Cyber Insurance: The Right Policy Starts Before the Claim
Cyber insurance advisory: policy review, coverage gap analysis, risk quantification for underwriters, claims management, and pre-renewal security improvement roadmap.
Why your cyber insurance policy probably doesn't cover what you think
Does this apply to your business?
Have you read the exclusions and sublimits of your cyber insurance policy in detail?
Does your company meet the minimum security controls your insurer requires as a policy condition?
Do you know exactly how long system recovery would take following a ransomware attack — and what that downtime would cost?
Have you quantified the potential business interruption exposure from an incident that renders your systems inoperable for a week?
Our cyber insurance review and claims management process
Critical policy review
We analyse the current cyber insurance policy in detail: first-party and third-party liability coverages, sublimits, deductibles, critical exclusions, underwriting conditions, and cooperation clauses. We identify the gaps between contracted coverage and the company's real exposure.
Cyber risk quantification for underwriters
We produce the quantified risk profile that insurers need to underwrite correctly: critical assets, estimated exposure, implemented controls, and technical evidence. A well-documented risk profile enables access to better terms and greater coverage capacity.
Underwriting and renewal preparation
We prepare underwriting questionnaires with the technical rigour insurers require, coordinate the evidence of required security controls (MFA, EDR, offsite backups, incident response plan), and advise on the minimum security thresholds each insurer requires.
Cyber claims management
When a claim occurs, we coordinate notification to the insurer, ensure incident documentation meets the policy requirements, manage the relationship with the insurer's adjusters and lawyers, and protect the insured company's interests throughout the process.
The challenge
The cyber insurance market has tightened dramatically: insurers now require minimum security controls that many companies do not meet, pre-underwriting questionnaires are increasingly technical, and policies contain exclusions and sublimits that only become clear when a claim arises. Many companies discover that their cyber insurance does not cover what they thought it did precisely when they need it most.
Our solution
We advise organisations throughout the cyber insurance lifecycle: critical review of the current policy, coverage gap identification, technical preparation for underwriting (questionnaires, control evidence), claims management with the insurer, and a pre-renewal security improvement roadmap to obtain better terms at the next renewal.
Cyber insurance is a specialised insurance product that covers financial losses arising from cybersecurity incidents, including ransomware attacks, data breaches, business interruption caused by system failures, and third-party liability for personal data breaches under the GDPR. In Spain, cyber policies are underwritten under general insurance law (Ley 50/1980 del Contrato de Seguro) and DGSFP oversight, with no dedicated regulatory framework for cyber risk coverage. The EU's DORA Regulation (2022/2554) requires financial entities to incorporate cyber risk transfer — including insurance — as part of their ICT risk management framework, increasing demand for robust cyber coverage across the financial sector.
Our digital risk advisory team combines technical cybersecurity knowledge with expertise in insurance markets and claims management. This allows us to advise organisations throughout the full cyber risk lifecycle: from risk quantification for underwriters to claims defence when an incident occurs.
The Policy Gap That Remains Hidden Until the Claim
Cyber insurance has moved from a niche product to a standard requirement for any organisation dependent on digital systems. But the market has evolved so rapidly that most companies have not kept pace: policies written three or four years ago under very different underwriting conditions, exclusions introduced in successive renewals without sufficient analysis, or sublimits on critical items (ransomware, business interruption) that do not correspond to real exposure.
The moment these gaps are discovered should not be during a claim. Our critical policy review is the first service we provide, and it consistently reveals significant discrepancies between what the client believes is covered and what is actually covered. The most frequent exclusions we encounter: nation-state attack clauses (war exclusions that have expanded to cover sophisticated cyber operations), failures of cloud provider systems that the insured’s policy does not treat as covered, and incidents caused by the insured’s own employees (many policies exclude internal negligence in ways that would apply to the most common attack vector — phishing).
The Rising Underwriting Bar
Insurers have substantially raised the minimum technical requirements for cyber policy underwriting. Multi-factor authentication, optional five years ago, is now an underwriting condition for virtually all market underwriters. The same applies to endpoint detection and response (EDR) solutions, tested offsite backups, and a documented incident response plan. We coordinate with the cybersecurity audit service to enable companies to demonstrate these controls in a documented, rigorous form that satisfies underwriter scrutiny.
