Cyber insurers are testing out new ways to hold policyholders accountable for outdated security, limiting payouts when policyholders fall prey to attacks that use older vulnerabilities or take advantage of holes in the organizations' defenses.
Potential risk-limiting approaches include a sliding scale of accountability — and payouts — based on an unpatched vulnerability's half-life, or whether a company failed to fix a critical vulnerability within a certain number of days, according to a blog post penned by cyber insurer Coalition, which does not support such approaches. Dubbed CVE exclusions, after the Common Vulnerabilities and Exposures (CVE) system widely used to assign identifiers to software security issues, the tactic is not yet widely adopted, and most examples are from insurers outside the US, the firm stated.
The limits could start showing up in companies' policies, however, if demand for cyber insurance continues to grow, creating a seller's market, says John Coletti, head of cyber underwriting at Coalition.
"While we will not name names, there are specific examples of this occurring within the industry," he says. "A company should be highly skeptical of buying a policy with a CVE exclusion."
Cyber-insurance firms are struggling to find different ways to limit their exposure to large breaches and campaigns that hit a large number of policyholders. Following NotPetya, when companies used business insurance to cover disruptions to operations, efforts to deny payouts based on warlike-act exclusion clauses largely failed but led to enhanced wording in subsequent policies. Increasingly, cyber-insurance firms use data from policyholders or gleaned from cybersecurity assessments, or information from their own managed security services offerings, to better determine risk.
Blame the Victim?
Yet requiring all companies to manage major vulnerabilities is a tall order. Currently, the software industry is on track to disclose more than 46,000 vulnerabilities in 2025, up from nearly 40,000 in 2024, according to the National Vulnerability Database (NVD). Of those, likely 30% would be considered of high or critical severity, typically defined as a Common Vulnerability Scoring System (CVSS) score of 8.0 or higher.
While patching known vulnerabilities is a fundamental part of a company's cybersecurity posture, companies realize — and cyber insurers should realize — that operational constraints, legacy systems, and a changing threat landscape often make timely patching difficult, says Maria Long, chief underwriting officer for Resilience, an insurer.
"While proactive measures are critical, we believe the role of cyber insurance is to serve as a true financial backstop during a crisis," she says. "It's not to penalize companies for falling victim to something that, in hindsight, may have been technically preventable."
In many ways, the approach of CVE exclusions would be similar to affirmative maintenance obligations in home insurance policies, which require that homeowners fix known issues, including those related to recalls, in a timely manner; but the analogy does not necessarily fit well with software flaws and security issues, Coalition argued in its post.
"CVE exclusions may look like a mechanism to improve security on paper, but in practice, they undermine the very purpose of cyber insurance," the post stated. "Worse, they risk eroding relationships between cyber insurance providers and policyholders at the very moments when businesses need their coverage and partnership the most."
The New Math of Risk
The cyber-insurance industry is moving away from companies financially betting on the risk of a breach and becoming more of a business partner and an adviser to policyholders, assessing their cybersecurity posture and suggesting solutions. Even with that, companies should understand how specific policy terms — such as exclusions and limits — might affect their financial exposure in a worst-case scenario, says Resilience's Long.
"Particularly for larger enterprises with complex risk profiles, it's critical to work with insurers that offer bespoke coverage tailored to their specific operations and technology stack," she says. "Our philosophy is to closely partner with clients to understand their unique environment and risk posture rather than forcing them into the standard, one-size-fits-all framework."
Companies should speak with their brokers or cyber insurers about whether a CVE exclusion clause is part of their policy and move away from those firms that include the language, says Coalition's Coletti. As long as cyber insurers are competing for business, policyholders will have some power to keep CVE exclusions out of their policies, he says.
"Working with an experienced broker who understands cyber insurance specifically and who can identify these exclusions is critical," Coletti says. "While they are not extensively deployed, the cyber market is dynamic and carrier approaches change quickly."