3 Times Businesses Were Denied Cyber Insurance Payouts

Published: 2023-02-03 in security

Cyberattacks pose a great threat to your business and can become very costly. Cyber insurance exists to protect businesses from the financial risks of a cyberattack. While cyber insurance is a critical layer to your protection, there are a few things you should know before buying a plan.

Imagine purchasing a cyber insurance policy, only to find out you’re not covered in the event of an attack and are denied a payout. This can happen due to not having the correct coverage for the type of cyberattack. You may also be at risk of this happening  if your business has fallen out of compliance with the security requirements detailed in your plan. It is crucial to review these plans carefully to ensure coverage. 


Learn from the past

We have gathered a few real examples of businesses that had been denied their cyber insurance claim.


Cottage Health vs. Columbia Casualty

Cottage Health System experienced a security breach and filed a claim with their cyber insurance company, Columbia Casualty Company. Unfortunately for Cottage Health, their insurer had filed a declaratory judgement against them indicating Cottage health had not followed the agreements of the insurance plan. Due to not following the specific risk mitigation protocols required, Columbia Casualty had denied Cottage Health any compensation.

This example stresses the importance of fully comprehending your policy and adhering to its terms of agreement.

BitPay vs. Massachusetts Bay Insurance Company

The Bitcoin payment service provider, BitPay was at the center of a phishing scam where a cybercriminal hacked into the network of BitPay’s business partner. The cybercriminal stole the sensitive information of the CFO, and with his credentials requested a transfer of 5,000 bitcoins to a fake account. When BitPay filed a $1.8 million dollar insurance claim, their insurance company, Massachusetts Bay Insurance Company denied them saying that their loss was not direct therefore not under the policy’s coverage agreement. Massachusetts Bay claimed that having a business partner compromised does not fall within the parameters of their plan and they are not liable.

BitPay is appealing this denial, but this case still goes to show the importance of understanding your cyber insurance policy and all the scenarios that are covered and what is not. This example also shows how critical security awareness training is and that it should regularly be taught to an organization’s employees.

International Control Services vs. Travelers Property Casualty Company


International Control Services fell victim to a ransomware attack. Their insurer, Travelers Property Casualty Company has rejected their claim reporting International Control Services had failed to properly use multifactor authentication (MFA) which was one of the terms to obtaining the insurance. Multifactor authentication uses multiple factors to confirm a user’s identity, making credentials and accounts more secure.

Travelers Property Casualty Company claims that International Control Services was only using MFA for their firewall, while other critical systems such as their servers, email, remote network access, and endpoints were not protected with MFA. Travelers Property Casualty Company reported that Control Services had lied on their application, stating that all employees and third parties are required to use MFA to access all of the above systems.

This real-life example serves as a reminder to be honest with your application and practices. Insurance companies are getting tighter with cybersecurity requirements and will find out if you haven’t been meeting them.

Travelers Property Casualty Company is fighting for the court to declare the contract null and void, with no responsibility to reimburse or defend Control Services for any claim.


Don’t be late to act

There are many reasons why insurers can deny benefits to compromised businesses. Some of these reasons could simply be a mistake or misunderstanding of the policy. Sometimes it may be poor cybersecurity hygiene or lack of training.

Call us today to learn more about how an experienced IT provider like us can help you avoid these problems.

We can assess your risk and work with you to develop a comprehensive cybersecurity plan to keep you in alignment with your cyber insurance policies.


RCC Business IT - Contact Us