Business cover · Cyber
What Cyber Insurance Covers — and the Exclusions That Catch Businesses Out
Knowing what a cyber policy pays for is half the picture. The half that costs businesses money is what it won't pay for — usually discovered too late.
The most expensive surprise in cyber insurance isn't the premium — it's the exclusion you find on the day you claim.
Exclusions are not fine print; they are the policy. Here's what cyber cover pays for, and the gaps that decide claims.
The short version
- Cover splits into first-party (your own losses) and third-party (claims against you).
- Common exclusions: war and state-sponsored attacks, prior known incidents, weak security hygiene, deliberate insider acts, physical damage and IP.
- The trap that catches small firms most: fraud where someone was tricked into sending money.
- Read the wording before you need it, not after.
First-party and third-party cover
First-party cover pays for your own losses after an incident; third-party cover pays for claims others bring against you. A strong small-business policy carries both.
| First-party (your own losses) | Third-party (claims against you) |
|---|---|
| Incident response & forensics | Data-breach liability to customers / employees |
| Data restoration & system recovery | Regulatory defence costs |
| Business interruption | Media / IP liability |
| Cyber extortion / ransomware (where lawful) | — |
| Breach notification & crisis PR | — |
The common exclusions
Most disputes come down to an exclusion, so know them before you sign.
- Acts of war, invasion or terrorism — increasingly hard to apply cleanly as state-sponsored attacks blur the line.
- Any incident already known before the policy started.
- Losses traced to poor security hygiene — unpatched systems, missing controls.
- Deliberate, dishonest or criminal acts by your own people.
- Physical damage to hardware, and intellectual-property infringement (a different policy).
The trap: social-engineering and funds-transfer fraud
Standard cover responds to hacking; it often treats it very differently when an employee is tricked into sending money.
If your finance team is fooled by a convincing fake email into wiring a payment, some policies won't pay — the system wasn't technically “breached.” Others cover it, but under a separate, much lower sub-limit. Since phishing and fraudulent transfers are among the most common losses Indian businesses suffer, this gap deserves its own attention — see cyber-crime and fraud cover.
How to read a policy wording
Don't read the brochure; read the wording — exclusions first, then sub-limits, then the conditions you must meet to stay covered.
If something you clearly need sits under a sub-limit or an add-on, that's not a dealbreaker — it's a question to put to your broker. The criteria to apply are in how to choose cyber insurance.
Frequently asked questions
Does cyber insurance cover ransomware?
Usually yes — response, data restoration and business interruption, and sometimes the ransom itself where lawful. Check the sub-limit.
Does it cover money lost to phishing or a fake invoice?
Not always. Social-engineering and funds-transfer fraud are often excluded from standard cover or sub-limited. See cyber-crime and fraud cover.
Are data-breach fines and regulatory costs covered?
Defence costs often are; some penalties may be covered where legally permissible. Wording varies — confirm it.
Can a claim be denied for weak security?
Yes. If you didn't maintain the controls you declared, or systems were unpatched, an insurer may reduce or deny a claim.
Does it cover incidents at a third-party vendor?
Some policies do; many don't by default. If you rely on vendors, ask specifically about supply-chain cover.
What happens when you talk to us
A 20-minute video call with a Growth Advisor — no obligation, and no quote pushed. It opens with a five-minute video from our founder on how the benefits stack works and why Ethika exists; the rest is your questions. You'll leave with an honest read on your current cover and claims experience, and a straight answer on whether we can genuinely help — even if you never become a client.
20 minutes with a Growth Advisor. No obligation.
A note on this page. Everything here is general information, not insurance, legal, financial or tax advice, and nothing is an offer. For advice about your situation, talk to us.