Denied: Why 1 in 4 Cyber Insurance Claims Gets Rejected in 2026

21% of cyber insurance claims were denied or partially denied in 2025, up from 15% two years ago. Here are the specific reasons — and what brokers can do to prevent it.

A broker’s worst nightmare is not a client getting breached. It is a client getting breached, filing a claim, and having the carrier deny it. That scenario is becoming more common. Roughly 1 in 4 cyber insurance claims were denied in 2024, according to Fitch Ratings. In 2025, the denial-or-partial-denial rate reached 21%, up from 15% in 2023.

The denials are not random. They follow clear patterns — patterns that brokers can identify and address before a claim is filed, not after. This post breaks down the five most common denial reasons, the emerging coverage gaps that caught policyholders off guard, and specific steps brokers can take to protect their clients.

The Five Most Common Denial Reasons

Based on industry data from Fitch, ASi Networks, and claims analysis by Nossaman and HeplerBroom, the denial landscape looks like this:

| Denial Reason | % of Denials | Trend |
|---|---|---|
| Failure to maintain stated security controls (MFA, EDR) | 34-37% | Rising |
| Late notification (>72 hours) | 17-22% | Stable |
| War/nation-state exclusion | 16% | Evolving |
| Pre-existing vulnerability not disclosed | 14% | Stable |
| Policy sublimit exhausted | 9% | Rising |

The education sector has the highest denial rate at 27%, the result of underfunded security programs combined with complex IT environments spanning research networks, student devices, and legacy systems.

Let’s unpack each one.

1. Security Control Non-Compliance: The Silent Claim Killer

This is the single largest category of denials, and it is growing. Here is why: 73% of insurers now conduct external vulnerability scans before issuing or renewing policies. 96% require MFA on all remote access and 88% require EDR (Coalition). These requirements are typically written into the policy as warranty clauses or conditions precedent — meaning failure to comply voids coverage entirely.

The trap is subtle. An organization may have MFA and EDR deployed at the time of application. But if MFA is not enforced on a newly added cloud service six months later, or if EDR agents were uninstalled from a subset of endpoints during a migration, the policy warranty is breached. The carrier does not need to prove the gap caused the breach — only that the gap existed.

Real-world pattern: EDR log retention is a growing issue. Some claims have been rejected because log data only went back 30 days, not the 90 days the policy required. Having the tool is not the same as having proof it was running at the time of the incident.

AI-driven verification is changing the game. Carriers now scan public-facing assets and compare them against what was declared on the application. An insured that claimed “MFA everywhere” but has external services that do not enforce it faces not just a claim denial but potentially a rescission of the entire policy.

What brokers should do

  • Request a security control compliance audit at each renewal, not just at application
  • Ensure clients understand that policy warranties are continuous obligations, not point-in-time checkboxes
  • Verify that MFA coverage extends to all cloud services, VPNs, admin consoles, and third-party tools — not just the primary identity provider
  • Require clients to maintain 90+ days of security tool logs
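As an added example (not part of the original article and not any carrier's tooling), the script below runs the continuous check described above over a constructed inventory: remote-access services without enforced MFA, endpoints whose EDR agent has stopped checking in, and log sources that retain less than the policy requires. The field names, sample hosts, and the 7-day EDR heartbeat threshold are assumptions.

```python
from datetime import date

# Constructed sample data; field names and the 7-day EDR heartbeat
# threshold are assumptions, not taken from any carrier or tool.
POLICY = {"log_retention_days": 90, "edr_stale_days": 7}
SERVICES = [
    {"name": "idp-sso", "remote_access": True, "mfa_enforced": True},
    {"name": "vpn-gateway", "remote_access": True, "mfa_enforced": True},
    {"name": "new-crm-saas", "remote_access": True, "mfa_enforced": False},
]
ENDPOINTS = [
    {"host": "fin-laptop-01", "edr_last_seen": date(2026, 3, 1)},
    {"host": "migrated-srv-07", "edr_last_seen": date(2026, 1, 10)},
    {"host": "hr-laptop-04", "edr_last_seen": None},
]
LOG_SOURCES = [
    {"tool": "edr", "oldest_event": date(2026, 1, 31)},
    {"tool": "idp-auth", "oldest_event": date(2025, 11, 1)},
]

def audit_warranties(policy, services, endpoints, log_sources, as_of):
    """Return (control, asset, detail) tuples for every warranty gap found."""
    findings = []
    # MFA: every remote-access service must enforce it, not just the IdP.
    for svc in services:
        if svc["remote_access"] and not svc["mfa_enforced"]:
            findings.append(("MFA", svc["name"], "remote access without enforced MFA"))
    # EDR: an agent that never checked in, or went silent, is a coverage gap.
    for ep in endpoints:
        seen = ep["edr_last_seen"]
        if seen is None:
            findings.append(("EDR", ep["host"], "no agent check-in on record"))
        elif (as_of - seen).days > policy["edr_stale_days"]:
            findings.append(("EDR", ep["host"], f"agent silent for {(as_of - seen).days} days"))
    # Logs: the oldest retained event must reach back the required window.
    for src in log_sources:
        kept = (as_of - src["oldest_event"]).days
        if kept < policy["log_retention_days"]:
            findings.append(("LOGS", src["tool"],
                             f"{kept} days retained, {policy['log_retention_days']} required"))
    return findings

if __name__ == "__main__":
    for control, asset, detail in audit_warranties(
            POLICY, SERVICES, ENDPOINTS, LOG_SOURCES, as_of=date(2026, 3, 2)):
        print(f"[{control}] {asset}: {detail}")
```

Running a check like this on a schedule and archiving each dated result gives the insured evidence that the controls were in place at the time of an incident, rather than only at application.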

2. Late Notification: The 72-Hour Window

Most cyber policies require notification within 72 hours of discovering an incident. Some carriers have shorter windows for specific event types. The logic is straightforward: early engagement allows the carrier’s incident response team to contain the damage, reducing the total claim cost.

The problem is that many organizations take weeks to fully understand what happened. Initial detection often underestimates scope. By the time the insured realizes the true severity, the notification window may have closed.

What brokers should do

  • Establish a clear notification protocol with every client at policy inception
  • Recommend filing a preliminary notice immediately upon any suspected incident, even before scope is understood — most policies allow supplemental filings
  • Some carriers now incentivize early reporting with lower retentions for incidents reported within 72 hours (Coalition reduced average retention by $50K for early reporters)

3. War Exclusion: The $1.5 Billion Question

The war exclusion has become the most consequential coverage dispute in cyber insurance history. Two landmark cases set the stage:

Merck v. Insurers (NotPetya, 2017): Merck’s 40,000 computers were wiped in the NotPetya attack. Total damages claimed: $1.4 billion. Insurers invoked the war exclusion, arguing NotPetya was a Russian state-sponsored cyberweapon. The trial court and appellate court both ruled for Merck — the war exclusion language predated cyberwarfare and did not reference it. The case settled confidentially in January 2024 after insurers dropped their Supreme Court appeal.

Mondelēz v. Zurich (NotPetya, 2017): Same attack, same exclusion argument. Mondelēz suffered $100+ million in damages across 1,700 servers and 24,000 laptops. Settled confidentially in November 2022 after four years of litigation.

Both cases hinged on specific policy language. The exclusions were written for kinetic warfare and did not mention cyber operations. Lloyd’s of London responded by mandating state-based cyber attack exclusions across its market. New “cyber war” exclusion language is still being crafted industry-wide as of 2026, and the lack of standardization means coverage varies significantly between carriers.

What brokers should do

  • Read the war exclusion language in every quote. The specific wording matters enormously
  • Understand whether the exclusion uses a “kinetic warfare” threshold (narrower, better for insureds) or a “state-sponsored cyber operation” threshold (broader, riskier for insureds)
  • For clients in sectors likely to be affected by nation-state attacks (energy, finance, healthcare, government contractors), negotiate for narrow war exclusion language or a separate cyber terrorism sublimit

4. Sublimit Traps: When Coverage Exists But Is Not Enough

A growing number of denials are not outright rejections — they are sublimit caps that leave the insured under water. 58% of cyber policies now carry ransomware sublimits capping coverage at 50-75% of the total policy limit.

The CiCi Enterprises v. HSB Specialty Insurance case (N.D. Texas, 2026) illustrates the problem. A pizzeria chain suffered $1.2 million in ransomware losses. The insurer attempted to cap the payout at a $250,000 ransomware sublimit. The court rejected the cap — the endorsement lacked explicit language modifying the cyber extortion coverage grant. But this was a lucky outcome based on specific drafting errors. Most sublimits are enforceable.

44% of insured businesses are underinsured, meaning their coverage is less than half their estimated maximum breach cost. The gap is often invisible until a claim is filed.

What brokers should do

  • Map every sublimit against realistic loss scenarios for the specific client
  • Pay special attention to social engineering sublimits — many policies cap social engineering at $250K on a $1M+ policy, which is grossly inadequate in the era of $500K+ deepfake fraud losses
  • Negotiate for sublimits that reflect actual risk, not arbitrary percentages

5. Emerging Gap: Deepfake and AI Fraud Coverage

The newest coverage gap is also the fastest-growing. Deepfake fraud losses reached $893 million in 2025, according to the FBI IC3 report’s first-ever dedicated section on AI as a cybercrime tool. But coverage for these losses is far from clear.

The core issue is classification. When an employee receives a deepfake video call from someone impersonating the CFO and wires $500,000 to an offshore account, several policy provisions collide:

  • Voluntary parting exclusion: If the employee “voluntarily” transferred the funds — even under deception — some policies exclude the loss entirely
  • Cyber vs. crime classification: If no network intrusion occurred (the employee used legitimate credentials and systems), the loss may fall outside the cyber policy and into the crime policy territory
  • Fraudulent instruction definitions: Policy language written for email-based BEC may not cover deepfake Zoom calls or Teams messages

One multinational company’s finance employee wired $25 million after a deepfake video call impersonating the CFO and multiple colleagues. Whether that loss falls under cyber, crime, or neither depends entirely on policy language.

What brokers should do

  • Review whether existing policies have affirmative coverage for social engineering via deepfake or AI-generated content
  • Check if “fraudulent instruction” definitions are broad enough to cover video calls, voice cloning, and AI-generated messages
  • Consider whether the social engineering sublimit is adequate given average deepfake incident costs of ~$500,000

The Pre-Claim Audit: A Broker’s Checklist

Rather than waiting for a claim to test coverage, brokers should conduct a pre-claim coverage audit at every renewal. Here is what to verify:

| Item | Why It Matters |
|---|---|
| Security control warranties still met | #1 denial reason (34-37%) |
| MFA enforced on ALL remote access | 96% of carriers require this |
| EDR agents active on all endpoints | 88% of carriers require this |
| Log retention meets policy requirements | Typically 90+ days |
| Notification protocol documented | 72-hour window |
| War exclusion language reviewed | Varies significantly between carriers |
| Sublimits mapped to realistic scenarios | 44% of businesses underinsured |
| Social engineering coverage includes AI/deepfake | Emerging gap |
| Vendor/supply chain coverage adequate | 30% of breaches involve third parties |
| Regulatory fine insurability confirmed | Varies by jurisdiction |

The Bottom Line

Most claim denials are preventable. They happen not because the insured did something wrong after the breach, but because the policy was not structured correctly — or the insured’s security posture drifted from what was represented at application.

The denial rate is rising because carriers are getting better at verifying compliance, not because policyholders are getting worse at security. AI-driven underwriting verification, external scanning, and post-incident forensic audits mean that gaps that would have gone unnoticed three years ago are now being caught and used to deny claims.

Brokers who treat policy placement as a one-time event rather than an ongoing risk management process are exposing their clients to the 21% denial rate. The fix is not complicated — it just requires attention before the claim, not after.
