So You Think You Have Cyber Insurance? The Breach is Only the First Incident. The Claim is the Second.
Most companies think of cyber insurance the way they think of fire insurance. They assume that if something catastrophic happens—ransomware, a breach, a fraud scheme—the policy will respond. They believe cyber insurance is a modern form of resilience, a financial backstop for an operational inevitability.
But cyber insurance is not really one product. It is not even one coherent promise. It is an uneasy patchwork of coverages spread across cyber policies, crime policies, commercial general liability policies, professional liability towers, media and publicity policies, directors and officers programs, and sometimes even property insurance. When the incident happens, the insured often discovers that the question is not simply whether the loss is covered. The question is which insurer will agree that it is their loss to cover.
That is why cyber insurance disputes are now some of the most consequential insurance battles in the country. The breach is only the first incident. The claim is the second. And the denial is often the third.
To understand what cyber insurance really is, you have to begin with the kinds of cyber claims that actually arise today.
No Party Like A Second (or Third) Party
The most common cyber claim is not the theft of your own secrets. It is the theft of other people’s data sitting on your systems. Second-party breach claims arise when a company loses protected health information, personally identifiable information, customer payment data, employee tax records, or confidential client files. A hospital that suffers a breach does not simply face a technical event; it faces HIPAA exposure, state attorney general investigations, breach notification obligations, class action litigation, and reputational collapse. A law firm that loses privileged documents does not merely experience “network intrusion”; it experiences a professional crisis implicating fiduciary duty and ethical obligations.
These claims are exactly what cyber insurance is marketed to cover. And yet insurers frequently deny them, not because the breach did not occur, but because the breach is reframed as something else. Cyber insurers argue that the loss arises out of professional services and therefore falls within a professional services exclusion. Professional liability insurers argue that the loss arises out of a cybersecurity failure and therefore falls within a cyber exclusion. The insured is left with a modern version of the oldest insurance trick: overlapping policies that overlap only until the claim arrives.
The inverse problem also arises with first-party breaches, where the loss is not the exposure of other people’s data but the theft of the insured’s own trade secrets, source code, confidential deal information, or strategic plans. Companies increasingly discover that cyber policies are designed to pay for response costs, not for the economic value of stolen intellectual property. Data restoration is not a trade secret replacement. The loss is existential, but the policy language is often not.
The modern cyber claim landscape also includes third-party breaches that do not originate inside the insured’s own network. Most companies do not operate independent systems anymore. They operate ecosystems of cloud providers, outsourced IT vendors, MSPs, billing platforms, payroll processors, and contractors with privileged access. When those vendors suffer breaches, the insured suffers downstream harm. Insurers increasingly deny these claims under systemic failure exclusions, outsourced provider limitations, or contractual liability carveouts. The claim becomes an allocation fight: is this “your breach” or “their breach,” and which tower is supposed to respond?
Publication Claims vs Cyber Claims
Some cyber harms are not theft at all. They are publications. Modern cyber extortion frequently involves the threatened exposure of private data: doxxing campaigns, nonconsensual pornography, extortion threats to leak sensitive images, hacked accounts used for defamation, or breaches that turn into mass dissemination events. These claims implicate cyber policies, but also media and publicity liability coverage. Cyber insurers often deny because defamation, intentional publication, or “personal injury” offenses are excluded. Media insurers deny because the publication arose from a security failure. The insured again finds itself between towers, with every insurer pointing somewhere else.
Hostage Taking
Then there is ransomware, now the defining cyber risk of the decade. Ransomware is no longer simply encryption. It is usually a combined breach-and-extortion event. Threat actors encrypt systems, steal data, threaten publication, and demand payment. Companies pay not because they want to, but because the alternative is operational death.
Insurers, however, have increasingly argued that ransom payments are “voluntary,” or that they are not “direct” losses, or that policy conditions were not met because the insured did not obtain carrier consent quickly enough. In G&G Oil Co. of Indiana, Inc. v. Continental Western Insurance Co., 165 N.E.3d 82 (Ind. 2021), the insured sought coverage for a ransomware payment under a crime policy’s computer fraud provision, which covered “loss resulting directly from the use of a computer to fraudulently cause a transfer.” The insurer denied, arguing that the payment was voluntary and not direct. The Indiana Supreme Court refused to let extortion be reframed as consent and rejected summary denial.
Non-Compliance
Ransomware claims also increasingly intersect with sanctions law. OFAC restrictions, AML obligations, suspicious activity reporting expectations, and the risk of paying a sanctioned entity have become central features of cyber insurance conditions. Insurers may deny not because ransomware is excluded, but because the insured allegedly failed to comply with procedural requirements, such as using approved negotiators, conducting sanctions screening, or obtaining consent before payment. The denial becomes bureaucratic rather than substantive.
