A vulnerability is a weakness in systems, applications, processes, or configurations that could be exploited to compromise security. For cyber insurance purposes, known vulnerabilities must be patched within reasonable timeframes based on their severity, or insurers may deny coverage for resulting incidents, citing failure to maintain adequate security. Zero-day vulnerabilities (unknown to vendors without available patches) generally don't affect coverage as they're beyond reasonable control. Proper vulnerability management—including regular scanning, prioritised patching, and compensating controls—demonstrates the reasonable security measures insurers require. Critically, failure to address known vulnerabilities may void coverage even for unrelated incidents, as it suggests broader security negligence.

A vulnerability is a weakness in systems, applications, processes, or configurations that could be exploited to compromise security. For cyber insurance purposes, known vulnerabilities must be patched within reasonable timeframes based on their severity, or insurers may deny coverage for resulting incidents, citing failure to maintain adequate security. Zero-day vulnerabilities (unknown to vendors without available patches) generally don't affect coverage as they're beyond reasonable control. Proper vulnerability management—including regular scanning, prioritised patching, and compensating controls—demonstrates the reasonable security measures insurers require. Critically, failure to address known vulnerabilities may void coverage even for unrelated incidents, as it suggests broader security negligence.