Risk-mature organizations recognize that cyber insurance is the foundation of a comprehensive cyber resilience strategy, not just a checkbox on the risk management list. With data compromises reaching a record 3,322 incidents in 2025 — a 79% jump over five years¹ — understanding what policies cover has become essential to protecting your business in a rapidly escalating threat environment.
The good news is that the cyber market has softened over the past three years, and carriers have eased underwriting requirements and increased capacity. This creates a valuable opportunity for organizations to secure more favourable terms while proactively expanding cyber coverage and strengthening controls around exposures such as social engineering and third-party vendor cyber risk, as well as building robust response capabilities.
Common coverage blind spots
- One of the most common cyber insurance coverage gaps is third-party vendor incidents, where a service provider's breach disrupts your operations. Cyber policies may restrict dependent business interruption coverage to IT-related third parties or those with shared computer systems, rather than extending broadly to all supply chain vendors.
For example, you might discover that your cloud-based payroll provider suffered a ransom attack that shut down payroll processing for three weeks. Because your cyber policy only covers "IT service providers with shared computer systems," excluding this SaaS vendor, your organization will likely absorb the full loss despite having what you believed was comprehensive cyber coverage.
- Social engineering and funds transfer fraud represent another critical coverage gap. While most cyber policies include sublimits around $250,000, actual losses frequently exceed this threshold.
Examples often involve urgent transfer requests from a senior executive, with convincing emails, AI-generated voice cloning and even video manipulation (referred to as “deepfakes”) used to pull off the scam.
- Business interruption coverage related to cyber incidents can also contain unexpected exclusions. While policies are typically triggered by network breaches and system failures, exclusions commonly apply to infrastructure-related outages such as internet or electrical disruptions.
Consider the scenario of an e-commerce retailer that loses power and internet connectivity because of a malicious cyber incident during a busy holiday shopping weekend. With the retailer unable to process orders, the loss of revenue from that weekend alone could cause the business to close. And despite the retailer having cyber insurance, the policy explicitly excludes infrastructure-related outages.
The incident response imperative
The policy limit is just the beginning. Immediate access to forensics firms and breach coaches — costly resources most businesses couldn't quickly secure on their own — is where cyber coverage proves its real value. Carriers negotiate preferred pricing and service level agreements with specialized vendors, ensuring faster response times and predictable costs. However, this access only matters if you know how to activate it.
Too many organizations create response plans that sit untested with outdated contact information and no clear ownership, rendering the “plan” more of a framework than a playbook. When a security team detects suspicious late-night activity and refers to an old incident response plan, outdated emergency contacts cause delays in getting the proper response under way and allow more time for the breach to affect more people.
Effective planning must include:
- Documented procedures with current contacts for your broker, carrier and pre-approved vendors
- Clear notification protocols for insurance and regulatory requirements
- Regular cyber incident response testing through tabletop exercises
- Assigned ownership for network maintenance and repairs
Organizations should also consider where they store their incident response plan — if it lives only on your company’s network, it won't be accessible when that network is breached and encrypted.
The HUB EDGE
A strong cyber resilience strategy requires proactive preparation and deep coverage understanding. Key actions organizations should take:
- Audit third-party coverage — Review whether dependent business interruption coverage extends to all critical vendors or only IT-related third parties.
- Assess social engineering limits — Compare sublimits against realistic loss scenarios and strengthen internal payment controls to reduce exposure.
- Document notification requirements — Create a comprehensive checklist that includes your carrier, broker, pre-approved vendors and all regulatory bodies. Store this where it remains accessible during an incident.
- Build and test response plans — Develop incident response plans with current contact information and run regular tabletop exercises.
- Leverage carrier resources — Many carriers now offer complimentary tabletop exercises, incident response plan reviews and discounts on cybersecurity tools.
Working with experienced advisors who understand both coverage and operational preparedness helps organizations move beyond checkbox compliance to build genuine cyber resilience. HUB's cyber specialists combine technical expertise with risk management guidance to help clients identify coverage gaps, strengthen internal controls and develop response capabilities when they're needed most.
¹ Identity Theft Resource Center, “Identity Theft Resource Center — 2025 Annual Data Breach Report by ITRC,” Feb. 3, 2026.
