The famous showman P.T. Barnum is often credited with the phrase, "There's a sucker born every minute." Were he observing the modern digital landscape, he might instead remark, "There's a new cybersecurity vulnerability published every 12 minutes." This statement would be closer to the truth than many realize.

In the realm of cyber-risk insurance, carriers and brokers employ varying strategies. Some adopt a collaborative, supportive role, assisting policyholders in strengthening their defenses. Others take a stricter stance, imposing financial penalties on companies that delay patching known security flaws. Ultimately, the burden of navigating this risk and securing adequate coverage falls heavily on the companies themselves.

The volume of documented vulnerabilities confirms the scale of the challenge. MITRE's Common Vulnerabilities and Exposures (CVE) list, the official registry for software flaws, had catalogued roughly 33,000 entries by mid-September of this year. This figure nearly doubles the 18,400 CVEs published in all of 2020. Projections suggest a year-end total of approximately 47,000—and this only accounts for flaws that are publicly recorded. Countless other vulnerabilities remain unregistered or are stuck in a backlog, indicating a rapidly expanding attack surface that organizations must manage.

The insurance industry is addressing this escalating risk through a mix of methods. According to industry insiders, some providers help policyholders by proactively scanning their networks for weaknesses. In contrast, other carriers, such as Chubb, have been known to enforce a "period of neglect" clause. As described by an anonymous source, this provision can increase a policyholder's coinsurance share and reduce their coverage limits based on the number of days a known exploit goes unaddressed. These terms, while sometimes negotiated out of final policies, highlight a more assertive approach to risk management. Chubb did not respond to requests for confirmation.

Cyber-risk concerns are intensifying. Aidan Flynn, head of cyber underwriting management at Beazley, notes that for the first time since 2021, cyber-risk has climbed to the top of executive threat lists. Beazley's latest report found that 29% of global executives now view it as their greatest threat, up from 26% in 2024. Paradoxically, as awareness grows, so does executive confidence; the perceived level of organizational resilience has risen from 75% to 83% in the same period. Flynn cautions that this confidence may be misplaced, given the "increasingly fast-moving and unpredictable" nature of the threat landscape.

A Broader View of Risk Management

While CVEs are a critical focus, experts emphasize that insurers evaluate risk more holistically. David Anderson of Woodruff Sawyer explains that underwriters look at a company's entire cyber-risk management strategy, not just its list of unpatched flaws. He argues that fixating on a single CVE is counterproductive, as a determined attacker will find an alternative entry point if one particular vulnerability is secured.

The primary challenge for security teams is often prioritization. Insurers frequently ask about patching cadence, expecting critical vulnerabilities to be resolved within a week. However, as Alexandra Bretschneider of Johnson Kendall Johnson points out, determining what is "critical" is complex. A mundane application that interacts with a core system can be the weak link, as demonstrated by the 2017 Equifax breach, which stemmed from an unpatched Adobe application.

Finally, a thorough understanding of the insurance contract itself is paramount. Attorney Kenneth Rashbaum stresses that policyholders must meticulously read their entire policy to comprehend their obligations and the scope of their coverage. "You only get the coverage specified in the contract," he states. He further warns that traditional policy exclusions for acts of war or force majeure may not be suited to modern cyberattacks. It is the policyholder's responsibility, as the drafter of the agreement, to ensure the language reflects the current threat environment, as they cannot expect the insurer to make these changes.