The denial myth
Cyber insurance buyers worry about claim denials. Carrier data says they should worry about sub-limits. The disappointing recoveries aren't denied claims — they're claims paid in full, but the sub-limit caps the recovery far below the loss.
Here are the sub-limits that bite the hardest in 2026 mid-market cyber policies:
The five sub-limits to check before binding
1. Ransomware extortion: capped at 25-50% of policy limit
A $5M cyber policy with a 25% ransomware sub-limit pays a maximum of $1.25M on the extortion event, even if the actual ransom + IR + legal + notification adds up to $4M. The remaining $2.75M is uncovered. This is the single biggest gap mid-market firms walk into.
2. Regulatory fines + defense: $1M-$5M typical caps
HIPAA fines alone can hit $1.5M per violation per year. NYDFS Part 500 penalties scale with revenue. SEC, FTC, state AG actions all add up. A $5M cyber policy with a $1M regulatory cap means a single regulatory action can exhaust the entire bucket and leave the breach response layer underfunded.
3. Contingent business interruption: 10-25% of BI sub-limit
Your SaaS vendor goes down (CrowdStrike global outage, anyone?). Your cloud provider has a multi-day region-wide event. Your billing platform gets ransomware'd and you can't process payments for two weeks. Most policies cover this only at a fraction of your direct BI limit.
4. Social engineering / funds transfer fraud: $250K-$500K typical
BEC + wire fraud live in their own coverage bucket with a much smaller cap than the headline policy limit. Wire fraud in mid-market frequently runs $1M-$5M per event; a $250K sub-limit pays that much and the rest is your problem.
5. Vendor + third-party fraud: often excluded entirely
If a vendor's compromised system is the entry point for your loss, coverage gets murky. Some policies cover it, most sub-limit it, and a few exclude it outright.
What moves premium
Beyond the sub-limit conversation, here's what carriers actually score when underwriting in 2026 (Coalition, Beazley, Chubb, Resilience, AT-Bay all use variants of these):
- MFA on all admin / privileged accounts. Now table-stakes; missing it caps coverage entirely.
- 24/7 MDR / SOC monitoring. Required above ~$5M coverage for healthcare and FinServ. Increasing pressure for it everywhere.
- Immutable backup + tested restore. Air-gapped / immutable + quarterly restore tests. Carriers ask for the runbook.
- Pre-arranged IR retainer. Either with the carrier's panel firm or a panel-accepted alternative. We're accepted by Coalition, Beazley, Chubb, Resilience, AT-Bay, AIG, Travelers, Munich Re, Hartford.
- Email security beyond M365 / Workspace defaults. Abnormal, Material, Sublime, Tessian. AI-aware phishing protection.
- Vendor risk management program documented + reviewed quarterly.
What to ask before renewal
- What's the ransomware extortion sub-limit as a percentage of policy limit?
- What's the regulatory fines + defense sub-limit, and does it apply per-event or aggregate?
- What's the social engineering / funds transfer fraud sub-limit? Per event or aggregate?
- Is contingent BI included? At what percent of BI limit?
- Is third-party / vendor breach covered? Sub-limited? Excluded?
- Which IR firms are on the panel? Are alternatives accepted?
- What controls would move next year's premium down 10-15%?
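The sub-limit arithmetic from the ransomware example above, together with the per-event versus aggregate distinction the regulatory and social engineering questions turn on, as an added Python model. It is not the page's or any carrier's tool; the policy terms, bucket names and events are constructed from the page's figures.

```python
from dataclasses import dataclass

@dataclass
class SubLimit:
    cap: float        # dollar cap for this coverage bucket (0 = excluded outright)
    aggregate: bool   # True: one cap shared across the policy year; False: cap resets per event

class Policy:
    """Headline limit plus bucket sub-limits; tracks erosion of aggregate caps across events."""
    def __init__(self, limit, sublimits):
        self.remaining_limit = limit                        # headline limit is itself an aggregate
        self.sublimits = sublimits                          # bucket -> SubLimit; absent = headline limit only
        self.remaining = {b: s.cap for b, s in sublimits.items()}

    def pay(self, losses):
        """Apply one event's losses (bucket -> dollars). Returns (paid, uncovered)."""
        paid = 0.0
        for bucket, loss in losses.items():
            sl = self.sublimits.get(bucket)
            if sl is None:
                cap_left = self.remaining_limit
            elif sl.aggregate:
                cap_left = self.remaining[bucket]
            else:
                cap_left = sl.cap
            amt = min(loss, cap_left, self.remaining_limit)
            if sl is not None and sl.aggregate:
                self.remaining[bucket] -= amt
            self.remaining_limit -= amt
            paid += amt
        return paid, sum(losses.values()) - paid

def page_scenario():
    """Constructed policy year using the page's figures (hypothetical terms, not a real carrier's)."""
    policy = Policy(5_000_000, {
        "ransomware": SubLimit(cap=0.25 * 5_000_000, aggregate=True),   # 25% of limit, aggregate
        "social_engineering": SubLimit(cap=250_000, aggregate=False),   # $250K per event
        "vendor_fraud": SubLimit(cap=0, aggregate=True),                # excluded entirely
    })
    results = {}
    # Event 1: ransom + IR + legal + notification, all charged to the extortion bucket
    results["ransomware_4M"] = policy.pay({"ransomware": 4_000_000})
    # Event 2: $1M wire fraud against a $250K per-event sub-limit
    results["wire_fraud_1M"] = policy.pay({"social_engineering": 1_000_000})
    # Event 3: second ransomware event; the aggregate extortion cap is already spent
    results["ransomware_500K"] = policy.pay({"ransomware": 500_000})
    # Event 4: loss entering through a compromised vendor, excluded (cap 0)
    results["vendor_fraud_300K"] = policy.pay({"vendor_fraud": 300_000})
    return results
```

Every event here is paid "in full" under its bucket; the uncovered column is what the sub-limit structure leaves on your balance sheet, which is the point the denial myth hides.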
How we help
We aren't a licensed insurance producer. We're the technical and operational layer that sits alongside your broker. We sit on the underwriting call, translate your security posture into the format carriers score against, run the controls that drive premium movement, and document the evidence quarterly so renewals don't trigger a scramble.
Stand-alone Cyber-Insurance Liaison: $3K-$10K/month. Underwriting-call participation ad-hoc: $5K fixed-fee per call. Bundled inside the Modernization Partnership at no separate line item.