It is commonly believed that cyber insurance claims are routinely denied because the policyholder failed to implement specific security procedures.

To buyers of consumer insurance, this myth makes intuitive sense. Home insurance claims are denied if the thief got in through an open door or window. Loss adjusters start asking questions if your travel insurance claim happened at 4am after a night out drinking. So surely cyber insurance doesn’t cover claims caused by open vulnerabilities or employees falling for social engineering.

To any potential buyer of cyber insurance, the myth makes even more sense. Application forms are a minefield of poorly defined security questions that could be pulled apart by a lawyer:

  1. “How many PII records are held on your network?”
  2. “Do you perform regular backups and store them in a secure off-site location?”
  3. “Do you limit remote access to all computer systems by using two-factor authentication?”

The first question is more or less unknowable (e.g. can you quantify how much PII is stored in employee email inboxes?). The second question does not specify what “regular” means or whether continuously addressable cloud backups count as secure (according to CIS they do not). The third question makes sense as a company-wide policy, but IT teams inevitably introduce exceptions, such as disabling MFA when a senior leader loses their phone while on a business trip.

Given that insurers dispute claims in other lines and policies have enough ambiguity to do so in cyber, it seems inevitable that cyber insurance claims would be rejected because of the claimant’s security posture. Weirdly, it just doesn’t happen that often.

This blog post unpacks why cyber insurers rarely dispute claims in this way, but first I need to convince you that it is actually rare.

The Mysterious Lack of Cyber Insurance Disputes

First, our argument is not that insurers never deny coverage because of the policyholder’s security posture—examples do exist—instead we argue it is actually very rare.

Estimating the frequency is challenging because observing denials of coverage is a bit like observing icebergs—we can only see a small fraction of each, at least via public sources. Many denials of coverage are simply accepted by the policyholder. Others are resolved by discussions between the insurer, insured and possibly the broker who facilitated the transaction. If that fails, most disputes go to private arbitration in order to avoid costly legal fees.

The coverage dispute iceberg makes it difficult to understand how often different kinds of disputes happen.

As we get to the top of the iceberg of coverage denials, people who are not parties to the contract start to be able to observe disputes. Legal databases contain information about coverage litigation. Such cases are not easy to find, at least without a subscription to an expensive legal service, but it is at least possible.

Last, but certainly not least, media coverage is the main way that the public hears about insurance disputes. The insurance trade press report on interesting cases. In some cases, insurance disputes even make their way into mass media like articles in the New York Times, Financial Times, and Wall Street Journal.

Make no mistake, the reality that most disputes are resolved in private makes it difficult to say anything reliable about disputes. However, we can at least focus on what can be observed, namely online reports from academia and industry. To do this, I extracted the specific disputes discussed in 101 online articles (full methodology here). My rough assumption is that the frequency at which different types of disputes occur is representative of how frequently they occur in other parts of the iceberg.

 I collected articles from different publications, and identified references to real insurance disputes.

Clearly, the assumption does not hold for mass media, where the business model focuses on generating clicks. Indeed, we found that of the 20 references to disputes found in mass media publications, 19 related to war clause disputes. In these cases, the insurer dismissed coverage because the cyber incident resulted from a warlike action. Despite regular reporting in mass media publications, only two such disputes are publicly known and both involve conventional insurance products (property and all-risk insurance), not cyber insurance.

In fact, most of the reporting comes from industry publications. This makes sense as practitioners need to be informed about emerging disputes in order to do their job. In looking into this reporting, the most surprising finding is that of the 23 disputes that were reported on, only 4 were claimed under specialist cyber insurance. This means the vast majority of disputes (83%) involved policyholders being denied coverage under policies like property, commercial liability and business owners’ insurance.

  Number of disputes by insurance line.

Even if we zoom into the specialist cyber insurance disputes, only one dispute related to security procedures followed by the insured. In 2016, a cyber insurer denied coverage for a healthcare data breach in which a hospital’s supplier stored patient records on an externally accessible server without any access control. The insurer argued that the “Failure to Follow Minimum Required Practices” exclusion applied (note, many policies exist without this kind of exclusion). This is the archetypal example of how InfoSec practitioners intuitively expect cyber insurance to work, yet there is just one example in our sample.

Taking stock, we now have two surprising findings to explain:

  • The majority of disputes over cyber losses relate to conventional insurance.
  • The majority of disputes claimed under a specialist policy are unrelated to security procedures.

This is admittedly the weakest part of my argument because I only observed one slice of the dispute iceberg. Perhaps there is some deep structural bias in online reporting that means disputes relating to security postures are ignored. Perhaps there is even a conspiracy not to report on them. In either case, I would be completely blind to this.

I, perhaps naively, believe we live in a free and competitive society. At least one journalist would realize they could report on the presently ignored disputes and generate clicks. But I appreciate not everyone is so Panglossian. If you’re not an optimist, I hope we can agree that security posture disputes are somewhat rare, or, even just, more rare than you’d expect.

