DORA vs Cyber Insurance
The Panel Is Not Your Plan
A conversation last week stayed with me. An industry colleague, advising a credit union client, asked a question that sounded reasonable on the surface: “my client has cyber insurance, and the insurer maintains a panel of incident response experts — doesn’t that cover their DORA requirement for an incident response capability?”
"any actual or alleged use, deployment, or development of Artificial Intelligence."

It is a fair question. It is also, respectfully, the wrong one — and the gap between the question and the regulation is exactly where a board can find itself exposed. Worse, the insurance market has spent the last twelve months making that gap considerably more dangerous than it was when most boards last looked at it. So let me set out, plainly, why an insurer’s panel is not a DORA incident response capability, what has just changed in the cover sitting behind that panel, and why both belong on your board agenda before an incident, not during one.
Two different problems, wearing the same coat
Insurance and operational resilience are often discussed in the same breath, which is precisely how they get confused. They solve two entirely different problems.
Insurance is financial
risk transfer. When something goes wrong, a policy may reimburse some of
the cost — forensic fees, legal costs, business interruption, regulatory
defence. It pays out, conditionally, after the event.
DORA is about operational
resilience capability. It asks a different question entirely: can your firm
detect, respond to, contain, and recover from an ICT-related incident in a way
you have designed, tested, and can demonstrate? Not whether someone will
eventually pay the bill, but whether you can keep functioning when the systems
your members depend on are under pressure.
A cheque arriving three months later does not keep a credit union’s payment services running on the morning of an outage. Those are different things, and DORA cares about the second one.
What DORA actually requires
Under Article
11, a financial entity must put in place, maintain, and periodically test its
own ICT business continuity and response and recovery plans — plans that ensure
the continuity of critical or important functions and that respond to and
resolve incidents quickly, appropriately, and effectively. The entity must
designate a crisis management function, conduct business impact analysis, and
test these arrangements at least annually.
Read that carefully. The obligation is on the entity to own a tested, governed capability — not to hold a contact number for strangers who can be dispatched after a loss is notified and a coverage position confirmed.
DORA is
explicit on the point that matters most here: outsourcing the task does not
outsource the responsibility. Where critical or important functions are
contracted to third parties, the entity must still maintain and periodically
test continuity arrangements covering those functions — and accountability for
verification remains with the financial entity. You can delegate the work. You
cannot delegate the liability.

Why an insurer’s panel is not that capability
Set the panel
against what DORA requires, and the gaps are not subtle:
• The panel does not know your systems. DORA assumes a response built on prior knowledge of your architecture, dependencies, recovery time objectives, and business impact analysis. A panel firm meeting your environment for the first time during a live incident is starting from zero — at the worst possible moment.
• The panel is not under your governance. It answers to the insurer, and its engagement is gated by coverage. It is not your designated crisis management function, it does not sit inside your continuity plans, and it is not yours to direct.
• The panel is not tested. DORA requires you to test your arrangements at least annually. An untested external resource you have never exercised against your own scenarios is, by definition, an unproven one.
• The panel activates conditionally and after the fact. Your coverage may be confirmed in days. DORA’s reporting clock for a major incident runs in hours. A response capability that switches on only once an insurer accepts a notification is not a response capability at all in DORA’s terms.
None of this means the panel is worthless. It can be a genuinely useful surge resource sitting alongside a real in-house capability. But it is the cavalry you call after the battle has begun — not the standing defence DORA requires you to have built, governed, and tested in advance.
And now the cover behind the panel is changing — fast
Here is the part that turns a governance point into an urgent one. Even if you were content to lean on the policy, the policy itself is being rewritten underneath you. Three things are happening at once, and all of them landed within the last year.
First, “silent” AI cover is being withdrawn. For years, AI-related losses were quietly absorbed under cyber, D&O and E&O policies simply because nothing excluded them. That era is ending. Major carriers — Chubb, Travelers and Berkshire Hathaway among them — have secured state-regulator approval to strip AI-related damages out of general liability, D&O and E&O lines, and industry reporting indicates regulators have waved through the large majority of those filings, some taking effect mid-policy-cycle. The exposure you believe is covered today may not be covered at your next renewal — or, in some cases, before it.
Second, the new exclusions are extraordinarily broad. In January 2026 the Insurance Services Office — whose standard forms underpin the overwhelming majority of property and casualty policies — introduced new generative-AI exclusion endorsements for commercial general liability, and carriers adopted them within weeks. At least one major carrier’s D&O, E&O and fiduciary exclusion reaches “any actual or alleged use, deployment, or development of Artificial Intelligence.” Read that wording against an organisation that uses AI anywhere — a chatbot, a fraud model, a screening tool, a drafting assistant — and the practical scope is enormous.
Third, affirmative AI cover is emerging as a separate, priced product — and it prices your governance. New standalone AI policies are being written, with Lloyd’s-backed limits now reaching $25 million and reinsurers such as Munich Re entering the market through HSB. Critically, these products do not sit inside your existing cover and they are not granted on trust. They require a documented, evidenced AI risk assessment as a precondition. The same governance evidence DORA expects you to hold is becoming the thing your insurer underwrites against.
The common thread is unmistakable: across both regulation and insurance, the question has shifted from “do you have a clause” to “can you prove the thing the clause describes.”
And the personal dimension is sharpening too. Enforcement attention is increasingly moving past the algorithm to the people who described it — executives named individually over AI claims they could not substantiate, the kind of “AI-washing” statements that appear in a filing, a sales deck or an application. For a board, that is the moment the abstract becomes personal.
The two risks compound — and that is the real danger
Put the regulatory point and the market point together, and you see why this matters now rather than at some comfortable future renewal. Lean on the insurer’s panel to satisfy DORA, and you risk ending up with neither leg of your protection standing:
• a resilience capability the regulator does not accept, because a conditional, untested, externally-governed panel is not the tested in-house capability Article 11 requires; sitting behind
• a policy that may no longer pay, because the AI-related exposure you assumed was covered has been excluded by an endorsement most teams never read.
That is not a theoretical worst case. It is the direct, foreseeable consequence of treating an insurance policy as a substitute for an operational capability — at exactly the moment the policy is being narrowed and the regulator is demanding proof.
The question to put to your board
So I would reframe my colleague’s question into the one a credit union board should actually be asking itself:
If a major ICT incident hit us this week, could we prove — with tested plans, a designated crisis function, and evidence on file — that we responded to it ourselves? And if we then turned to our policy, are we certain an AI exclusion has not quietly removed the very cover we are relying on?
If the honest answer to either part is no, you do not yet have what DORA requires, and you may not have the financial backstop you think you have either. Both have their place. But only one of them is the capability the regulation demands — and in a market that is now actively pricing, narrowing and, in places, withdrawing AI cover, the only durable protection is the same on both sides of the line: a governed, tested, evidenced resilience capability you can actually prove.
Paul C Dwyer is CEO of Cyber Risk International and President of the ICTTF International Cyber Threat Task Force. Cyber Risk International’s CyberPrism platform supports financial entities in building, governing, and evidencing the resilience capabilities required under DORA — the same evidence increasingly demanded at insurance renewal.
HEAD OFFICE
-
ICTTF Ltd
ICTTF House
First Floor Unit 15
N17 Business Park
Tuam, Co Galway
H54 H1K2 -
info@icttf.org
support@icttf.org -
+353 (0)1 905 3263

