up:: Doing the Work MOC

Cyber Insurance

Cyber insurance is a contract in which an insurer agrees to indemnify an organization for defined losses from a cyber event, such as ransomware, a data breach, business interruption, extortion, funds-transfer fraud, or regulatory defense, in exchange for a premium. It’s the risk-transfer layer of a security program, the place where residual risk goes to be financed once controls have done what they can. It’s also the one governance instrument in this whole subject that’s a market rather than a codified framework, so its rules come from carrier underwriting practice, broker convention, reinsurance capacity, and a handful of court rulings, not from a NIST publication or an ISO clause.

The short version:

  • Cyber insurance finances the losses left over after your controls have done their job. It transfers residual risk for a premium; it doesn’t reduce the underlying risk.
  • The underwriting application has become a de facto security audit. Since the 2021 to 2022 market hardening, carriers ask detailed control questions (multi-factor authentication, endpoint detection, tested backups, encryption), and your written answers become binding attestations.
  • A material misrepresentation on that application can void the policy retroactively, which a carrier did over an overstated MFA answer in Travelers v. ICS.
  • Exclusions carry enormous weight. War and state-backed-attack exclusions decided the biggest coverage fight of the decade (the Merck NotPetya case), and a “failure to maintain minimum security standards” exclusion ties your coverage to the controls you claimed.
  • The forward question this Guide raises: applications ask whether data is “encrypted,” they don’t yet ask which algorithms or whether the estate is crypto-agile. As post-quantum migration becomes a board topic, that’s the most likely door for quantum to enter underwriting.

Think of a cyber policy the way you’d think of a life insurance application. The premium isn’t the interesting part. The interesting part is the medical questionnaire, because everything you write on it is a representation the insurer relies on, and if you claimed you were a nonsmoker when you weren’t, the payout can evaporate at exactly the moment your family needs it. A cyber application works the same way, except the questionnaire asks about your security controls, and the “nonsmoker” line is increasingly “yes, our sensitive data is encrypted.”

What is cyber insurance, and who needs it?

Cyber insurance is voluntary and market-driven rather than statutory. No US federal law requires a private organization to carry it. It becomes effectively binding three ways: through contract, when a customer, lender, or business partner demands the organization carry a stated cyber limit; through sector expectation, common in healthcare, financial services, and among public entities; and through board fiduciary pressure, which tends to arrive right after an incident.

The organizations that buy it hold regulated data, run revenue-critical systems, or face contractual flow-downs from the companies they serve. It’s concentrated among mid-market and enterprise firms, and it’s increasingly a line item in vendor contracts and M&A diligence, where a buyer wants proof the target’s residual cyber risk is financed. There’s no “version” of cyber insurance the way there’s a FIPS 203; the market’s state is a moving thing. After the sharp price hardening of 2021 to 2022, prices softened through 2024 and 2025 even as underwriting rigor on baseline controls held firm. US direct written premium contracted to roughly $9.14 billion in 2024, its first ever annual reduction, down about 7% from 2023.

Source: NAIC, “Report on the Cybersecurity Insurance Market” (2025 report, 2024 data), NAIC 2025 cyber report.

How is a cyber insurance policy built?

A standalone cyber policy is assembled from coverage grants (what it insures) and structural levers (how much and under what conditions it pays). The exact menu varies by carrier, but the categories below are market-standard, reconstructed from prevailing practice rather than any single carrier’s proprietary wording.

The grants split into first-party (the insured’s own losses) and third-party (liability to others):

  1. Incident response and breach costs (first-party): forensics, legal breach coaching, notification, credit monitoring, and public relations.
  2. Business interruption and extra expense (first-party): lost income and added cost from a covered outage, subject to a waiting period.
  3. Contingent or dependent business interruption (first-party): loss from an outage at a third party the insured relies on, like a cloud or SaaS provider. Usually sub-limited.
  4. Cyber extortion and ransomware (first-party): ransom payment, negotiation, and associated costs, increasingly co-insured and sub-limited.
  5. Digital asset restoration (first-party): the cost to restore or recreate data and systems.
  6. Funds-transfer fraud and social engineering (first-party): typically sub-limited.
  7. Network security and privacy liability (third-party): defense and damages when someone else’s data is breached or a security failure harms others.
  8. Regulatory defense and penalties (third-party): costs and, where fines are insurable by law, penalties from a regulator such as a state attorney general or an EU data-protection authority under GDPR.

