Most boards believe a cyber policy is there to catch them when systems fail.
But insurers are drawing a new line, and it’s not where you think.
When a digital breach escalates into real-world harm (operations shut down, executives targeted, patients hurt), insurance carriers are asking one question:
“Can you prove your board prepared for this?”
If there's no documentation of hybrid risk planning, escalation protocols, or board-level oversight, carriers are walking away. Coverage denied. Losses uncovered. Directors exposed.
And it's already happening.
What this looks like in real life:
MGM’s ransomware attack in 2023 wasn’t just a cybersecurity incident.
Casinos went dark. Guests were locked out of rooms. Slot machines froze. Roughly $100 million in losses, driven not by the cost of cleaning up code but by paralyzed physical operations.
The cause? A social-engineering call to the IT help desk gave the Scattered Spider crew a foothold, and ALPHV/BlackCat ransomware followed.
MGM had cyber insurance and expected it to absorb much of the loss. Many other victims have not been paid.
I was brought into a similar breach where an executive team was doxxed. What followed: stalking, home intrusions, physical threats. And a $15M uncovered loss, all because there were no documented protocols for a cyber-to-physical escalation.
The insurers didn’t care about intentions. They cared about evidence.
This is the pattern I keep seeing:
A cyber incident hits.
It escalates: employees are threatened, operations halt, people are harmed.
The insurer asks for documentation: board minutes, protocols, test logs.
The company can’t produce it.
Coverage is denied under exclusions for “failure to maintain safeguards” or “inadequate preparation.”
Four categories where hybrid risk is becoming uninsurable without proof:
1. Operational shutdowns due to ransomware. In November 2023, DP World Australia was breached and suspended operations at ports handling about 40% of the country’s container freight. Supply chains broke. Physical chaos followed. Carriers now demand hybrid escalation plans before they approve claims.
2. Executive threats after a breach. Groups like LockBit (and Conti before it) don’t just encrypt servers; they threaten people. According to Semperis, 40% of 2025 ransomware cases involved physical threats to leadership or their families. No logged protection protocols? No coverage.
3. Critical infrastructure and smart systems. Johnson Controls, whose products run building automation, fire and HVAC systems worldwide, was hit by ransomware in 2023 that disrupted its IT and customer-facing systems, a reminder that physical environments are reachable through digital pathways. When a claim follows an incident like this, insurers look for records of OT-IT integration testing and board-level oversight; without them, denial is on the table.
4. Patient harm through disrupted systems. The Change Healthcare breach in 2024 knocked out claims processing and prescription services across the U.S., delaying treatment and putting patients at risk. Insurers are already flagging these incidents as “non-compliant” if drills and safeguards weren’t tested and documented.
Here’s what insurance carriers are asking in 2025:
“Where is the board-approved hybrid response plan?”
“When was it last tested?”
“Do you have threat monitoring logs tied to executive exposure post-breach?”
“Can you produce records of OT systems being tested alongside IT controls?”
“Were these risks reviewed in board minutes?”
If you don’t have documentation, your policy likely has an exclusion that applies.
Where we are now in the underwriting cycle:
Q1 2025: Carriers updated underwriting questionnaires to include hybrid threats
Q2–Q3 2025: Premiums increased 30–40% for companies without evidence of preparedness
Q4 2025: First wave of non-renewals for companies that didn’t meet new hybrid documentation thresholds
2026: This becomes standard, a baseline expectation for coverage
What “prepared” looks like to an underwriter:
Quarterly board reviews that include cyber-physical convergence
Documented escalation protocols for executive threats, facility shutdowns, OT disruptions
Hybrid incident response plans tested within the past 12 months
Logs showing executive protection decisions tied to threat intel
Third-party assessments of hybrid risk, presented to the board
Version-controlled security and recovery playbooks
This isn’t just about security.
This is about fiduciary duty.
Directors who fail to review and mitigate these risks can face personal liability claims for a failure of oversight, and if the cyber claim is denied on those same grounds, their D&O coverage may be contested as well.
The cost of being proactive vs. reactive:
Proactive readiness
Annual hybrid threat assessment: $50–100K
Documentation systems + internal governance: $100–200K
Playbook development and testing: $50–100K
Total: $250–400K for a defensible, insurable posture
Reactive scramble post-incident
Emergency executive protection: $2–5K/day/person
Legal + forensics: $2–10M+
Operational loss: $5–50M+
Denied claim: full exposure
D&O coverage challenge: possible personal liability for directors
You don’t want to be in that meeting.
What boards, CFOs, and GCs should be asking now:
“Can we prove we’ve tested for a ransomware event that affects physical operations?”
“Have we documented protocols for when executives are doxxed or threatened?”
“Do our board minutes reflect oversight of this convergence?”
“If our insurer asked us to show hybrid readiness today, what could we produce?”
If those answers don’t come quickly and confidently, you already have a gap.
Not just a risk gap. An insurance gap.
What proactive organizations are doing now:
Running hybrid gap analyses
Educating the board on fiduciary exposure
Logging all cyber-physical playbooks and decisions
Testing the processes that cross between IT, OT, and executive protection (including executives’ families)
Presenting annual findings to carriers during renewal
Negotiating better terms backed by documentation
It’s no longer about “do we have protection?” It’s about: “Can we prove we’re prepared?”
Because when the breach comes, and it will:
Intentions don’t matter.
Documentation does.
Let me know if you need help building a hybrid risk framework that insurers trust and your board can stand behind.