Let's be blunt: your cyber insurance premium is falling. That's not a win. It's a trap.
I watched Paul Furtado from Gartner say it at National Harbor last week — his voice flat, eyes tired — "Prices are going down, and we see this across the market." Carriers have finally got their models right. And what they've modeled isn't risk reduction. It's risk avoidance. The math is simple: if you're not doing the basics, you're not worth covering. So they lowered the price… and then quietly removed the coverage you thought you had.
This isn't a market correction. It's a silent heist.
You're paying less because you're getting less. And the worst part? You won't know until it's too late.
Why Premiums Are Dropping (And Why That's Scary)
The drop isn't magic. It's math.
Carriers used to guess. Now they know. They've got years of claims data, threat intelligence feeds, and third-party risk scores. They can see your patch cadence, your MFA adoption rate, your cloud configuration drift — all of it — before you even submit your renewal.
If you've got a decent posture? You get a discount. Maybe 15%. Maybe 25%. Sounds great, right?
Wrong.
Because that discount isn't a reward. It's a filter.
The carriers aren't rewarding security. They're punishing negligence. And if you're not on their approved list, because your SOC 2 is outdated, your vendors have RDP exposed to the internet, your employees still click phishing links, you're not getting a discount. You're getting a rejection.
The market's now bifurcated: a small group of well-run enterprises get cheap, broad coverage. Everyone else? They're either priced out… or stuck with a policy that looks like a brochure and acts like a liability waiver.
This isn't insurance. It's a loyalty program for the competent.
The Exclusion Creep: When Your Policy Stops Protecting You
Let's talk about the real story: what's being taken away.
The biggest shift isn't war clauses. It's not even cloud outages.
It's social engineering.
Paul Furtado said it straight: "If I social engineer someone in your finance department to send me a million dollars, and I did not hack into your system… That's not a cybercrime — that's a failure of your internal controls."
And that's now the standard exclusion.
Huntress reported that 52% of the attacks it saw in 2025 started with ClickFix-style lures (a fake CAPTCHA or error "fix" that talks the victim into running the attacker's command). Add the classic business email compromise plays, fake invoices, fake wire requests, fake CEO emails, and most initial access in the wild is someone being talked into something. And now, most policies carve social engineering out.
Why? Because the insurer says: "You should've trained your people better. You should've had dual approvals. You should've had a policy that says 'no wire transfer over $50K without two signatures.'"
And guess what? You probably didn't.
It's the same with outdated software. Running Windows Server 2012 in production, out of extended support since October 2023? Your policy likely excludes any breach that rides in on a long-published CVE. Haven't patched your VPN in six months? You're on your own.
M&A? Forget it. If you acquired a company and didn't audit their cyber posture before closing, any breach tied to their legacy systems? Excluded.
These aren't edge cases. These are your daily risks.
And your policy? It's quietly turning them into your problem.
War Clauses: The Silent Kill Switch
Now, the war clause.
You've heard the hype. Nation-state attacks. Cyber warfare. Russia. China. Iran.
Here's the truth: you're not being targeted by a nation-state. You're being collateral damage.
Lloyd's Market Bulletin Y5381, issued in August 2022 and in force for new and renewed standalone cyber policies from 31 March 2023, requires every such policy to exclude losses from state-backed cyber attacks that significantly impair a state's ability to function or its security capabilities. The LMA's four model war clauses (LMA5564 through LMA5567) became the standard way to comply. Most carriers picked Type 1 or Type 2.
Type 1? Excludes all state-backed cyber attacks — war or not.
Type 2? Excludes war attacks and any attack that causes "significant impairment" — even if it's not officially war.
Here's where it gets ugly.
The word "significant" isn't defined. "Widespread" isn't defined. "State-backed"? That's up to the insurer to decide.
And here's the kicker: the wording doesn't require a government to say it was a state attack. When no government has attributed it, the insurer may rely on an inference it considers "objectively reasonable". The insurer can just… decide.
Remember MOVEit in 2023? Snowflake in 2024? Criminals exploited a zero-day in MOVEit Transfer (CVE-2023-34362) and walked into Snowflake customer accounts with stolen credentials and no MFA. Thousands of companies got breached. No nation-state fired a shot.