The structural levers are the dials that decide how much the carrier actually pays:

LeverWhat it doesWhy it matters for a slow-fuse cryptographic loss
LimitThe maximum the carrier pays, often with per-coverage sub-limitsCaps the total recovery regardless of the loss
Retention / deductibleThe insured’s first-dollar exposure per claimYou self-fund below this line
CoinsuranceA share of certain losses (often ransomware) the insured keeps above the retentionShifts more of the loss back to the insured
Waiting periodThe hours of outage before business-interruption coverage attachesA discovery-and-period model that a delayed harm sits awkwardly against
Sub-limitsLower caps on specific grants (ransomware, social engineering, dependent BI)The real coverage on a named peril is often far below the headline limit
Retroactive dateBreaches must have first occurred after this date to be coveredThe structural feature most exposed to a harm that crystallizes years after the trigger

Source: coverage grants and structural levers reconstructed from prevailing market practice; confirm the exact grants, sub-limits, and wording against a specific policy. Market context, Marsh, US cyber insurance market updates.

How do carriers underwrite and price cyber risk?

Carriers price cyber risk primarily off a self-reported application, and since the 2021 to 2022 hardening that application functions as a security-controls audit. The insured completes a proposal form plus, for most risks, a supplemental ransomware questionnaire, and the answers drive whether the risk is written at all, at what limit, at what retention, and at what price. Marsh reports that essentially all cyber applications now ask about multi-factor authentication, which shows how fast a single control went from optional to load-bearing.

Underwriting layers a few other mechanisms on top of the questionnaire:

  1. Outside-in scanning. Many carriers supplement the application with external attack-surface scanning, their own or a vendor’s, at bind and during the term, and some price or non-renew off ongoing scan data. It’s more objective than self-attestation, and it’s also blind to internal cryptographic posture, which no external scan can fully see.
  2. Broker-led placement. For mid-market and larger risks, a retail broker packages the submission, markets it to carriers, and negotiates limits, retentions, sub-limits, and wording. Wholesale brokers and the surplus-lines and Lloyd’s market handle harder or larger risks.
  3. Program structures. Large limits are built as a primary layer plus excess towers; the largest or hardest-to-place risks use quota-share layers, captives, or self-insurance; small accounts often get cyber as an endorsement inside a broader business policy.
  4. Reinsurance and catastrophe modeling. Behind the scenes, carriers cede aggregation risk to reinsurers and model systemic-event scenarios, such as a cloud outage or a widespread cryptographic failure. This is the level where a correlated, market-wide event would be repriced or excluded first, above the level any single insured sees.

The volatility of the market is worth internalizing, because a transfer strategy calibrated to last year’s terms goes stale fast. During the hardening, US cyber premium grew roughly 73% in 2021 and more than 50% in 2022, then the market softened into the 2024 contraction noted above. Terms can move within a single renewal cycle.

Sources: Marsh, US cyber insurance market updates; NAIC 2025 cyber report.

What controls do carriers ask about?

Carriers ask about a recurring set of baseline controls, and the list below reflects prevailing questionnaire content, market practice rather than a published standard. Because your answers become binding attestations, each one is really a representation you should be able to prove.

