Cyber insurance has matured from a niche risk transfer product to a near-mandatory component of enterprise risk management. The market has also hardened dramatically: average premiums increased 50% or more between 2021 and 2023, underwriters require detailed security questionnaires with evidence of controls, and insurers have become increasingly aggressive in disputing and denying claims. Security professionals who understand how cyber policies work — what triggers coverage, what limits it, and what voids it — can both make better procurement decisions and avoid the common failure modes that leave organizations uninsured at the moment they need coverage most.
What Triggers Cyber Coverage
A cyber policy is triggered by a defined set of covered events. The specific language varies by policy, but covered events typically include:
- Data breach / security failure: Unauthorized access to or exfiltration of the insured's data. The trigger is typically the discovery of unauthorized access, not the breach event itself — a breach that occurred in 2024 but was discovered in 2025 triggers under the 2025 policy year (claims-made basis).
- Ransomware / extortion: Malicious encryption of the insured's systems combined with an extortion demand. Most policies cover ransom payments (subject to OFAC sanctions compliance — paying a sanctioned group voids coverage and may constitute a federal violation), forensic investigation costs, and business interruption losses during recovery.
- Business Email Compromise (BEC): Fraudulent instruction from a spoofed or compromised email account causing the insured to transfer funds. Often sublimited under 'social engineering fraud' coverage — check whether this is a first-party coverage (your losses) or third-party (covered under crime insurance).
- Denial of Service (DDoS): Interruption to the insured's systems or network due to a DDoS attack, covered under business interruption.
- System failure: Some policies cover unintentional system failures that cause business interruption, distinct from security incidents. This is a coverage area where policy language varies substantially.
First-Party vs Third-Party Coverage
First-party coverage pays for the insured's own losses: forensic investigation and incident response costs (often $50,000-$500,000 per incident for IR firm costs alone), ransomware payment (subject to OFAC), business interruption and extra expense during recovery, notification costs (legal, credit monitoring, regulatory notification), and crisis communications/PR.
Third-party coverage (also called liability coverage) pays for claims made against the insured by others: regulatory fines and penalties (coverage for NYDFS or HIPAA fines varies widely — many policies exclude fines and penalties entirely, or cover them sublimited), litigation defense and settlements from affected customers or business partners, and PCI DSS fines and assessments from card brands.
Coverage Sublimits and Common Gaps
The headline policy limit — '$10 million cyber policy' — is often misleading because the coverages that matter most in an actual incident are sublimited to fractions of the total:
- Ransomware sublimit: Ransomware coverage is frequently capped below the headline limit — sometimes via a fixed sublimit far smaller than the aggregate (e.g., a $250,000 ransomware sublimit on a $3 million policy in CiCi Enterprises v. Continental Casualty), and during the 2021-2023 hard market via coinsurance or sublimits as steep as 50%, where insurers such as AIG required policyholders to absorb half of digital-extortion losses (Business Insurance, 2021). Ransomware IR engagements alone routinely exceed $1 million for enterprise incidents.
- Social engineering / BEC sublimit: Social engineering fraud is frequently sublimited to $250,000-$1,000,000 regardless of policy limit. The average BEC loss per reported incident was roughly $135,000 in 2023 — derived from 21,489 complaints totaling over $2.9 billion in adjusted losses (FBI IC3, 2023 Internet Crime Report); large wire fraud incidents routinely exceed $1 million.
- Business interruption waiting period: Most policies have an 8-24 hour waiting period before BI coverage begins. Incidents that disrupt operations for less than the waiting period generate no BI recovery.
- Retroactive date: Claims-made policies with a retroactive date exclude coverage for breaches that began before the retroactive date, even if discovered during the policy period. Ensure the retroactive date in new policies matches your prior policy's effective date.
The War Exclusion: NotPetya, Merck, and Lloyd's
The NotPetya malware attack of 2017 — attributed by the US, UK, and EU governments to the Russian military (GRU Sandworm) — caused an estimated $10 billion in global damages. Merck lost an estimated $1.4 billion. Merck's insurers (led by ACE American Insurance Co.) attempted to deny the claim under the war exclusion, which traditionally excludes losses from acts of war between nation states. The New Jersey Superior Court ruled in Merck's favor in 2021, finding that the war exclusion applied only to traditional armed conflict (Merck & Co. v. ACE American Insurance Co., N.J. Super. Ct., Union County, Dec. 2021; affirmed by the N.J. Appellate Division, May 2023) and that Merck had no way of knowing NotPetya would strike its systems as collateral damage from a nation-state operation.
The insurance industry responded by drafting explicit cyber-specific war exclusions. Lloyd's Market Association published updated war exclusion clauses (LMA 5567) for use in cyber policies. The Lloyd's of London marketplace mandated that all standalone cyber policies (risk codes CY and CZ) include state-backed cyber attack exclusions from 31 March 2023 (Lloyd's Market Bulletin Y5381, issued 16 August 2022) — clauses that exclude losses from cyber attacks attributable to state actors and attacks on critical national infrastructure.
The practical implication: review your cyber policy's war exclusion language carefully. If your policy uses LMA 5567 or equivalent Lloyd's systemic exclusion language, be aware that a nation-state attributed attack (a realistic scenario for financial services firms) may not be covered.
How Insurers Evaluate Claims and What Gets Denied
After a claim is filed, the insurer appoints a forensic investigation firm (often from a panel list — CrowdStrike, Mandiant, Kroll are common panel firms). The forensic investigation reconstructs the attack timeline and determines root cause. This is where retroactive control verification occurs:
- If the insured represented on the application that MFA was enabled on all remote access and the investigation finds VPN accounts without MFA, the insurer has grounds for denial based on misrepresentation on the application.
- If the insured represented that systems were patched within 30 days and the investigation finds a 9-month-old unpatched vulnerability was the attack vector, similar exposure.
- Pre-existing known vulnerabilities where the insured failed to act may be excluded under a 'known circumstances' clause.
Insurers dispute or deny cyber claims through a recurring set of mechanisms — material misrepresentation on the application (notably overstated security controls such as MFA), failure to maintain controls that were represented at binding, war or state-actor exclusions, late notification past the policy's reporting window, and category-level coverage exclusions. The relative frequency of each is not consistently reported across carriers, so organizations should treat all of these as live denial risks rather than rank them.
The claims process is adversarial. Retain your own counsel and, where possible, your own IR firm independent of the insurer's panel. Coordinating your response exclusively through the insurer's panel creates a situation where the firm conducting your investigation also advises the entity deciding whether to pay your claim.
The Fortress MSSP incident response retainer provides pre-established IR capacity that satisfies most insurers' requirements for having a qualified IR partner on retainer — often required for the lowest premium tier. The Fortress vCISO program can audit your technical controls against your insurance application representations to identify misalignment before it becomes a denial. Contact us to discuss your cyber insurance posture.