What an insurer actually does and does not cover
The limits of a cyber policy, and why resilience stands apart from insurance
A cyber insurance policy is an instrument for the financial transfer of specific consequences of a cyber incident, and nothing more than that. It does not replace resilience, it does not replace internal control, and it does not remove the risk. What it does is absorb a defined set of costs that would otherwise hit your results in a single financial year. What it does not do affects you as CFO precisely where a policy is least visible: in the long tail after the incident, in the conversations with clients and regulators, and in the value you never recover once it has gone.
This piece is not an argument against insuring. A well-structured policy has a place in the risk strategy of any organisation that is digitally dependent, and the Dutch Association of Insurers (Verbond van Verzekeraars) has repeatedly clarified in recent years how the Dutch cyber policy takes shape and what it typically covers. The piece is an attempt to put the policy in its own place within the governance of your organisation: as a financial safety net for a defined layer, not as a substitute for the responsibility that the board itself carries for the risk management framework.
What does a typical cyber policy cover?
The content of a policy differs by insurer, by size and by sector, but the pattern in the Dutch market has settled reasonably firmly over the past few years. A common cyber policy broadly covers four categories of loss.
Direct first-party loss. The costs your organisation itself incurs to get operations running again after an incident. Forensic investigation, system recovery, reinstallation, engaging an incident response team, and possibly a specialist negotiator in a ransomware scenario. This is the most tangible layer, and the layer where the insurer delivers the most value when the policy can be activated quickly.
Business interruption loss. The lost profit over the period during which operations are wholly or partly at a standstill as a direct result of the incident. There is always an excess here (a waiting period in days) and a maximum indemnity period. What falls outside it is the structural loss of revenue that follows client attrition or reputational damage, and that distinction is fundamental; more on that in the next section.
Third-party liability. The costs and any damages when a third party takes action against your organisation after a data breach or another kind of breach: clients, suppliers, or in some cases a group of claimants joining together in a collective action. Cover often extends to legal defence and to the damages awarded, with policy limits you need to know in advance.
Legal assistance and regulatory costs. The costs of lawyers, communications advisers and privacy specialists you engage to meet notification duties, to correspond with regulators, and to set out a defensible line shortly after the incident. Fines imposed by a regulator are generally excluded on public-policy grounds (ordre public), but the surrounding procedural costs are often covered.
On top of these four, most policies include additional services: a 24-hour reporting line, access to a network of pre-contracted specialists, and sometimes a prevention scan before the policy takes effect. These are useful provisions, but they are not elements that structurally raise your resilience. They make the incident quicker to handle once it is there.
What does it not cover, and why is that not a detail?
Beneath the steady growth of the cyber insurance market sits a less steady development in the exclusions. Insurers have tightened their policies on a number of points in recent years, so as not to accept risks they cannot weigh. The Dutch Association of Insurers has taken a public position on part of that development, in particular around the application of war exclusions to state-sponsored attacks. For you as CFO, this is not the legal subtlety it appears to be. It directly determines how large the share of the risk is that remains with your organisation after the policy.
Four categories of exclusion stand out.
The first is the war and state-actor exclusion. Policies exclude loss resulting from acts of war as standard, and since the tightening in 2022 and 2023 that exclusion is increasingly applied to cyberattacks attributed to state actors as well. The attribution does not have to be legally watertight; a substantiated attribution is enough in many policies to limit or wholly deny cover. That directly affects the scenarios your organisation has most to fear, because the most disruptive attacks on critical infrastructure and larger enterprises not infrequently come from that direction.
The second is reputational damage. The costs of a crisis communications agency are often still reimbursed, but the value effect of broken trust is by definition not insurable. What clients think of you after they have read that their data was exposed is in no policy. The Dutch National Cyber Security Centre (NCSC) has repeatedly found in its cyber threat assessments that restoring public trust after an incident takes years and that the operational and commercial consequences often play out well beyond the financial year of the incident.
