Summary

  • Public RIR records show that insurance exists but rarely show the operative coverage. RIPE NCC budgeted EUR 1.7 million for the combined Housing and Insurances line in 2026, after EUR 1.55 million in 2025. ARIN's 2026 budget listed USD 197,000 for insurance. APNIC's by-laws permit insurance for Executive Council members, its Director General and subcommittee members. These disclosures establish expenditure or authority, not which registry decisions, defence costs, exclusions, limits or affected parties a policy covers.
  • Insurance, contractual liability limits and institutional review are separate protections. RIPE NCC's Standard Service Agreement excludes broad categories of damage and states a service-fee liability cap. APNIC's Membership Agreement excludes much liability to the extent permitted by law, contains specified exceptions and provides notice, response and Executive Council appeal steps before or after revocation decisions. Neither contract text proves that an insurer will pay a particular claim.
  • Registry discretion creates operational harm that may arise before a court determines legal liability: loss of account access, delayed transfers, resource deregistration, impaired route authorization, customer concern, financing difficulty and emergency legal expense. Insurance normally pays an insured under agreed terms; it does not automatically preserve the member's service, restore registry data or compensate every downstream operator.
  • A Board should not ask only whether it has directors-and-officers, cyber or professional cover. It should map each consequential discretionary power to preventive controls, notice, evidence standards, independent review, emergency relief, reversal capability, records and a funding plan for both defence and remediation. The coverage inquiry comes after the governance design, not instead of it.
  • Policy exclusions and claims conditions can create divergence precisely when institutional conduct is most contested. Questions can arise over intentional acts, prior knowledge, contract liability, professional services, regulatory matters, sanctions, notification, consent, allocation among covered and uncovered allegations, and defence costs inside the limit. Without the actual policy and jurisdiction-specific advice, no responsible observer can state that a named registry decision is insured or excluded.
  • Members need a bounded insurance adequacy statement rather than publication of every confidential policy term. It should identify policy classes, aggregate limit bands, retentions, whether defence costs erode limits, principal exclusions, territorial reach, run-off arrangements, insurer concentration, claims authority, tested scenarios and gaps that the institution retains. It should never imply that insurance validates the underlying exercise of discretion.

The premium is visible; the promise is not

Insurance appears in RIR public records mainly as a budget category, corporate power or committee duty. That is enough to establish that boards regard risk transfer as part of institutional resilience. It is not enough to infer what an insurer has promised.

The RIPE NCC 2026 Activity Plan and Budget puts Housing and Insurances together at EUR 1.7 million, compared with EUR 1.55 million in the 2025 budget and forecast. The combined line includes costs that cannot be separated from the published table. The 2024 plan said the organization was reassessing business insurance, changing providers where needed and moving business travel coverage to a provider better aligned with its organizational setup. The 2025 plan separately placed EUR 100,000 of insurance among Human Resources expenses. These are useful management disclosures; none identifies a limit for a disputed resource decision.

ARIN's 2026 budget lists USD 197,000 for insurance. Its published Risk and Cybersecurity Committee charter requires annual review of directors-and-officers insurance and cybersecurity insurance. The committee is to advise the Board on adequacy. Again, the record demonstrates oversight architecture, not the answer reached on a claim.

APNIC's by-laws authorize the corporation, to the extent permitted by law, to purchase and maintain insurance for Executive Council members, the Director General and subcommittee members against liability incurred in those capacities. Corporate authority to insure a person is not evidence that every act is covered, that the limit is sufficient or that a member harmed by an act receives payment.

The distinction matters because readers naturally convert the word insurance into reassurance. The real promise sits in the insuring clause, definitions, schedule, endorsements, exclusions, retention, limit, reporting rules and governing law. Until those are examined, the only safe conclusion is that a premium was budgeted or coverage was authorized.

Three protections are repeatedly confused

The first protection is insurance. It is a contract between an insured organization or person and an insurer. Subject to its terms, it may fund legal defence, settlements, judgments, incident response, restoration, notification or other specified loss. It may reimburse after payment or appoint providers directly. It protects the balance sheet and insured people; it does not necessarily create a direct right for the member affected by the registry's action.

