
Cyber Insurance Exclusions for Supply Chain Incidents

What 2026 cyber insurance policies actually exclude for software supply chain incidents, how carriers test your controls, and what to negotiate before renewal.

Shadab Khan
Security Engineer

What are carriers actually excluding for supply chain incidents in 2026?

The headline exclusion to watch is any language that carves out incidents "caused by or arising from" third-party software compromise where the insured did not maintain "reasonable controls" on dependencies, vendors, or build systems. The phrase "reasonable controls" is not idle; it is the door through which carriers decline claims, and its interpretation is now shaped by several years of post-SolarWinds, post-xz litigation and underwriting practice.

In 2026 you will also find named-event exclusions (specific carve-outs for particular upstream projects or vendors after widely publicized incidents) and "systemic event" clauses that exclude correlated losses affecting many insureds at once. Both deserve close reading before you sign.

How do carriers decide what counts as "reasonable controls"?

Carriers and their outside counsel increasingly anchor on published frameworks. In practice the shortlist that influences claims decisions is: NIST SSDF practices, SLSA levels, and the CISA Secure by Design commitments. You will rarely see these named explicitly in the policy, but the underwriting questionnaire will track them closely and the claims adjuster will compare your actual practices to them during a loss event.

The practical test they apply:

  • Did you have an inventory of third-party software in production at the time of the incident?
  • Could you demonstrate vulnerability management for that software, including patch cadence?
  • Did you have vendor due diligence in place for material suppliers?
  • Did you have build provenance or integrity controls proportionate to your size?

Gaps in any of these become leverage during claims adjudication. The gap does not automatically void coverage, but it does shift bargaining power sharply toward the carrier.

What should you look for in the policy language?

Read four sections carefully and get a coverage attorney to read them with you. Broker summaries are necessary but insufficient.

  • Definitions. "Computer system," "insured," "third-party service provider," and "security failure" are the terms most often rewritten between renewals. A narrow definition of "computer system" can exclude artifacts built in contractor environments. A broad definition of "security failure" can pull in more coverage; a narrow one can exclude supply chain specifically.
  • Exclusions. Look for "infrastructure exclusion," "widespread event," "war and hostile action," and any exclusion referencing "supply chain," "software supplier," or "upstream." Each has been the subject of litigation and each changes the risk profile.
  • Conditions. Notification windows, cooperation requirements, and preservation obligations often tighten year over year. A 72-hour notification window is becoming standard; shorter windows are appearing for high-severity events.
  • Sub-limits. Supply chain sub-limits have emerged in many policies. The headline limit may be $25M, but the supply chain sub-limit might be $5M. Know both numbers.

What evidence will the carrier ask for during a claim?

Based on recent loss reviews, carriers request the following during supply chain claim adjudication. Start building the evidence now; you will not produce it cleanly under incident pressure.

  • Contemporaneous SBOMs. Not SBOMs generated after the incident, which can be backdated or synthesized, but SBOMs produced during the normal course of business, with clear generation timestamps.
  • Patch records. Evidence of vulnerability management activity for the compromised dependency before the incident, including triage decisions and any risk acceptances.
  • Vendor due diligence records. For the vendor or upstream project involved, any security review, questionnaire, or attestation you received.
  • Incident response logs. Complete timeline from detection through containment, including who made which decision and when.

Organizations that can produce these artifacts quickly are treated differently from those that cannot. Claims adjusters are human; a prepared insured receives better treatment than an unprepared one.
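As an added illustration of the "contemporaneous SBOM" test above (example code written for this article, not part of the original post or of any vendor's product), the following Python extracts the generation timestamp from a CycloneDX or SPDX JSON SBOM, hashes the document so later alteration is detectable, and records whether the SBOM predates a given incident time. The two SBOM documents and the incident time are constructed samples.

```python
import hashlib
import json
from datetime import datetime

# Constructed sample SBOMs (not taken from the article): one CycloneDX and one
# SPDX document, each carrying the generation timestamp its format defines.
CYCLONEDX_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"timestamp": "2026-01-14T03:12:00Z"},
    "components": [{"name": "example-lib", "version": "2.4.1"}],
})
SPDX_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "creationInfo": {"created": "2026-02-20T09:00:00Z"},
    "packages": [{"name": "example-lib", "versionInfo": "2.4.1"}],
})


def _parse_iso(stamp: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2026-01-14T03:12:00Z."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def sbom_created_at(sbom_text: str) -> datetime:
    """Return the generation timestamp embedded in a CycloneDX or SPDX JSON SBOM."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") == "CycloneDX":
        return _parse_iso(doc["metadata"]["timestamp"])
    if "spdxVersion" in doc:
        return _parse_iso(doc["creationInfo"]["created"])
    raise ValueError("unrecognised SBOM format")


def evidence_record(sbom_text: str, incident_at: str) -> dict:
    """Build one claim-evidence entry: a content hash to show the file was not
    altered later, the embedded generation time, and whether that time predates
    the incident (the 'contemporaneous' test described in the article)."""
    created = sbom_created_at(sbom_text)
    return {
        "sha256": hashlib.sha256(sbom_text.encode("utf-8")).hexdigest(),
        "created": created.isoformat(),
        "contemporaneous": created < _parse_iso(incident_at),
    }


if __name__ == "__main__":
    # Constructed incident time: the CycloneDX SBOM predates it, the SPDX one does not.
    for label, sbom in (("cyclonedx", CYCLONEDX_SBOM), ("spdx", SPDX_SBOM)):
        print(label, evidence_record(sbom, "2026-02-01T00:00:00Z"))
```

Storing the hash alongside the SBOM at generation time, in a system whose own timestamps are trustworthy, is what makes the record hold up later; the script only shows the check, not the storage.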

What should you negotiate at renewal?

Renewal is the only practical leverage point for most buyers. The carrier's relative strength is highest at binding, lowest at renewal when you have alternatives. Prioritize the following negotiations.

  • Broader definition of "security failure" to ensure supply chain incidents are covered rather than carved into a separate limit.
  • Lift or expand the supply chain sub-limit. Present evidence of your controls; carriers will move on sub-limits for buyers who demonstrate maturity.
  • Pre-approved incident response panel that includes supply chain specialists. The default panel may not include firms with deep dependency forensics capability. Negotiate this before an incident.
  • Notification windows that reflect reality. If your detection stack cannot credibly identify a supply chain incident within 72 hours, say so and negotiate 96 or 120 hours with documented reasoning. An unrealistic window becomes a reason for denial.

Expect pushback on all of these. Carriers are tightening, not loosening, in 2026. But specific, evidence-backed negotiation positions land better than generic objections.

How should security evidence flow to the broker and carrier?

The pattern that works: a structured controls attestation package that is updated quarterly and shared at renewal. It should cover the framework alignment the carrier cares about, with evidence behind each claim.

Do not send everything. Send a 15-page executive summary with a defined detail pack available on request. This reflects well on program maturity and reduces the risk of inconsistent narratives between your security team and your procurement team.

Coordinate with your broker before sharing. Brokers have strong opinions about how to position controls in underwriter conversations, and their experience usually translates into better terms.

What are the common mistakes buyers make?

Three mistakes show up repeatedly.

  • Treating the cyber policy as generic coverage. Supply chain is increasingly a distinct risk class. A policy optimized for ransomware may be weak on supply chain. Match the policy to the risk profile.
  • Over-claiming control maturity on the application. This is perilous. Applications are signed and become part of the contract record. If an incident reveals that your actual controls did not match your application, coverage is at risk. Be conservative and honest.
  • Waiting until renewal to engage security. Underwriting questions should be answered by security with procurement's oversight, not by procurement with security cc'd. The sooner you loop in security, the fewer surprises at renewal.

What if you are uninsured or self-insuring?

Self-insurance is increasingly common for large organizations that find premium levels uneconomic. If you are in this position, the controls work above still matters, for two reasons. First, your executive team and board will ask for the same evidence a carrier would ask for. Second, some regulators are beginning to expect the same documentation even absent an insurance relationship.

The practical implication: treat your internal controls documentation as if a carrier were reviewing it, even if no carrier is. The discipline pays off.

How Safeguard.sh Helps

Safeguard.sh produces the contemporaneous SBOMs, patch records, and vendor due diligence artifacts that carriers request during claims adjudication, time-stamped and stored in a way that survives cross-examination. Customers use the platform to assemble their renewal controls packages in days rather than weeks and to present evidence that reliably moves sub-limits and exclusions in their favor. If you are preparing for renewal or reviewing your supply-chain-specific coverage, reach out for a walkthrough of the evidence package we produce.
