Without tail coverage (an extended reporting period on the expiring policy) or a retroactive date on the new one that reaches back far enough, you fall straight through the gap at the worst possible moment.
What to actually do
This is not a "buy more coverage" post. It is a "know what you bought" post. Sit down with the underwriter, not just the broker, and ask the ugly direct questions. If I get hit by a nation-state actor, am I covered? If the answer is "it depends," then go through what it depends on, line by line, until there are no surprises left. Map your most likely incident scenarios against what the policy will and will not pay on, and check each one against the exclusions, sub-limits and retroactive date rather than the headline limit. Most teams I talk to have never done that exercise. They priced the premium and never read the exclusions.
Curiously, AI has not reshaped this market yet. Carriers are watching the rogue-agent horror stories closely, but the policies have not moved much. Enjoy that lull. It will not last, and when it ends, the new exclusions will not arrive with a warning email either.