
Cyber insurance rates stabilize as coverage exclusions expand

While cyber insurance premiums are becoming more affordable, carriers are simultaneously introducing strict coverage exclusions and sub-limits. Organizations must carefully review their policies to ensure continuous protection against social engineering, state-backed incidents, and mass outages.

Triage Security Media Team

Organizations evaluating cyber insurance policies currently face a complex market. According to Paul Furtado, distinguished vice president analyst at Gartner, policy pricing has stabilized and become more affordable. However, carriers are simultaneously expanding coverage exclusions, which may leave some policyholders unexpectedly exposed if they do not closely evaluate their terms.

Speaking at the Gartner Security & Risk Management Summit in National Harbor, Maryland, Furtado detailed several shifts in the cyber insurance market. Some changes reward mature security programs: carriers offer premium discounts to organizations that can demonstrate measurable security controls. Carriers' pricing models have also adjusted over time, lowering costs across the industry.

However, other structural changes require careful navigation to ensure continuous protection.

Expanding coverage exclusions

The most significant shift in the cyber insurance market is the growing list of coverage exclusions. Carriers increasingly deny payouts based on factors such as employee actions, outdated software, failure to maintain security controls, and risks introduced during mergers and acquisitions.

For example, policies may categorize certain social engineering tactics under "employee actions." Furtado described a scenario in which an unauthorized party convinces a finance employee to transfer a million dollars. If the attacker did not gain unauthorized access to the network, take control of a system, or impersonate an internal user, carriers often classify the event as a failure of internal controls rather than as a covered cybercrime, and the claim is denied.

This exclusion carries substantial implications given the prevalence of social engineering. Bryson Byrd, cybersecurity adviser at Huntress, said that ClickFix-style tactics, in which an attacker tricks a user into running harmful commands to "fix" a fake error message, accounted for 52% of the malware loader activity the vendor observed in 2025. Because these tactics rely on users voluntarily taking actions they believe are safe, they function much like phishing and often fall squarely under employee action exclusions.

Given these nuances, organizations should review their policies closely and initiate specific conversations with their carriers or underwriters. Confirming exactly how coverage applies before an incident occurs is a critical step in security planning.

Definitions around state-backed incidents and mass cyber events are also shifting. Following the "cyber war" clause language published by Lloyd's of London, most carriers have adopted wording that may exclude certain state-backed security events. Clauses addressing mass cyber events, such as a widespread outage at a major cloud provider, can likewise reduce policy payouts by as much as 50%.

Furtado advised organizations to ask direct questions of their carrier, broker, or underwriter. If the coverage for a state-backed incident is conditional, teams must establish exactly what those specific conditions are.

Sub-limits and tail coverage

While overall premiums have decreased, the mechanics of securing high-value policies have changed. Previously, a single carrier such as Lloyd's of London might cover a $100 million policy on its own. Today, organizations seeking that level of coverage typically need to present their security posture to a panel of insurers, which then spread the risk among themselves.

Policies also frequently include sub-limits that cap spending for specific response services. For instance, a $10 million policy does not guarantee $10 million in available funds for a chosen digital forensics and incident response (DFIR) provider like Mandiant, or for retaining an insurance-appointed incident coordinator. Organizations must check the fine print to understand the specific financial caps applied to individual recovery services.

Timing and policy transitions introduce another variable. Furtado highlighted the need for "tail" coverage when switching insurance providers. If an organization discovers in June an unauthorized access event that actually occurred in May, a new policy starting June 1 will not cover it, and the previous policy will already have expired. Tail coverage bridges that gap: it keeps the expiring policy responsive to incidents that occurred during its term but are discovered after the new policy begins, so protection remains continuous through the transition.

Finally, despite ongoing industry discussions regarding unsafe or unintended AI agent behavior, Furtado noted that artificial intelligence has not yet caused a substantial shift in insurance policies or coverage. The insurance market continues to monitor AI developments closely, but structural policy changes related to AI remain on the horizon.

About the original author

Rob Wright is a senior news director at Dark Reading with over 25 years of experience in technology journalism. His background includes editorial roles at TechTarget's SearchSecurity, CRN, Tom's Hardware Guide, and VARBusiness Magazine. A University of Richmond graduate and three-time Virginia Press Association award winner, Wright covers security operations, cloud security, Internet infrastructure, malvertising, and the certificate authority industry. In 2026, he received a National Silver Azbee award for a series on vibe coding.