By Ryan Windt | Head of Growth Marketing | Updated May 2026
A prior breach does not disqualify you from getting cyber insurance. But it does change the conversation with underwriters materially, and businesses that go into the application process without understanding how prior incidents are evaluated often end up surprised by what they receive, or do not receive.
This post explains how underwriters think about prior breaches, what they ask, what outcomes are realistic depending on your situation, and what you can do to put your application in the strongest possible position.
How Underwriters View a Prior Breach
Underwriters are not looking for businesses with perfect histories. They know breaches happen, and a prior incident does not automatically close the door on coverage. What underwriters are actually trying to determine when they see a prior breach in your application is this: is this business more likely to have another claim because of what happened, or less likely because of how they responded?
Those two outcomes are not equally likely. A business that experienced a breach, conducted a thorough forensic investigation, identified the root cause, remediated the underlying vulnerability, upgraded its controls, and documented everything is a meaningfully different risk than a business that experienced a breach, paid a ransom, restored from backup, and made no material changes to its environment.
Underwriters have seen both. They price accordingly.
The prior breach itself is rarely the deciding factor. The response to it almost always is.
What Underwriters Ask About Prior Incidents
When you disclose a prior breach on a cyber insurance application, expect detailed follow-up questions. The specific questions vary by carrier but typically cover:
What happened. The nature of the incident: ransomware, data breach, business email compromise, social engineering fraud, or another type of event. Underwriters want to understand the attack vector, how the attacker gained access, and what systems or data were affected.
When it happened. Recency matters. An incident from five years ago that was fully remediated carries less weight than one from eighteen months ago that is still being litigated. Most underwriters look most closely at incidents within the last three to five years.
What the financial impact was. Whether a formal claim was filed, what was paid, and what the total loss was including costs not covered by insurance. This information typically surfaces through industry databases that carriers use during underwriting regardless of what you disclose, so accuracy matters.
What remediation steps were taken. This is the most important part of the conversation. Underwriters want a specific, documented answer: what vulnerabilities were identified, what controls were added or improved, and what evidence exists that the remediation actually happened. Vague answers like “we improved our security” are treated skeptically. Specific answers backed by documentation are treated as meaningful positives.
Whether litigation or regulatory action is ongoing. Open claims, pending lawsuits, and active regulatory investigations are material factors. Coverage for incidents that predate your policy is excluded, but an open proceeding can affect the terms you receive on a new policy.
What Outcomes Are Realistic
The range of outcomes after a prior breach is wider than most businesses expect. It is not simply a binary of covered or declined.
Standard coverage with no restrictions. This is achievable for businesses with a prior incident that is sufficiently old, fully remediated, and well-documented. Underwriters who see a prior breach followed by a genuine security transformation (a business that is measurably more secure today than it was at the time of the incident) can still write standard terms.
Coverage with an exclusion for the prior incident type. If you experienced a ransomware attack, a carrier might offer coverage but exclude ransomware specifically for one policy period, effectively treating your remediated ransomware posture as unproven until you demonstrate a clean year. This is a common outcome for recent incidents and is often removable at renewal.
Coverage with elevated deductibles or sublimits. Carriers may offer standard limits but with a higher deductible than a business without a prior claim would receive, or with sublimits on specific coverage lines related to the prior incident type.
Coverage with a waiting period. Some carriers impose a short waiting period before business interruption coverage activates, particularly if the prior incident involved operational downtime.
Declined by certain carriers, covered by others. The cyber insurance market is not monolithic. A carrier that declines your application based on a prior incident may simply not have appetite for your risk profile. A different carrier with broader appetite or specific experience in your industry may write the same risk on acceptable terms. Working with a broker who has access to multiple carriers is important precisely for this reason.
Declined broadly. If the prior incident was recent, is still unresolved, involved a fundamental control failure that has not been addressed, or is accompanied by other significant risk factors, some businesses will find coverage unavailable or available only at terms that are not economically viable. This outcome is less common than buyers fear but does happen, particularly for businesses that have experienced multiple incidents or have not made material security improvements.
The Retroactive Date Problem
One of the most consequential coverage issues for businesses that have experienced a prior breach is the retroactive date.
Cyber insurance is typically written on a claims-made basis, meaning coverage applies to claims made during the policy period for incidents that occurred after the retroactive date. The retroactive date is usually the date your first cyber policy went into effect. Incidents that occurred before that date are excluded regardless of when the claim is filed.
For a business buying cyber insurance for the first time after a breach, or for a business that had a coverage lapse, the retroactive date means that any claims arising from the prior incident are not covered. A class action lawsuit filed this year for a breach that occurred before your retroactive date is outside your coverage even if you have an active policy.
This is one of the most important reasons to buy cyber insurance before an incident occurs rather than after. And it is one of the most important things to discuss with your broker when comparing policy terms: what is the retroactive date, does it match your prior coverage history, and are there any gaps that could leave prior-period incidents unaddressed?
For a full explanation of how the retroactive date works, see our post on the retroactive date in cyber insurance.
What Carriers Discover on Their Own
Do not assume that what you do not disclose will not surface. Carriers use several tools during underwriting that can identify prior incidents independently of what you report on the application.
Industry loss databases. Carriers share claims data through industry databases. If you filed a claim with a prior insurer, that information is typically accessible to new carriers during underwriting.
External attack surface scans. Many carriers run automated scans of your external-facing systems before quoting. These scans can identify vulnerabilities, exposed services, and in some cases indicators of prior compromise that are still visible.
