darkreading.com
Robert Lemos, Contributing Writer
August 22, 2025
Some insurers look to limit payouts to companies that don't remediate serious vulnerabilities in a timely manner. Unsurprisingly, most companies don't like those restrictions.
Cyber insurers are testing out new ways to hold policyholders accountable for outdated security, limiting payouts when policyholders fall prey to attacks that use older vulnerabilities or take advantage of holes in the organizations' defenses.
Potential risk-limiting approaches include a sliding scale of accountability — and payouts — based on an unpatched vulnerability's half-life, or whether a company failed to fix a critical vulnerability within a certain number of days, according to a blog post penned by cyber insurer Coalition, which does not support such approaches. Dubbed CVE exclusions, after the Common Vulnerabilities and Exposures (CVE) system widely used to assign identifiers to software security issues, the tactic is not yet widely adopted, and most examples are from insurers outside the US, the firm stated.
The limits could start showing up in companies' policies, however, if demand for cyber insurance continues to grow, creating a seller's market, says John Coletti, head of cyber underwriting at Coalition
"While we will not name names, there are specific examples of this occurring within the industry," he says. "A company should be highly skeptical of buying a policy with a CVE exclusion."
Cyber-insurance firms are struggling to find different ways to limit their vulnerability to large breaches and campaigns that hit a large number of policyholders. Following NotPetya, when companies used business insurance to cover disruptions to operations, efforts to deny payouts based on warlike-act exclusion clauses largely failed but led to enhanced wording in subsequent policies. Increasingly, cyber-insurance firms used data from policyholders or gleaned from cybersecurity assessments, or information from their own managed security services offerings to better determine risk.
Blame the Victim?
Yet requiring all companies to manage major vulnerabilities is a tall order. Currently, the software industry is on track to disclose more than 46,000 vulnerabilities in 2025, up from nearly 40,000 in 2024, according to the National Vulnerability Database (NVD). Of those, likely 30% would be considered of high or critical severity, typically defined as a Common Vulnerability Scoring System (CVSS) score of 8.0 or higher.
