Limitations of cyber insurance: Why some companies can't be insured - or can they?

The digital transformation is far from complete. New technologies and increasing networking are constantly driving change, but are also opening up more and more points of attack for cyber criminals. The increase in cybercrime remains a growing problem against which there is no absolute protection.

Many companies are therefore turning to cyber insurance to protect themselves against the financial consequences of a cyberattack. However, it is becoming increasingly difficult to find suitable cyber insurance. Insurers have developed strict criteria that must be met in order to take out a policy. In the case of so-called "red flags", there is a risk of being categorised as "uninsurable". The exclusion criteria range from complex IT infrastructures and inadequate security precautions to blanket industry exclusions.

The challenge of risk dialogue

A central element in the security assessment process is the risk dialogue. Companies often have to answer yes or no questions about their security situation without the opportunity to provide further explanations. This can be a major hurdle in itself. Rejections are often made without detailed justification or with generalised references to security gaps that need to be closed. This is a challenge for many companies, especially if their IT and OT systems have grown over the years and cannot be adapted to new security requirements at short notice.

Why companies are considered uninsurable

Insurers classify companies as uninsurable for various reasons. One common reason is that they belong to a supposedly high-risk sector such as healthcare, the chemical industry or e-commerce. These industries are more difficult to insure due to their complex and international IT structures and high attack risks. Another reason for exclusion can be the lack of basic security measures such as multi-factor authentication or non-adherence to compliance standards such as ISO 27001. Even companies that have recently been victims of a cyber attack often have difficulties obtaining insurance, as insurers suspect security deficiencies.

Opportunities to improve insurability

Despite these hurdles, there are ways to improve a company's insurability. A thorough analysis of your own IT infrastructure and the targeted improvement of cyber resilience can help to fulfil the requirements of insurers. A strategic approach that includes both technical and organisational measures is crucial. Transparent communication and close cooperation with a specialised broker can also help to better understand insurers' requirements and act accordingly.

Insurability is achievable

Classification as uninsurable is not a final judgement. Rather, it should be seen as an impetus to rethink and optimise your own security measures. The challenges that arise when looking for cyber insurance can be overcome with a clear strategy and targeted measures. Companies that face up to these challenges can not only increase their insurance opportunities, but also strengthen their general security and resilience to the growing threats of the digital world in the long term.

Limits of cyber insurance: Why some companies can't be insured - or can they?