Cyber Insurance Providers Raise Concerns Over Claim Exclusions
A growing number of cyber insurance providers are voicing concerns about competitors that impose strict exclusions on claims tied to unpatched vulnerabilities. Coalition, a prominent cyber insurance firm, recently highlighted the issue in a LinkedIn post, reporting an increase in such exclusions, although they are not yet commonplace across the industry. Some insurers withhold payment on claims involving vulnerabilities that remain unaddressed for a predetermined number of days. Others use a sliding scale, where the payout decreases the longer the vulnerability is left unpatched.
Understanding the Exclusions: Vulnerabilities and Claims
Coalition noted that a well-known U.S. insurer has a policy that denies coverage for losses arising from Common Vulnerabilities and Exposures (CVEs) with a Common Vulnerability Scoring System (CVSS) score greater than 8.0 if a patch has not been applied within three weeks. Tiago Henriques, Chief Underwriting Officer at Coalition, addressed these practices by stating, “This logic might make sense if patching were simple and straightforward. But in reality, vulnerability management is complicated and convoluted, even for businesses with sophisticated security teams.”
The Landscape of Cyber Vulnerabilities
Coalition put numbers on the CVSS 8.0 patching exclusion: as of July 2025, more than 61,000 published vulnerabilities score above that threshold and so fall under the exclusion. Only a fraction of them, around 1%, are catalogued in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog. With over 40,000 new vulnerabilities published each year, Henriques pointed out that companies face an unwinnable dilemma: either commit valuable resources to chasing thousands of vulnerabilities that are unlikely ever to be exploited against them, or accept a cyber insurance policy that carries the risk of claim denial after a breach involving an unpatched system.
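The practical question behind these numbers is which of your own open findings would trip such an exclusion, and how that set compares with what is actually being exploited. The Python below is an added illustration, not code from Coalition, Chubb, or any insurer: it encodes the rule the article describes (CVSS above 8.0, not patched within three weeks) and sets it beside a KEV-style lookup. The vulnerability inventory and the KEV set are constructed sample data with placeholder identifiers (not real CVEs or real CISA entries), the `as_of` date is arbitrary, and the clock is assumed to start at the CVE's publication date, which the article does not specify.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional

# Added example. Parameters follow the exclusion described in the article:
# claims denied for CVEs scoring above 8.0 that stay unpatched past three weeks.
CVSS_THRESHOLD = 8.0
PATCH_WINDOW_DAYS = 21


@dataclass(frozen=True)
class Finding:
    vuln_id: str             # placeholder identifier, not a real CVE id
    cvss: float
    published: date          # assumption: the exclusion clock starts here
    patched: Optional[date]  # None means still unpatched


def days_exposed(f: Finding, as_of: date) -> int:
    """Days the finding was (or has been) unpatched, measured up to as_of."""
    end = f.patched if f.patched is not None and f.patched <= as_of else as_of
    return (end - f.published).days


def exclusion_triggered(f: Finding, as_of: date,
                        threshold: float = CVSS_THRESHOLD,
                        window: int = PATCH_WINDOW_DAYS) -> bool:
    """True if the finding scored above the threshold and stayed unpatched
    longer than the window, i.e. an insurer applying this rule could deny
    a claim tied to it. A patch applied late still counts: the exposure
    beyond the window already happened."""
    return f.cvss > threshold and days_exposed(f, as_of) > window


def days_until_exclusion(f: Finding, as_of: date,
                         threshold: float = CVSS_THRESHOLD,
                         window: int = PATCH_WINDOW_DAYS) -> Optional[int]:
    """Days left before an unpatched high-score finding trips the exclusion
    (0 if already past it); None if the rule does not apply to it."""
    if f.cvss <= threshold or f.patched is not None:
        return None
    deadline = f.published + timedelta(days=window)
    return max(0, (deadline - as_of).days)


def triage(findings: Iterable[Finding], kev_ids: set, as_of: date) -> Dict[str, List[str]]:
    """Contrast the insurer's exclusion view with an exploitation-driven view."""
    findings = list(findings)
    at_risk = sorted(f.vuln_id for f in findings if exclusion_triggered(f, as_of))
    exploited = sorted(f.vuln_id for f in findings
                       if f.vuln_id in kev_ids and f.patched is None)
    by_id = {f.vuln_id: f for f in findings}
    return {
        # would void coverage under the CVSS > 8.0 / 21-day rule
        "coverage_at_risk": at_risk,
        # actually exploited in the wild (per the KEV-style set) and still open
        "exploited_unpatched": exploited,
        # the article's point: most exclusion-triggering CVEs are not in KEV
        "at_risk_but_not_in_kev": sorted(v for v in at_risk if v not in kev_ids),
        # and some exploited ones score too low for the exclusion to notice
        "exploited_but_below_threshold": sorted(
            v for v in exploited if by_id[v].cvss <= CVSS_THRESHOLD),
    }


# Constructed sample inventory (placeholder ids, invented dates and scores).
AS_OF = date(2025, 7, 1)
SAMPLE_FINDINGS = [
    Finding("example-1", 9.8, date(2025, 4, 1), None),              # high, old, open
    Finding("example-2", 8.1, date(2025, 5, 1), None),              # just above 8.0
    Finding("example-3", 8.0, date(2025, 3, 1), None),              # exactly 8.0: rule says "greater than"
    Finding("example-4", 7.5, date(2025, 2, 1), None),              # below threshold but exploited
    Finding("example-5", 9.0, date(2025, 6, 20), None),             # high, still inside the window
    Finding("example-6", 9.1, date(2025, 4, 1), date(2025, 4, 15)), # patched inside the window
]
# Constructed stand-in for a KEV catalog; not CISA data.
SAMPLE_KEV = {"example-1", "example-4", "example-6"}


def run_sample() -> Dict[str, List[str]]:
    return triage(SAMPLE_FINDINGS, SAMPLE_KEV, AS_OF)


if __name__ == "__main__":
    for key, ids in run_sample().items():
        print(f"{key}: {ids}")
    for f in SAMPLE_FINDINGS:
        print(f.vuln_id, "days until exclusion:", days_until_exclusion(f, AS_OF))
```

Run against the sample data, `coverage_at_risk` and `exploited_unpatched` overlap on only one finding: one exclusion-triggering CVE is not in the KEV set at all, and one actively exploited CVE scores 7.5 and never trips the exclusion. That mismatch is the argument the article makes in aggregate with the 61,000 and 1% figures. Swapping in a real inventory and the real CISA KEV feed turns this into a useful pre-renewal check.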
Examples of Exclusion Policies in Action
Although Coalition did not name the insurers applying these patch exclusions, it cited Chubb as an example of a competitor whose approach may disadvantage businesses without timely patch management. Chubb’s “Neglected Software Exploit Endorsement” ties coverage to how promptly policyholders apply security updates. According to Chubb, the endorsement grants a 45-day grace period to patch CVEs published in the National Vulnerability Database. After that period the risk is shared between insurer and policyholder, and if the vulnerability is still unaddressed at the 45, 90, 180, or 365-day mark, the burden of risk progressively shifts to the policyholder.
A Proposal for Better Practices
In response to these challenges, Coalition advocates a more balanced, risk-based approach to cyber insurance that includes technical support for policyholders. Its new Active Cyber Policy rewards companies that demonstrate good security practices. Coalition Security, the insurer’s dedicated security division, prioritizes the kinds of vulnerabilities ransomware operators actually exploit and notifies policyholders about those that are critical. In 2024, Coalition reported issuing an average of 5.5 alerts per month, covering just 0.15% of all vulnerabilities published that year, and 90% of its policyholders received no alerts at all, underscoring how targeted the notifications are.
Coalition emphasizes, “If you receive a Coalition security alert, pay attention because it’s important,” reflecting a commitment to directing attention to the most urgent and high-impact threats that carry significant financial risks.