With all the risks involved in following through on payouts, cyber liability insurance companies are padding their policies with coverage exceptions.

Limited coverage – Most insurance policies are limited to cover cyber-attacks and unauthorized activity but do not cover errors or omissions. When deciding whether to pay out a claim, an insurance company could simply point out a failure to report a change in the IT environment.

Time limitations – Most claims are limited to paying out losses incurred during the network interruption due to the cybersecurity event, and not for the entire period that the operations have been interrupted.

Third-party woes – Claims involving contractors and outsource service providers are routinely denied because of accountability and permissions management of critical and sensitive service accounts. When deciding whether to pay out a claim, an insurance company could simply point out a failure to report a change in the IT environment.