A new federal directive gives agencies three days to fix the most serious software vulnerabilities. The rule is likely to reshape how cyber insurers assess patching discipline across the wider market.
The US Cybersecurity and Infrastructure Security Agency (CISA) set the deadline on Wednesday, Reuters reported.
The directive obligates civilian federal agencies to fix, disable, or remove vulnerable software on a deadline set by the severity of the threat, as short as three calendar days for the most serious flaws. The compressed timeline is due in part to hackers' use of artificial intelligence, according to the report.
Federal directives do not bind private companies. But cyber underwriters often treat government benchmarks as a reference point. Patching speed already features heavily in cyber insurance applications, and a three-day standard gives carriers a sharper measure of an applicant’s controls.
“Defenders cannot afford to take weeks to patch systems that can be autonomously exploited en masse,” Chris Butera, CISA Acting Executive Assistant Director for Cybersecurity, told Reuters. He described the directive as “an initial step to counter the increased capabilities of those emerging AI models.”
These emerging models are already a concern in insurance circles. Cyber leaders have warned that Anthropic’s Mythos model can scan code and surface exploitable flaws far faster than older methods.
This undercuts the old assumption that most weaknesses would stay obscure. Existing remediation cycles were built for an era of slow discovery, which is the gap the directive aims to close.
The directive does not apply the three-day clock to everything. It leaves up to two weeks for many vulnerabilities and as long as two months for the least serious flaws. The rule weights internet-facing and automatable weaknesses far more heavily than contained ones.
Claims data shows why the weighting matters. One report found that in 2025 nearly three in four ransomware attacks began with a VPN as the point of entry. A single device type was tied to almost half of all ransomware claims, while average claim severity rose 16% to $508,000. One exposed, automatable flaw can drive losses across many insureds at once.
The takeaway for brokers is that baseline controls are no longer enough. Underwriters have moved beyond traditional security checks toward governance and disclosure. A policyholder that can show rapid remediation of critical flaws is a stronger and more insurable risk.