The second protection is a liability clause in the registry's agreement with a member or resource holder. It may exclude certain damages, cap recovery, allocate responsibility, require indemnity, select law or define force majeure. Such a clause shapes the dispute between registry and counterparty. It is not an insurance contract. An insurer can dispute coverage even where the registry is legally liable, and a registry can defeat liability while still having incurred substantial defence and institutional harm.

The third protection is administrative and corporate governance: notice, reasons, opportunity to respond, separation of duties, appeal, Board review, emergency suspension rules, restoration and public accountability. These controls seek to prevent a bad decision or correct it early. They protect the member, the registry and the number-resource system before loss becomes a damages claim.

Weak governance often collapses the three into one statement: the institution has insurance and strong legal terms, therefore the risk is managed. That reasoning overlooks non-compensable harm. A route authorization withdrawn in error may affect connectivity before a court can act. A transfer delayed during a financing transaction can lose commercial value that is difficult to prove. A member publicly associated with suspected fraud can suffer reputation loss even if access is restored. Downstream users may have no contract with the RIR.

The correct sequence is prevention, review, rapid correction, loss containment and only then financing. Insurance is the last balance-sheet layer. It should not be presented as the first governance control.

Registry discretion is a power, not an insured event

RIR agreements and procedures necessarily leave judgment to staff and boards. Corporate records differ across jurisdictions. Resource transfers can involve mergers, insolvency, name changes and competing representatives. Sanctions rules change. Fraud evidence is incomplete. Abuse allegations may be urgent and contested. A policy cannot specify every fact pattern.

Discretion allows the institution to interpret evidence and act where rigid automation would fail. It can also concentrate power. Staff may decide whether documentation is credible, whether a breach is cured, whether exceptional circumstances justify a different response, whether an account should close, whether resources should deregister or whether a contractual relationship can continue. Boards may ratify policy, hear appeals or decide that an institution cannot reasonably be required to maintain a relationship.

Insurance does not answer whether that discretion was exercised well. It does not define the evidential threshold, identify the decision-maker, require equal treatment, create an appeal or preserve reversibility. At most, a policy may respond to a claim alleging a covered wrongful act. The insurer will then apply contractual definitions and exclusions; it does not retrospectively supply a sound decision record.

This difference is clearest when the institution wins. A decision can be contractually permitted yet procedurally poor, inconsistently reasoned or unnecessarily destructive. If liability is excluded or capped, the insurer may owe little. The member can still lose time, trust and operational continuity. The registry can still weaken confidence in its neutrality.

It is equally clear when the institution loses. A judgment that conduct was unlawful does not guarantee payment. The wrong entity may be insured, the claim may be late, the relevant conduct may predate coverage, defence costs may have consumed the limit, or an exclusion may apply. Coverage litigation can continue after the underlying dispute. Governance must therefore be designed on the assumption that risk transfer may fail.

Service agreements allocate loss but do not prove coverage

The RIPE NCC Standard Service Agreement places broad responsibility on the member for use of services and Internet number resources. Article 8 excludes direct and indirect damages in stated terms, subject to its wording on willful misconduct or gross negligence, excludes damages connected with failure to make number resources available, addresses external telecommunications and force majeure, requires a member indemnity for third-party claims related to use, and states a cap equivalent to the member's service fee for the relevant financial year.

Article 9 sets grounds and procedures for termination. Some grounds are objective, such as payment default, insolvency or loss of association membership. Others require judgment, including falsified or repeatedly incorrect data, repeated refusal to assist audits, or circumstances in which continued agreement cannot reasonably be required for reasons not attributable to the registry. Termination leads to service cessation and cooperation with deregistration.

These provisions may reduce or structure legal exposure under the chosen law. They do not reveal whether a directors-and-officers, professional-liability, cyber or other policy would fund defence. Nor do they tell an affected operator how quickly an incorrect decision can be stayed or reversed. A small damages cap cannot restore an operational state.

The APNIC Membership Agreement likewise excludes liability broadly to the extent permitted by law, with specified exceptions including certain injury, tangible property, intentional intellectual-property infringement, confidentiality and privacy matters. It requires the member to indemnify the company for loss arising from member breach. The agreement also gives the institution discretion after notice and response to issue another notice or revoke rights and terminate, followed by an appeal to the Executive Council on stated grounds.

