Insurance Nerds - Insuring Tomorrow

Fixing Cyber Risk Transfer: What Insurance Pros Must Know

Written by Nicholas Lamparelli | May 13, 2026 1:53:25 PM

The cyber insurance market has a structural problem, and it is not a coverage gap in the traditional sense. It is a documentation and execution gap, and it is costing policyholders at claim time.

Steven Schwartz, co-founder and general partner at FireTower Risk Solutions, frames the issue directly: carriers priced cyber policies around losses they could model, specifically extortion, business interruption and privacy notifications. The losses that actually hurt companies fell outside that model. The result is a fragmented landscape where cyber insurance, directors and officers (D&O) coverage and specialty protections each address different slices of risk, but do not function as a coordinated system.

That fragmentation matters most when a claim is filed.

The Coverage Interaction Problem

Consider a vendor breach. No single policy is designed to respond first. Cyber insurance may cover first-party losses. D&O may respond when shareholders or regulators pursue directors. But the two policies operate on different timelines, involve separate legal teams and carry expanding exclusions. The interaction between them, as Schwartz notes, gets messy.

For insurance professionals, this is a placement and advisory issue. Clients purchasing cyber coverage in isolation, without reviewing how it interacts with their D&O, E&O or other liability policies, are exposed to gaps they may not discover until a claim is denied or disputed.

The exposure of individual executives adds another layer. The criminal conviction of former Uber CISO Joe Sullivan and the SEC's case against SolarWinds' Tim Brown have changed how security leaders evaluate their personal risk. Many CISOs are now asking whether D&O policies will actually cover them, and the answer is often unclear. Schwartz identifies this as a specific gap within the fragmentation: regulatory matters that are too small for cyber insurance but too niche for D&O.

Coverage Disputes Are About Response, Not the Event

This is the most important operational insight for insurance professionals advising clients on cyber risk.

Schwartz is direct: coverage disputes are never about the event itself. They are about whether the insured can prove how they responded to it.

That shifts the underwriting and risk management conversation. The question is no longer only whether a client has adequate limits. The question is whether the client can document, in detail, what happened during an incident, who made decisions, what information was available at the time and how the response was communicated across the organization.

Andy Lunsford, CEO of BreachRx, reinforces this point. Even organizations with well-developed incident response plans frequently fail to follow them under real-world conditions. Teams default to verbal updates, fragmented chat threads and ad hoc calls. Renee Guttmann, former CISO at Royal Caribbean, Coca-Cola and Time Warner, identifies the most common undocumented details: who identified the issue, who declared the incident, who was involved and when. These are precisely the questions regulators ask, and they are the hardest to reconstruct after the fact.

What This Means for Insurance Professionals

Policy review must include response alignment. Clients should be testing their policy language against their incident response plans. Schwartz recommends boards ask: when was the last time we tested our policy language against our incident response plan, and what is the delta? Insurance professionals can bring this question into renewal conversations and risk assessments.

Placement strategy should account for fragmentation. Clients with layered programs need clarity on which policy responds first in specific scenarios, particularly vendor breaches and regulatory actions involving individual executives.

Documentation is a coverage condition. Clients who cannot demonstrate how they responded to an incident are at risk of disputed claims, regardless of the limits they purchased. Risk management guidance should include incident documentation practices, not just coverage recommendations.

Personal liability is a growth area. The CISO liability conversation is expanding. Some security leaders are reconsidering whether to take on the title at all given recent prosecutions. Products that address individual executive exposure, including the BreachRx platform, which provides up to $3 million in coverage for executives managing incidents on the platform, reflect where the market is moving.

The underlying shift is straightforward. Cyber risk transfer is no longer defined by what a policy says. It is defined by what an organization can prove it did when tested. For insurance professionals, that changes the advisory role from placement to preparedness.

Based on the Forbes article "Fragmented Cyber Risk Transfer Is Changing Board Oversight".