The underwriting questionnaire has itself become a technical document requiring careful preparation. Misrepresentation on a cyber insurance questionnaire — whether through inaccuracy or omission — is grounds for claim denial and, in some cases, policy avoidance. We prepare questionnaire responses that are accurate, comprehensive, and presented in the context that positions the organisation’s risk profile most favourably.
Claims: Where Expertise Matters Most
Claims management is where our advisory delivers the most critical value. Insurers have specialist teams focused on limiting indemnification; the insured organisation needs independent expertise that understands the policy in detail, interprets the technical incident narrative accurately, and defends the insured’s interests throughout the process.
Coordination with the incident response team ensures that incident documentation simultaneously satisfies regulatory requirements (AEPD, NIS2 supervisor) and the insurer’s evidentiary requirements. These are not always the same: what satisfies a data protection authority may not be what satisfies an insurer’s adjuster, and vice versa. Managing both from the outset avoids the situation of having incomplete documentation for one audience or the other.
The Pre-Renewal Roadmap
The pre-renewal security roadmap translates the insurer’s risk perception into a prioritised action plan. The controls that most impact premium and coverage capacity are not always the most expensive: implementing MFA across all critical access points, establishing a tested offsite backup process, and documenting the incident response plan can have a measurable impact on renewal terms at relatively low cost. We identify the specific improvements most relevant to the company’s current policy, its insurer’s underwriting criteria, and its realistic budget — producing an ROI-positive security investment plan driven by insurance economics.
What a Well-Designed Cyber Policy Should Cover in 2026
Cyber insurance coverage has evolved significantly. An adequate cyber programme for a medium-sized company in Spain should include the following core components:
Incident response costs: forensic investigation, crisis management team, regulatory notifications to the AEPD and NIS2 supervisors, and communication with affected data subjects.
Business interruption: compensation during the recovery period following a ransomware attack or a breach that renders systems inoperable. This is one of the most valuable coverages and also one of the most contested in claims: the definition of the recovery period, the applicable deductible structure, and the scope of covered losses must be reviewed carefully.
Ransomware and extortion: coverage for ransom payments (where appropriate) and negotiation costs with threat actors. Many policies have sublimits on ransomware that bear no relationship to actual ransomware demand sizes in 2025-2026.
Third-party liability: claims from clients, partners, or third parties affected by the breach.
Legal defence costs and regulatory proceedings: defence costs before the AEPD and NIS2 supervisory authorities. Coverage of administrative sanctions is legally restricted in Spain (administrative sanctions are generally non-insurable), but defence costs are insurable and often represent the more significant exposure in practice.
CEO fraud and fund transfer fraud: losses from fraudulent transfers induced by social engineering — a frequent and costly category of loss that many organisations do not associate with cyber insurance but is typically covered under modern cyber policies.
For companies with obligations under DORA (financial entities), the policy should also cover operational risks from third-party ICT providers, which are one of the principal sources of incidents in the financial sector.
Regulatory Framework: Insurance Law and Digital Regulation
Cyber insurance in Spain is governed by the Ley 50/1980 del Contrato de Seguro, which establishes the general framework for commercial insurance contracts. Unlike other EU markets, Spain has not introduced specific cyber insurance regulation, meaning that policy terms, coverage definitions, and exclusion clauses are subject to general insurance contract principles — and to the interpretation of the Tribunal Supremo in coverage disputes.
Key regulatory intersections that affect cyber insurance design:
GDPR (Regulation 2016/679) and LOPDGDD (Law 3/2018): data breach notification obligations to the AEPD within 72 hours create an immediate cost component (forensic investigation, legal advice, authority notification) that must be covered by the cyber policy. GDPR fines — which reach EUR 20 million or 4% of global turnover for the most serious violations — are generally not insurable as a matter of Spanish public policy (administrative sanctions are personal and non-transferable), but legal defence costs before the AEPD are insurable and can be substantial.
NIS2 Directive (EU 2022/2555): NIS2 incident notification obligations — 24-hour early warning and 72-hour formal report — create an urgent response cost that must be pre-financed by the insurer. Many NIS2-obligated organisations use their cyber insurance as the funding mechanism for immediate incident response, which requires that the insurer’s claims activation process be fast enough to fund a 48-hour response. Policy review must include assessment of the claims activation timeline.
DORA (Regulation 2022/2554): financial entities subject to DORA must incorporate ICT risk transfer (including insurance) as a component of their ICT risk management framework. DORA also requires financial entities to monitor the financial stability and viability of their ICT risk insurance providers. Cyber insurance for financial entities is becoming a regulated element of ICT risk governance.
