Cybersecurity

Why Cyber Insurance Carriers Now Vet Your Communications Plan

By EPR Editorial Team, 4 min read

Your cyber insurance policy does not pay out for reputational damage caused by a botched press response.

The carriers caught on. The premiums caught up.

Marsh, Aon, and Lockton, three of the largest cyber insurance brokers, have all reported tightening underwriting criteria over the past three renewal cycles. The new criteria include questions that traditional cyber underwriters did not ask: crisis communications readiness, spokesperson training, tabletop drill frequency, and whether external communications counsel is on retainer. The communications function is now an underwriting variable.

The premium math has caught up too. Companies with documented communications readiness pay materially lower premiums than peer companies without it.

What changed in underwriting

Three things drove the shift.

One. Loss data. Carriers have ten years of breach loss data now. The pattern is clear. Companies with structured incident response — including communications — recover faster and generate smaller total claims than companies without it. IBM's Cost of a Data Breach Report documents the differential. Underwriters are pricing on it.

Two. The SEC rule. Form 8-K Item 1.05 requires a public company to disclose a material cybersecurity incident within four business days of determining that the incident is material, and that materiality determination must itself be made without unreasonable delay. The communications window is now compressed to that four-business-day clock. The carriers recognized that communications execution under that compression is a material risk factor, and that companies without a runbook generate larger losses.

Three. Reputational damage exclusions. Most cyber policies have always carried reputational damage exclusions or sublimits. The carriers tightened the language and the enforcement. Botched communications no longer get rolled into recoverable losses by default.

What underwriters now ask

The questionnaire varies by carrier and broker, but the underlying questions overlap.

Incident response retainer. Is there a named external IR firm on retainer with a 24-hour response SLA? See: Mandiant vs. CrowdStrike.

Communications retainer. Is there a named external communications firm on retainer with a 24-hour response SLA?

Tabletop drill frequency. How often does the joint incident response and communications team run tabletop exercises? Annually is now the floor and quarterly the upper end. Some carriers will not write at preferred rates without quarterly drills.

Communications playbook on file. Does the company have a documented crisis communications playbook? When was it last updated? Has it been tested under simulated conditions?

Spokesperson media training. Have the CEO and CISO completed formal media training within the past 24 months? With which provider? Including SEC disclosure simulation? See: Why CISOs Are Now Spokespeople.

Board-level approval workflow. Is there a defined process for materiality determination and disclosure approval? Documented? Tested?

Customer notification capability. Is there a tested notification process for customer-data exposure scenarios? Including the technical infrastructure to send time-stamped, tracked notifications at scale?

The denial mechanic

Reputational damage exclusions historically operated as fine-print provisions that rarely surfaced. They now surface routinely.

The carrier's argument is straightforward. If the loss was driven by the breach itself (stolen data, operational disruption, regulatory fines where the policy and the jurisdiction allow them to be insured), it is covered. If the loss was driven by the company's response to the breach (botched press handling, executive missteps, a sequence of corrections that extended the news cycle), it is not.

The distinction is litigated case by case. But the trend is unmistakable. Carriers are pushing harder to attribute claim losses to response failures rather than incident severity, and they have the loss data to support the argument.

What underwriters reward

The companies that get preferred rates share a profile.

Documented IR-comms integration. Named external firms in both functions, with a documented joint runbook covering the four-business-day Item 1.05 disclosure window, measured from the materiality determination rather than from discovery of the incident.

Drill cadence at the upper end. Quarterly tabletops with real-time pressure, realistic facts, and a documented after-action review.

Spokesperson readiness. Current media training, with SEC-specific simulation, for both the CEO and the CISO. Some carriers now look for media training for the General Counsel and CFO as well.

Board governance. Documented board-level cybersecurity committee with formal oversight of disclosure preparation. Quarterly briefings to the full board on cyber risk including communications readiness. See: The Boardroom Briefing No CISO Survives Without.

Technical communications infrastructure. Dark sites (pre-built, unpublished crisis web pages that can be switched on within minutes), customer notification systems, employee communication systems, and partner notification protocols, all tested at scale rather than only on paper.

The premium math

Lockton's 2025 cyber market report documented a 12–22% premium differential between companies with documented communications readiness and matched-risk peers without it.

Marsh's quarterly cyber insights have made similar observations. The differential widened during the 2023 hard market and has held through the soft market that followed.

For a Fortune 500 company with a multi-million-dollar cyber premium, the differential is material. The investment in communications readiness pays back in premium reduction alone — separate from any savings in actual incident response.

What to do this quarter

Three actions.

One. Audit the communications readiness profile. Score the company against the underwriter questionnaire. Identify the gaps. Most companies will have gaps on spokesperson training and drill frequency.

Two. Build or update the playbook. Documented, tested, current. Most companies have a playbook from 2019 that has not been updated for the SEC rule.

Three. Communicate the readiness to the broker. At the next renewal cycle, the readiness profile should be presented as part of the submission. The differential is not automatic — it requires demonstrating the readiness in underwriting.

Underwriters now read your communications playbook. If you do not have one, your premium says so.

Written by EPR Editorial Team, Everything Public Relations
