Cyber Insurance Isn’t a Safety Net — It’s a Tightrope
- Gregory Flatt
- 6 days ago
When Merck filed a claim for $1.4 billion in damages after the 2017 NotPetya cyberattack, they expected their cybersecurity insurance to come to the rescue. Instead, their insurer pointed to an exclusion buried in the fine print: acts of war are not covered. Because NotPetya was linked to Russian state actors, the insurance company refused to pay. It took years of legal battles before a court finally ruled that Merck was entitled to coverage — but the message to businesses everywhere was crystal clear:
Having cyber insurance doesn’t guarantee you’ll get paid when you need it most.
And Merck is hardly alone. Over the past three years, companies ranging from small law firms to Fortune 500 giants have discovered that denied cyber claims are becoming shockingly common. Whether it’s because of accusations of “negligent security practices,” “failure to maintain reasonable controls,” or technicalities hidden in obscure endorsements, insurers are finding ways to push back.
In a world where ransomware groups operate like multinational corporations and regulatory fines soar into the millions, businesses can’t afford to assume that holding a cyber policy is enough. You must actively prepare to defend your claim before an incident ever occurs.
Why Are Claims Being Denied?
Insurance companies have adapted to the realities of cyber threats — and they’re passing the burden back onto the insured.
Here are some of the most common reasons claims get denied:
Failure to Follow “Security Warranties”: Many policies now include cybersecurity warranties — promises you make to maintain certain protections, like multi-factor authentication (MFA) or endpoint detection and response (EDR) tools. If you claim you have MFA enabled company-wide but it turns out one admin account didn’t have it, your claim could be denied entirely.
Failure to Notify Properly: Some policies require reporting an incident within as little as 24–72 hours. Missing that window, even unintentionally, can nullify coverage.
War and Terrorism Exclusions: As Merck found out, if an attack is tied to a nation-state actor, insurers might argue it’s an “act of war” and therefore not covered.
Negligence or Failure to Maintain “Reasonable” Cyber Hygiene: Courts have held that if a business was negligent — for example, ignoring critical patches or running outdated systems — that negligence can invalidate coverage.
Take the case of Cottage Health System. After a data breach involving patient records, their insurer, Columbia Casualty, sought to deny the claim, arguing that Cottage failed to follow basic security practices they had warranted in their policy — like maintaining risk assessments and incident response plans. Columbia ultimately demanded reimbursement for defense costs already paid.
These cases aren’t outliers. They’re signals that cyber insurers expect active, provable cybersecurity programs — and that shortcuts or misunderstandings can cost you millions.
How to Protect Your Business (and Your Claim)
The good news: you can protect yourself now so that if a breach happens, you aren’t fighting your insurance company and your attackers at the same time.
Here’s how to get proactive:
Understand and Document Your Warranties
Before you even sign a cyber policy, scrutinize the security warranties. These are not mere suggestions — they’re binding promises.
If the policy requires 24/7 endpoint detection, documented patching processes, or employee security training, make sure you have those controls in place and provable.
Keep screenshots, policy documents, audit logs, and training records. Assume you’ll need to “prove you were compliant” long after the breach.
Conduct Regular Cyber Hygiene Assessments
Auditors recommend formal cyber hygiene reviews at least twice a year — and insurers increasingly expect them too.
At a minimum, check:
MFA everywhere — and verify privileged accounts separately
Regular vulnerability scans and patch management
Active threat monitoring (either in-house or through a third-party MDR provider)
Updated incident response and disaster recovery plans
Bonus: If you can show you proactively found and fixed issues before a breach, it strengthens your insurance position dramatically.
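One way to turn the “MFA everywhere, privileged accounts verified separately” item into evidence you can hand to an insurer is a repeatable check over an identity-provider export. This is an added example, not code from the article; the CSV layout, column names and role labels are assumptions, and the sample rows are constructed.

```python
"""Warranty evidence check: MFA coverage for every account, with privileged
accounts reported separately (added example; export format is assumed)."""
import csv
import io

# Constructed sample of an identity-provider export. Columns are assumed:
# username, role, mfa_enabled (true/false), last_login.
SAMPLE_EXPORT = """username,role,mfa_enabled,last_login
alice,admin,true,2024-05-01
bob,user,true,2024-05-02
carol,admin,false,2024-04-28
dave,user,false,2024-03-15
erin,service,true,2024-05-03
"""

# Role labels treated as privileged; adjust to your directory's naming.
PRIVILEGED_ROLES = {"admin", "domain_admin", "global_admin"}


def parse_export(text):
    """Parse the export into a list of dicts with a boolean mfa flag."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["mfa_enabled"] = row["mfa_enabled"].strip().lower() in ("true", "yes", "1")
        rows.append(row)
    return rows


def mfa_warranty_report(accounts):
    """Return an evidence summary. The warranty counts as met only when every
    account has MFA; privileged gaps are listed on their own because a single
    unprotected admin is exactly the case the article warns about."""
    privileged_gaps = sorted(a["username"] for a in accounts
                             if a["role"] in PRIVILEGED_ROLES and not a["mfa_enabled"])
    other_gaps = sorted(a["username"] for a in accounts
                        if a["role"] not in PRIVILEGED_ROLES and not a["mfa_enabled"])
    covered = sum(1 for a in accounts if a["mfa_enabled"])
    return {
        "total_accounts": len(accounts),
        "mfa_covered": covered,
        "privileged_without_mfa": privileged_gaps,
        "other_without_mfa": other_gaps,
        "warranty_met": not privileged_gaps and not other_gaps,
    }


if __name__ == "__main__":
    report = mfa_warranty_report(parse_export(SAMPLE_EXPORT))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it on each review cycle and keep the dated output alongside the export it was generated from; the report with `warranty_met: True` is the artifact you want on file before a claim.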
Practice Breach Reporting Timelines
Don’t wait until a crisis to figure out your internal breach reporting procedures.
Create an incident notification checklist that clearly shows:
How incidents are escalated internally
Who is responsible for contacting your insurer (and your breach coach, if assigned)
Timeframes for initial notification and follow-up updates
Mistiming a report by even a few hours could complicate — or even void — your claim.
Negotiate Clarifications During Policy Renewals
Each time your cyber policy comes up for renewal, use it as a chance to negotiate clarity.
Ask for:
Clearer definitions of “reasonable security standards”
Narrower war exclusions (some insurers now offer endorsements that limit war exclusions to declared wars only)
Explicit lists of covered vs. excluded attack types
If your broker isn’t helping you negotiate these protections, it might be time to find one who will.
The Bottom Line
In cybersecurity today, there are no guarantees — but there are ways to tilt the odds in your favor. Cyber insurance isn’t a magic shield; it’s a complex contract with very specific rules. If you treat it like a one-time purchase and shove it in a drawer, you may find yourself blindsided after an attack.
If, however, you view your cyber policy as a living part of your risk management strategy — backed by documentation, controls, and vigilance — you give yourself the best possible chance of getting the protection you paid for.
Because in the end, the real battle after a breach isn’t just against the hackers. It’s making sure your own safety net actually catches you.