Founder
August 24, 2025
34 min read
Cybersecurity insurance policies are specialized contracts designed to protect businesses from the financial impact of cyberattacks. Since the early 2020s, the rapid increase in ransomware, data breaches, and sophisticated cyber threats has led to a rising demand for insurance coverage against such risks. As traditional liability or property insurance policies often do not fully cover cyber incidents, corporate cyber insurance has become a critical risk management tool. This study examines the scope of corporate cybersecurity insurance, products from leading insurance companies, applications specific to the blockchain sector, challenges in this field, regulations, new trends and threats from 2023-2025, and prominent case studies.
Corporate cyber insurance is designed to cover various types of losses resulting from a cyber incident. First-party coverage protects the insured company from direct financial costs, such as system restoration and data recovery after a cyberattack, lost revenue due to business interruption, and ransom payments in the event of a ransomware attack. Third-party coverage addresses legal liabilities arising from the impact of a cyber incident on customers, business partners, or other external parties. For example, third-party coverage includes lawsuits filed by affected individuals in a data breach, fines from regulatory bodies (if legally insurable), and related compensation for reputational damage.
Generally, corporate cyber policies are structured to cover the following main items:
Breach/Incident Response Costs: Expenses incurred after a data breach, such as forensic investigation, legal consultation, notification of affected individuals, call center setup, and credit monitoring services, are covered by the policy.
Business Interruption and Loss of Income: The loss of profit and extra expenses a company incurs due to systems being shut down or services being disrupted as a result of a cyberattack are covered. Some policies may also include contingent business interruption, which covers loss of income resulting from issues experienced by third-party service providers.
Ransom and Cyber Extortion: Ransom payments made during ransomware attacks, as well as consultation and negotiation costs in cases of extortion, are included as a primary first-party coverage item.
Liability and Legal Expenses: Lawsuits filed by third parties (e.g., customers or employees) as a result of incidents like data leakage, along with defense costs and court-ordered damages, are paid under the policy. Regulatory fines, such as those from GDPR for failure to protect personal data, can be covered by insurance in some jurisdictions (depending on the laws of each country).
Reputation Management and PR: Many policies include coverage for public relations consulting and communication expenses incurred to protect a company's brand reputation after an incident.
Physical Damage and Bodily Injury: While cyber policies traditionally cover digital losses, some advanced products have expanded to include physical damage and third-party bodily injury caused by a cyberattack. For example, AIG's CyberEdge Plus product adds coverage for physical property loss, third-party injuries, and property damage triggered by a cyber incident as a primary coverage item.
A review of the general policy conditions shows that insurers require certain security measures to be implemented by companies to provide coverage. For instance, requirements such as the use of multi-factor authentication (MFA), regular backups, providing employees with cyber awareness training, and having an incident response plan may be included in the special conditions of the policy. As of 2024, cyber insurers have begun to require companies to prove that they have actually implemented these controls in their application forms (the era of relying solely on declarations is over). Similarly, the burden of proof for the insured having fulfilled the security obligations in the policy at the time of the incident is increasingly shifting to the insured. Exclusions, such as war, terrorism, state-sponsored attacks, and catastrophic events that widely affect infrastructure, are now being clearly defined in policies. For example, in many policies, events that can be characterized by official authorities as an "act of war" or "state-sponsored attack" are considered outside the scope of coverage (these will be discussed in example cases below). Such exclusions are part of the insurance industry's effort to control large-scale systemic risks.
The cybersecurity insurance market includes leading international insurance companies that stand out for both their capacity and product variety. Below is a summary of information on some of the leading providers in this field and the products they offer:
AIG's CyberEdge policies cover first-party costs such as data breach expenses, business interruption, and ransom payments. CyberEdge Plus extends this coverage to include physical damage, third-party bodily injury, and property loss resulting from a cyberattack. AIG (American International Group) also offers risk assessment and continuous security monitoring services to its policyholders through its cyber risk consultants and the CyberMatics® tool.
Chubb's Cyber ERM policy is based on three main principles: pre-incident risk reduction, rapid post-incident response, and transfer of residual risks. Its scope is broad, covering business interruption from cyberattacks, human error, or system failure; data loss and recovery costs; legal expenses, including contractual liabilities; regulatory inquiry costs; ransom and cyber extortion payments; and liabilities arising from the disclosure of personal data. With over 20 years of experience, Chubb holds a significant share of the cyber insurance market (36% market share as of 2019).