The third is client attrition and loss of revenue after the incident. Business interruption cover compensates the standstill in the first weeks or months, not the structural outflow of clients that follows lost trust, not the tenders you fail to win two years later because your incident is still in the collective memory, and not the higher acquisition costs you have to incur to rebuild the same position. This is the long tail, and it runs on well after the policy has been settled.
The fourth is contractual consequences. Fines and discounts that counterparties charge you under service level agreements often fall wholly or partly outside cover. The same applies to the loss of licences, certifications or authorisations on which your business depends. And for an organisation under supervision by De Nederlandsche Bank (DNB), the regulator can impose measures after a serious incident that are in no policy, from binding instructions to a temporary restriction of business operations.
A fifth layer is implicitly present in every policy and deserves its own attention: negligence established after the fact. Policies work with a duty-of-care clause. When an insurer establishes after the incident that common baseline controls were absent (patches deferred for months, multi-factor authentication never rolled out across the organisation, back-ups that turned out to be unusable), this can lead to a limitation or refusal of the payout. The policy is not a licence to let the basics slide; it is a supplement to reasonable control.
How large is the share that falls outside the policy?
There is no Dutch figure that fixes, by sector, what percentage of total incident costs typically falls outside cover. What can be established is the structure. Direct loss and recovery costs are relatively insurable because they are tangible and can be estimated within a definable period. Reputational damage and client attrition are structurally not, and the contractual and regulatory consequences are not either. In the incidents that have become public in the Dutch market, you see that the eventual total impact is almost always a multiple of the first estimate, and that most of it sits in the long tail.
For you as CFO, the relevant question is therefore not how much your policy covers, but how much it does not cover and what you do about that now. The difference between what is insurable and what is not insurable is the actual residual item that lands on your balance sheet and that only becomes smaller through resilience.
Insurance and resilience are complements, not substitutes
Here is the governance mistake that too many boards still make. A policy is approached as a form of security: we are insured, so we have covered that. But insurance and resilience work on different dimensions. Insurance lowers the variance of your financial outcome under an incident. Resilience lowers the probability that the incident takes place, and the scale of the loss if it takes place anyway. These are complements, not substitutes. One does not replace the other.
More than that, they presuppose each other. An insurer accepts a risk whose basics are in order. Since the market tightened, insurers invariably ask for evidence of baseline controls, for a rehearsed incident response plan, and increasingly for demonstrable board involvement in the risk management framework. Anyone who cannot show the basics does not get a reasonable policy, or only gets one at a premium that undermines the business rationale of the instrument. Insurance and resilience move up along the same line, not along separate tracks.
The practical conclusion is that the policy and the resilience plan belong on one table. Not with two different functions, not in two different meetings. Whoever sets the policy terms alongside the resilience plan sees at once where the policy stops and where the organisation itself stands for the outcome. That is a short conversation from which most organisations get a surprising amount.
What you as CFO commit to over the coming weeks
Three actions can be committed to now, without having to stand up a large programme.
One, have a current summary made of your policy: which four categories are covered, with which limits, which excess and which waiting period, and which exclusions apply to the policy. Note alongside it what the policy implicitly requires in terms of baseline controls, because those clauses determine whether the policy actually pays out in an incident.
Two, alongside that summary, have a second list made of what falls structurally outside cover: the long tail, the reputational and client-loss effects, the contractual consequences, and the scenarios under a state-actor exclusion. That is not an exercise for the insurer; it is the actual residual item that lands on your balance sheet.
Three, set those two documents alongside the resilience plan of your CISO. For each line from the second list you ask the same question: which control lowers the chance that this hits us, and which control lowers the scale if it hits us anyway. What remains is the board's actual risk acceptance, formulated in the same unit as the rest of the strategy.
These three steps give you two things that are often missing now. They give the board a defensible picture of what the organisation has covered and what it carries. And they give you as CFO a substantiation for when a regulator, an auditor or a shareholder later asks how the board weighed the cyber risk. What the policy does not cover, and why resilience stands apart from insurance, is a conversation that has to be had well once and after that reviewed at most annually.