The $18 Million Wake-Up Call

Hamilton, Ontario learned a harsh lesson in 2024: having cyber insurance doesn’t guarantee you’ll be covered when disaster strikes. After a devastating cyberattack crippled 80% of the city’s network, Hamilton discovered their insurance company would deny their entire $18.3 million claim. The reason? A missing security measure that seems almost trivial in hindsightβ€”multi-factor authentication.

This isn’t an isolated incident. Across industries and around the globe, organizations are discovering that their cyber insurance policies contain more exits than a highway system, leaving them financially exposed when they need protection most.

https://cyberinsurancecalc.com/

The Hamilton Case: A Municipal Nightmare

On February 25, 2024, Hamilton experienced what Mayor Andrea Horwath called β€œa serious and costly breach.” Attackers launched a sophisticated ransomware attack through an external internet-facing server, spending time studying the city’s systems before encrypting data and attempting to destroy backups.

The attack was devastating:

  • 80% of the city’s network was disabled
  • Critical services like business licensing, property tax, and transit planning were offline for weeks
  • Some systems were completely unrecoverable, including permit applications and fire department records
  • The attackers demanded $18.5 million in ransom

Hamilton made the strategic decision not to pay the ransom, citing unreliable decryption tools and concerns about funding organized crime. Instead, they spent $18.3 million on recovery effortsβ€”$14 million of which went to external experts.

But here’s where the story takes a devastating turn: Hamilton’s insurance company denied the entire claim. The city’s policy explicitly excluded coverage for losses where the absence of multi-factor authentication was the root cause. Even more frustrating? The insurance company had recommended implementing multi-factor authentication back in late 2022, and the city was aware they weren’t compliant as of 2023.

US State Breach Notification Requirements TrackerComprehensive tool for researching breach notification laws, ransomware requirements, and privacy regulations across all 50 US states.Breach Notification TrackerBreach Notification Tracker Ward 9 Councillor Brad Clark captured the frustration: β€œHow does council find out it wasn’t done if staff doesn’t share it with us? I find it immensely frustrating there has been zero accountability on this.”

The $1.4 Billion Precedent: Merck vs. β€œActs of War”

While Hamilton’s case involved basic security failures, pharmaceutical giant Merck faced a different challenge in their landmark legal battle over the 2017 NotPetya attack. Merck’s insurers initially denied a staggering $1.4 billion claim, arguing that because the attack was attributed to Russian military intelligence as part of the conflict with Ukraine, it constituted an β€œact of war” excluded from coverage.

The NotPetya attack was particularly devastating:

  • 40,000 Merck computers were infected within minutes
  • The malware spread globally, causing an estimated $10 billion in total damage
  • Unlike typical ransomware, NotPetya was designed to destroy rather than encrypt for profit

Merck fought back, arguing they were merely collateral damage in a conflict between other nations. After years of litigation, New Jersey courts ruled in Merck’s favor, finding that the war exclusion didn’t apply to a cyberattack on a non-military target. The case ultimately settled in 2024, but not before establishing important precedents about how β€œacts of war” clauses apply to cyber incidents.

The Heritage Company: When β€œComprehensive” Coverage Isn’t

Sometimes the devil is in the 54 pages of details. The Heritage Company, an Arkansas-based nonprofit telemarketing firm, discovered this harsh reality in 2019 when a ransomware attack shut down their entire operation, forcing them to lay off all 300 employees just before Christmas.

Despite purchasing what they believed was comprehensive cyber insurance covering ransomware attacks, data loss, and business interruption, their insurer Corvus Insurance completely denied the claim. The company filed suit, arguing they β€œrelied on the explanations and representations” of the insurance companies and believed β€œthe policy meant what it said.”

The case illustrates a critical problem: policy language so complex that even sophisticated buyers can’t understand what’s actually covered.