Allianz's globally offered Cyber Protect policy provides extensive protection that covers business interruption losses resulting from technical failure, human error, or official regulatory orders; indirect business interruption losses from suppliers; third-party liabilities arising from network security breaches; cyber extortion costs from ransomware attacks; data breach liability; internal investigation expenses for responding to regulatory body requests; and PCI-DSS compliance fines. Since each policy is shaped by a detailed assessment of the company's risk profile, flexible solutions are offered to meet specific needs.
Rather than a single product, Lloyd's is a marketplace that provides cyber insurance capacity through its member syndicates. For example, Beazley, one of the Lloyd's syndicates, offers its "InfoSec" policy to global enterprises, providing coverage for legal defense, notification and crisis management, credit monitoring, business interruption, ransom, and data recovery. The Lloyd's market is known for being able to provide high-capacity coverage for large corporate risks. However, as of 2023, Lloyd's has required its managing agents to include clauses in all standalone cyber policies that exclude losses from state-backed cyber attacks and from cyber operations carried out in the course of war. This move is aimed at preventing destructive nation-state-level cyber risks from destabilizing the insurance market. Under Lloyd's Market Bulletin Y5381, policies incepting or renewing from 31 March 2023 must at minimum exclude state-backed attacks that significantly impair the ability of a state to function or its security capabilities.
Hiscox and Beazley are both specialist insurers with roots in the Lloyd's market, offering cyber policies to a wide range of clients from SMEs to large organizations. Hiscox is known for its annual Cyber Readiness report and develops cost-effective policies specifically for SMEs. Its coverage includes loss of income, reputational damage, forensic IT and notification expenses, and losses related to supplier interruptions. Beazley, whose InfoSec policy is described above, serves global sectors such as healthcare, finance, and retail. Both companies stand out by focusing on pre-incident risk reduction services (e.g., Hiscox Risk Academy), leveraging their extensive experience with large-scale cyber losses.
AXA is another global player in cyber insurance, collaborating with Accenture to offer integrated services to its clients. Its policy is developed with the principles of flexible coverage, proactive risk management, and customer-focused claims management. Coverage areas include business interruption and extra expenses, data breach liability, loss of electronic assets, forensic IT costs, public relations and notification expenses, regulatory defense and fines, data restoration, and cyber ransom payments. AXA XL also provides each client with a comprehensive pre-policy threat intelligence report and, with Accenture's guidance, ensures proper response during a cyber incident.
In addition to the ones mentioned above, insurers like Zurich, Travelers, Liberty Mutual, CNA, and insurtech startups like Coalition and At-Bay are also active in the cyber insurance space. For example, while Travelers' CyberRisk policy offers broad coverage that even includes social engineering (phishing) fraud and payment fraud through suppliers/vendors, it requires its clients to prepare a detailed cyber risk assessment and incident response plan with NetDiligence before coverage. In summary, most major insurance groups are updating their product portfolios for cyber risks, focusing on both offering broad coverage and preventing damages through risk engineering services.
Due to its reliance on digital assets, the blockchain and cryptocurrency sector is inherently vulnerable to cyber risks. While the decentralized and cryptographic structure of the blockchain infrastructure is considered secure, numerous security incidents have occurred at the application layer, such as on cryptocurrency exchanges, digital wallets, and smart contracts. This situation has prompted cyber insurance providers to develop specialized solutions for the blockchain sector.
Insurers have begun to adapt their products to address the unique risks that blockchain companies may face. For example, in 2020, the Lloyd's market, in collaboration with Coincover, developed cryptocurrency wallet insurance. This product provides protection against the risk of theft of cryptocurrencies held in online (hot) wallets, and the coverage amount is dynamically adjusted even if the value of the crypto asset fluctuates during the policy term. This innovative policy ensured that the customer's asset remained insured at its current market value, despite the volatility of crypto asset prices.
Similarly, some specialized insurance startups offer cyber crime and theft policies for crypto exchanges and custody services. For instance, the US-based firm Coalition provides hybrid coverage that protects companies in the cryptocurrency sector against both classic cyberattacks and crypto theft.
