A cyber insurance provider is taking issue with competitors that won’t pay claims resulting from unpatched vulnerabilities.
In a recent LinkedIn post, cyber insurer Coalition said that while these exclusions are not “widely deployed,” the company has been seeing more of them recently. Some cyber insurers won’t pay if a claim arises from a vulnerability that’s gone unpatched for a certain number of days, the insurer said. Others use a sliding scale, in which the payout falls the longer the vulnerability has gone unpatched.
One “well-known” U.S. insurer excludes losses arising from CVEs with a CVSS severity score greater than 8.0 if a patch has been available for three weeks and not been applied, Coalition said.
“This logic might make sense if patching were simple and straightforward,” stated Tiago Henriques, Chief Underwriting Officer at Coalition. “But in reality, vulnerability management is complicated and convoluted, even for businesses with sophisticated security teams.”
Cyber Insurers and CVE Exclusions
Coalition looked at the data surrounding the CVSS 8.0 patching exclusion. As of July 2025, more than 61,000 vulnerabilities would fit that exclusion, yet only a little more than 1% of those vulnerabilities are in CISA’s Known Exploited Vulnerabilities (KEV) catalog, the insurer said.
In an era in which there are more than 40,000 new vulnerabilities a year, “CVE exclusions are putting businesses in an impossible situation,” Henriques said. “Either waste precious resources chasing thousands of low-likelihood vulnerabilities or invest in a cyber insurance policy that risks claim denial when an unpatched system is breached.”
Coalition didn’t name insurers with patch exclusions or endorsements, but Chubb, for example, may add a “Neglected Software Exploit Endorsement” for policyholders that are lax in applying security fixes.
“For policyholders that lack strong patch management hygiene, Chubb may address this risk by adding the neglected software exploit endorsement,” Chubb’s website says. “This endorsement provides policyholders with a 45-day grace period to patch software vulnerabilities that are published as Common Vulnerabilities and Exposures (CVEs) within the National Vulnerability Database operated by the U.S. National Institute for Standards and Technology (NIST). After the 45-day grace period expires, there is risk sharing between the policyholder and insurer incrementally shifting to the policyholder, who takes on progressively more of the risk if the vulnerability is not patched at the 45-, 90-, 180-, and 365-day mark.”
A Risk-based Approach to Cyber Insurance Patching Requirements
Coalition endorses a more risk-based approach, with technical assistance from the insurer, and rewards policyholders with good security hygiene under its new Active Cyber Policy.
Coalition Security – the insurer’s security affiliate – focuses on vulnerabilities that are similar to those that have been exploited by ransomware gangs, and sends out alerts “for the most urgent, high-impact threats with significant financial risk,” the company says.
In 2024, Coalition said it issued an average of 5.5 such alerts per month, representing just 0.15% of published vulnerabilities, and 90% of its policyholders didn’t receive a single alert last year.
“In other words, if you receive a Coalition security alert, pay attention because it’s important,” the company says.
