
Technology,
Insurance

May 9, 2025

4 myths about cyber insurance

Despite its widespread adoption, cyber insurance remains misunderstood, even by experienced professionals, with persistent myths leading to poor coverage choices and reduced claim recoveries if not addressed.

Richard DeNatale

Richard DeNatale is recognized as one of the nation's leading authorities in cyber insurance. He has represented over 125 companies in obtaining coverage for data breaches and cyberattacks, including some of the largest in history. DeNatale is semi-retired after a career of almost 40 years in Big Law, most recently as a partner at Jones Day.


The cyber insurance market has seen remarkable growth over the past 15 years. It is estimated that over 75% of large and medium-sized companies now carry cyber insurance. Yet despite this widespread acceptance, basic misconceptions about cyber insurance persist, even among sophisticated lawyers and business executives. Four of these common myths are addressed below. If left uncorrected, they can result in poor quality coverage and reduced recoveries on insurance claims.

Myth #1: We do not need cyber insurance if we have strong cybersecurity

This is a common view among companies that have not yet purchased cyber insurance. It is based on the assumption that cyberattacks can be prevented with sufficient security. But the history of the past two decades teaches us that it is impossible to eliminate the risk of cyberattacks. Threat actors have continually evolved their tactics and techniques to penetrate even the best defenses, which means every organization is vulnerable.

According to a recent study, 47% of surveyed organizations had suffered some type of cyberattack in the prior year. The average cost of a cyberattack in 2024 rose to $4.9 million. In the absence of cyber insurance, these costs will be borne by the owners and shareholders of the victim company. Considering these realities, it is hard to see why any company that can afford to purchase a cyber policy would opt not to do so.

Myth #2: All cyber policies are alike

Companies that decide to purchase cyber insurance are often led astray by the myth that all policies provide essentially the same coverage and, therefore, that they should shop for the lowest premium. This view has more validity for other lines of coverage that rely on standard policy forms. But as discussed in a prior Daily Journal column (Growing pains: The first 25 years of cyber insurance, March 27, 2025), there are no standard forms for cyber insurance. Policies from different insurers vary greatly in their scope of coverage. All cyber policies cover certain basic risks such as data breaches, ransomware attacks, network shutdowns, and data privacy claims. But a range of additional risks are covered under some but not all cyber policies, for example fraudulent fund transfers, damage to tangible property, and errors in professional services. Many companies need coverage for such specialized risks based on their business activities.

Cyber policies also vary in quality of coverage, with some offering more generous coverage grants and more limited exclusions. In addition, different insurers have different claim practices. Some insurers are known for efficient claims handling and reasonable coverage determinations, while others attempt to pay as little and as late as possible. In short, companies that choose their cyber policies based solely on pricing are likely to regret their decision when a cyber incident occurs.

Myth #3: There is no point pursuing an insurance claim because insurers never pay and will interfere with our breach response

This is perhaps the strangest misconception I encountered in my 20 years of assisting clients in cyber insurance matters. Companies with cyber policies are sometimes advised not to pursue coverage because insurers will dispute the claim and obstruct the incident response. Neither of these reasons for passing up coverage is accurate. Insurers frequently make large claim payments for cyber-related losses. A recent study by NetDiligence based on 10,000 cyber incidents found that, on average, roughly 50% of claim costs were paid by insurers, with self-insured retentions or deductibles accounting for a sizable portion of the remaining 50%.

Concerns about excessive insurer interference are also misplaced. To be sure, insurers seek to exercise a greater degree of control in cyber insurance claims than in other lines of coverage. Cyber policies require the policyholder to obtain insurer consent to retain counsel, forensic experts, and other vendors; to make ransom payments; and to provide breach notifications and credit monitoring services. Insurers will demand detailed information about the nature, cause, and scope of the incident. These demands can be burdensome, but experienced coverage lawyers know how to handle them in a way that fulfills the policyholder's obligations without ceding control to the insurer. Policyholders have a duty to cooperate with their insurers but are not required to comply with unreasonable demands that will impair the company's response efforts. It is entirely possible for a company to mount a strong and effective response to an attack without sacrificing the financial benefits provided by its cyber policy.

Myth #4: We should deal with the breach incident first and can address insurance issues later

In the crisis atmosphere of a cyber incident, company executives sometimes put coverage issues on the back burner while they address the urgent needs of containing the attack and restoring business functions. This may be a workable approach for crisis claims under commercial property policies, but it is fraught with peril under cyber policies.

The consent requirements discussed above make it critical to immediately open a dialogue with the primary insurer. Failure to do so could lead to disputes over costs incurred without insurer consent. Once this dialogue begins, the insurer will ask detailed questions about the nature and cause of the breach. Before responding, the policyholder should have a solid understanding of the available coverage, the required conditions, and the potential exclusions. This knowledge should be shared with the corporate team handling the breach response to avoid missteps that could violate the policy or reduce the insurance recovery. For these reasons, it is best practice to start focusing on the insurance claim within 48 hours after discovery of a breach.

Myths provide great stories but can obscure our search for truth. If companies can see past these common myths and manage their cyber insurance with a clear-eyed focus, they will obtain better policies and recover a higher percentage of the losses they sustain in cyber incidents.