The insurance sector has also started to leverage blockchain technology in its own processes. With the use of blockchain in conjunction with artificial intelligence, there is clear potential for development in areas such as secure data sharing for risk analysis, automated compensation payments via smart contracts during claims processes, and increased speed and transparency in reinsurance transactions. For example, in parametric cyber insurance solutions, smart contracts can automatically make payments when a specific triggering event occurs (e.g., a service outage for a certain duration), thereby accelerating the claims process.
Risk analysis for the blockchain sector is more complex compared to traditional businesses. Insurers consider the advantages of decentralized networks, such as the lack of a single point of failure, as well as new risk areas like smart contract vulnerabilities or private key theft. Attacks on decentralized finance (DeFi) platforms (e.g., the famous DAO incident or various DeFi protocol hacks in the 2020s) demonstrate that blockchain systems are not infallible. For this reason, insurers focus on the following issues when evaluating blockchain companies:
Smart Contract Audits: Have the company's smart contracts undergone independent security audits? Have code vulnerabilities been addressed?
Key Management: Are multi-signature (multi-sig) or hardware security modules used in crypto asset custody processes? How secure are the private keys?
Cyber Hygiene and Network Security: What is the level of the company's general IT infrastructure, cloud systems, and employee cyber awareness? Is the level of protection against traditional attacks (phishing, malware) high?
Regulatory Compliance: Is the company compliant with crypto regulations in the countries where it operates? Does it implement Know Your Customer (KYC) and Anti-Money Laundering (AML) controls?
In developing policies for this sector, insurers also face the risk-measurement difficulties posed by the decentralized structure. In traditional insurance, loss probabilities are modeled from historical data; in the blockchain space, actuarial data are scarce because the technology is new and attack vectors evolve quickly. Insurers therefore attempt to estimate potential losses using methods such as machine learning and scenario analysis.
However, one of the benefits of cyber insurance for the blockchain sector is its role in encouraging security standards. Since companies must implement certain security measures to qualify for a policy, insurance helps reduce the existing level of risk. The increasing role of cyber insurance in the blockchain industry can contribute to the elevation and maturation of security standards.
The process of insuring blockchain and cryptocurrency-focused companies presents various challenges for both insurers and prospective policyholders.
Because blockchain companies operate in an innovative and rapidly changing sector, insurers tend to classify this area as high-risk. The fact that many cryptocurrency exchanges have been subjected to large-scale attacks in the past and present has made insurance companies more cautious. Due to the limited historical loss data and the uncertainty of the risks, insurance premiums are set at a relatively high level. For example, the cyber policy premium for a crypto finance company may be significantly higher than for a traditional technology firm of the same scale, because the insurer assumes a greater likelihood and magnitude of loss in the event of an attack.
The price volatility of crypto assets can make it difficult to determine appropriate insurance coverage. Since the value of assets to be insured (e.g., a digital asset reserve held by an exchange) can rise and fall drastically in a short period, it becomes challenging to set an appropriate coverage limit. Despite innovations like the dynamic limit policy developed by Lloyd's to mitigate this issue, value fluctuations remain a source of uncertainty for insurers.
The crypto sector still lacks clear legal frameworks in many countries. For insurers, an uncertain regulatory environment means risk. For example, if a crypto company is accused of illegal activity in a country, it could be considered a "fault of the insured" from a policy perspective, creating issues with claims payments. Similarly, the ambiguous legal status of crypto assets in some countries leads to hesitation in insuring these assets.
Many standard cyber policies may not directly include coverage for crypto asset theft or smart contract errors. Insurers limit their risks by placing such exceptions in traditional policies. This can make it difficult for blockchain companies to find a policy that fully meets their needs. For example, if "theft of digital currency" is an exclusion in a policy, thefts from crypto wallets will not be covered.
To overcome these challenges, insurance companies and brokers specializing in this area have stepped in. Companies like Evertas, which focus solely on digital asset insurance, or the crypto divisions of traditional insurers, customize policies to meet the needs of blockchain companies. This allows for the creation of combined packages, such as cyber liability + crypto crime insurance, for a crypto exchange. Technology-focused brokers like Founder Shield offer integrated solutions to blockchain companies, combining multiple types of insurance like cyber liability, crime, professional liability (E&O), and directors and officers liability (D&O).
