By Dustin Carlson, President of SRA 831(b) Admin
Cyber insurance is essential for businesses that rely on any form of digital infrastructure, but many of them think they are covered in the event of a claim, when in fact the odds are against them. Policy exclusions and sublimits leave critical gaps, especially as cyber threats grow more complex, ranging from ransomware and supply-chain attacks to third-party vendor outages and prolonged system disruptions that directly impact revenue, operations, and reputation.
When your policy was renewed, was the policy bigger than it was last year? Guess what: it wasn’t because the insurer added new coverage, it’s because they added exclusions. With all of the exclusions in off-the-shelf cyber policies, you need a breach to go nearly perfectly to get an insurer to pay out on a claim.
According to the National Association of Insurance Commissioners (NAIC), today’s adversaries are running cybercrime like a business. Cybercriminals are becoming increasingly efficient, leveraging automation, artificial intelligence (AI), and sophisticated social engineering to scale attacks and maximize impact. In 2024, malware-free intrusions surged dramatically, vishing attacks alone increased by 442%, alongside a rise in identity-based intrusions.
The NAIC also reports that in 2024, claims closed without payment (28,555) were nearly three times higher than those closed with payment (9,941). This trend spans all policy types but is most pronounced in excess policies, where unpaid claims outnumber paid claims by more than 20 to 1.
Case Studies That Expose Modern Cyber Risk
These real-world examples illustrate how common cyber incidents expose coverage gaps that many businesses often do not discover until after a loss has occurred.
Cyber & Data
An Arizona-based healthcare product company with two retail boutiques and a robust e-commerce operation offers a compelling case study in cyber risk. For context, its subscription program, supply chain operations, customer data, and order processing are all supported by a cloud-based platform managed by a third-party vendor.
Watch Our Podcast With Dustin Carlson
When the company first launched its monthly subscription service, the cloud system allowed the business to scale efficiently. However, any vendor outage would immediately disrupt orders, logistics, service operations, and revenue. To mitigate this risk, the owners purchased cyber insurance as part of their property and casualty coverage. Fun fact: cyber insurance is considered P&C coverage by traditional insurers.
While the policy included breach response, notification, legal support, and business interruption coverage, significant gaps remained. Income loss from a third-party outage was excluded unless tied directly to a security breach, and even then, sublimits were insufficient. Data recovery and organization costs were also excluded, leaving the company vulnerable.
Recognizing that a single non-covered event could threaten the company’s financial stability and reputation, the owners sought a broader solution with SRA 831(b) Admin. SRA implemented a strategic 831(b) Plan that allowed the company to leverage available tax efficiencies while managing risks more effectively.
Data Breach
Because the company had proactively adopted an 831(b) Plan, it was able to file a claim under its dedicated data breach coverage. The policy paid out up to its $150,000 limit, significantly reducing the net loss. The breach underscored the importance of embedding tailored 831(b) solutions into core business operations rather than relying solely on standalone cyber policies.
Using 831(b) Plans to Close the Gaps
For the healthcare product company, SRA’s 831(b) Plan enabled the creation of a tax-advantaged financial structure to address income losses from third-party outages, cyber incidents, and other risks typically excluded from traditional insurance, such as brand and reputational damage. Rather than relying on restrictive policy language, the company gained greater financial control over its most critical risks.
Get The Cyber Insurance News Upload Delivered
Subscribe to our newsletter!
In the construction firm’s case, this approach transformed a potentially destabilizing data breach into a manageable financial event by closing coverage gaps and protecting the company’s financial stability.
What This Means for Business Leaders Today
Cyber risk is fundamentally a business continuity issue, not just a technology concern.
In tabletop disaster-preparedness exercises, a cyber breach is often the elephant in the room. These threats are increasingly difficult to mitigate and represent one of the greatest vulnerabilities most businesses face. Companies that take a deliberate, proactive approach to managing financial and operational risk are far better positioned to withstand disruption, protect their reputations, and sustain long-term growth.
To learn how businesses can strengthen a company’s cyber resilience and mitigate coverage gaps, contact SRA for more information.
Dustin Carlson will appear on an upcoming episode of the Cyber Insurance News and Information Podcast. Visit our YouTube channel and subscribe to be alerted about that episode.
The views and opinions expressed in this guest article are those of the author and do not necessarily reflect the official policy or position of Cyber Insurance News & Information
Related Cyber Insurance Posts
- Healthcare Cybersecurity Shifts Toward Resilience As Breaches Multiply – Fortified Health Security Report
- China Releases Plan for Cyber Insurance Development
- BoA Versus Lloyd’s on Cyber War Exclusions: FT
- Cowbell Launches “MooGPT” for Cyber Insurance
- Cyber Insurance is Our Business & Business is Good