Control areaWhat the application typically asksWhy the carrier cares
Multi-factor authenticationMFA on remote access, privileged accounts, and emailThe single highest-impact control against account takeover; now near-universal on applications
Endpoint detection and responseEDR or XDR deployed and monitored across endpointsDetects and contains intrusions before they become claims
BackupsTested, segregated, or immutable backupsDetermines whether a ransomware event is a recovery or a payout
Patch and vulnerability managementTime-to-patch on critical vulnerabilitiesCorrelates with how exploitable the estate is
Email securityFiltering and anti-phishing controlsEmail is the dominant intrusion vector
Privileged access managementControl and monitoring of admin credentialsLimits blast radius once an attacker is inside
Incident responseA documented, tested IR planFaster response lowers loss magnitude
EncryptionWhether sensitive data is encrypted at rest and in transitThe representation most relevant to the quantum question below

The encryption line is the one to watch. Today it’s a yes-or-no question. It doesn’t ask which algorithms, which key sizes, which protocol versions, or whether the estate can swap algorithms without re-architecting. A truthful, provable answer to a more detailed version of that question is exactly what a CBOM produces.

Source: near-universal MFA questioning and the shift of the application into a controls audit, Marsh, US cyber insurance market updates; the broader control list is market practice, confirm against a specific application.

What can void a cyber insurance policy?

Two mechanisms can turn a policy you thought you had into a policy that pays nothing: a misrepresentation on the application, and an exclusion that removes the loss you actually suffered.

Misrepresentation and rescission. The application is a set of representations the carrier relies on to price and bind the risk. If a representation was materially inaccurate at binding, the carrier can rescind the policy, unwinding it as if it never existed. In Travelers Property Casualty Co. of America v. International Control Services, a carrier moved to rescind a policy after the insured attested to using multi-factor authentication that turned out to be present in only one location, and the policy was rescinded by stipulated judgment in August 2022. That case is the clearest warning in the market that an attestation you can’t substantiate is an uncosted rescission risk, independent of any specific threat.

Source: Travelers Property Casualty Co. of America v. International Control Services, Inc. (C.D. Ill., filed July 2022; rescinded by stipulated judgment 26 August 2022), Insurance Journal report; analysis, Lockton on Travelers v. ICS.

Exclusions. Even a valid policy carries carve-outs. The ones that carry the most weight here:

  1. War and hostile or warlike action. The traditional exclusion, written for kinetic conflict, produced the marquee coverage fight of the decade. In the Merck NotPetya litigation, a New Jersey appellate court held in May 2023 that a property policy’s hostile-or-warlike-action exclusion did not apply to the 2017 NotPetya attack, and the dispute, over Merck’s NotPetya losses widely reported near $1.4 billion, settled in January 2024 before the state Supreme Court heard it.
  2. State-backed cyber-attack exclusions. In response to exactly that ambiguity, Lloyd’s Market Bulletin Y5381 required all standalone cyber-attack policies written in the Lloyd’s market to include a state-backed cyber-attack exclusion at inception or renewal from 31 March 2023. Compliance is met by adopting one of the Lloyd’s Market Association model clauses (the LMA5564 to LMA5567 families); the LMA5567 family, which doesn’t blanket-exclude all nation-state activity, became the most widely used. Attribution under these clauses leans primarily, though not exclusively, on the government of the state where the affected system sits.
  3. Failure to maintain minimum security standards. A warranty-style exclusion that ties coverage to the controls the insured attested to. This is the mechanism that connects the underwriting questionnaire to the claim, and it’s where an inaccurate cryptographic representation would bite.

Sources: Merck & Co., Inc. v. ACE American Insurance Co. (N.J. Super. Ct. App. Div., approved for publication 1 May 2023), opinion, settlement reported January 2024, Insurance Journal; Lloyd’s of London, Market Bulletin Y5381, “Cyber-attack exclusions” (16 August 2022), Y5381; LMA cyber war and state-backed model clauses, LMA cyber war clauses.

Will quantum-vulnerable cryptography affect cyber insurance premiums and coverage?

Almost none of this is current carrier practice yet, and the direction of travel is analyzable. The honest framing keeps two things separate: what’s true today, and where the market plausibly goes. Below, each item is labeled as current market fact or as forward analysis so the line is never blurred.