Insurers are collaborating with cybersecurity firms to better understand the risks of blockchain companies. For example, they may require a comprehensive technical audit (penetration testing, code analysis) before issuing a policy. Some insurance companies also provide security consulting services to their clients throughout the policy term, aiming to both reduce risks and lower the probability of a claim.
When large players in the crypto sector cannot find adequate commercial insurance, they resort to self-insurance methods. Some major crypto exchanges, instead of insurance, create "emergency reserve funds" to protect customer assets. For example, the Binance exchange maintains a pool called SAFU (Secure Asset Fund for Users), promising to cover user losses if the platform is hacked, which is effectively a self-insurance mechanism. In the future, sectoral pools or mutual insurance structures may also emerge.
Part of the long-term solution involves the maturation of security standards within blockchain companies. The stronger a company's internal security is, the easier it becomes to find insurance and obtain a policy with favorable terms. Insurers will be more willing to offer policies or provide premium discounts to companies that implement measures like multi-sig wallets, cold storage, and smart contract security audits. Indeed, some policies have already begun to offer premium discounts to blockchain companies that meet specific cyber hygiene criteria.
Various approaches to the regulation and promotion of cybersecurity insurance are seen worldwide. Regulations and standards affecting both the insurance sector and policyholders are evolving, particularly in the US, EU, and Asian markets.
There is no federal law in the US that mandates businesses to purchase cyber insurance. However, the stability of the cyber insurance market and its importance for national cyber resilience are increasingly on the agenda. In 2023, the White House’s National Cybersecurity Strategy identified exploring the possibility of a federal insurance backstop for large-scale cyber catastrophe scenarios as a key objective. The Federal Insurance Office (FIO), an office within the US Department of the Treasury, has conducted extensive work on this issue and, as of late 2023, has found preliminary evidence that a public-private partnership for a federal insurance mechanism may be necessary to address catastrophic cyber risks. For instance, in November 2023, Treasury officials stated that "a properly designed federal insurance solution could support private sector offerings by addressing tail risks." The underlying reason for this initiative is to secure the economy's recovery in the event of a cyberattack of a magnitude that private insurers alone could not handle (e.g., one that disables critical national infrastructure).
The scarcity of historical loss data for a major cyber catastrophe, combined with the uncontainable nature of such events (their ability to spread without geographical limitation), increases this risk. Therefore, a state-backed reinsurance or guarantee fund model for cyber risks, similar to the framework created by the Terrorism Risk Insurance Act (TRIA) after 9/11 for terrorism risks, is being discussed. While no legal regulation exists yet, concrete steps on cyber insurance backstop mechanisms are likely in the US in 2024 and beyond. On the other hand, since the US insurance sector is regulated at the state level, some states may have incentives for financial institutions or critical sectors to obtain cyber insurance. Regulators like the New York State Department of Financial Services (NYDFS) consider the use of insurance in cyber risk management as a best practice for financial institutions. In addition, the NAIC (National Association of Insurance Commissioners) monitors the cyber insurance market and has issued guidance for insurance companies on managing their accumulation risks in this area.
In terms of industry standards in the US, the cybersecurity framework published by NIST (National Institute of Standards and Technology) helps companies with risk management and indirectly serves as a basis for insurance. Insurers may consider a firm's level of compliance with standards like the NIST CSF in their risk assessment. Furthermore, major insurers have established their own minimum security requirements as de facto standards—for example, multi-factor authentication (MFA) for all remote access, regular backups of all critical data, and timely implementation of updates are now considered essential conditions for policies.
There is also growing interest and regulatory discussion concerning cyber insurance in Europe. While there is no direct EU-level regulation mandating that "companies must have cyber insurance," some regulations have indirect effects. The General Data Protection Regulation (GDPR) can impose high administrative fines on companies in the event of a data breach (up to 4% of annual global turnover or EUR 20 million, whichever is higher). Although the coverage of these fines by insurance is prohibited in the laws of some member states (e.g., in Germany, paying administrative fines from insurance is considered against public policy), the GDPR risk itself has driven companies to seek cyber insurance. This is because expenses triggered by a data breach, such as legal consultation, forensic IT, customer notifications, and potential lawsuits for damages, can be covered by insurance.
