
Unpatched, Uncovered: How Cyber Insurance is Raising the Stakes on Security Readiness

11 September 2025
Article

Cyber insurance has evolved rapidly. Once marketed as a straightforward safety net for data breaches, ransomware, and system outages, it is now a highly conditional product shaped by how well policyholders maintain their security posture. Carriers are no longer just pricing risk; they now require evidence of good cyber hygiene and limit payouts when controls are absent.

This shift leaves policyholders facing a new reality: security failures may not only increase the chance of a breach but may also limit, delay, or even void insurance coverage. Insurers, for their part, must protect themselves from paying out on preventable incidents. The result is a growing tension between the insured and the insurer. The lesson is clear: organizations must treat access control, patch management, and authentication not only as IT best practices but as financial safeguards for coverage itself.

With Microsoft’s Windows 10 end of support (14 October 2025) rapidly approaching, IT teams at insured organizations and their carriers must prepare for significant changes. After this date, Windows 10 devices will no longer receive security patches or technical support, leaving systems increasingly vulnerable to cyber threats.

Organizations need to evaluate whether to upgrade to Windows 11, enroll in Microsoft’s Extended Security Updates (ESU) program, or transition to alternative platforms. Carriers and insureds should also assess the potential risks, costs, and downtime associated with unsupported systems to ensure business continuity and protect against increased exposure.

The Patching Problem and CVE Accountability

A growing area of focus is whether insurers should pay claims when breaches exploit known but unpatched vulnerabilities. Reports indicate carriers are considering sliding-scale payouts or fixed deadlines: the longer a fix has been available without being applied, the lower the coverage.

The precedent stems partly from NotPetya. After the 2017 attack crippled global operations, insurers invoked “war exclusions” to deny claims — largely unsuccessfully. But the episode accelerated a trend: more stringent policy wording, especially around known vulnerabilities.

Chubb’s “Neglected Software Exploit” Endorsement: How It Works

One of the clearest examples of this new approach is Chubb’s “Neglected Software Exploit Endorsement.” The endorsement reduces coverage when a policyholder fails to patch a known vulnerability in a timely manner. It works as a sliding scale keyed to how long a fix has been available:

  • Grace Period: For the first 45 days after a patch is available, the risk remains with the insurer and coverage is unaffected.
  • Incremental Risk Shift: After day 45, risk gradually shifts back to the insured:
    • 46–90 days: Coverage begins to decline, often reduced by half.
    • 91–180 days: Coverage may fall further, to as low as one-quarter of the original limit.
    • Beyond 180 days: The policyholder assumes most of the risk, with coverage significantly limited. (Chubb Cyber Insurance Products (https://www.chubb.com/us-en/business-insurance/products/cyber-insurance/cyber-insurance-products.html))

This structure provides clarity. It avoids absolute exclusions while holding insureds accountable for timely patching. For policyholders, it creates a financial incentive to prioritize patching. For insurers and their Special Investigation Units (SIUs), it provides a fair framework to distinguish between reasonable delay and negligence.

EOL Systems, Unpatched Updates, and Lack of MFA: Common Failures

Insurers and Special Investigation Units (SIUs) repeatedly see the same recurring weaknesses driving claims.

  1. End-of-Life Systems

A manufacturer continues using Windows Server 2012 after Microsoft ended support in October 2023. When attackers exploit a legacy RDP flaw, production halts. Insurers point to unsupported-software exclusions, and SIUs question whether executives knowingly ignored the risk.

  2. Unpatched Security Updates

A law firm postpones applying a critical Microsoft Exchange patch. Two months later, attackers deploy web shells and steal confidential data. Regulators had issued advisories urging immediate action. Coverage disputes follow, with insurers reducing payouts due to delayed remediation.

  3. Lack of Multi-Factor Authentication (MFA)

A credit union allows remote access with only usernames and passwords. A phishing email captures an employee’s credentials, enabling fraudulent transfers of millions of dollars. Many policies already require MFA for remote or privileged accounts. In this scenario, coverage is often denied outright.

  4. Consumer Software for Business Purposes

An accounting firm uses the free tier of a popular file-sharing service to send tax returns and financial statements to clients. The free tier lacks the administrative protections of a business plan: centrally enforced MFA, audit logging, retention and sharing-link policies, and centralized access control. When a compromised account leads to unauthorized access, client Social Security numbers and banking details are exfiltrated, and the firm has no audit trail to show what was accessed or when.

Access Controls as the Minimum Standard

Across the industry, certain access controls are now viewed as the “floor”: the basic level of security any organization must maintain to be considered reasonably protected.

These include:

  • Least Privilege: Limit user rights and separate admin accounts.
  • MFA: Enforce for remote access and all sensitive accounts.
  • Role-Based Access Control: Assign access consistently by job role.
  • Centralized Identity and Access Management: Use unified login directories.
  • Network Segmentation: Keep critical systems isolated.
  • Access Reviews: Audit permissions quarterly; revoke immediately for departures.
  • Logging and Monitoring: Centralize logs and set alerts for suspicious activity.
  • Secure Remote Access: Use VPN or Zero Trust; disable exposed RDP.
  • Device and Session Controls: Auto-lock idle sessions, restrict unmanaged devices.
  • Documentation and Policy: Maintain written policies and annual training.
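Several of the controls above (least privilege, MFA on remote and privileged accounts, quarterly access reviews, immediate revocation on departure) can be checked mechanically, and the output is exactly the evidence of diligence an insurer asks for. The following Python script is an added example, not code from the Envista article or from any insurer; it runs an access-review sweep over a constructed identity export. The account fields, the 90-day staleness threshold, and the sample accounts are assumptions chosen to illustrate the checks.

```python
"""Access-review sweep: added example, not code from the Envista article.

Input is a constructed export joining the directory (enabled, admin, MFA,
remote-access entitlement, last logon) with the HR feed (employment status).
The field names and the 90-day staleness threshold are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

STALE_DAYS = 90  # assumption: one quarter, matching the quarterly review cadence


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    is_admin: bool
    mfa_enrolled: bool
    remote_access: bool         # holds a VPN / remote desktop entitlement
    last_logon: Optional[date]  # None = never logged on
    hr_status: str              # "active" or "terminated", from the HR feed


def account_findings(acct: Account, today: date, stale_days: int = STALE_DAYS) -> List[str]:
    """Return the control failures an insurer's questionnaire would ask about."""
    findings: List[str] = []
    if not acct.enabled:
        return findings  # already disabled: nothing left to revoke
    if acct.hr_status == "terminated":
        findings.append("departed-user-still-enabled")
    if acct.is_admin and not acct.mfa_enrolled:
        findings.append("privileged-account-without-mfa")
    if acct.remote_access and not acct.mfa_enrolled:
        findings.append("remote-access-without-mfa")
    if acct.last_logon is None or (today - acct.last_logon).days > stale_days:
        findings.append("stale-account")
    return findings


def run_access_review(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Map each account that has at least one finding to its findings."""
    report: Dict[str, List[str]] = {}
    for acct in accounts:
        findings = account_findings(acct, today)
        if findings:
            report[acct.username] = findings
    return report


def revoke_immediately(report: Dict[str, List[str]]) -> List[str]:
    """Accounts whose findings call for same-day action, not the next quarterly review."""
    urgent = {"departed-user-still-enabled", "privileged-account-without-mfa"}
    return sorted(user for user, findings in report.items() if urgent.intersection(findings))


# Constructed sample export (not real users); review date is the article's publication date.
REVIEW_DATE = date(2025, 9, 11)
SAMPLE_ACCOUNTS = [
    Account("alice", True, True, True, True, date(2025, 9, 8), "active"),       # clean
    Account("bob", True, False, False, True, date(2025, 8, 1), "terminated"),   # left, still on VPN
    Account("carol", True, True, False, False, date(2025, 9, 10), "active"),    # admin, no MFA
    Account("svc_backup", True, True, True, False, None, "active"),             # never logged on
    Account("dave", False, False, False, True, date(2025, 5, 1), "terminated"), # disabled correctly
    Account("erin", True, False, True, True, date(2025, 3, 2), "active"),       # idle > 90 days
]

if __name__ == "__main__":
    report = run_access_review(SAMPLE_ACCOUNTS, REVIEW_DATE)
    for user, findings in sorted(report.items()):
        print(f"{user:12} {', '.join(findings)}")
    print("revoke today:", ", ".join(revoke_immediately(report)))
```

Run it quarterly against a fresh export and keep the output with the date: a dated history of empty "revoke today" lists is far more persuasive to an underwriter or SIU than a checkbox on an application.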

For insurers, these controls reduce the likelihood and severity of losses. For policyholders, they provide evidence of diligence. Failing to meet them risks both a breach and a denied claim.

The SIU and Legal Perspective

For SIUs, access control failures raise red flags during claim investigations. If MFA was absent or unsupported systems were knowingly in use, investigators may view the claim as a preventable loss rather than an insurable accident.

Courts and regulators are also shaping this landscape. Lawsuits often allege negligence when patches are delayed despite public advisories. Regulatory agencies such as the FTC and SEC have brought enforcement actions against companies operating without reasonable safeguards.

For policyholders, this means the cost of weak controls extends beyond denied coverage — it can invite litigation, fines, and reputational harm.

A Balanced Approach: Policyholder Action and Insurer Limits

The challenge is striking a balance. Insurers must limit exposure to predictable risks, but policyholders cannot always move as quickly as insurers expect. Updating complex systems, maintaining legacy applications, or coordinating third-party vendors can all delay patching.

What both sides can agree on is the need for transparency. Policyholders should accurately represent their controls on insurance applications. Insurers should provide clear guidance on required safeguards and realistic timelines. Disputes arise most often when expectations are not clearly communicated.

Practical Steps for Policyholders

  1. Treat baseline controls as mandatory, not optional.
  2. Document everything: patch latency metrics, MFA enforcement logs, and access reviews.
  3. Read policies carefully: look for exclusions tied to CVEs, grace periods, or MFA.
  4. Coordinate between IT and legal teams to ensure insurance questionnaires reflect reality.
  5. Consider a Continuous Threat Exposure Management (CTEM) program so that patching is driven by measured exposure rather than by the next audit or claim.
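The patch-latency metrics in step 2 are what the sliding scale in the Chubb section above is measured against, and the same inventory has to flag platforms that are past end of support (the Windows 10 and Windows Server 2012 cases discussed earlier), for which no latency figure exists at all. The following Python script is an added example, not code from the Envista article, Chubb, or any vendor; it computes, per host and advisory, how many days a fix was available before it was applied (or before the evaluation date if it is still open), maps that to the tiers the article describes, and reports how long unsupported hosts have been past end of support. The record fields, tier names, placeholder advisory identifiers, and sample inventory are assumptions.

```python
"""Patch-latency evidence: added example, not code from the Envista article or Chubb.

Computes how long each fix sat unapplied and maps it to the sliding-scale
tiers described in the article. Tier boundaries (45/90/180 days) follow the
article; tier names, record fields and the sample inventory are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PatchRecord:
    host: str
    advisory: str                          # vendor advisory / CVE id as recorded in the inventory
    patch_released: Optional[date]         # None = no fix exists for this platform
    installed: Optional[date]              # None = still unpatched
    support_ended: Optional[date] = None   # set when the platform is past vendor end of support


def days_exposed(rec: PatchRecord, as_of: date) -> Optional[int]:
    """Days between the fix becoming available and it being applied (or as_of if still open)."""
    if rec.patch_released is None:
        return None
    end = rec.installed or as_of
    return max(0, (end - rec.patch_released).days)


def endorsement_tier(days: Optional[int]) -> str:
    """Map patch latency to the sliding-scale tiers described in the article."""
    if days is None:
        return "no-fix-available"  # unsupported platform: an exclusion question, not a latency one
    if days <= 45:
        return "full"
    if days <= 90:
        return "reduced-half"
    if days <= 180:
        return "reduced-quarter"
    return "limited"


def days_unsupported(rec: PatchRecord, as_of: date) -> Optional[int]:
    """How long the platform has been past end of support on the evaluation date."""
    if rec.support_ended is None:
        return None
    return max(0, (as_of - rec.support_ended).days)


def patch_latency_report(records: List[PatchRecord], as_of: date) -> List[dict]:
    """One row per host/advisory with the figures an underwriter or SIU would ask for."""
    rows = []
    for rec in records:
        exposed = days_exposed(rec, as_of)
        rows.append({
            "host": rec.host,
            "advisory": rec.advisory,
            "days_exposed": exposed,
            "still_open": rec.installed is None,
            "days_unsupported": days_unsupported(rec, as_of),
            "tier": endorsement_tier(exposed),
        })
    return rows


def tier_counts(rows: List[dict]) -> Dict[str, int]:
    """How much of the estate sits in each coverage tier."""
    counts: Dict[str, int] = {}
    for row in rows:
        counts[row["tier"]] = counts.get(row["tier"], 0) + 1
    return counts


# Constructed inventory; hostnames and advisory ids are placeholders, not real CVEs.
AS_OF = date(2025, 9, 11)
SAMPLE_INVENTORY = [
    PatchRecord("fs01", "ADV-2025-001", date(2025, 8, 15), date(2025, 8, 20)),
    PatchRecord("mail01", "ADV-2025-002", date(2025, 7, 10), date(2025, 9, 1)),
    PatchRecord("web02", "ADV-2025-003", date(2025, 6, 1), None),
    PatchRecord("erp01", "ADV-2025-004", date(2025, 1, 15), None),
    PatchRecord("legacy-dc", "ADV-2025-005", None, None, support_ended=date(2023, 10, 10)),
]

if __name__ == "__main__":
    rows = patch_latency_report(SAMPLE_INVENTORY, AS_OF)
    for r in rows:
        print(f"{r['host']:10} {r['advisory']:13} exposed={str(r['days_exposed']):>4} "
              f"open={str(r['still_open']):5} unsupported={r['days_unsupported']} tier={r['tier']}")
    print(tier_counts(rows))
```

The two figures worth keeping over time are the distribution of open items across tiers and the count of "no-fix-available" hosts: the first is what a sliding-scale endorsement will be applied to, and the second is what an unsupported-software exclusion turns on.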

Practical Steps for Insurers

  1. Define expectations clearly in policy language.
  2. Provide structured grace periods rather than absolute exclusions.
  3. Tailor questionnaires to realistic controls rather than blanket checkboxes.
  4. Balance underwriting rigor with acknowledgment of operational challenges.
  5. Train SIUs to distinguish between negligence and reasonable delay.

Conclusion

Cyber insurance is shifting from a broad backstop into a mechanism for enforcing minimum security discipline. For policyholders, the call to action is urgent: invest in access controls, patch management, and MFA not only to reduce breaches but to preserve coverage. For insurers, the challenge is drawing fair lines between preventable negligence and unavoidable exposure.

The common ground is clear. Both sides benefit when basic security controls are in place. Organizations reduce their risk of devastating breaches, and insurers reduce their claim payouts. Where the balance tips too far — either in harsh claim denials or in lax controls — both sides lose.

Security hygiene is no longer just about IT. It is about insurability, credibility, and financial survival.

Partner with Envista Forensics for Cyber Risk and Insurance Investigations

At Envista Forensics, our experts help insurers, legal teams, and organizations navigate the complex intersection of cybersecurity and insurance. From digital forensics to cybersecurity incident response, our team of experts provides the technical clarity needed to investigate breaches, assess controls, and support claims.

Contact Envista Forensics today to learn how we can help you manage risk, preserve coverage, and strengthen your security posture.

About The Author
Jake Green
Jake Green, CCO, CCPA, CCOP, CASA, MCFE
Technical Operations Manager
Digital Forensics

Mr. Jake Green has over ten years of forensic investigation experience. Beginning in 2005, Mr. Green was responsible for managing traffic enforcement and collision investigations, having investigated over 350 vehicle collisions during his law enforcement career. Mr. Green went on to provide crime scene forensic investigations including processing crime scenes, examination of physical and digital evidence, fingerprint examinations and identifications, seizure and preservation of evidence, and expert testimony.