  1. The attestation gap (forward analysis, grounded in current fact). Current fact: applications ask whether sensitive data is encrypted, and they generally don’t ask which algorithms, key sizes, or protocol versions, nor whether the estate is crypto-agile. Forward analysis: as post-quantum migration becomes a board topic, that single “encrypted?” line is likely to decompose into questions a client can only answer from a cryptographic inventory. The most probable near-term entry point for quantum into underwriting isn’t a new exclusion; it’s a new control question on the application.
  2. HNDL as an uncontemplated loss (forward analysis). HNDL is a loss whose trigger, the exfiltration, may fall inside a policy period, while its harm, the eventual decryption and disclosure, crystallizes years later, potentially after the retroactive date, the policy period, and even the carrier relationship have all moved on. Cyber wordings are built around a discoverable event within a defined period, so a delayed cryptographic harm sits awkwardly against nearly every structural lever above (the retroactive date, the waiting period, the discovery-based trigger). The exposure is plausibly real now and unpriced now.
  3. The “silent quantum” pattern (forward analysis). Before the Lloyd’s mandate, carriers carried unintended cyber exposure inside non-cyber policies, “silent cyber,” until they were forced to affirm it or exclude it. Quantum-vulnerable cryptography is a candidate to be the next silent exposure: not yet named in most wordings, therefore neither clearly covered nor clearly excluded. The likely market response mirrors the cyber-war path, a model exclusion or a control warranty that then propagates, and watching Lloyd’s and the LMA is the leading indicator. [OPERATOR VERIFY: whether any LMA or carrier wording has yet named cryptographic obsolescence or quantum decryption; as of this note’s date no such published clause has been identified.]
  4. Crypto-agility as a candidate rate factor (forward analysis). MFA moved from absent, to an application question, to a bind-or-decline control, to a rate factor, inside roughly two renewal cycles during the hardening. Cryptographic inventory and crypto-agility are candidates to follow the same arc once a catalyzing loss or regulatory pressure, such as federal PQC-migration deadlines, makes carriers treat quantum-vulnerable estates as an aggregation risk.
  5. Vendor and supply-chain cryptography (forward analysis). Contingent business-interruption and third-party grants inherit the cryptographic posture of the insured’s critical vendors, the same vendor-controlled surfaces catalogued elsewhere in the Guide. A quantum-vulnerable dependency is an aggregation concern for the carrier as much as for the insured.
  6. The attribution twist (current fact plus analysis). Current fact: state-backed exclusions turn on attribution to a government. Forward analysis: a practical quantum decryption capability is most plausibly a state or state-adjacent capability, which means a future harvest-and-decrypt loss could be argued into the state-backed exclusion, layering a coverage fight on top of the breach itself.

None of this says a carrier is underwriting for quantum today. It says the shape of the market makes it a question worth examining while capacity is soft, ahead of the point where the terms harden around it.

How can a security program get ahead of it?

The through-line of everything above is substantiation. The controls a carrier asks about are only as good as your ability to prove them at claim time, and the one control representation heading toward more detail is encryption. Three principles follow from that, taught here as knowledge, not as a program plan:

  1. Know what you can prove. An encryption attestation with no underlying inventory is an unprovable representation, which is the exact shape of a rescission exposure. A CBOM, showing algorithms, key sizes, protocol versions, and key-management posture across the estate, is what turns “yes, we encrypt” into a defensible answer.
  2. Match the policy to the data’s shelf life. A retroactive date years in the past, combined with confidential data that stays sensitive for a decade or more, is the structural setup for an HNDL loss the current wording may not clearly answer. Reading the retroactive date and the war and state-backed exclusions against the longest-lived data set is a board-level question, one for a broker and coverage counsel.
  3. Watch the leading indicators. The first sign that quantum has reached underwriting will be a new control question on the application or a new model clause from Lloyd’s and the LMA. An organization that already holds its cryptographic inventory answers that question from strength at renewal, rather than negotiating from behind.

The point isn’t to place coverage, interpret policy language, or recommend limits. Those belong to a licensed broker and coverage counsel. The point is that the cryptographic facts underneath the transfer decision are knowable now, and knowing them early is what keeps a future underwriting question from becoming a renewal problem.