Sectors Most Affected
Financial services (banks, FinTech, insurance): the most demanded cyber policies, driven by DORA requirements, high data volumes, and the financial sector’s status as a prime target for cybercriminals. Average claims in the financial sector involve business interruption from system unavailability and fraudulent transfers from BEC (Business Email Compromise) attacks.
Healthcare: hospitals, clinics, and health technology companies hold highly sensitive personal data under particularly strict processing conditions (health data is a special category under GDPR Art. 9). Ransomware attacks on healthcare infrastructure have increased dramatically since 2022. Cyber insurance for healthcare organisations must cover both the data breach component and the operational disruption component of a ransomware incident.
Manufacturing and OT environments: industrial organisations with operational technology (OT) systems — production line controls, SCADA systems, connected sensors — face a specific cyber risk profile: ransomware that propagates from IT networks to OT systems can halt production entirely. Standard cyber policies written for IT environments may have exclusions for OT losses. Manufacturing companies must review whether their policies specifically address OT coverage.
Professional services (law firms, advisory firms, accountants): hold highly sensitive client data under professional secrecy obligations and are increasingly targeted precisely because they hold client information. Professional indemnity insurance does not cover cyber risks; a separate cyber policy is essential.
Company Size Segmentation
SMEs (fewer than 250 employees): the fastest-growing segment of the cyber insurance market. SMEs have historically been under-insured, believing they were too small to be targeted. The reality is that SMEs are the primary target of opportunistic ransomware campaigns precisely because their defences are weaker and their response capacity more limited. Entry-level cyber policies for SMEs are now available at accessible price points, though coverage depth varies significantly between products.
Medium companies (250-1,000 employees): the segment where the gap between perceived coverage and actual coverage is widest. A policy written three years ago at a much lower premium may have exclusions for the most common current attack vectors that the insured has not reviewed. Annual policy review is essential.
Large companies and corporate groups: require coordinated cyber insurance programmes across multiple entities and jurisdictions, with group-level aggregate limits and per-entity sublimits. Group cyber programmes must be designed with the specific cyber risk profile of each entity in mind — a manufacturing subsidiary has different coverage needs from a technology services subsidiary.
Common Mistakes We Fix
- Relying on the general liability policy to cover cyber incidents. General liability policies (responsabilidad civil general) rarely cover cyber incidents adequately and frequently exclude them entirely. Companies that assume their general liability policy will respond to a ransomware attack or data breach discover the exclusion at the worst possible moment.
- Not reading the war exclusion in detail. Cyber insurance war exclusions have expanded significantly following the NotPetya attack (2017), which insurers attributed to a nation-state and used to deny coverage. Modern cyber policies contain war exclusions that may exclude sophisticated attacks attributed to state-sponsored actors — a significant proportion of the most damaging incidents. The specific wording of the war exclusion must be reviewed and, where possible, negotiated.
- Underestimating business interruption duration. The business interruption period covered by most policies is shorter than the actual recovery time from a major ransomware incident. Full system restoration, including rebuilding encrypted data from backups, re-establishing supply chain communications, and managing customer and regulatory relationships, can take 30-90 days. Many policies have 7-14 day deductibles and coverage periods that are too short.
- Not testing the insurer’s incident response process before an incident. The quality of the insurer’s incident response panel — forensic investigators, legal advisers, PR crisis management — varies significantly between insurers. An insurer with a weak incident response panel can cause more damage than the incident itself through poor communications or inadequate forensic management.
- Buying coverage based on price rather than scope. The cheapest cyber policy is frequently the one with the most exclusions. A 20% premium reduction achieved through coverage narrowing can translate into a 100% coverage denial in the most likely claim scenario. Total cost of risk — premium plus uncovered losses — is the correct metric, not annual premium in isolation.
Geographic Coverage
We advise on cyber insurance across Spain, coordinating with specialist cyber insurance brokers in Madrid, Barcelona, Málaga, and Bilbao. For corporate groups with operations in multiple EU Member States, we advise on group cyber insurance programmes that address the specific regulatory requirements of each jurisdiction — GDPR notification obligations, NIS2 requirements, and DORA financial entity requirements — under a coordinated coverage structure.
Worked Example: Ransomware Claim Management for a Professional Services Firm
A Madrid-based advisory firm (75 employees, EUR 9 million revenue) suffered a ransomware attack that encrypted its entire file server, including client files and financial records. The firm held a cyber insurance policy with a EUR 500,000 limit but had never reviewed the coverage in detail.