These texts show why contracts belong in the threat analysis. They allocate rights and create operating powers. But reading a liability exclusion as an insurance statement confuses two contracts involving different parties. Coverage can only be evaluated from the relevant policy, facts, claim and law.

The loss arrives before the lawsuit

Number-resource decisions can have immediate effects. An account suspension can prevent routine administration. Deregistration can change authoritative records. RPKI actions can alter what relying parties see. A transfer hold can affect a corporate transaction. Loss of portal access can impede contact changes during an incident. Public notices can influence banks, customers, peers and regulators.

Not every administrative action causes routing disruption, and operators make independent routing decisions. It would be inaccurate to treat an RIR database change as a universal off switch. The governance point is narrower: registry status and authority are inputs to many operational and commercial decisions, so an erroneous action can propagate through systems and relationships the registry does not control.

Damages law works slowly and retrospectively. The claimant must establish jurisdiction, duty, breach, causation and recoverable loss, while contractual limits and defences are tested. Insurance follows that legal contest or a policy-specific loss definition. During the interval, the institution needs an operating remedy.

For high-impact discretionary acts, the remedy design should include prior notice where safe, a clear statement of evidence, a response period, independent approval, a temporary rather than irreversible state, notification through more than one trusted channel, a rapid escalation contact and the ability to restore records with an auditable explanation. Emergency action may be required, but it should expire unless confirmed through fuller review.

The institution should also consider downstream communication. If a status change was wrong, a quiet database correction may not reverse notices, customer decisions or security alerts already triggered. A remediation plan may need a signed correction, direct notice to affected parties and preserved timing evidence. Those are governance and incident-response costs whether an insurer pays them or not.

Defence, indemnity and remediation are different money

A liability policy can contain several financial promises. The insurer may have a duty to defend, a duty to reimburse defence expense, a duty to indemnify covered settlements or judgments, or some combination. Cyber coverage may pay selected incident-response and restoration costs. The definitions differ, and so does control over counsel and settlement.

Defence costs may sit inside the aggregate limit, reducing the amount available for settlement. A serious cross-border dispute can consume a large limit before liability is decided. Multiple claims may share one annual aggregate. Related claims can be treated as one claim first made in an earlier period. A retention may apply to each claim or related series. One policy may be excess over another, producing disputes over which responds first.

Remediation can fall between categories. Restoring an account, repeating a transfer review, correcting records, notifying operators, commissioning an independent investigation and compensating emergency technical work may be prudent even if not legally required. Some costs may fit cyber incident response; some may be ordinary operating expense; some may be excluded as improvement or performance of a contract.

The Board should therefore maintain separate financial plans. It needs liquidity for immediate correction without waiting for insurer consent. It needs authority to appoint independent counsel where directors, executives and the institution have diverging interests. It needs records sufficient for timely notification. It needs a reserve for uncovered remediation and the retention.

Insurance adequacy should be tested against realistic cost sequences, not only a headline limit. The scenario should include first response, parallel legal advice in several jurisdictions, technical investigation, member communication, temporary service, restoration, third-party claims, regulatory inquiry, appeal and possible coverage dispute. A nominally large policy can be exhausted by the time the most consequential remedy is due.

Exclusions concentrate around contested judgment

Insurance is designed around fortuity: an uncertain event rather than a guaranteed or deliberately produced loss. The precise doctrine varies by jurisdiction and policy. The practical result is that allegations concerning intent, known circumstances, personal benefit, fraud or deliberate violation often receive special treatment. Final-adjudication wording, severability and imputation determine whether an allegation, one person's knowledge or a concluded finding affects others.

Contractual liability can also be contested. A registry's obligation may arise from the service agreement, while the insurer asks whether liability would have existed without that contract. Professional-services exclusions in one policy may push the claim toward another. Cyber exclusions can interact with technology errors. Regulatory fines and penalties may be covered only where legally insurable. Sanctions can prevent an insurer from paying even if the underlying act is covered.

Prior knowledge and claims-made timing are especially important for long-running disputes. If staff knew of facts likely to produce a claim before inception, a later notice may face challenge. If a claim is first made after a policy ends, run-off or extended reporting may be necessary. A change of insurer can create gaps around related events. Corporate restructuring can affect who remains an insured.

