Emerging cyber risks challenge brokers

E&S cyber requires brokers to translate complex exposures into actionable coverage for clients

Cyber risk is no longer limited to ransomware attacks, yet many clients and brokers still anchor their thinking there. For wholesale broker Christopher Votta, of Wholesure Solutions, underappreciated exposures often lie in operational disruptions and indirect losses, areas that standard cyber policies rarely address.

“I think most clients are still anchored on ransomware breaches,” Votta said. “The real underappreciated exposures, I think, are indirect and operational vendor cloud outages, technology failures without a confirmed data loss, event‑driven regulatory investigation, systematic software vulnerabilities, and, of course, AI, which is one of the hottest topics.”

He added that carriers were increasingly adapting, either through endorsements, affirmative coverage, or broadened policy wording.

“These exposures fall outside the traditional cyber narrative, but they are increasingly root causes of business interruption and compliance events,” Votta said. “I help communicate that with our agent and broker agency partners by shifting the conversation from policy mechanics to practical scenarios: how a single technology failure can disrupt operations, vendors, customers, and regulators.”

Bridging gaps in policy language

Cyber policies vary widely in definitions, exclusions, and coverage triggers, making negotiations a critical function for brokers.

“These policies use so many different terms that mean the same exact thing,” Votta said. “Sometimes the AI we use to compare coverage struggles to differentiate between cyber-crime types. Brokers also don’t always have a solid hold on seeing certain supplemented coverages.”

He highlighted restrictive security warranty language and the evolution of underwriter expectations. While minimum security requirements are now verified during quoting, newer provisions focus on authenticating funds for cyber-crime.

“We have one carrier that gives a $1 million aggregate for cyber-crime coverage but supplements it with a lower limit for anything not authenticated,” Votta said. “Other carriers have non‑authentication or callback provisions. They won’t cover it if, during the claims process, the request wasn’t properly authorized.”

For brokers, the role is to flag these distinctions upfront and help clients and agencies understand definitions, vendor coverages, and interruption triggers that could affect a claim. “We’re not cybersecurity experts, but we need a basis of knowledge to understand the root cause of the issue and what the insured could do going forward,” he said.

Controlling the narrative on hard-to-place accounts

Votta said most cyber accounts were not inherently hard to place, given market capacity. However, higher-risk accounts require careful narrative management.

“You’re seeing a ‘burning building’ approach similar to property underwriting: the burning building has already burnt down. Now we’re insuring a brand-new property,” he said. “They’ve had their ransomware event, implemented EDR, XDR, MDR, multi-factor authentication, whatever it may be. The risk has become more attractive to us.”

For accounts with gaps in controls, brokers could present alternative risk mitigations or third-party validations, such as pen tests, forensic reports, or external scans. “The application may not make them look great, but a cyber scan could make the risk more appealing and result in a quote they wouldn’t otherwise get,” Votta said.

Aligning cyber with other E&S lines

Effective cyber placement often requires coordination with professional and management liability policies to avoid gaps or overlaps.

“When we looked at a risk as a whole, professional service risks obviously had an E&O exposure,” Votta said. “We structured programs to align each policy to its natural intent while clearly defining boundaries. Cyber handled data breaches, network failures, system outages, and social engineering. D&O covered governance exposures. Professional liability handled third-party financial loss tied to services provided.”

He noted some carriers offer modular forms covering cyber, D&O, and E&O, but these are rare on the wholesale side. “We placed cyber separately, but D&O and E&O could be combined depending on the business class,” Votta said. “Exclusionary wording ensured policies didn’t stack except where overlaps were intended, such as E&O carve-backs in D&O claims.”

Technology service providers, he added, often combined exposures. “SaaS, MSPs, MSSPs—claims tied to tech services almost always result in a cyber claim, so cyber is usually packed onto those forms anyway,” he said.