Common misconceptions

  1. “A policy is a substitute for controls.” Coverage finances residual risk; it doesn’t reduce inherent risk. A warranty-style “failure to maintain standards” exclusion can defeat a claim outright if the attested controls weren’t real.
  2. “HNDL is obviously covered, or obviously excluded.” Neither is safe to assume. Coverage turns on the specific wording, the retroactive date, and the war and state-backed exclusions, which is a question for a broker and coverage counsel on the actual policy, not a thing to assert in the abstract.
  3. “Carriers are already underwriting for quantum.” They generally aren’t. Cryptographic-agility and post-quantum readiness are forward analysis, not standard underwriting questions as of this note. Overstating that is both inaccurate and easy for an insurance-literate reader to catch.
  4. “The war exclusion and the state-backed exclusion are the same thing.” They’re distinct, and under Y5381 the state-backed exclusion sits in addition to the war exclusion, not in place of it.
  5. “The market is stable, so last renewal’s terms still apply.” The 73%-plus premium growth of the hardening and the 2024 contraction show how fast terms move. A transfer strategy can go stale inside a single cycle.
  6. “Encryption on the application means the carrier vetted my cryptography.” It means you attested that you encrypt. No external scan sees your internal algorithms or key sizes, so the substantiation burden sits with you, not the carrier.

Questions people ask

Is cyber insurance required by law? No US federal law requires a private organization to carry it. It becomes binding through contract (a customer, lender, or partner demands a stated limit), through sector expectation, and through board pressure after an incident. Regulated sectors layer their own expectations on top.

Can a cyber insurer really refuse to pay after a breach? Yes, two ways. It can rescind the policy if a representation on the application was materially inaccurate at binding, as in Travelers v. ICS over an MFA answer, and it can deny a specific loss under an exclusion, such as the war, state-backed, or failure-to-maintain-controls carve-outs.

Does my cyber policy cover a harvest-now-decrypt-later loss? It depends entirely on the wording, and no one should assume either way. The trigger and the harm can be years apart, which strains the retroactive date and the discovery-based structure most policies use, and a state-attributed decryption could implicate the state-backed exclusion. Review it with your broker and coverage counsel.

Will quantum-vulnerable cryptography raise my premium? Not today. The forward analysis is that cryptographic inventory and crypto-agility are candidates to follow the path MFA took, from unasked, to an application question, to a control that shapes terms, once a catalyzing loss or a regulatory deadline makes carriers treat quantum-vulnerable estates as an aggregation risk.

What does a carrier ask about encryption right now? Generally a yes-or-no question about whether sensitive data is encrypted at rest and in transit. It doesn’t currently ask which algorithms, key sizes, or protocol versions, or whether you can swap algorithms without re-architecting, which is why a more detailed future question would require a cryptographic inventory to answer honestly.

Why does my written application matter so much? Because the answers are representations the carrier relies on to price and bind the risk, and they can become the basis for rescission if they were materially inaccurate. An attestation you can’t prove, including an encryption claim with no inventory behind it, is an uncosted risk you’re carrying today.

What’s the difference between the war exclusion and the state-backed exclusion? The war exclusion is the traditional carve-out for hostile or warlike action, which courts have read narrowly for cyber events (the Merck NotPetya case). The state-backed exclusion is a newer, cyber-specific clause mandated in the Lloyd’s market by Y5381, and it applies in addition to the war exclusion, turning on attribution of the attack to a government.

Who owns the cyber insurance decision internally? The risk manager or CFO usually owns the buying decision, a broker handles placement, and the carrier’s underwriter sets price and terms. The security team owns the substantiation, whether the controls and cryptographic representations on the application are actually true and provable.


Everything here is the map, given freely. When your team needs its cryptographic inventory built and its quantum exposure examined against the representations in its own cyber policy, defensible to a board and a carrier, that’s the work I do, and there’s an alignment briefing for it.

Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.