BEC Frauds
Business email compromise is now arguably the most common cyber loss of all, and it is also one of the most litigated coverage battlegrounds. Fraudulent invoices, spoofed executives, and redirected vendor payments cost billions annually. Many cyber policies sublimit these losses as “social engineering fraud,” leaving insureds to seek recovery under crime policies. Crime insurers respond with denial, arguing that employee involvement breaks causation or constitutes authorization.
In Medidata Solutions, Inc. v. Federal Insurance Co., F. Supp. 3d 471 (S.D.N.Y. 2017), aff’d, 729 F. App’x 117 (2d Cir. 2018), attackers spoofed emails and induced employees to wire $4.8 million. The insurer denied the claim, arguing this was not “computer fraud” because employees authorized the transfer. The disputed clause covered “loss resulting directly from the use of any computer to fraudulently cause a transfer.” The court held that spoofing still qualified as computer fraud.
The same “direct loss” dispute played out in American Tooling Center, Inc. v. Travelers Casualty & Surety Co., 895 F.3d 455 (6th Cir. 2018), where Travelers denied coverage by arguing that employee steps broke the chain of causation. The Sixth Circuit rejected the insurer’s attempt to turn “directly” into “instantaneously.”
Insurers cite the opposite outcome in Apache Corp. v. Great American Insurance Co., 662 F. App’x 252 (5th Cir. 2016), where the Fifth Circuit held that the email was merely incidental to the fraud. The result is that BEC coverage has become jurisdictional roulette, turning on the interpretation of a single word: direct.
Bank Shot
Cyber fraud claims also increasingly trigger banking-law allocation disputes rather than straightforward insurance disputes. Under UCC Article 4A, commercial wire transfers are governed by security procedure rules that determine whether the customer or the bank bears the loss. Banks argue that payments are effective if credentials are used. Customers argue that security procedures were not commercially reasonable. Consumer fraud implicates Regulation E. Cyber insurers may deny or delay coverage by arguing that the insured’s loss is really a recoverable banking loss or a contractual allocation issue, not a cyber theft. These disputes are now triangulated: insured versus insurer versus bank.
AI Frauds
The newest frontier involves AI. Deepfake voice impersonation is already reshaping business email compromise. AI-driven exploitation automates vulnerability discovery. Model inversion and training data leakage create new privacy harms. Algorithmic discrimination claims may arise from compromised AI systems. Cyber policies were not drafted for synthetic fraud, AI governance failures, or model-based privacy risks. Insurers are already positioning these claims as outside traditional “network security” definitions, or as professional errors, product liability, or governance failures. AI will be the next decade’s cyber coverage litigation engine.
Perhaps the most revealing truth about cyber insurance is that insureds often recover only by climbing across unexpected towers. Some ransomware claims have succeeded not under cyber policies but under property insurance. In National Ink & Stitch, LLC v. State Auto, 435 F. Supp. 3d 679 (D. Md. 2020), ransomware rendered systems unusable. The insurer denied because there was no “direct physical loss of or damage to” property. The court disagreed, holding that loss of functionality could qualify.
You Realize, Of Course, This Means War
And then there is the ultimate denial strategy: cyber as war. After NotPetya, insurers argued that systemic cyberattacks attributed to nation-states fell within war exclusions. In Merck & Co., Inc. v. ACE American Insurance Co., N.J. App. Div. (May 1, 2023), insurers invoked an exclusion for “hostile or warlike action… by any government or sovereign power.” The court rejected that attempt to stretch war into an ordinary cyber catastrophe.
Merck matters because if insurers can label major cyber events as war, cyber insurance disappears precisely when systemic risk arrives.
It’s Not One Policy
The real lesson is that cyber insurance is not purchased as a single promise. It is tested as an ecosystem fight. Crime versus cyber. Cyber versus professional liability. Cyber versus CGL. Cyber versus media/publicity. Cyber versus property. Everyone versus everyone.
Cyber insurance is sold as certainty, but it is often experienced as litigation with premiums. The breach is only the first incident. The claim is the second. The denial is often the third.
So if you think you have cyber insurance, the question is not whether you have a policy. The question is whether you have negotiated coverage that survives the moment of loss. Does it affirmatively cover ransomware payments? Does it cover business email compromise without trivial sublimits? Does it carve back professional services for hospitals and law firms? Does it address OFAC and AML compliance explicitly? Does it contemplate AI-driven fraud and synthetic impersonation? And when the loss happens, will the insurer pay—or litigate first?
Cyber insurance is not defined when you buy it.
It is defined when you need it.