Think Your Business Is Fully Protected in the Digital World?

by James Jorgensen

Cyber insurance is now essential for businesses, yet many policies only partially cover emerging threats like AI-driven fraud, social engineering and vendor vulnerabilities.

At the same time, insurers are narrowing how cyber risk is defined, creating sharper lines around what a policy covers and where responsibility still falls on the business.

With risk now spanning systems, people and third-party relationships, businesses should ask: Which exposures are covered, which are not and what additional protection may be needed?

Social Engineering Losses Treated as Authorized Transactions

Among the most misunderstood cyber exposures are attacks that manipulate people rather than systems. As AI-driven tactics become more sophisticated, these schemes are evolving in ways that feel legitimate and difficult to identify:

  • Voice cloning: AI-generated audio designed to mimic executives, vendors or employees during calls or voicemail messages.
  • Spear phishing: Highly targeted emails built from publicly available or stolen information to appear credible and personalized.
  • Business email compromise: Fraudulent requests sent from spoofed or compromised accounts posing as trusted leaders, vendors or partners.
  • Vendor impersonation fraud: Fake payment or account update requests tied to legitimate third-party business relationships.

Because these incidents involve authorized transactions rather than breached systems, losses may fall outside standard coverage. While some policies include social engineering endorsements, broader protection can come through crime insurance or funds transfer fraud coverage.

Third-Party Vendor Failures That Sit Outside Your Policy

Cloud platforms, managed service providers and external vendors are now deeply embedded into business operations, meaning disruptions within one organization can quickly impact another. Yet cyber policies do not always extend cleanly into those third-party dependencies, creating gaps many businesses assume are already covered.

Addressing this exposure requires dependent business interruption or contingent coverage endorsements, along with clearly defined vendor contracts.

Nation-State Activity That Triggers War-Related Exclusions

Most cyber policies include war exclusions, but those lines are becoming harder to define as cyberattacks increasingly blur criminal and state-sponsored activity. For example, if a major software provider is hit by an attack later linked to a government-backed group, resulting business disruptions may be treated differently from a coverage standpoint.

Some policies include carve-backs or more specific language around cyber terrorism and state-linked events, but definitions vary. Reviewing how these scenarios are addressed in advance helps reduce the risk of uncertainty if an incident falls into this gray area.

Regulatory Fines & Penalties That Vary by Jurisdiction

Many cyber incidents trigger investigations tied to data privacy and security requirements, particularly in industries handling sensitive customer information. Those reviews can lead to fines, penalties or mandated corrective actions.

Coverage for these costs varies widely by policy and jurisdiction, as some laws limit whether fines can be insured at all. Privacy liability and regulatory coverage can help address investigations and certain penalties where legally permitted.

Reputation Damage That Extends Beyond the Policy Window

Cyber policies are typically designed to support the immediate response to an incident, including notifications, credit monitoring and short-term communications. The longer-term fallout, however, extends far beyond that initial recovery window.

Customer confidence can decline, operations may remain disrupted and business relationships can weaken over time. These impacts often fall outside standard cyber coverage. Business interruption, reputation risk and brand protection extensions can help address some of those longer-term consequences.

When It Comes to Cyber, Capability Matters

James Jorgensen is a principal and executive vice president of business insurance at Marsh McLennan Agency Arizona. With more than 20 years of experience in risk management and insurance, he leads the firm’s business insurance strategy in the region, advising organizations on complex risk, coverage design and long-term resilience.