Consent provisions create another tension. The registry may want to reverse a decision, apologize or settle quickly to protect operational trust. An insurer may require consent before admitting liability, incurring defence expense or settling. The institution should understand in advance how to correct service without prejudicing coverage. Public-interest restoration should not be improvised under threat of losing insurance.

None of these common coverage questions proves that a particular RIR policy contains a particular exclusion. The policies are not in the cited public record. They show why directors should reject vague assurance that an act is insured. The correct statement is conditional, documented and scenario-specific.

Directors-and-officers cover protects roles, not institutional legitimacy

Directors-and-officers insurance commonly addresses claims against directors, officers and sometimes the entity for alleged wrongful acts, subject to policy structure. It can protect volunteers and executives from ruinous defence costs and help an institution recruit capable governors. APNIC's by-law authority and ARIN's annual committee review reflect that legitimate need.

The presence of cover can nevertheless distort discussion. A Board may hear that a decision is within authority and insured, then treat legal resilience as substantive justification. But the insurer is not the membership and coverage counsel is not an appeal body. A defensible decision can still exceed the institution's social mandate; a covered settlement can still leave the registry's neutrality damaged.

Individual and institutional interests may diverge. Directors may seek separate representation. Management may defend the accuracy of staff work while the Board wants independent investigation. The organization may have to decide whether to advance costs, pursue repayment after an exclusion finding or settle claims against some parties but not others. Policy allocation rules become part of governance under pressure.

The Board should know who controls notice, defence and settlement; whether former directors are covered; how outside directorships are treated; whether investigations before a formal claim trigger costs; and what happens after merger, insolvency or policy cancellation. It should also know whether defence expense reduces the limit and whether entity coverage competes with individual protection.

Most importantly, directors should never understand insurance as permission to use maximum discretion. The best protection for a good-faith Board is a contemporaneous record: authority, disclosed conflict, evidence, alternatives, reasons, proportionality, member impact, legal advice, dissent and review. Insurance finances parts of the contest. The record makes accountable judgment visible.

Cyber policies are often associated with intrusion, malware, privacy incidents, business interruption, extortion and incident response. Registry harm can fit awkwardly when the system operates as designed but an authorized person makes an improper or mistaken decision.

Suppose a staff member with valid access accepts fraudulent evidence and changes account authority. There may be social engineering and data-integrity loss, but no exploit in the conventional sense. Suppose a privileged contractor follows an instruction that later proves unauthorized. Suppose an automated rule suspends a service based on erroneous external data. Whether these events fit a cyber insuring clause depends on wording and facts.

Even where cyber coverage responds, business-interruption measures may focus on the insured's own income loss and restoration. The greater public harm may fall on the member or downstream operators. Data restoration can put records back, but it cannot decide which claimant has legitimate corporate authority. Forensic services can identify changes without resolving the policy or legal dispute that produced them.

This is why the institution's cyber model must include governance events, and its discretion model must include technical consequences. Treating the categories separately creates a gap between the chief information security officer, general counsel, registry operations and the Board. Each can believe the risk belongs to another function.

An annual cyber-insurance review should therefore ask about authenticated harmful action, member identity fraud, erroneous revocation, supplier-authorized change, disputed legal authority and integrity-preserving restoration. The answer may be that some loss is outside coverage. That is useful information. It identifies where stronger prevention, an internal reserve or a different policy is required.

Appeals are the primary loss-control mechanism

An effective appeal can stop a registry error before it becomes an insurance matter. APNIC's membership agreement illustrates a defined sequence: notice describes the perceived breach and remedy, the member may respond or identify exceptional circumstances, the institution decides whether the breach remains, and a member can appeal a revocation notice to the Executive Council on stated grounds. The agreement's exact legal operation depends on facts and law, but the structure recognizes review.

Appeal quality depends on more than existence. The reviewer must be sufficiently independent from the original decision. The member needs the substance of the evidence, subject to lawful protection. Time limits must reflect operational urgency. The status of resources and services during review must be clear. The body must be able to stay, vary and reverse the decision, not merely recommend reconsideration.

