IUA report flags cyber coverage gap in W&I insurance

New research warns that cyber cover often lapses after deal close, leaving W&I as the sole recourse for breaches

IUA report flags cyber coverage gap in W&I insurance

Cyber

By Mark Rosanes

Warranty and indemnity insurers may be over-reliant on cyber insurance, a new report from the International Underwriting Association (IUA) warns. The report also flags potential coverage gaps in deal-related cyber exposures.

The report, "Cyber Risks and Warranty and Indemnity Insurance Underwriting: Do you understand your cyber exposure?", published by the IUA's Transactional Liability Committee outlines policy wording principles and practice recommendations for assessing and managing cyber risk.

Cyber cover often lapses after deal closes

Warranty and indemnity (W&I) insurance covers breaches in representations and warranties made during the sale of a business. Cyber insurance is intended to serve a complementary purpose.

Cyber findings increasingly shape deal negotiations and valuations directly. Verizon cut its acquisition price for Yahoo by US$350 million after data breaches emerged during the deal process. Marriott later faced regulatory penalties after acquiring Starwood Hotels, where attackers had already compromised customer records before completion.

Many cyber policies automatically terminate cover when a transaction closes, with claims-reporting windows of just weeks or months. Cyber incidents often remain undetected for longer than that.

As a result, a W&I policy may become the primary or sole recourse for cyber-related warranty breaches, the report found.

Claims data shows a widening gap

Claims data supports the report's concern. Aon's 2026 Global M&A and Transaction Solutions Claims Study recorded W&I notifications in EMEA climbing from 70 in 2024 to 119 in 2025. Financial statement breaches were the largest driver of losses.

Faye Hepburn, underwriting and claims executive at the IUA, said cyber risk has become "a material underwriting consideration in warranty and indemnity insurance." She said the report's central finding is that "the mere existence of a cyber insurance policy tells underwriters little about whether that coverage will respond after the closing of a transaction."

Hepburn said the coverage gap can be compounded by market practice, as risk analysis rarely extends to penetration testing or technical validation. She added that underwriters need to move beyond passive reliance on standard cyber policies toward active interrogation of the cover in place.

A separate analysis suggests deal size is not a reliable proxy for this kind of risk. Tokio Marine HCC found that 80% of its most severe transactional risk losses arose from deals with an enterprise value below US$250 million.

Report calls for closer scrutiny of cover

Angus Marshall, global head of transaction liability at CFC and chair of the IUA's Transactional Liability Committee, said cyber risk is "not a peripheral issue" in transactions but is "central to value, diligence and deal execution."

Marshall said cyber exposures need to be properly understood, articulated and addressed as W&I insurance continues to play a role in facilitating transactions.

The committee sits within a wider set of new IUA groups focused on emerging risks. The association also published a joint cyber business interruption report with Baker Tilly last year, part of the same push into cross-class exposures.

Related Stories

Keep up with the latest news and events

Join our mailing list, it’s free!