A clean audit trail can coexist with weak real-world resilience, and cyber insurance terms may not close that gap.