News and public records searches. Data breach notification databases, state attorney general filings, court records, and news coverage of incidents are all searchable. Publicly reported breaches are routinely identified during underwriting.
Dark web monitoring. Some carriers check whether your business’s credentials or data are circulating on dark web markets as part of the underwriting process.
An incident that surfaces through one of these channels after not being disclosed on the application creates a far more serious problem than the incident itself would have. Undisclosed prior incidents discovered during or after underwriting can result in policy rescission, claim denial, or coverage disputes that are far more damaging than the premium impact of honest disclosure.
How to Put Your Application in the Strongest Position
The businesses that achieve the best outcomes after a prior breach are the ones that come to the application prepared, accurate, and able to demonstrate a genuine security improvement.
Conduct a thorough post-incident review and document it. If you have not already produced a formal root cause analysis and remediation plan following your breach, do so before applying for coverage. Underwriters want to see that you understand what happened and have addressed it specifically, not generally.
Address the root cause, not just the symptoms. If your breach resulted from an unpatched vulnerability, deploy a patch management program. If it resulted from a phishing email, implement email security controls and phishing simulation training. If it resulted from weak credential management, deploy MFA and review your access control policies. Generic security improvements that do not address the specific vector of your prior incident are not as credible to underwriters as targeted remediation.
Document your current controls accurately and specifically. When you apply, be prepared to provide evidence of the controls you have in place, not just attestations. MFA enforcement reports, EDR deployment coverage, backup test results, and incident response plan documentation all support your application. For a complete list of what underwriters want to see documented, see our cyber insurance requirements checklist.
Disclose fully and frame the narrative. Disclose the prior incident completely and accurately. Then provide the context: what happened, when, what was affected, how you responded, and what your security posture looks like today compared to the time of the incident. Underwriters who can see the full picture and evaluate the trajectory of your security program are in a much better position to write favorable terms than those who have to work from incomplete information.
Work with a broker who has access to multiple carriers. Not every carrier has the same appetite for prior-breach risks. Some specialize in businesses that have experienced incidents and have rebuilt their security posture. Others do not write prior-breach risks at all. A broker who can identify the right markets for your specific situation and present your application compellingly will produce better outcomes than going direct to a single carrier.
Time your application strategically. If your incident was recent and your remediation is still in progress, it may be worth waiting until remediation is complete and documented before applying. A complete remediation story is considerably more compelling than an in-progress one. The exception is if you have no current coverage and cannot afford to be uninsured during the remediation period, in which case accepting a more restricted policy now and working toward better terms at renewal is the right approach.
What Coverage Will and Will Not Address
Even with a new cyber policy in place, there are important boundaries to understand about what the coverage will and will not do for a business with a prior incident.
What the new policy covers. New incidents occurring after the retroactive date of the new policy are covered subject to the terms, conditions, and exclusions in the policy. If your prior breach has been fully resolved and no claims or regulatory proceedings are pending, a new policy provides coverage for future incidents on the same basis as any other insured.
What the new policy does not cover. Claims arising from the prior incident, including lawsuits filed after the new policy takes effect but based on the prior breach, are excluded. Regulatory proceedings that were initiated before the new policy began are excluded. Any costs that flow from the prior incident, regardless of when they arise, are outside the coverage of a new policy.
Incident type exclusions. If your new policy includes an exclusion for the specific type of incident you experienced, claims arising from that incident type are excluded for the period that exclusion is in force. This is a negotiation point at renewal, not a permanent condition.
Frequently Asked Questions
Can I get cyber insurance immediately after a breach?
Yes, in most cases coverage is available after a breach, though the terms will reflect your recent incident. You may receive coverage with exclusions related to the prior incident type, elevated deductibles, or sublimits on specific coverage lines. The key is to be fully transparent about the incident and to demonstrate what remediation steps have been taken.
Will my premiums be significantly higher because of a prior breach?
Usually yes, at least in the near term. A prior claim is a rating factor that increases premium. The magnitude of the increase depends on the severity of the incident, the recency, the type of incident, and the remediation steps taken. Businesses that demonstrate strong post-incident security improvements can often return to competitive pricing within one to two renewal cycles.
Do I have to disclose a breach that did not result in a formal insurance claim?
Yes. Cyber insurance applications ask about prior incidents, not just prior claims. A breach that you handled without filing an insurance claim is still a prior incident that must be disclosed. Failure to disclose a known prior incident is misrepresentation and can result in policy rescission at claim time. For more on how application accuracy affects coverage, see our post on cyber insurance application errors that lead to claim denial.
What if my breach was caused by a vendor, not a failure in my own systems?
Vendor-caused incidents are still prior incidents for underwriting purposes. The underwriter will want to understand the nature of the vendor failure, what data or systems were affected, what your notification and response obligations were, and what vendor risk management practices you have in place today. Demonstrating that you have strengthened your vendor oversight program following a vendor-side incident is a relevant and useful part of your application narrative.
How long does a prior breach affect my insurability?
There is no fixed timeline, but most underwriters give significantly less weight to incidents that are more than three to five years old and that were followed by documented remediation. A breach from four years ago with a clean claims history and demonstrably improved controls since is a much smaller underwriting factor than a breach from eighteen months ago with minimal remediation. Consistent clean performance over time is the most reliable path back to standard terms.
Prior breach history is one of the most misunderstood underwriting factors, and businesses that handled a past incident well often have more options than they expect. If you want to understand where you stand and what the market will offer, contact SeedPod Cyber.
Related Resources