Board-level appeal can create its own problems. Directors may have approved the policy, received earlier briefings or face litigation exposure. A full Board may lack time or technical detail. A small committee may be efficient but too close to management. Institutions should publish recusal rules and allow independent expertise where identity, sanctions, insolvency or routing consequences are complex.

Statistics can reveal whether appeal is real. The annual record can state how many material adverse actions occurred, how many were appealed, how many were stayed, varied or reversed, median decision time and principal categories, without exposing member secrets. A system in which no one appeals can indicate perfect decisions, inaccessible review or fear of antagonizing the registry. The Board should find out which.

Insurers may value strong review because it reduces severity and improves evidence. That is a welcome side effect. The constitutional reason is more important: an institution with exclusive regional functions should correct its own mistakes promptly rather than require members to finance years of litigation.

Liability limits can transfer risk to those least able to bear it

A service-fee cap makes financial exposure predictable. It can protect a member-funded non-profit from a claim grossly disproportionate to annual fees. Broad consequential-loss exclusions respond to the difficulty of tracing outages or registry decisions through many networks and commercial relationships. There is a coherent collective-interest argument for preserving the institution.

The same clauses transfer risk to members and third parties. A small operator may pay a modest fee but depend heavily on stable resource records. Its recoverable amount can bear little relationship to its actual emergency cost. A downstream customer may have no direct claim. The institution's reserve and insurance remain collective, while loss is concentrated on the affected party.

This asymmetry makes procedural protection more important, not less. Where monetary remedy is limited, notice, verification, pause, appeal and restoration must carry more weight. The Board cannot argue both that damages are unavailable and that after-the-fact litigation is the adequate safeguard.

Members also need honest communication about the boundary. Marketing language about trust, resilience and critical service should not imply a guarantee contradicted by the agreement. Service commitments, liability limitations, insurance and recovery objectives should be described together. Trust is improved by precision, not by hiding legal allocation in a link.

The Board should examine incidence when approving liability terms. Which member classes bear the greatest operational dependence? Do national registry relationships move risk again? Are legacy resource holders treated differently? Can a member realistically buy its own insurance for a registry decision it cannot control? Is an emergency technical remedy available regardless of damages rights?

The aim is not unlimited liability. It is a proportionate package in which institutional survival is protected without using the cap as a substitute for fair administration.

Sanctions, court orders and regulatory demands need a separate model

RIRs operate across many jurisdictions while being incorporated in one. They may receive court orders, law-enforcement requests, sanctions obligations and regulatory demands. Some actions leave little lawful discretion. Others require interpretation of scope, identity, timing and conflict of laws.

Insurance may contain territorial, jurisdictional or sanctions provisions. An insurer cannot necessarily make a payment that law prohibits. Legal costs in one jurisdiction may be covered differently from another. A government investigation may not meet the definition of a claim until a formal stage. A court-ordered act can still generate member disputes elsewhere.

The governance record should distinguish compelled action from institutional choice. If a court specifically orders deregistration, the decision path differs from a staff conclusion that a broader compliance step is prudent. If law requires secrecy, the institution should record internally what cannot be disclosed and when review becomes possible. If several lawful options exist, insurance should not decide which option the registry chooses.

Scenario exercises should include conflicting demands, not only a clear order. What happens when a member is incorporated in one country, operates in another, holds resources used across several regions and is owned through a contested structure? Who confirms identity? Which service changes are necessary? Can unaffected services continue? Who informs the Board and insurer? What appeal or external review remains?

A public annual statement can aggregate these matters: number of material compelled actions, legal jurisdictions, categories, whether external review occurred and whether any action was reversed, subject to lawful limits. That transparency helps members distinguish systemic legal exposure from discretionary expansion.

The hardest case is not proof that insurance failed. It is proof that governance must remain capable when coverage, disclosure and ordinary notice are constrained simultaneously.

The claims process should not control the correction process

Insurance policies commonly require prompt notice, cooperation, preservation of evidence, approved counsel and consent for settlement or expense. Those obligations protect the insurer's ability to evaluate and defend the claim. A registry needs a prepared sequence that meets them without delaying urgent restoration.