The NIS2 Directive (the revised Network and Information Security Directive), which entered into force in January 2023 and had to be transposed by member states by October 2024, mandates cyber risk management for companies in critical sectors (energy, transport, health, finance, etc.) and of a certain size. Although NIS2 does not directly mention insurance, it requires these companies to take risk-mitigating measures and holds top management accountable. In this context, cyber insurance is also starting to be evaluated as a risk transfer tool by critical infrastructure operators. The European Union Agency for Cybersecurity (ENISA) published a report in 2023 on the use of cyber insurance among operators of essential services (OES). The report found that critical sector firms still face various challenges with cyber insurance. For example, many surveyed firms complained about the complexity of policy terms and coverage ambiguities. ENISA suggests that insurance penetration can be increased through more data sharing and standardization in this area. There are also regulations in Europe for insurance companies to manage their own exposure risks; concerning "silent cyber" (cyber risks neither explicitly covered nor excluded in policies), Lloyd's and other European reinsurers have begun clarifying policy language. The Solvency II framework, which regulates insurers' capital adequacy, also requires them to consider the severe tail risks that cyber risks can pose to their portfolios. Therefore, European insurers are opting to share large cyber risks through reinsurance or participation pools.
The sector also has its own standard-setting initiatives in Europe. For instance, Data Sharing Initiatives have been established to assess cyber risks in the insurance market (e.g., platforms like CyberAcuView, which, though US-heavy, also have European members). The goal is to create a shared pool of experience for healthier pricing and terms.
The cybersecurity insurance market in Asia is growing rapidly, driven by both the impact of regulations and the region's digitalization momentum. In recent years, economies like Singapore, Japan, South Korea, and Australia have adopted comprehensive policies on cyber risk management. The Monetary Authority of Singapore (MAS) has published cyber hygiene regulations for the finance and insurance sectors (e.g., the MAS Notice on Cyber Hygiene and its Technology Risk Management guidelines), mandating minimum security measures for institutions. As data protection laws are enacted in Asian countries (e.g., Singapore's PDPA, Japan's APPI, and India's Digital Personal Data Protection Act, 2023), breach notification requirements and punitive provisions are increasing companies' risk awareness.
Regulations in Asia, in particular, are indirectly steering companies toward cyber insurance. For example, in some jurisdictions (such as Singapore and Malaysia), companies operating in critical sectors are expected to have a certain level of cyber risk insurance. According to a 2024 report by Gallagher Re, the cyber insurance market in the Asia-Pacific region is expanding with growth rates reaching up to 50% annually and, as of early 2024, accounts for approximately 7% of global premiums. A key driver behind this is the regulation-driven increase in demand: as many Asian countries implement new data protection laws, having adequate cyber insurance coverage is becoming a de facto compliance requirement. For example, China's Cybersecurity Law and Data Security Law impose significant liabilities on companies, leading to an expansion of insurance policies to cover these risks.
Industry standards and initiatives are also developing in Asia. In Japan, the government has organized campaigns to raise awareness of cyber insurance among SMEs; in South Korea, the financial regulator has issued guidance on banks' cyber risk transfer strategies. Another notable point in the APAC region is the diversity of the market: alongside global players like AIG, Chubb, Beazley, and Zurich, local/regional companies such as Sompo Japan, Tokio Marine, and Ping An also offer cyber products. While a lack of standardization and differences in policy language are still cited as a challenge, reinsurers and brokers are working to establish more understandable policy terms and risk modeling techniques in Asia as well. Furthermore, government support programs (awareness training, potentially subsidies) are being considered to encourage the adoption of cyber insurance by SMEs, not just large corporations.
In summary, on the regulatory front, the US is embarking on a quest for a national solution, the EU is mandating risk management and focusing on industry guidance, and Asia is following a path of encouraging the proliferation of insurance through regulatory compliance. In all three regions, standards aimed at clarifying the framework and scope of cyber insurance continue to evolve.
The last few years have been a period marked by the emergence of new threats on the attack side and significant trends on the insurance side of the cyber risk landscape. The 2023-2025 timeframe, a period in which post-pandemic digitalization has become permanent and geopolitical tensions have spilled into cyberspace, is full of lessons for corporate cyber insurance.
