Cyber Insurance: The Right Policy Starts Before the Claim

Cyber insurance is a specialised insurance product that covers financial losses arising from cybersecurity incidents, including ransomware attacks, data breaches, business interruption caused by system failures, and third-party liability for personal data breaches under the GDPR. In Spain, cyber policies are underwritten under general insurance law (Ley 50/1980 del Contrato de Seguro) and DGSFP oversight, with no dedicated regulatory framework for cyber risk coverage. The EU's DORA Regulation (2022/2554) requires financial entities to incorporate cyber risk transfer — including insurance — as part of their ICT risk management framework, increasing demand for robust cyber coverage across the financial sector.

Our digital risk advisory team combines technical cybersecurity knowledge with expertise in insurance markets and claims management. This allows us to advise organisations throughout the full cyber risk lifecycle: from risk quantification for underwriters to claims defence when an incident occurs.

The Policy Gap That Remains Hidden Until the Claim

Cyber insurance has moved from a niche product to a standard requirement for any organisation dependent on digital systems. But the market has evolved so rapidly that most companies have not kept pace: policies written three or four years ago under very different underwriting conditions, exclusions introduced in successive renewals without sufficient analysis, or sublimits on critical items (ransomware, business interruption) that do not correspond to real exposure.

The moment these gaps are discovered should not be during a claim. Our critical policy review is the first service we provide, and it consistently reveals significant discrepancies between what the client believes is covered and what is actually covered. The most frequent exclusions we encounter: nation-state attack clauses (war exclusions that have expanded to cover sophisticated cyber operations), failures of cloud provider systems not covered under the insured’s policy, or incidents caused by the insured’s own employees (many policies exclude internal negligence in ways that would apply to the most common attack vector — phishing).

The Rising Underwriting Bar

Insurers have substantially raised the minimum technical requirements for cyber policy underwriting. Multi-factor authentication, optional five years ago, is now a subscription condition for virtually all market underwriters. The same applies to EDR endpoint detection and response solutions, tested offsite backups, and a documented incident response plan. We coordinate with the cybersecurity audit service to enable companies to demonstrate these controls in a documented, rigorous form that satisfies underwriter scrutiny.

The underwriting questionnaire has itself become a technical document requiring careful preparation. Misrepresentation on a cyber insurance questionnaire — whether through inaccuracy or omission — is grounds for claim denial and, in some cases, policy avoidance. We prepare questionnaire responses that are accurate, comprehensive, and presented in the context that positions the organisation’s risk profile most favourably.

Claims: Where Expertise Matters Most

Claims management is where our advisory delivers the most critical value. Insurers have specialist teams focused on limiting indemnification; the insured organisation needs independent expertise that understands the policy in detail, interprets the technical incident narrative accurately, and defends the insured’s interests throughout the process.

Coordination with the incident response team ensures that incident documentation simultaneously satisfies regulatory requirements (AEPD, NIS2 supervisor) and the insurer’s evidentiary requirements. These are not always the same: what satisfies a data protection authority may not be what satisfies an insurer’s adjuster, and vice versa. Managing both from the outset avoids the situation of having incomplete documentation for one audience or the other.

The Pre-Renewal Roadmap

The pre-renewal security roadmap translates the insurer’s risk perception into a prioritised action plan. The controls that most impact premium and coverage capacity are not always the most expensive: implementing MFA across all critical access points, establishing a tested offsite backup process, and documenting the incident response plan can have a measurable impact on renewal terms at relatively low cost. We identify the specific improvements most relevant to the company’s current policy, its insurer’s underwriting criteria, and its realistic budget — producing an ROI-positive security investment plan driven by insurance economics.

What a Well-Designed Cyber Policy Should Cover in 2026

Cyber insurance coverage has evolved significantly. An adequate cyber programme for a medium-sized company in Spain should include the following core components:

Incident response costs: forensic investigation, crisis management team, regulatory notifications to the AEPD and NIS2 supervisors, and communication with affected data subjects.

Business interruption: compensation during the recovery period following a ransomware attack or a breach that renders systems inoperable. This is one of the most valuable coverages and also one of the most contested in claims: the definition of the recovery period, the applicable deductible structure, and the scope of covered losses must be reviewed carefully.

Ransomware and extortion: coverage for ransom payments (where appropriate) and negotiation costs with threat actors. Many policies have sublimits on ransomware that bear no relationship to actual ransomware demand sizes in 2025-2026.

Third-party liability: claims from clients, partners, or third parties affected by the breach.

Legal defence costs and regulatory proceedings: defence costs before the AEPD and NIS2 supervisory authorities. Coverage of administrative sanctions is legally restricted in Spain (administrative sanctions are generally non-insurable), but defence costs are insurable and often represent the more significant exposure in practice.

CEO fraud and fund transfer fraud: losses from fraudulent transfers induced by social engineering — a frequent and costly category of loss that many organisations do not associate with cyber insurance but is typically covered under modern cyber policies.

For companies with obligations under DORA (financial entities), the policy should also cover operational risks from third-party ICT providers, which are one of the principal sources of incidents in the financial sector.

Companies That Cannot Afford to Be Under-Insured

Cyber insurance is particularly critical for organisations that meet any of the following profiles:

• Organisations that process health data, financial data, or children’s data at significant scale
• Organisations with critical IT system dependency for business continuity (logistics, manufacturing with OT systems, SaaS providers)
• Professional services firms, clinics, and advisory firms that hold sensitive client information
• Organisations with 50 or more employees subject to NIS2, with incident notification obligations on very tight timelines
• Organisations providing services to public administration and subject to the National Security Framework (ENS)

For these profiles, an uninsured or under-insured cyber incident can be existentially threatening. The difference between a well-designed policy and a generic product can be the difference between recovery and insolvency. Our coverage review and optimisation service, coordinated with our virtual CISO, ensures that the policy reflects the organisation’s actual exposure.