Ten Cyber Insurance Exclusions Irish SMEs Must Know

The ten most common cyber insurance exclusions affecting Irish SMEs — from unpatched systems to nation-state attacks. Essential reading before your next renewal.

In 2025, a Donegal manufacturing firm suffered a ransomware attack that crippled its operations for three weeks. The business had a cyber insurance policy. The claim was denied because a known vulnerability in their system had gone unpatched for months — an exclusion buried in the small print that neither the owner nor their broker had read carefully. The firm lost €180,000 uninsured. The policy had cost €2,200 per year.

This scenario is not unusual in Ireland. Many businesses invest in cyber insurance under the impression it functions like a comprehensive safety net. The reality is that cyber policies contain specific exclusions that, when triggered, can leave a business exposed at precisely the moment it most needs protection. Understanding these exclusions before a claim is the only way to address them.

The Ten Exclusions That Most Often Affect Irish SMEs

Unpatched systems and known vulnerabilities form the basis of the exclusion most frequently cited in denied claims across Ireland. When a cyber incident occurs as a result of a vulnerability for which a patch was publicly available and not applied, insurers argue that the business failed to maintain minimum security standards. The NCSC Ireland consistently advises organisations to implement robust patch management as a core protective measure.[^1] If you have systems running software that is no longer supported by its vendor, or if critical patches are regularly delayed, this exclusion is a direct risk to your coverage.

Acts of war and nation-state attacks are excluded from most standard cyber policies. While this may seem remote for a Donegal SME, the reality is that major attacks like NotPetya — attributed to a nation-state — caused collateral damage to businesses far removed from geopolitical targets. Insurers invoke the war exclusion when attack attribution suggests state involvement. Attribution is technically complex and often disputed. If you operate in a sector that might be targeted as part of a broader geopolitical campaign, this exclusion deserves scrutiny.

Social engineering and phishing losses are handled inconsistently across cyber policies. Many policies differentiate between a technical breach of your systems and a financial loss caused by an employee being deceived into authorising a fraudulent payment. Business email compromise — where an attacker impersonates a supplier to redirect a payment — is one of the most common cyber-enabled crimes affecting Irish businesses. But if the payment was authorised rather than extracted through a technical breach, many cyber policies exclude it. An Garda Síochána's National Cyber Crime Bureau processes significant numbers of BEC reports each year from Irish SMEs who believed their loss was covered by cyber insurance.[^2]

Pre-existing conditions and undisclosed vulnerabilities operate similarly to health insurance. If your business was aware of a security incident or significant vulnerability when applying for coverage and failed to disclose it, a subsequent related claim can be denied. Honesty in insurance applications is a legal obligation, and material misrepresentation can void a policy entirely.

Failure to maintain minimum security standards is a warranty exclusion that catches businesses whose security posture deteriorates after the policy is signed. A policy may require MFA on all critical accounts, current antivirus, regular backups, and documented incident response procedures. If an incident occurs and the forensic investigation reveals that these controls were not in place — even if they were present when the policy was purchased — the insurer has grounds for denial. This exclusion requires ongoing compliance, not a one-time setup.

Physical damage caused by cyber events is typically not covered by cyber insurance. If a cyberattack on your operational systems causes equipment to malfunction and sustain physical damage — a realistic scenario for manufacturing, utilities, or food processing businesses — the physical repair costs fall under property insurance, not cyber. The two policies need to work together without a coverage gap.

Has your broker explained your policy's exclusions — and do you know which security controls are required as warranty conditions? Book a free 20-minute strategy call — we'll review your policy exclusions against your current security controls and identify coverage gaps before an incident occurs.

Reputational damage and future profit loss are almost universally excluded from standard cyber policies. A publicised data breach that causes your clients to leave or reduces your bookings for the following year represents a real business loss, but it is not a measurable insured event under most policy wordings. Some premium policies offer limited crisis PR funding, but the long-term reputational impact is yours to absorb.

Regulatory fines and DPC penalties are excluded from most policies. If the Data Protection Commission investigates your breach and imposes a fine — which can reach 4% of annual global turnover under GDPR — your cyber insurance will typically not pay that fine.[^3] The policy may cover legal costs in responding to the investigation, but not the penalty itself. For hospitality, healthcare, and professional services businesses in Donegal and Sligo with large volumes of personal data, DPC exposure can exceed the cost of the technical incident.

Intellectual property infringement is not covered by standard cyber insurance. If a cyberattack results in theft of your proprietary designs, client lists, or trade secrets — and those are subsequently misused — recovering the associated losses requires specialist IP insurance, not a cyber policy.

Intentional acts by the insured are universally excluded. No policy covers losses caused by deliberate criminal acts committed by the business owner or senior management. Policies may cover losses from rogue employees at operational levels, but deliberate fraud or sabotage by those controlling the business is excluded without exception.

Have you read your cyber insurance policy's exclusion section, or do you only have the coverage summary? The exclusions determine whether a claim pays out — not the marketing material.

What This Means for Your Business

For Irish SMEs, understanding these exclusions requires reviewing the actual policy wording — specifically the conditions and exclusions section, not the coverage schedule or the broker's summary. The words "warranted," "condition precedent," and "provided that" signal obligations that must be met for coverage to apply. Each of those phrases is worth reading carefully.

The layered approach to risk mitigation addresses several gaps that cyber insurance leaves. If your cyber policy excludes BEC fraud, a crime insurance policy can fill that gap. If your policy excludes regulatory fines, your legal defence reserves or a regulatory liability extension can provide some coverage. If your policy excludes physical damage, your property policy needs to be checked for cyber-caused physical loss coverage.

Proactive cybersecurity is not just good practice — it is what makes your policy enforceable. Implementing MFA, maintaining a patching schedule, testing backups, and having a documented incident response plan are the controls that both reduce your risk and keep you compliant with the warranty conditions most policies require.

Three Steps Before Your Next Renewal

  1. Read the exclusions and conditions section of your current policy. Make a list of every exclusion and every warranty. Confirm which exclusions you have no way to mitigate, and discuss those with your broker before renewal. Knowing what you are not covered for allows you to make an informed decision about supplementary coverage.

  2. Check whether your policy covers BEC fraud and social engineering losses. If not, ask your broker about a crime policy extension. Given the frequency of BEC attacks targeting Irish businesses, this gap is significant for any business that makes regular supplier or contractor payments.

  3. Document your compliance with your policy's warranty conditions. Keep a record of your MFA configuration, your patching schedule, your last backup test, and your incident response procedure. This documentation is evidence in a claims dispute, and it demonstrates the ongoing compliance that warranty clauses require.

Related Reading

[^1]: NCSC Ireland — Guidance on patch management and security controls for Irish organisations: https://www.ncsc.gov.ie/advice-for-organisations/

[^2]: An Garda Síochána — National Cyber Crime Bureau guidance on BEC fraud and cyber-enabled crime: https://www.garda.ie/en/crime/cyber-crime/

[^3]: Data Protection Commission Ireland — GDPR enforcement and penalty guidance: https://www.dataprotection.ie

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.