The year 2023 marked a veritable return of ransomware attacks. Although a temporary downward trend was observed in 2022, global ransomware attack numbers reached record levels again in 2023. Worldwide detections of ransomware attacks increased by a dramatic 74% in 2023 compared to the previous year. Ransomware gangs like LockBit stood out as the most active threat actors (LockBit variants were responsible for approximately a quarter of all attacks reported in 2023). Attackers continued to target critical infrastructure, healthcare organizations, government institutions, and large corporations. Indeed, there was a dramatic 128% increase in ransomware attacks on the healthcare sector in 2023; attacks on healthcare organizations worldwide surged from 113 to 258 in a single year, making the sector one of the most targeted.
The "double extortion" method, where attackers not only encrypt data but also threaten to leak it, became standard, while some groups increased pressure with "triple extortion" tactics (e.g., by also extorting customers). 2023 was also a year when supply chain attacks made headlines. The infiltration of thousands of organizations via a zero-day vulnerability in the widely used file transfer software MOVEit Transfer (CVE-2023-34362, an SQL injection exploited at scale by the Cl0p group), leading to data breaches at many institutions including the BBC and British Airways (both reached through their payroll provider Zellis), demonstrated the cascading effect of a single software vulnerability. Such attacks raise "catastrophic risk" concerns for insurers because a single security flaw can affect a large number of organizations simultaneously.
The success of ransomware groups in 2023 was also reflected in the amounts of ransom demanded and paid. According to Chainalysis data, ransomware actors received over $1 billion in payments via cryptocurrency in 2023—the highest annual ransom payment total ever recorded. The fact that ransom payments, which had decreased in 2022, broke a record in 2023 shows how profitable and, therefore, appealing this threat remains. For example, in September 2023, giant companies like MGM Resorts in the US were hit by a ransomware attack; although MGM chose not to pay the ransom, the multi-day system outage cost the company around $100 million. These losses demonstrate that whether or not a ransom is paid, the indirect costs of ransomware (business interruption, system recovery, customer compensation) are steadily increasing.
Heading into 2024 and 2025, ransomware threat actors continue to diversify their tactics; security experts highlight the rise of new methods such as AI-powered phishing emails and the use of deepfake audio/video to impersonate senior executives and deceive finance departments (cases of scammers using deepfake audio to call and request urgent wire transfers as if they were a CEO are being reported).
In parallel with the increasing threats, significant changes are also occurring in the cyber insurance sector. First and foremost, large-scale damages and claims payments are affecting insurers' appetite. Following the frequent ransomware damages in 2020-2021, a noticeable increase in cyber insurance premiums was observed in 2022 and 2023. Premium increases of 30-50% have become common during renewal periods, especially in sectors with a high number of claims (e.g., healthcare, education). It was noted that premiums for some healthcare policies increased by over 100% in 2023.
Another trend is the tightening of underwriting processes. As of 2024, insurers are no longer content with customers' declarations and are demanding proof of their actual situation. For example, a simple declaration of "Yes, we perform backups" is no longer sufficient, and companies may sometimes be required to provide backup reports to the insurer. Similarly, in a post-incident claim, the burden of proof for the insured having implemented the security measures they committed to in the policy is now shifting to the insured. These developments aim to reduce the "moral hazard" problems that insurance companies have experienced in the past (i.e., preventing companies from neglecting security investments by thinking they are insured anyway).
War and state-sponsored attack exclusions have been clarified and are becoming more common. In 2023, the rule introduced by Lloyd’s mandated that all standalone cyber policies must include clauses that exclude certain state-sponsored attacks from coverage. In this context, the Lloyd’s Market Association (LMA) published various model clauses (such as LMA5564 and its variants) to define different exclusion scenarios, ranging from low to high severity. Consequently, many major insurance policies today exclude destructive attacks by nation-state actors or large-scale "cyber war" events, even if they occur during peacetime. This is directly related to the impact of legal cases like the Merck lawsuit on the industry (discussed below).
The correlated nature of cyber risks—their ability to hit multiple customers at the same time—led reinsurers (the institutions that insure insurance companies) to take a cautious approach. A few years ago, some reinsurers were shrinking their cyber portfolios, but by 2023, a signal of confidence began to re-emerge. Alternative capital (such as insurance-linked securities) is slowly but surely entering the cyber space; for example, the first-ever pure cyber risk-based catastrophe bonds were issued in the final quarter of 2023, providing a total capacity transfer of over ~$400M. Such innovations could help deepen the cyber insurance market in the long term.