PII Compliance Navigator | U.S. State Privacy Law Sensitive Data CategoriesComprehensive tool to explore which U.S. states classify different types of data as sensitive under privacy laws. Navigate compliance requirements across 19 states.PII Compliance NavigatorDavid Stauss

The Common Culprits: Why Claims Get Denied

Based on industry analysis and recent cases, cyber insurance claims are most commonly denied for these reasons:

1. Inadequate Security Measures

As Hamilton learned, insurers increasingly require specific security controls like multi-factor authentication, endpoint detection, and regular backups. Failure to implement these β€œminimum standards” can void coverage entirely.

2. Misrepresentation in Applications

Insurance applications require detailed information about cybersecurity practices. Any inaccuraciesβ€”whether intentional or notβ€”can lead to denied claims or policy rescission.

3. β€œActs of War” Exclusions

Nation-state attacks are increasingly common, but traditional war exclusions weren’t written with cyber warfare in mind. The Merck case provided some clarity, but coverage remains uncertain for state-sponsored attacks.

4. Insider Threats and Human Error

Claims may be denied if attacks originated from employees or resulted from human error like falling for phishing emails or misconfiguring security controls.

5. Pre-existing Vulnerabilities

If insurers discover undisclosed vulnerabilities that existed before the policy was purchased, they may deny coverage entirely.

6. Social Engineering Exclusions

Many policies contain exit points for social engineering attacks, with carriers arguing that voluntary transfers by authorized personnel fall outside coverage.

The Broader Implications

These cases reveal a troubling trend: as cyber threats evolve, insurance companies are becoming increasingly strict about coverage. Premium increases, tighter underwriting requirements, and narrower coverage are becoming the norm.

For organizations, this creates a perfect storm:

  • Cyber threats are more sophisticated and frequent
  • Recovery costs are skyrocketing (averaging over $4 million per incident)
  • Insurance coverage is becoming more restrictive and expensive
  • Claim denials are leaving organizations to bear full costs

Data Breach Cost Calculator | Estimate Your Breach CostsCalculate the potential cost of a data breach for your organization with our comprehensive breach cost calculator. Get insights on risk factors, security posture, and cost mitigation strategies.Breach Cost CalculatorData Breach Cost Calculator

Protecting Yourself from Denial

While cyber insurance remains essential, organizations need to approach it more strategically:

Before Purchasing:

  • Conduct thorough policy reviews with cybersecurity experts
  • Understand exactly what is and isn’t covered
  • Ensure all application information is accurate and complete
  • Pre-approve preferred incident response vendors when possible

Ongoing Compliance:

  • Implement and maintain all required security controls
  • Document cybersecurity practices thoroughly
  • Regularly review and update security measures
  • Train staff on proper incident reporting procedures

During an Incident:

  • Notify insurers immediately, even if the incident seems minor
  • Follow all policy requirements for vendor selection and approvals
  • Document everything throughout the response process
  • Work closely with breach coaches and legal teams provided by insurers

Data Privacy Compliance Fine CalculatorCalculate potential fines and penalties for data privacy violations across GDPR, CCPA, HIPAA, and other privacy laws.Privacy Compliance Calculator

The Bottom Line

Hamilton’s $18.3 million lesson serves as a stark reminder that cyber insurance is only as good as the fine printβ€”and your ability to comply with it. As Merck’s multi-year legal battle shows, even with policies worth billions, coverage isn’t guaranteed.

The Heritage Company’s ongoing litigation illustrates how complex policy language can leave organizations exposed despite believing they have comprehensive protection.

Organizations can no longer treat cyber insurance as a simple risk transfer mechanism. It requires ongoing attention, strict compliance with requirements, and careful documentation of security practices. In today’s threat landscape, the cost of assumption can be measured not just in millions of dollars, but in organizational survival.

As cyber threats continue to evolve, the relationship between insurers and policyholders will likely become even more complex. Organizations that understand these dynamicsβ€”and prepare accordinglyβ€”will be best positioned to weather both cyberattacks and the insurance challenges that follow.

The message is clear: in cybersecurity, prevention is still the best policyβ€”in every sense of the word.