The 4 questions every CFO should ask before purchasing cyber insurance
Choosing cyber insurance is not just a matter of comparing prices or generic coverage options. The right questions are what separate a policy that “sounds good” from one that actually pays out when it matters. These are the four questions every CFO should ask before signing.
1. Does it cover dependent or contingent business interruption?
In other words: if your critical vendor goes down and you stop operating, are you covered?
This is probably the most important question and the one fewest CFOs ask. In a world where operations depend on external services (payment processors, cloud ERPs, e-commerce platforms), an interruption at a third party can completely paralyze your business.
Ask specifically:
- What sub-limit does this coverage have?
- What waiting period applies?
- How do they define “interruption”?
2. How does the policy define “computer system” and what does it include?
It seems like a technicality, but it is the core of the problem. Traditional policies were designed when computer systems sat in the company’s basement. Today, infrastructure is distributed across dozens of providers.
Ask yourself whether the definition clearly includes:
- Cloud (AWS, Azure, Google Cloud)
- SaaS (Salesforce, HubSpot, Slack)
- Outsourced services
- External platforms
If the definition is limited to “systems owned by the company” or “systems operated by the company,” you have a problem, because most modern critical infrastructure is owned and operated by the vendor, not by you.
3. Does it have outsourcing or third-party system exclusions?
This is the most dangerous fine print. Many policies include exclusions that void coverage in precisely the most likely scenarios. Look for clauses such as:
- Outsourced service provider exclusion
- Third-party systems exclusion
- Cloud provider exclusions
- External infrastructure failure exclusion
These exclusions may seem reasonable in the abstract, but in practice they mean that if your payment provider, cloud ERP, or communications platform suffers a breach, your policy does not respond.
4. Do you have an inventory of critical vendors and contractual controls?
This is where Axyom sees the biggest gap in mid-sized companies. When we ask, the answers tend to be:
- “Yes, we use Stripe”
- “Yes, we use HubSpot”
- “Yes, we use Microsoft”
- “Yes, we have an MSP”
- “Yes, we use an ERP”
But nobody has:
- An inventory of critical vendors with priority levels (tiering)
- Minimum security SLAs
- Incident notification clauses
- MFA and logging requirements
- Audit rights
- Encryption and data retention requirements
Without this inventory, the insurer cannot properly assess risk, and the company cannot demonstrate due diligence in the event of an incident.
So what should a company really do to protect itself?
The answer goes beyond purchasing cyber insurance. The answer is building a comprehensive strategy.
1. Design coverage based on your actual risk
A policy without a third-party focus is like insuring your apartment but not the building you live in. You need coverage that reflects how your business actually operates, including all the external dependencies that are critical to operations.
2. Have a minimum third-party risk management plan
At Axyom, we break it down like this:
- Identify critical vendors
- Map dependencies (payments, data, operations)
- Review minimum contractual clauses
- Evaluate controls (MFA, backups, logs)
- Prepare incident response plans involving third parties
3. Complement it with a vCISO (Virtual CISO) service
Insurance pays out after an incident, but a vCISO:
- Reduces the probability of an incident
- Reduces the impact when one occurs
- Reduces recovery time
- Improves your position with the insurer
Conclusion: the question is no longer “whether you get attacked,” but “where the attack comes in from”
In 2026, many of the most expensive incidents do not start on your network. They start in your ecosystem.
The mistake is not trusting vendors. The mistake is failing to design your cybersecurity and cyber insurance strategy with the following in mind:
- Third parties
- SaaS
- Cloud
- Critical dependencies
- Digital supply chain
At Axyom, we believe that anticipation is the best form of protection.