Parametric cyber insurance products are being discussed as solutions that accelerate the claims process by paying a fixed compensation amount if a specific event occurs (e.g., a cloud service outage lasting longer than X hours). While not yet widespread, some startups have launched products in this area. Additionally, insurance companies have standardized the offering of pre-incident services to their clients. For example, many policies now include a 24/7 emergency response hotline and support from a contracted cybersecurity firm in the event of an attack. Major players like Chubb, AIG, and Beazley have established their own incident response teams and consultant networks. This way, customers know whom to turn to in an incident and can take quick action, which helps prevent the damage from escalating. In short, the insurance industry is evolving from "just paying claims" to becoming a "risk management partner."
A very large portion of Fortune 500 companies now have cyber policies. Awareness is also growing among SMEs, but there are still regions where it is not at the desired level (SME penetration is particularly low in the APAC region, where there is significant growth potential). Cyber insurance tenders have become highly competitive in some sectors; for example, in fields like financial services or healthcare, insurance limits have risen (large banks can secure total insurance programs of over $300M). However, rising premiums and hardening market conditions are also pushing some companies to narrow their coverage or turn to self-insurance. As of 2024, comments have begun to emerge suggesting a slight market softening; it is anticipated that the rate of premium increases may slow down with potential improvements in claims frequency and the entry of new capacity.
Insurers have started to proactively scan for security vulnerabilities and warn their clients about them (e.g., external vulnerability scans and darknet monitoring). For example, AIG has stated that it provides cyber intelligence to its policyholders, warning them when a vulnerability is detected so that action can be taken before an attack occurs. These types of services are shifting the value proposition of insurance from pure "financial compensation" toward direct cyber risk consultancy. On the client side, there is also a trend toward sharing more technical data with insurers, since sharing more security data can lead to more accurate pricing and better terms.
Below is a compilation of some notable incidents that highlight the importance, scope, or limitations of corporate cyber insurance:
In June 2017, a destructive malware known as NotPetya, which began as a cyberattack targeting Ukraine, quickly spread to global companies. The American pharmaceutical giant Merck & Co was affected, losing approximately 40,000 computers and servers, which disrupted its production and operations. Merck filed an insurance claim for the total $1.4 billion in damages under its property insurance policy. However, its insurers denied the claim, citing a "war exclusion" clause in the policy, as the attack was alleged to be linked to Russian military intelligence. The dispute went to court, and in 2022, a New Jersey court delivered a landmark decision in favor of the insured: the court stated that the war exclusion in the policy was meant to cover traditional, physical acts of war, not a cyberattack, and ruled that Merck was entitled to receive compensation. This decision was described as groundbreaking for the insurance sector, as it set a precedent for similar cases such as Mondelez vs. Zurich. Ultimately, Merck and its insurers reached a settlement in early 2024, ending the legal process. This case highlighted the need for a clearer definition of the concept of cyber warfare in insurance policies and paved the way for industry moves like Lloyd's 2023 rule.
In September 2023, the Las Vegas-based MGM Resorts hotel and casino chain made headlines after a cyberattack disabled various operational systems, from its reservation systems to its slot machines. During the approximately 10-day outage, customers were unable to check in, and casino operations were handled manually. In a statement in November 2023, the company announced that the attack had resulted in a financial loss of around $100 million. Notably, MGM's CFO, Jonathan Halkyard, stated in the same announcement that they expected nearly all of this loss to be covered by their cyber insurance policies. Thanks to its comprehensive cyber insurance, MGM will be able to receive business interruption compensation and largely offset its losses. This case demonstrates the critical role that cyber insurance plays in ensuring financial continuity. Another casino company affected by a similar attack, Caesars Entertainment, disclosed that it paid a $15 million ransom; a portion of the ransom is believed to have been covered by insurance (exact details are confidential). The MGM case showed how attackers using social engineering to compromise an IT employee's credentials can cause massive disruption, even with multi-factor authentication in place, and underscored the importance of insurance policies for such frauds.