But what if the attacker used a tool that was later linked to a Russian group? What if the exploit was hosted on a server in a sanctioned country?
Your insurer can now say: "This was a state-backed cyber operation. Excluded."
And you? You have no recourse.
The Merck and Mondelez cases? Those were NotPetya claims under old property policies with war exclusions written for armed conflict. Merck won: the New Jersey courts read the "hostile or warlike action" exclusion as aimed at conventional warfare, not a cyber attack. Mondelez settled with Zurich before any ruling. That's why carriers rewrote the clauses. Now they're precise. And they're designed to survive in court.
This isn't about war. It's about risk transfer — and you're the one transferring it.
Sub-Limits: Your $10M Policy Isn't $10M
You bought a $10 million policy. You think that means $10 million to cover your breach.
It doesn't.
It means $10 million total, split between breach coach, forensic investigators, legal counsel, notification costs, PR, and regulatory fines, with sub-limits inside it.
And if your forensics sub-limit is $1.5 million and the firm you call in (say, Mandiant) runs past it? The rest is yours. If your legal team needs $2 million to fight a class action and the legal sub-limit is lower? That's your problem.
And if a major cloud provider goes down — AWS, Azure, Google Cloud — your payout could be slashed by 50%.
Why? Because the policy has a "widespread event" clause (some carriers call it a "mass cyber event" clause) with its own sub-limit. One outage. One shared infrastructure failure. And suddenly, everyone's payout is cut.
You're not buying protection. You're buying a lottery ticket with stacked odds.
Tail Coverage: The Hidden Gap
You switch carriers. You think you're being smart.
You're not.
Your old policy ends on December 31. Your new one starts January 1.
But what if attackers got in back in November and nobody notices until February? The old policy was in force when it happened. It covers it. Right?
Wrong.
Most standalone cyber policies are claims-made: they respond to claims made and reported during the policy period, not to incidents that merely happened during it. Unless you bought tail coverage (an extended reporting period), and most companies don't, your old policy expires and takes your coverage with it.
You've got a breach that happened under your old policy. You file a claim. The new insurer says: "Prior act, before our retroactive date. Not our problem." The old insurer says: "Policy expired. Not our problem."
You're stuck. And you've got a $20 million liability and no coverage.
Tail coverage isn't optional, and neither is checking that a replacement policy's retroactive date reaches back over your prior acts. It's what stands between you and bankruptcy after a merger, a vendor breach, or a silent compromise.
And most brokers won't mention it.
AI? Not Yet. But They're Watching.
"Has AI changed the market?" I asked Furtado.
"Not yet," he said. "But we're watching."
That's not reassuring. That's a warning.
AI hasn't caused a spike in claims — not yet. But it's going to.
AI-powered phishing. AI-generated deepfakes for CEO fraud. AI-driven vulnerability discovery. AI that automates ransomware deployment.
Carriers know this. They're not excluding AI today because they're afraid of the claims. They're excluding it because they know the flood is coming.
They're waiting for the first $500 million AI breach. Then they'll add the clause. And you'll be the one paying for it.
What You Need to Do Before Renewal
This isn't a technical problem. It's a governance problem.
You need to stop treating cyber insurance like a line item. Treat it like your liability.
Here's what you ask your broker — and if they don't know the answer, fire them.
- Which of the four LMA model war clauses (LMA5564 through LMA5567, Type 1 to Type 4) is on my policy, and which revision of it?
- How is "state-backed" defined? Is attribution required from a government, or can the insurer decide?
- What's the definition of "widespread" or "significant impairment"? Is there a threshold?
- Are there carvebacks for bystander organizations? What if we're hit by a systemic vendor exploit like MOVEit?
- What are the sub-limits for breach coach, legal, and forensic costs?
- Do we have tail coverage? If not, why not?
- What security controls are required to qualify for the discount?
And if your broker says, "We'll just renew the same policy" — walk out.
This isn't about saving money. It's about surviving.
Your policy isn't protecting you anymore.
It's just pretending to.