A cyber insurance policy is not one thing. It is a stack of coverages bolted together — business interruption, data restoration, incident response, regulatory defense, cyber extortion — and the seams between those coverages are exactly where disputes live. Ransomware has put more pressure on those seams than any other peril in the short history of this market, and the policies are changing under that pressure in real time. Anyone advising an insured today is reading a different contract than the one they read three years ago.

I have spent a good deal of the last few years in the space where forensic facts meet policy language, and the recurring lesson is that the fight is rarely about whether something bad happened. It is about how the policy characterizes what happened, and whether the characterization the carrier reaches for lands inside or outside the grant of coverage.

What the policy actually buys

It helps to be precise about the product. Cyber coverage divides into first-party and third-party. First-party coverage responds to the insured's own losses: lost income when systems go down, the cost to restore or recreate corrupted data, the forensic and notification expenses that follow a breach, and cyber extortion — the consultants and, where permitted, the ransom payment itself. Third-party coverage responds to liability the insured owes others: privacy liability, network security liability, regulatory defense costs, media liability. A ransomware event can trigger both halves at once, which is part of why these claims are so contested. A single incident can spawn a business-interruption claim, a data-restoration claim, an extortion claim, and a downstream privacy claim from the customers whose data was exfiltrated.

There is also a structural choice that gets too little attention at the buying stage: a stand-alone cyber policy versus a cyber endorsement bolted onto a traditional policy. Stand-alone policies generally offer the broadest, most purpose-built coverage. Endorsements are cheaper and they look like coverage, but they are not as comprehensive, and the gap shows up at the worst possible moment, when a claim is being adjusted against language that was never written with a ransomware event in mind.

Why ransomware is rewriting the policies

The numbers explain the urgency. Underwriters have ranked ransomware as the number-one threat, and ransomware events have accounted for roughly a fifth of reported cyber claims in recent years. The average ransomware attack runs into the millions before any ransom is paid, and the threat model keeps escalating. The trend now is double extortion: the attacker both locks the network and threatens to release exfiltrated data, so paying for a decryption key no longer ends the exposure. That single tactical shift breaks the old assumption that restoration from backups makes the insured whole.

Carriers have responded the way carriers do. They tightened underwriting, pushing applicants to document existing controls, disaster recovery and business-continuity plans, vendor risk, and breach history. They raised the bar at the application stage, and that has created a quieter category of coverage dispute that has nothing to do with the attack itself.

That category is the application itself. Cyber applications often ask extraordinarily broad, technical questions and then expect a risk manager to answer yes or no in a checkbox. When a binary answer cannot capture a complex reality, it becomes easy for material information to be omitted or misstated. The carrier later reads that omission as application fraud and denies the claim. I tell clients that the application is the foundation of the coverage, not a formality. The diligence that goes into answering it accurately is the cheapest risk management available, and it is routinely skipped.

Where the coverage disputes are landing

The litigation tells the story of a market still defining its own terms. The most consequential fight has been over the war exclusion. When a pharmaceutical company sought coverage for losses from the NotPetya attack — an attack Western governments attributed to a nation-state — its insurers invoked the hostile-or-warlike-action exclusion to deny the claim. A New Jersey court held that the exclusion did not explicitly contemplate cyber and could not be stretched to cover an attack that was not traditional, physical warfare. The matter ultimately settled, but it was a case of first impression with long reach, because nation-states increasingly use cyber operations alongside conventional military capability. Carriers have since rewritten their war exclusions to say the word cyber out loud, which is precisely the kind of evolution that litigation forces.

Other disputes turn on older, less specialized language. Courts have wrestled with whether the encryption of data is direct physical loss or damage to property under an equipment endorsement, and whether a commercial crime policy covers funds an employee was tricked into wiring in a social-engineering scheme. In the social-engineering case, ambiguity in the policy's undefined terms was construed in favor of coverage. The throughline is familiar to anyone who works in insurance: when carriers draft around a peril without naming it, ambiguity tends to be resolved against the drafter.

The decision to pay, and the limits on it

Ransomware coverage also collides with public policy. The FBI generally counsels against paying ransoms because payment rewards extortion, with a recognized tension for critical sectors like healthcare where lives may be at stake. More pointedly, the U.S. Treasury's Office of Foreign Assets Control has advised that payments to sanctioned actors can themselves violate the law. The practical upshot is that the decision to pay, unless the demand traces to a sanctioned party, generally rests with the insured but requires carrier consent. That consent requirement is itself a frequent point of friction when an insured wants to move fast and a carrier wants to investigate.

Where this is heading

Cyber policies will keep getting more specific, because every coverage dispute teaches the market what its language failed to address. Expect sharper definitions, more granular sublimits, and exclusions written with named perils rather than borrowed property-policy boilerplate. For insureds, the lesson is to treat the policy as a technical document that deserves technical diligence — at the application stage, at renewal, and at the moment of claim. For everyone else, these disputes are well suited to forms of resolution that can absorb the underlying technical complexity. Coverage fights that hinge on what a forensic record actually shows are often better resolved through mediation or arbitration than through years of motion practice, because the real disagreement is usually narrow, factual, and resolvable once the room shares enough vocabulary to argue about the right thing.