Your Policy Says Cyber Event — But What Risk Does That Actually Expose?

Open any cyber insurance policy and you’ll find a definitions section. Near the top, usually in the first five terms, sits a phrase that silently determines whether a claim gets paid or denied:

“Cyber Event” — any actual or suspected unauthorized access, use, disclosure, modification, or destruction of electronic data, or any actual or suspected disruption of electronic systems.

It sounds comprehensive. It is not.

The problem isn’t what this definition includes — it’s what it fails to distinguish. When “unauthorized access” and “disruption of systems” share the same term, a ransomware attack that encrypts production databases gets bundled with a misconfigured firewall that briefly exposed an internal wiki.

Both are “cyber events.” Both trigger the same insuring clause. But the risk profiles are entirely different.

The Definition Problem

Here’s what most policies do with “cyber event”:

1. Bundle unrelated threat categories — nation-state espionage, script-kiddie scanning, employee negligence, and SaaS outages under one umbrella term
2. Conflate frequency and severity — a thousand failed login attempts and one successful ransomware deployment are both “cyber events”
3. Create ambiguity at claim time — adjusters and policyholders argue over whether a specific incident falls within the definition, and courts interpret inconsistently

We already covered the full list of 12 essential clauses every underwriter must check. This post is about the one clause that undermines all the others: the definition of the insured event itself.

Three Real Scenarios Where the Definition Fails

Scenario 1: The AI Hallucination Claim

An underwriting team uses an AI-powered risk assessment tool. The tool produces a report with hallucinated regulatory references. The client relies on it, fails a compliance audit, and files a claim under their cyber policy’s “system failure” coverage.

The question: Is an AI hallucination a “cyber event”? There was no unauthorized access. No system disruption. No data breach. But there was a digital system (the AI) producing an incorrect output that caused financial loss.

Most policies were written before AI-generated outputs were a claim category. The definition doesn’t account for them.

Scenario 2: The Cloud Outage that Isn’t a “Cyber Event”

A major cloud provider goes down. Your insured’s e-commerce platform is offline for 14 hours. Revenue loss: €800,000.

The question: A cloud outage is a system disruption — so it’s a cyber event, right? Not necessarily. Many policies define cyber events to require a “security” element. If the outage was caused by a provider’s infrastructure failure (not an attack), some insurers argue it falls under business interruption, not cyber coverage.

The definitions weren’t written to distinguish between adversarial and non-adversarial disruptions. The result? One in four cyber claims gets denied, and definition ambiguity is the second most common reason.

Scenario 3: The Supply Chain Breach

Your insured’s managed service provider (MSP) is compromised. The attacker accesses the MSP’s credentials and uses them to pivot into your insured’s environment.

The question: Whose “cyber event” is this? The initial compromise happened at the MSP. Your insured was affected, but the unauthorized access occurred on third-party systems.

Some policies require the event to occur on the insured’s own systems. Others include third-party events under dependent business interruption. The distinction — and whether coverage applies — hinges entirely on how “cyber event” and “insured’s systems” are defined.

Why Underwriters Should Care

These aren’t edge cases. They account for a growing share of claims:

• AI-related claims — insurers like QBE and Beazley have already introduced 10% AI sublimits, effectively carving cyber events into “AI events” and “non-AI events” because the base definition can’t handle the distinction
• Cloud outage claims — increasing in frequency as business dependency on SaaS and IaaS deepens
• Supply chain incidents — doubled as a share of all breaches in 2025

The common thread: the definition of “cyber event” was designed for a world where threats came from outside, through perimeter defenses. That world is gone. Threats now emerge from:

• AI systems producing incorrect outputs (no “attacker” in the traditional sense)
• Third-party failures cascading through supply chains (no “insured’s system” was compromised initially)
• Operational technology failures (no “data” was affected)

What Better Definitions Look Like

Instead of a single catch-all “cyber event” definition, policies can segment:

This doesn’t require rewriting the entire policy. It requires adding sub-definitions that let claims adjusters and underwriters distinguish between fundamentally different risk categories.

The Underwriting Action

Three things to check on your next submission:

1. How does the policy define “cyber event”? If it’s a single paragraph covering everything from malware to system failure, the definition is too broad for today’s threat landscape.
2. Does the definition require a “security” element? If yes, cloud outages and AI failures may fall outside coverage — even though they cause the same financial loss.
3. Are third-party events included? Specifically check whether supply chain incidents affecting the insured but originating externally are covered under the cyber event definition or require a separate dependent BI trigger.

If you can’t answer these questions from the definition alone, neither can the claims adjuster three years from now.

Michael Guiao is the Founder of Resiliently.ai and the author of Resiliently. He holds CISM, CCSP, CISA, and DPO (TÜV) certifications and has 8+ years of experience across insurance, auditing, and consulting at firms including AXA, Xella Group, and PwC.