In 2024, roughly 40% of cyber insurance claims were denied. Coalition's analysis of those denials found that 82% involved organizations that had not fully implemented multi-factor authentication: the policyholder had failed a control it attested to having in place. The premiums were paid. The breach was real. The payout did not arrive.
That gap is the central problem with treating cyber insurance as a substitute for security. Risk transfer moves the financial consequences of a loss to a third party. Risk mitigation reduces the probability or severity of the loss itself. The two are complements, not alternatives, yet boards and finance teams often buy the policy and treat the security program as discretionary. The cases below show what happens when that bet goes wrong.
What Risk Transfer Actually Buys
A cyber policy is a contract that pays out under a narrowly defined set of circumstances. It does not prevent intrusion, restore data, or rebuild trust with regulators and customers. Modern policies cover a mix of first-party costs (forensics, business interruption, ransom payment, data restoration) and third-party liability (regulatory fines where insurable, breach-notification class actions, vendor claims). They almost universally exclude pre-existing vulnerabilities, many forms of insider acts, regulatory penalties tied to willful conduct, and, increasingly, losses tied to state-sponsored attacks.
The economic case for transfer is real. The average uninsured small-business cyber incident exceeds $79,000, and per Resilience's H1 2025 data the average ransomware claim now sits around $1.18 million, a 17% year-over-year increase. For a mid-sized company, a single bad week can be a solvency event. Insurance smooths that variance.
The problem is that the contract only pays when the policyholder’s security program is genuinely operating as represented. That is the part organizations underestimate.
How Insurers Actually Deny Claims
Denials cluster into a handful of mechanisms. Two of them, misrepresentation on the application and policy exclusions, have each produced a public case worth studying.
The Travelers v. ICS Lesson
In July 2022, Travelers Property Casualty filed in the U.S. District Court for the Central District of Illinois to rescind a $1 million cyber policy issued to International Control Services (ICS), an electronics manufacturer in Decatur, Illinois. ICS had attested on its application that it required MFA for administrative and privileged access across email, remote access, endpoints, servers, and directory services. After a May 2022 ransomware attack, Travelers' forensic investigation found that MFA had been deployed on the firewall only: not on the server that was compromised, and not on the other digital assets named in the application.
The case never reached a contested ruling. By August 26, 2022, ICS had stipulated to rescission, and the court entered judgment voiding the policy from inception. The legal mechanism is straightforward under U.S. insurance law: a material misrepresentation on an application, whether intentional or not, gives the insurer grounds to unwind the contract if the underwriter would not have issued the policy on accurate facts.
The takeaway is not that ICS lied. It is that the gap between what the CEO signed and what the security team had actually deployed was discoverable in roughly an hour of forensic work. Modern cyber applications run dozens of pages. Carriers using AI-driven underwriting now scan public-facing assets and compare them to attestation answers before binding. The Lockton analysis of Travelers v. ICS warned that misrepresentation defenses would become routine, and Coalition's 2024 data confirmed the pattern: 82% of denied claims involved organizations without MFA fully implemented.
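The ICS gap is a reconciliation problem: a list of asset classes the application asks about, a "yes" against each, and an inventory that only partly backs it up. The script below is an added example, not code from the page, from Travelers, or from ICS; it reconciles a hypothetical attestation against a constructed asset inventory modeled on the facts above (MFA enforced on the firewall only) and flags each attested class as holding, misrepresented, or unverifiable. The asset names, classes and the `internet_exposed` flag are assumptions for illustration. The same check is what "document the controls continuously" means in practice: run it before the application is signed and on every inventory change, not after the breach.

```python
"""Reconcile a cyber-insurance MFA attestation against deployed controls.

Added example; assets and attestation answers are constructed, not real data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    asset_class: str        # matches a question on the application form
    privileged_mfa: bool    # MFA enforced for admin/privileged logons
    internet_exposed: bool = False   # what a carrier's external scan would see


# Hypothetical attestation: "yes" to every asset class, as on the ICS application.
ATTESTATION = {
    "email": True,
    "remote_access": True,
    "endpoints": True,
    "servers": True,
    "directory_services": True,
}

# Constructed inventory modeled on the ICS facts: MFA on the firewall only.
INVENTORY = [
    Asset("fw-edge-01", "remote_access", True, internet_exposed=True),
    Asset("owa.example.test", "email", False, internet_exposed=True),
    Asset("app-srv-01", "servers", False),
    Asset("file-srv-02", "servers", False),
    Asset("dc-01", "directory_services", False),
    Asset("wks-0412", "endpoints", False),
]


def reconcile(attestation, inventory):
    """Return per-class findings comparing attested answers with the inventory."""
    by_class = defaultdict(list)
    for asset in inventory:
        by_class[asset.asset_class].append(asset)

    findings = {}
    for asset_class, attested in attestation.items():
        assets = by_class.get(asset_class, [])
        uncovered = [a for a in assets if not a.privileged_mfa]
        if not attested:
            status = "not_attested"       # answered "no"; nothing to prove
        elif not assets:
            status = "unverified"         # answered "yes" but no asset to back it
        elif uncovered:
            status = "misrepresented"     # answered "yes" and at least one asset lacks MFA
        else:
            status = "holds"
        findings[asset_class] = {
            "status": status,
            "assets": len(assets),
            "covered": len(assets) - len(uncovered),
            "uncovered": [a.name for a in uncovered],
            # Uncovered and reachable from the internet: what an underwriter's
            # external scan would contradict first.
            "exposed_uncovered": [a.name for a in uncovered if a.internet_exposed],
        }
    return findings


def attestation_holds(findings):
    """True only if every attested class is fully backed by the inventory."""
    return all(f["status"] in ("holds", "not_attested") for f in findings.values())


def report(findings):
    """Plain-text summary suitable for the file the signer actually reads."""
    lines = []
    for asset_class, f in findings.items():
        lines.append(f"{asset_class:20s} {f['status']:15s} {f['covered']}/{f['assets']} covered")
        for name in f["uncovered"]:
            flag = " (internet-exposed)" if name in f["exposed_uncovered"] else ""
            lines.append(f"    missing MFA: {name}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    result = reconcile(ATTESTATION, INVENTORY)
    print(report(result))
    print("attestation holds:", attestation_holds(result))
```

On the constructed inventory only `remote_access` holds; `servers`, `email`, `endpoints` and `directory_services` are misrepresented, and the exposed mail host is the item a pre-bind external scan would catch. A class answered "yes" with no inventory behind it is reported as unverified rather than passed, because an answer nobody can evidence is the one a forensic team will test first.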
When Exclusions Eat the Policy: Merck and NotPetya
The other instructive case is the inverse: coverage that did pay, but only after seven years of litigation. Merck & Co. lost roughly $1.4 billion to the NotPetya wiper malware in June 2017. The attack, attributed to the Russian military's Sandworm group and aimed at Ukrainian targets, reached Merck's environment through a poisoned update to M.E.Doc, a Ukrainian tax-accounting package, and destroyed data on more than 40,000 machines.
Merck’s $1.75 billion all-risks property policy covered software-related data destruction. ACE American and seven other insurers denied the claim under a hostile/warlike-action exclusion, arguing NotPetya was an instrument of Russian state hostilities. A New Jersey trial court ruled for Merck in 2022; the state appellate court affirmed in May 2023, finding the carriers had not shown the attack qualified as “hostile” or “warlike” under the policy. The case settled in January 2024 just before the New Jersey Supreme Court was scheduled to hear oral arguments.
The industry response was immediate and corrosive to coverage. Lloyd's Market Association published model cyber war-exclusion clauses in November 2021, and effective March 2023 Lloyd's required member syndicates to carry exclusions for state-backed cyberattacks. U.S. carriers followed. Today's cyber policies routinely exclude losses from cyber operations with a "major detrimental impact" on a state's functioning, and many exclude state-attributed activity outright. The policy that paid Merck no longer exists in the standard market.
What Actually Reduces Risk
Mitigation is not a slogan. It is a finite set of controls that demonstrably change the probability and severity of a breach. Resilience's 2025 data found that social engineering and phishing drove 88% of incurred losses, with AI-assisted phishing achieving a 54% success rate against users compared to 12% for traditional attempts. Infostealer-driven credential theft surged 800% in early 2025. Against that threat surface, the controls that move the needle are unglamorous and well documented:
None of these eliminate residual risk. That residual is what insurance is for.
When Insurance Is the Wrong Answer
The wrong answer cases are specific. Insurance is the wrong primary response when:
The organization treats coverage as a substitute for controls. The Interlock ransomware group has been observed stealing victims' cyber policies during exfiltration and pricing demands just below the policy limit. A policy that adversaries can read becomes a benchmark for extortion, not a shield.
The risk is reputational or operational rather than financial. Customer trust, regulatory standing, and board confidence do not rebuild on a payout. The 17% rise in per-incident ransomware costs in 2025 is partly downstream of recovery and notification expenses that exceed sub-limits.
The exposure is concentrated and catastrophic. War exclusions, infrastructure exclusions, and the new state-actor language mean that the highest-impact scenarios are exactly the ones modern policies exclude. NotPetya-class events would not be covered by today’s standard market.
The premium plus the deductible plus the denial-adjusted expected payout does not beat the cost of the controls insurers require anyway. Carriers now demand MFA, EDR, immutable backups, and a patch program as preconditions. An organization that has funded those controls for its own sake has already done most of the mitigation work; the remaining transfer decision is smaller and cleaner.
The Honest Framing
Cyber insurance is a financial instrument that pays out when a counterparty agrees you have met its conditions. It is not a security strategy, and it has never been one. The organizations that recover well from incidents in 2026 share a pattern: they implement the controls, document the controls continuously, read their policy language line by line, treat the policy as a sensitive document, and use insurance to absorb the variance their program cannot eliminate.
Buying the policy is the easy part. Earning the payout is the work.