The first decision should be operational containment: prevent further unauthorized change, preserve authoritative integrity, maintain safe service and establish trusted communications. The second is decision review: identify who had authority, what evidence was used and whether the action should stand. Insurance notice and legal preservation should run in parallel under pre-agreed authority.

The person who made or approved the contested decision should not control the evidence record. Logs, documents, messages and external instructions need preservation. Privilege should be used to protect legal advice, not to erase the factual chronology. The Board or an independent committee should know when management, directors and the institution may need separate counsel.

Public correction should not await admission of liability. The institution can state facts, restore a service and explain a procedural change without conceding every legal allegation. Counsel and insurer should have planned language for rapid operational notices. A policy that effectively deters correction creates a governance risk the Board should address at renewal.

After resolution, a lessons report should compare the event with the coverage map. Which cost was insured, retained, excluded or disputed? Did defence consume an unexpected share of the limit? Did notification occur on time? Did vendor or counsel panels work across the region? Most importantly, did insurance considerations alter the speed or quality of remedy?

This review should reach the risk register, appeal design, contract terms and next insurance purchase. A paid claim is not evidence that the system worked; an unpaid claim is not necessarily evidence of a bad policy. The measure is whether the institution preserved service, corrected error, treated affected parties fairly and remained financially resilient.

Boards should test gaps, not celebrate limits

An annual broker presentation can become a tour of policy names and aggregate limits. The Board should instead commission scenario tests. One scenario should involve a mistaken resource deregistration followed by urgent member loss. Another should involve a fraudulent transfer authorized through valid credentials. A third should involve claims against directors, the entity and a contractor with conflicting interests. A fourth should involve sanctions preventing payment to or for a party.

For each, directors should ask who is an insured, what event starts coverage, when notice is due, who appoints counsel, what retention applies, whether defence erodes the limit, which exclusions may be raised, how related claims are treated, whether remediation is covered and what funding fills the gap. The exercise should record uncertainty rather than forcing a reassuring answer.

The Board should test concentration. Several policies may sit with one insurer or group. One broker may hold critical institutional knowledge. One panel firm may be expected to handle disputes across jurisdictions where it lacks presence. A simultaneous cyber event and governance claim can draw on the same aggregate or executive attention. Counterparty failure belongs in the model.

It should also test allocation among institutions and people. A single resource dispute can name the registry entity, current directors, former directors, executives, technical staff and an outside provider. One policy may defend only some of them. Another may respond after a different retention. If covered and uncovered allegations are intertwined, the insurer and institution may divide costs. Directors should know in advance who decides that division and whether the organization can finance representation for a person whose interests no longer align with management.

An adequacy review should include the counterparty that is missing from most insurance presentations: the member. The Board should ask what practical relief the affected organization receives at hour one, day three and month three. It should identify which remedy is controlled by the registry, which depends on a court, which might be reimbursed by insurance and which remains with the member. If the answer consists only of a claims address and liability cap, the institution has financed its defence without designing recovery for the party exposed to its authority.

There should be a severity ladder. A minor account inconvenience, a disputed transfer, an integrity event affecting registry records and a regionally significant trust-service failure should not share one response. The ladder should trigger progressively independent decision-makers, legal and technical review, Board notification, insurer notice, communication and public reporting. It should state who may declare the highest level when senior management is implicated or unavailable.

The test should include a wrong but reversible decision and a correct but damaging one. In the first, the institution needs to detect error and restore the member. In the second, it may have lawful grounds to act but should minimize collateral harm, explain proportionality and provide transition where rules permit. Insurance analysis can obscure this distinction because both may generate claims. Governance has to assess legitimacy and impact separately.

Directors should request the insurer's and broker's assumptions in writing. Does the quoted programme assume no material change to services, legal exposure, geographic reach or claims history? Does a new RPKI function, identity system, cloud dependency or expanded enforcement practice alter the risk description? A policy can remain formally in force while the institution's operations have moved beyond the facts on which it was underwritten. Renewal should reconcile those changes rather than repeat last year's schedule.

External comparison must be used carefully. Another RIR's limit, premium or policy mix may reflect different law, revenue, member agreements, reserves, claims experience and services. A low premium is not evidence of efficiency; a high limit is not evidence of safety. The useful comparison is structural: which scenarios are tested, who reviews adequacy, what remains retained, how appeals work and whether the institution can correct harm before coverage is resolved.