The Norwegian aluminum producer Norsk Hydro was hit by the LockerGoga ransomware attack in March 2019. IT systems at the company's facilities worldwide were locked, and some factories temporarily shut down. Hydro decided not to pay the ransom and instead restored its operations using backup systems. The total cost of the incident was estimated at approximately $70 million. Thanks to Hydro's cyber insurance, the company reportedly received about $3.6 million of the damages from its insurers. Although the policy did not cover the entire loss (the remaining large portion was covered by its own funds), Hydro's management stated that the support from insurance was critical. This case revealed the importance of setting realistic insurance limits; Hydro subsequently increased its insurance limits. Additionally, the company was praised for its transparent communication strategy, keeping the public informed about the cyberattack as it unfolded. This also served as an interesting note for insurance: due to the limited reputational damage resulting from the open communication, the third-party damages that insurance had to cover were also relatively low.
In 2013, retail giant Target suffered a cyberattack in which credit card data of 40 million customers was stolen. The total cost of this breach, considered enormous for its time (including legal fees, technological improvements, fines, etc.), reached around $250 million. At the time, Target had a cyber insurance policy with a $100 million limit, and thanks to this policy, the company received approximately $90 million in compensation, covering a significant portion of its losses from insurance. The Target incident is referred to as the "first major test" of cyber insurance because a claims payment of this scale had not occurred until that point. This case was a lesson for other retail and financial companies, and a significant increase in demand for cyber policies was seen in the US after 2014. There were also lessons for insurers from the same breach: since some payments were higher than expected, revisions were made to policy sub-limits and premium calculations. For example, the costs of post-breach customer credit monitoring and call centers were very high, leading insurers to consider setting sub-limits on them. However, due to competition, policies continued to maintain broad coverage.
The food company Mondelez International was another company affected by the NotPetya attack. The company's claim for damages was over $100M; however, its insurer, Zurich, refused payment due to the war exclusion. After years of legal proceedings, and influenced by developments in the Merck case, the parties reached a settlement in 2023. The Mondelez case, along with Merck, is one of the most important examples that brought the uncertainty surrounding the "cyber war exclusion" to the forefront. As a result of these lawsuits, updating the language of war clauses in policies became inevitable.
In early 2022, the Crypto.com exchange lost approximately $30 million worth of cryptocurrency in an attack. The company announced that it had compensated user losses and that insurance coverage was partially used for this. In the same year, the crypto custody service BitGo announced that it had a $250M insurance coverage from the Lloyd's market to protect against potential thefts. These examples show that blockchain companies are also beginning to secure large policies. However, in a much larger incident in 2022—the Axie Infinity/Ronin Network attack (a crypto theft of ~$600M)—no commercial insurance was available to cover such a massive loss. The project team and investors covered a portion of the loss with their own funds. This case is cited as an example of how limited insurance capacity for the crypto sector can still be.
The cases above contain important lessons on the real-world applications of cyber insurance. These examples show that policy details (exclusions, conditions) are of critical importance, that the insured's security posture affects the process at the time of a claim, and that cyber risks can reach unexpected dimensions. At the same time, situations where insurance accelerates financial recovery (like with MGM and Target) also prove its value.
At the corporate level, cybersecurity insurance has become an indispensable safeguard for businesses in today's complex digital risk environment. While comprehensive policies compensate for the multifaceted damages that can arise after a cyberattack, pre- and post-policy consulting services elevate companies' defense levels. In the 2023-2025 period, the cyber insurance sector has both undergone internal transformations (tighter underwriting, new products, state-backed initiatives) and faced increasing threats, particularly from ransomware. New areas such as the blockchain and cryptocurrency sector have also become part of this picture, with insurers starting to adapt their products to these industries.
In the coming years, driven by regulations, the prevalence of cyber insurance is expected to increase further, and its standards are anticipated to mature. As the collaboration between insurance companies and policyholders deepens, a joint effort will emerge not only to compensate for financial losses but also to prevent attacks and minimize their impact. Consequently, corporate cybersecurity insurance will continue to play a key role in managing the risks of the digital economy, forming a crucial pillar of businesses' cyber resilience.
Take proactive steps to minimize the financial and legal damages that a potential cyberattack could create. For expert support regarding the adequacy of your cyber insurance, the interpretation of policy terms, or the legal processes that may arise after a cyber incident, contact us.
Our expert legal team provides the guidance you need to navigate compliance, risk, and governance in the blockchain sector.