BMC’s involvement began within 2 hours of the incident being detected:
- Emergency policy review: identified that the policy covered forensic investigation costs, business interruption (7-day deductible), GDPR notification costs, and ransom negotiation (up to EUR 200,000). Data restoration from backup (as opposed to restoration following a ransom payment) was covered without a sublimit.
- The ransom demand was EUR 150,000 in cryptocurrency. We advised against payment (backups were intact) and engaged the insurer’s forensic panel to manage the investigation and restoration.
- AEPD notification filed within 72 hours: the attack had potentially exposed client personal data stored on the file server. The notification accurately described the nature of the incident, the data potentially affected, and the mitigation measures being implemented.
- Business interruption claim: the firm was unable to access client files for 11 days (the restoration period exceeded the 7-day deductible by 4 days). The insurer covered EUR 87,000 in business interruption losses for the 4 recoverable days.
- Post-incident: the insurer required a pre-renewal security improvement plan. We prepared the plan (MFA on all remote access, offsite backup testing, phishing simulation programme) and negotiated a 15% premium reduction at renewal in exchange for the committed improvements.
How We Work
Our cyber insurance advisory practice operates across the full insurance lifecycle:
Policy review (one-time): a comprehensive review of the existing cyber policy against the organisation’s real cyber risk profile, identifying coverage gaps, exclusion risks, and sublimit mismatches. Delivered within 2-3 weeks. Fixed fee.
Pre-renewal optimisation: 8-12 weeks before renewal, we conduct a pre-renewal security roadmap assessment, prepare the underwriting questionnaire documentation, and coordinate with the broker to present the risk in the most favourable light. The objective is to maximise coverage capacity whilst managing premium cost.
Claims management (incident-triggered): when an incident occurs, we activate immediately to review policy coverage, coordinate with the insurer’s incident response panel, manage regulatory notifications (AEPD, NIS2) in parallel with the insurance claim, and represent the insured’s interests throughout the claim process.
Programme design (new coverage): for organisations without an existing cyber policy, we design the coverage programme from scratch — scope, limits, sublimits, deductible structure, insurer selection — in coordination with specialist cyber insurance brokers.
Companies That Cannot Afford to Be Under-Insured
Cyber insurance is particularly critical for organisations that meet any of the following profiles:
- Organisations that process health data, financial data, or children’s data at significant scale
- Organisations with critical IT system dependency for business continuity (logistics, manufacturing with OT systems, SaaS providers)
- Professional services firms, clinics, and advisory firms that hold sensitive client information
- Organisations with 50 or more employees subject to NIS2, with incident notification obligations on very tight timelines
- Organisations providing services to public administration and subject to the National Security Framework (ENS)
For these profiles, an uninsured or under-insured cyber incident can be existentially threatening. The difference between a well-designed policy and a generic product can be the difference between recovery and insolvency. Our coverage review and optimisation service, coordinated with our virtual CISO, ensures that the policy reflects the organisation’s actual exposure.
Real results in cyber insurance advisory
When we suffered a ransomware incident, we discovered our policy had a EUR 100,000 sublimit for extortion when the demand was EUR 500,000. BMC managed the negotiation with the insurer and secured significantly better recovery than the literal policy terms suggested. At the next renewal, with the security roadmap they provided, we reduced our premium by 23% while increasing coverage capacity.
Experienced team with local insight and international reach
What our cyber insurance service includes
Policy Review and Coverage Gap Analysis
Detailed analysis of the current policy: coverages, sublimits, exclusions, cooperation conditions, and gaps between contracted coverage and the organisation's real cyber exposure.
Cyber Risk Quantification
Production of the quantified risk profile for underwriters: potential financial exposure, critical assets, loss scenarios, and estimated business interruption impact.
Underwriting and Renewal Preparation
Preparation of underwriting questionnaires, documentation of implemented security controls, and a pre-renewal improvement roadmap prioritised by impact on premium and terms.
Cyber Claims Management
Coordination of insurer notification, management of the relationship with adjusters and the insurer's lawyers, and protection of the insured company's interests throughout the claims process.
Pre-Renewal Security Roadmap
Security improvement plan oriented towards obtaining better renewal terms: prioritisation of controls with the greatest impact on insurer risk perception within a practical budget.