The exercise should finish with decisions, not observations. Each material gap needs an owner, treatment, funding source and date. The treatment may be additional cover, a contract amendment, a larger reserve, stronger identity controls, a faster appeal or acceptance by the full Board. If a gap is accepted, the record should say why and identify who bears the resulting loss. That is the point at which an insurance review becomes governance rather than procurement administration.

It should test time. A claim made years after an act can cross policy periods. A departing director needs run-off protection. A change in corporate form or control can end ordinary cover. A known circumstance must be notified before renewal. Records must remain accessible beyond staff turnover.

Finally, it should test member remedy without insurance. Assume the carrier reserves rights for six months. Can the registry fund restoration, independent review and fair interim measures? If the answer is no, the institution is relying on a contract whose central obligation is contested at the moment of need.

A bounded public insurance adequacy statement

Publishing complete policies may expose pricing, negotiation and security-sensitive information. It may also confuse readers because endorsements and law determine meaning. Total secrecy is unnecessary. Members financing the institution can receive a reliable high-level account.

The statement should list policy classes: directors-and-officers, cyber, professional or errors-and-omissions, crime, general liability, property, employment, travel and any specialist cover relevant to registry operations. It should state limit bands, major retentions, whether defence costs erode the limit, insurer concentration and material territorial limits. It should identify run-off arrangements for former directors and claims-made transitions.

It should summarize principal exclusions that matter to public authority without predicting coverage: intentional conduct, personal benefit, prior knowledge, contractual liability, professional services, sanctions, regulatory matters and infrastructure interruption. It should state whether the Board has tested authenticated harmful action, erroneous registry decisions, resource disputes, privacy loss and supplier compromise.

The statement should identify oversight. Who selects the broker, who reviews conflicts, which Board committee assesses adequacy, whether independent coverage counsel participates and when the full Board accepts retained gaps? ARIN's charter provides a public assignment of annual review; other RIRs can disclose an equivalent route without revealing premium negotiations.

It should also state what insurance cannot promise. Coverage depends on facts, policy wording and law. It does not determine whether an RIR decision was correct, does not guarantee service restoration and may not compensate members or downstream parties. This sentence would improve public understanding more than a generic claim of comprehensive cover.

Governance must work when the insurer says no

The final resilience test is refusal. Imagine that the insurer denies coverage, reserves all rights or cannot decide quickly. The registry still has members, authoritative records, legal duties, operational dependencies and a reputation to preserve. Its governance cannot stop at the edge of the policy.

Nor should the institution assume that a later recovery makes early expenditure neutral. Emergency advisers charge premium rates, contested decisions absorb senior staff and public correction requires technical and communications work. Even if an insurer eventually reimburses a covered share, management attention and member trust are not restored by the payment. The Board should measure these retained costs after each event and use them when deciding whether a cheaper preventive safeguard, such as dual approval or a temporary hold, deserves priority.

That requires liquid funds for retentions, emergency counsel, independent investigation and remediation. It requires directors who understand their indemnification rights and conflicts. It requires staff authority to restore safe service without waiting for a coverage conclusion. It requires an appeal route whose independence does not depend on the defendant's insurer. It requires records that can support both correction and defence.

It also requires humility in public claims. RIPE NCC's combined budget line, ARIN's insurance figure and committee reviews, and APNIC's power to insure governors are evidence of prudent attention. They are not public guarantees. The service agreements allocate risk; they do not eliminate the institutional duty to act fairly. Appeals can correct decisions; they do not replace prevention.

The central governance question is therefore not whether registry discretion is insured. It is whether each discretionary power is bounded, evidenced, reviewed, reversible where possible and financially survivable if coverage fails. Insurance can protect the institution from a covered consequence. It cannot lend legitimacy to the act that produced it.

For a territorial monopoly over essential registry functions, that difference is fundamental. Members should never have to accept an opaque decision because the Board believes its legal exposure is capped or its defence is funded. The measure of resilience is not the policy in the drawer. It is the institution's ability to make a difficult decision carefully, correct it quickly and bear responsibility when it is wrong.

Sources