Cyber insurance has matured. Coverage is broader, underwriting discipline has strengthened and capacity has returned following the hard market. Yet according to Akhil Chopra (pictured), area senior vice president at Gallagher US, many programs are still built around breach headlines rather than how losses actually unfold.
“Align triggers to real world loss scenarios, not just policy definitions,” he said.
For Chopra, that distinction defines whether a policy performs when it matters.
One of the most persistent blind spots is business interruption without permanent data destruction. Ransomware events and cloud outages can halt operations even when information is recoverable. In those scenarios, the trigger language and waiting periods in a cyber policy often determine whether coverage responds.
Waiting periods, he argues, should reflect operational reality - how long systems are likely to be offline and how revenue is actually generated.
As reliance on SaaS platforms and managed service providers deepens, contingent business interruption becomes equally critical. Vendor outages can ripple through entire organizations, yet dependent exposure is often treated as secondary in program design.
“Let’s talk about the supply chain,” Chopra said. “We overlook vendors, and where do the majority of these incidents start? With vendors.”
That requires brokers to model loss pathways more explicitly. Clients need to understand not just breach scenarios, but cascading operational disruption.
“You need to walk clients through the full range of potential doomsday scenarios,” he said. “That includes business interruption, dependent business interruption, privacy claims, ransomware events, and cyber extortion, so they clearly understand how each exposure could impact their organization.”
Another recurring weakness lies in the divide between cyber and crime coverage. Social engineering and funds transfer fraud claims frequently expose disconnects between forms, sublimits and exclusions. Without deliberate coordination, insureds can discover gaps only after a loss occurs.
Blending cyber and crime policies, Chopra notes, is often necessary to close those gaps.
Regulatory exposure is similarly misunderstood. While clients tend to focus on potential fines, defense and remediation costs can exceed penalties. Clear documentation of internal controls can materially reduce claims friction when regulators become involved.
Technology failures add another layer of complexity. Coding errors, flawed updates and system misconfigurations can generate significant disruption even without a malicious actor. Reputational harm and customer attrition may follow, compounding financial impact. Layered programs must be structured carefully to manage sublimits and exclusions that can limit recovery.
Underwriting itself is evolving. Artificial intelligence is increasingly being embedded into submission workflows, but Chopra is careful to ground expectations in fundamentals.
“AI performance is fundamentally constrained by the quality, structure, and completeness of the underlying data,” he said said. “At its core, the technology is only as effective as the inputs it’s trained and evaluated on.”
He expects AI to materially streamline the submission workflow by automating data ingestion, normalization and preliminary risk assessment, reducing the back-and-forth that typically occurs between brokers and carriers.
“Carriers are increasingly deploying AI as an initial underwriting layer, using models as a first pass to validate, enrich, and triage submissions before engaging the broker for refinement,” he said.
The result is not relaxed underwriting, but heightened precision. Cleaner data, clearer narratives and better-structured programs will move more efficiently through underwriting review. Poorly articulated submissions will face greater friction.
Clear communication, Chopra argues, is therefore as important as technical structuring. Brokers must translate policy mechanics into business impact rather than defaulting to terminology.
“We have to stop speaking all this insurance lingo,” he said.
Cyber insurance is widely available in the US market. But as vendor dependency deepens, business interruption scenarios grow more complex and underwriting tools become more sophisticated, the differentiator will not be capacity alone. It will be whether coverage is structured around how losses actually occur, and whether brokers can articulate that structure clearly before a claim tests it.