If you can accept that, the surprising lack of cyber hygiene disputes needs an explanation. To do that, I describe a hypothetical world in which written contracts do not exist. The ambiguity around cyber risk and security hygiene means we are closer to this world than in other lines of insurance.

How to Sustainably Sell Vague Promises

Imagine there were potential buyers and sellers of vague promises in a world without writing. Let’s say the sellers are cyber insurers and the promise is to send money to the policyholder if a specific bad cyber thing happens. Both parties have a rough idea of what would constitute the bad cyber thing and what they are reasonably expected to do to prevent it, but no-one can write the specifics down. How could this market function sustainably?

Let’s try policyholders buying direct from insurers. When the first valid cyber claims start to roll in, honest insurers pay the claims, and accept this eats into their profit margin. However, an unscrupulous insurer could say “oh well you didn’t install the Zero Trust, AI powered quantum fandangle that constitutes basic cyber hygiene” and refuse to pay the claim. As nothing was written down, the policyholder has to eat the cyber loss and say goodbye to the premium they originally paid.

The policyholder then tells their friends that the unscrupulous insurer doesn’t pay out on claims. But what the friends are likely to hear is “cyber insurance” doesn’t pay claims. The businesses who didn’t hear these stories would continue to buy from the unscrupulous insurer, who would later refuse their valid claims. Over time, these anecdotes build up, undermine trust in the product (not the specific insurer), and no-one wants to buy cyber insurance. The unscrupulous insurers’ selfishness can lead to the demise of the whole industry—the perfect example of a collective action problem.

Now what if, instead of buying direct, customers bought through an intermediary? In this world, the unscrupulous insurer might refuse a claim that should be covered, but the broker would remember this insurer cannot be trusted. The broker could then tell other brokers, in their firm and beyond. Any broker who heard this could decide never to place business with the unscrupulous insurer. Over time, that unscrupulous insurer would lose market share.

This market power can even force the insurer to pay that specific claim. The broker can say “if you don’t pay this claim, my team will never place business with you again in the future”. These statements are not hypothetical: I heard a senior financial lines broker make this exact demand while interning at WTW, after which the insurer paid the claim.

In this way, brokers create a system where unscrupulous insurers can exist in the short-term, but in the long-term they are starved of business. So yes, the market could function sustainably even without ever writing down the promise.

Why Coverage Disputes are Rare in Cyber Insurance

Putting two and two together, I argue that brokers are the reason for the mysterious lack of cyber hygiene disputes. Cyber insurance has been seen as a growth line of insurance for the last decade. Insurers avoided claims denials because doing so would jeopardize their future growth prospects. This explanation can help make sense of why folk intuitions about cyber insurance are wrong.

First, experiences from personal lines insurance are not useful because of the lack of brokers. Most consumers buy property and travel insurance direct from the insurer, often finding the policies via a price comparison website. In some cases, consumers might look to the reputation score associated with insurers, but such concerns are swamped by price. In contrast, cyber insurance is mainly bought through brokers. That’s why your personal lines insurer disputes your claims, but your business’s insurer might not.

Second, brokers are particularly powerful in cyber insurance because it is a buyers’ market. This can be seen in Howden’s Global Cyber Insurance Pricing Index, which shows prices were largely held constant until 2021 (and even decreased from 2017–2018). This was driven by more and more insurers entering the market, under-cutting each other on prices. These insurers were desperate to grow their cyber portfolio and could not afford to damage relationships with brokers.

   Howden’s Global Cyber Insurance Pricing Index – 2014 to 2Q23.

This means that even when security questions are vague and could be pulled apart by a lawyer, insurers are reluctant to do it. This is not true for other lines of insurance like property or commercial liability. In those lines, insurers were more willing to risk relationships with brokers because there was less to gain from growing market share. Further, it might even be in the brokers’ interest to dispute claims under conventional policies, as this creates a new selling opportunity (cyber insurance).

Now, there are nuances to this argument. From 2021 to 2022, the cyber insurance market was briefly a sellers’ market. You can see this in the soaring prices in the figure. Given the market power shifted towards insurers, we would have expected to see more cybersecurity posture disputes.

It is difficult to conclude anything meaningful based on a handful of cases, in part due to the dispute iceberg. However, there was more press reporting on disputes during the harder market. The first German case on a cyber insurance dispute related to a ransomware incident in 2020. In a case filed in 2022, Travelers sought to void a cyber insurance policy as the policyholder misrepresented their security posture in the application process. Both cases involved inadequate multi-factor authentication, and the German court ruled against the insurer.

Outlook

So what are the takeaways for businesses?

  1. Do not rely on conventional products to cover cyber losses as these represent the majority of disputes reported by the press
  2. Brokers have significant market power over cyber insurers, and this prevents insurers denying claims
  3. Buy cyber insurance through a specialized cyber broker as they can navigate policies and wield their market power if a dispute arises
  4. Disputes are especially unlikely during soft markets, which describes the market in 2023 and 2024

One final note, I would love to see more research into this topic. I’ve tried to make sense of this topic based on the evidence that is available, but it is far from complete. Please collect your own data and share the results, especially if they diverge from my findings.