Blog

3 Companies Denied Insurance Payouts Graphic

3 Instances Where Companies Were Denied Cyber Insurance Payouts

Cyber insurance protects organizations from the financial losses sparked by a cyberattack. This is a vital tool for companies of all sizes, but there are also some facts you should know before investing in a policy.

Even if you have cyber insurance, you aren’t guaranteed to get a payout in an incident scenario. This is due to the fact you might not have adequate coverage for specific cyberattacks, or you might not have been compliant with your policy’s requirements. Because of this, it is crucial to review your insurance policy and make sure your organization is appropriately protected.

Learn from past mistakes

Here are some examples of times when claims were denied:

Columbia Casualty versus Cottage Health

The problem came from a breach at Cottage Health System. They alerted their cyber insurer (Columbia Casualty Company), filing a claim for the desired coverage.

Despite this, the insurer sought a declaratory judgement against Cottage Health, declaring that they could not defend or give a payout since the insured did not comply with the policy terms. The insurer claimed that Cottage Health had agreed to maintain precise minimum risk controls, which they had failed to do.

This example reminds us of the significance of reading cyber policies carefully and understanding their implications.

Massachusetts Bay Insurance Company versus BitPay

A worldwide cryptocurrency payment service provider, BitPay, filed a hefty $1.8 million insurance claim. Their insurance company denied it, stating that BitPay’s loss was indirect and was therefore not covered by their policy. Indeed, the loss was triggered by an event of phishing where a hacker busted into Bitpay’s business partner’s network, stole the CFO credentials, impersonated the CFO, and managed to request a transfer of over 5,000 bitcoins to a separate account.

The example emphasizes the vitality of reviewing policies carefully to make sure you understand which scenarios are covered and which are not. The incident also shows us the importance of worker security awareness training and the need to contact an IT service support provider if you do not have a frequent training policy.

Travelers Property Casualty Company versus International Control Services 

Travelers Property Casualty Company rejected International Control Services’ attack claim concerning ransomware. The company states that International Control Services did not utilize multifactor authentication, which was needed to obtain cyber insurance. Multifactor authentication uses various factors to confirm users’ identities.

International Control Services declared falsely on its policy application materials that multifactor authentication is needed for workers and third parties to log in to the network remotely, access email, and access endpoints. The insurer claimed that International Control Services was only utilizing the multifactor authentication on its firewall and that other systems were not protected by it.

This example reminds us that insurers constantly scrutinize organizations’ cybersecurity practices and that businesses need to be honest about their cybersecurity posture.

Act now and collaborate with us!

As you have learned, there are some reasons why companies can be denied the payouts they want from cyber insurance policies. It can be because of naive error, the maintenance of low-quality cybersecurity hygiene, or other reasons.

However, an IT service support provider like us can help prevent these problems. Contact us today for a no-obligation consultation – we may just be the fit you’ve been looking for! We will collaborate with you to judge your risks and construct a suitable cybersecurity plan.

Furthermore, to learn a little more about cyber insurance, click here to download our infographic, What Every Small Business Needs to Know About Cyber Insurance.

Previous ArticleGuide to Cyber Insurance: What Are the Types and What Do They Cover? Next ArticleBursting Four Common Cybersecurity Myths