Insurance

The relevance of security patches for maintaining cyber insurance coverage

Nora Emig
published on
13.05.2026
-
min. estimated reading time
Share on
Table of Contents

The professionalization of cybercrime requires companies to continuously secure their IT infrastructure. Vulnerability and security patch management are central factors in this effort. For insurance brokers, a sound understanding of these technical processes and their contractual implications is essential to provide risk-appropriate advice to clients, minimize liability risks when placing cyber policies, and ensure coverage in the event of a claim.

The difference between security patches and functional updates

Security patches are specific, time-critical software code corrections designed to close identified security gaps. These vulnerabilities are recorded in the standardized Common Vulnerabilities and Exposures (CVE) system and rated according to their criticality. A security patch thus addresses a concrete vulnerability that may already be exploited by attackers. The urgency can be determined using the Common Vulnerability Scoring System (CVSS). If a vulnerability has a rating higher than 7, the patch must be installed promptly to minimize the risk of a breach.

In contrast, standard functional updates serve to maintain the system. They contain functional enhancements, performance optimizations, or user interface adjustments. Unlike security patches, these updates are not time-critical. They can be installed during scheduled, cyclical maintenance windows without jeopardizing the company's immediate IT security.

The risk of inaccurate information in insurance contracts

When taking out a cyber insurance policy, insurers require the completion of a risk questionnaire. The information provided serves as the basis for calculating the risk and the premium. In the event of a claim, insurers review these pre-contractual disclosures. If the actual circumstances deviate from the answers in the questionnaire and this discrepancy was the cause of the cyber incident, the policyholder may face a loss of insurance coverage.

Verification instead of estimation

A common mistake in the application process is answering risk questions based on estimates. If a responsible person, such as a member of management or a department head, confirms that security patches are being implemented without having verified the actual status, this knowledge is attributed to the company. Knowingly providing false answers on an application can be legally classified as fraudulent misrepresentation.

Legal consequences in the event of a claim

Incomplete information in the risk questionnaire leads to legal consequences in the event of a claim. Depending on the degree of fault, the range extends from retroactive contestation or withdrawal from the insurance contract to termination or contract adjustment. In the worst-case scenario, insurance coverage is voided entirely, leaving the company to bear the loss itself. The risk questionnaire should therefore be completed exclusively on the basis of verified information from the relevant departments.

Legal requirements and management liability

With the national implementation of the European NIS-2 Directive in the BSI Act (BSIG), cybersecurity has become a legal obligation for corporate management. Section 30 of the BSIG establishes binding minimum technical requirements as the current "state of the art." In addition to comprehensive multi-factor authentication (MFA) and backups, this includes documented patch management.

According to Section 38 of the BSIG, the management of affected companies (those with 50 or more employees or 10 million euros in revenue in regulated sectors) can be held personally and unlimitedly liable with their private assets under certain conditions if these obligations are culpably violated.

Duty of disclosure for insurance brokers

The "Sachwalter" ruling by the Federal Court of Justice obliges insurance brokers to continuously monitor the insured risk of their existing clients and to provide information regarding relevant changes. The introduction of the new BSIG represents such a change in the risk profile. Beyond the classic risk questions in a cyber application, patch management has gained independent legal relevance due to NIS-2 regulations. If a broker fails to proactively inform their clients about these new legal requirements and the associated liability risks for management, they violate their primary contractual obligations and risk claims for damages.

Modern insurance providers: Continuous risk scans instead of static queries

Static, annual risk questionnaires can no longer adequately reflect a company's dynamic IT risk. Digital risks change continuously, which is why modern cyber insurers are establishing a combination of insurance coverage and proactive IT security.

Instead of relying solely on point-in-time information in a risk questionnaire, modern policies include automated risk scans of the external IT infrastructure. For example, providers assess risks using vulnerability scans. This approach optimizes risk management on several levels:

  • Early identification: Technical vulnerabilities and open entry points are detected automatically before attackers can exploit them.
  • Minimizing liability: Continuous external validation reduces the risk of overlooking outdated systems, which refutes allegations of misrepresentation in the event of a claim.
  • Efficiency in the application process: By using modern technology such as the Deep Scan from Baobab Risk Solutions, the application process is significantly reduced. For companies with a turnover of up to €100 million, just 4 questions in the application are often sufficient, as the scan replaces up to 40% of standard risk questions.

Conclusion and recommendations for brokerage practice

The issue of security patches is an essential legal and liability matter for companies and their insurance brokers. Four core strategies can be derived for daily advisory practice:

  1. Establish IT verification: Risk questionnaires should always be approved by the client's IT department or external IT service provider. Brokers should ensure that a qualified person validates and documents the technical information in the insurance application.
  2. Document knowledge gaps transparently: If the exact status of security patches for certain legacy systems is unclear at the time of application, the question must not be answered with a blanket "yes." The broker should guide the client to explicitly note this gap in the application and disclose it to the insurer (e.g., by adding: "Review in progress, legacy systems partially isolated"). This precludes any accusation of misrepresentation.
  3. Prioritize prevention-based cyber policies: To limit their own liability, brokers should prioritize cyber insurance policies that integrate proactive security services, such as regular risk scans, directly into the plan. These policies increase the client's resilience and document compliance with the broker's duty of care under NIS-2.
The blog post was written by