Cyber Liability Insurance Claims: Real-World Examples

When a ransomware attack hits a mid-size manufacturer or a spoofed email drains a company's operating account, the question shifts fast from "could this happen to us?" to "what does our policy actually cover?" Cyber incidents no longer target only large enterprises — clinics, manufacturers, financial firms, and software companies face them regularly, often with costs that reach six or seven figures.

According to Coalition's 2025 Cyber Claims Report, the average cyber loss across all businesses reached $115,000 in 2024, with ransomware averaging $292,000 per incident. The gap between what businesses assume their policy covers and what it actually pays is where real financial damage happens.

This article walks through realistic claim scenarios across four industries, explains what cyber insurance actually covers (and what it doesn't), and identifies the most common reasons claims get denied.


Key Takeaways

  • Ransomware, business email compromise (BEC), and funds transfer fraud trigger the majority of cyber insurance claims
  • Real-world claim costs range from $79,000 for smaller businesses to well over $300,000 for mid-market companies — per incident
  • Cyber policies cover first-party costs (forensics, ransom, business interruption) and third-party costs (legal defense, fines)
  • Claims get denied when businesses misrepresent security controls, fail to maintain MFA, or have pre-existing vulnerabilities

The Most Common Cyber Claims: By the Numbers

BEC and funds transfer fraud combined drove 60% of all 2024 cyber claims, according to Coalition data. Ransomware represented about 20% of claims but remained the most financially disruptive — averaging $292,000 per loss compared to $35,000 for BEC incidents.

What these claim types actually are:

  • Ransomware — Attackers encrypt business systems and demand payment to restore access
  • Business Email Compromise (BEC) — Fraudsters impersonate executives or vendors via email to authorize fraudulent transactions
  • Funds Transfer Fraud (FTF) — Direct manipulation of payment instructions to redirect wire transfers to attacker-controlled accounts

Loss benchmarks by business size (2024, Coalition):

Revenue Band      Claims Frequency    Average Loss
Under $25M        1.07%               $79,000
$25M – $100M      3.99%               $139,000
All businesses    1.48%               $115,000

Industries with the highest claim severity in 2024 included energy ($262,193 average), real estate ($179,237), and healthcare ($144,662). Healthcare, financial services, and technology businesses handle large volumes of sensitive data, which drives both higher attack rates and steeper regulatory penalties after a breach.


[Figure: 2024 cyber insurance average claim costs by industry and business size comparison]

Real-World Cyber Liability Insurance Claim Scenarios

Ransomware Attack on a Mid-Size Manufacturer

A 200-employee manufacturing company's production systems are encrypted after attackers exploit an unpatched remote desktop protocol (RDP) vulnerability. Operations halt. The initial ransom demand comes in at $2.3 million.

This scenario closely mirrors a documented Coalition case study involving an alcohol manufacturer with 51–250 employees. Coalition's incident response team negotiated the ransom down to $609,000 — saving roughly $1.7 million from the initial demand. The policyholder also used business interruption and extra expense coverage while machinery damage was assessed and repaired.

What the cyber policy covered:

  • Ransom payment (after consultation with the insurer and law enforcement)
  • Business interruption losses during production downtime
  • Forensic investigation to confirm attacker access was closed
  • System restoration and recovery costs

Key lesson: Business interruption coverage is often the most valuable component for manufacturers. Every hour of production downtime compounds losses, and forensic verification — confirming the attacker is no longer present before resuming operations — adds days to recovery. Offline, tested backups are the single most effective control for limiting that downtime.


Data Breach at a Healthcare Provider

A regional clinic's employee email account is compromised, exposing tens of thousands of protected health information (PHI) records. Under HIPAA, covered entities must notify affected individuals within 60 days of breach discovery, and for breaches affecting 500 or more individuals, HHS must also be notified within the same window.

IBM reported that healthcare had the highest average breach cost of any industry at $10.93 million in 2023, with detection averaging 213 days — longer than most other sectors.

Even for smaller regional providers, regulatory penalties alone can be severe. 2024 HHS inflation-adjusted penalties for uncorrected willful neglect carry a minimum of $71,162 and an annual cap exceeding $2.1 million.

What the cyber policy covered:

  • Mandatory breach notification and patient credit monitoring
  • Legal defense fees for regulatory proceedings
  • HIPAA regulatory fine defense
  • Crisis management and public relations support

Key lesson: Healthcare businesses face some of the steepest regulatory consequences per incident. Third-party coverage — specifically regulatory defense — isn't optional for any business storing PHI. Soma places HIPAA-aligned cyber coverage for healthcare clients through carriers including CRC Group, Chubb, and Kinsale — carriers that understand this regulatory exposure.


Business Email Compromise at a Financial Services Firm

Attackers spoof a CFO's email address and instruct the finance team to wire funds to a fraudulent vendor account. The transfer clears before anyone flags the discrepancy. Total direct loss: $180,000. Add forensic investigation, security upgrades, and legal consultation, and the total incident cost approaches $250,000.

The FBI's IC3 reported $55.5 billion in exposed BEC losses across 305,033 incidents from 2013 to 2023. These scams succeed through social engineering — not technical exploits — meaning even organizations with strong technical defenses remain vulnerable.

What the cyber policy covered:

  • Social engineering/fraudulent funds transfer losses (partial recovery through rapid insurer engagement)
  • Forensic investigation costs
  • Security upgrade expenses
  • Legal consultation fees

Key lesson: BEC doesn't require a breach of your systems. It requires one convincing email. Dual-authorization requirements for wire transfers and DMARC email authentication (set to p=reject) are the two preventive controls that matter most — CISA identifies DMARC's reject policy as the strongest available protection against domain spoofing.
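As an added illustration (not from the original article or any carrier's tooling), this Python example checks whether a domain's DMARC record actually enforces the p=reject policy named above, including the subdomain (sp) and percentage (pct) tags that can quietly weaken it. The domains and records are constructed samples, the function names are hypothetical, and retrieving the TXT record at _dmarc.<domain> is assumed to happen elsewhere.

```python
# Added example: audit DMARC TXT records against the p=reject baseline.
# Input: the TXT strings published at _dmarc.<domain> (lookup not shown).

POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(record):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    pairs = [part.split("=", 1) for part in record.split(";") if "=" in part]
    tags = [(k.strip().lower(), v.strip()) for k, v in pairs]
    # RFC 7489: the first tag must be v, with the exact value DMARC1.
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    return dict(tags)

def audit_dmarc(txt_records):
    """Return a list of findings; an empty list means p=reject is fully enforced."""
    parsed = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if not parsed:
        return ["no DMARC record published"]
    if len(parsed) > 1:
        # RFC 7489 6.6.3: with multiple records, DMARC is not applied at all.
        return ["multiple DMARC records: receivers apply none of them"]
    tags = parsed[0]
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        return ["missing or invalid p= tag"]
    findings = []
    if policy != "reject":
        findings.append(f"p={policy}: spoofed mail is not rejected")
    sub = tags.get("sp")  # when absent, subdomains inherit p
    if sub is not None and sub.lower() != "reject":
        findings.append(f"sp={sub}: subdomains can still be spoofed")
    pct = tags.get("pct", "100")
    if not (pct.isascii() and pct.isdigit()) or int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of the mail")
    return findings

# Constructed sample records (not real domains).
SAMPLES = {
    "enforced.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example"],
    "monitor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
    "partial.example": ["v=DMARC1; p=reject; sp=none; pct=25"],
    "spf-only.example": ["v=spf1 -all"],
}

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        print(domain, audit_dmarc(records) or "OK: p=reject enforced")
```
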

On the coverage side, social engineering claims carry their own sub-limit, separate from the main policy limit, and most carriers require documented verification procedures to be in place before honoring a claim.


[Figure: Business email compromise attack flow from spoofed email to wire transfer fraud]

Cloud Misconfiguration Exposing Client Data

A SaaS company's misconfigured cloud storage bucket exposes 100,000+ customer records for several days before discovery. Affected clients file third-party liability claims. Notification costs, legal defense, and client claims push total incident costs above $400,000.

The Verizon 2024 Data Breach Investigations Report found that errors — including misconfiguration — were involved in 28% of breaches. AWS's shared responsibility model makes clear that customers, not AWS, are responsible for security "in" the cloud, including data, access management, and configuration. The FTC's enforcement action against Drizly shows how regulators respond: the company exposed 2.5 million consumer records through inadequate security and unsecured data storage, and faced mandatory security program requirements as a result.

What the cyber policy covered:

  • Third-party liability claims from affected clients
  • Breach notification and credit monitoring costs
  • Legal defense fees
  • Technology errors and omissions (Tech E&O) coverage

Key lesson: Using AWS, Azure, or Google Cloud does not transfer your liability. The business that stores or processes the data remains responsible when misconfiguration causes exposure. For SaaS and tech companies, Tech E&O coverage bundled with cyber liability is essential — Soma places this combination for technology firms through carriers including Chubb, Hiscox, Kinsale, and Liberty Mutual, each offering policy structures built around the third-party liability exposure tech businesses face.


What Cyber Insurance Actually Covers When a Claim Is Filed

First-Party Coverage

Costs your business incurs directly following an incident:

  • Forensic investigation to determine breach scope and attacker access
  • Data recovery and system restoration
  • Ransom payment and negotiation (subject to sub-limits and insurer approval)
  • Business interruption losses during recovery
  • Post-breach employee training and security upgrades

Third-Party Coverage

Costs arising from external claims and regulatory actions:

  • Legal defense fees for lawsuits filed by affected customers or partners
  • Court-ordered settlements
  • Regulatory fine defense (HIPAA, GDPR, CCPA, state-level requirements)
  • Customer notification and credit monitoring obligations

The Incident Response Vendor Panel

Most policies include access to a pre-vetted network of forensic investigators, legal counsel, PR firms, and ransom negotiators. That access is often as valuable as the financial payout itself. Coalition's incident response team negotiated ransomware payments down by an average of 60% in 2024, a figure that reflects what skilled negotiation — not just coverage limits — can deliver.

Sub-Limits: The Detail Most Businesses Miss

Many policies set separate sub-limits for:

  • Ransomware payments
  • Social engineering and BEC losses
  • Regulatory fines

The headline coverage limit — say, $1 million — may not apply to all loss categories. A policy with a $1 million limit but a $100,000 BEC sub-limit will only pay $100,000 on a $250,000 wire fraud loss. Reviewing policy declarations carefully before a claim happens is non-negotiable.

[Figure: Cyber insurance sub-limits versus total policy limit coverage breakdown example]

Sub-limit structures also vary by industry. A healthcare business handling PHI faces different exposure than a retail operation, and the policy language should reflect that. Soma works with hundreds of carrier partners specifically to match sub-limit structures to each client's risk profile — so coverage holds up where it actually matters.


Why Some Cyber Claims Get Denied

Failed Security Control Requirements

Insurers now treat baseline security controls as conditions of coverage, not recommendations. Coalition lists MFA, endpoint detection and response (EDR) or antivirus software, and current patching as essential cyber insurance requirements. Failing to maintain these controls at the time of a claim can void coverage entirely.

The Travelers v. ICS case made this concrete: Travelers alleged the insured misrepresented its MFA implementation on the insurance application. Lockton described the matter as a warning to every business about answering cyber applications accurately and maintaining the controls you claim to have.

Controls that insurers typically require:

  • Multi-factor authentication on all remote access tools and email
  • Endpoint detection and response (EDR) or antivirus software
  • Active patching of known vulnerabilities
  • Documented incident response procedures

Security control failures aren't the only path to a denied claim. Even when coverage isn't voided outright, specific loss types routinely fall outside what the policy will pay.

Common Exclusions That Limit or Block Payouts

Even on valid claims, certain losses typically fall outside coverage:

  • Future lost profits unrelated to the specific incident
  • Reputational harm from leaked internal communications
  • Intellectual property theft losses
  • War or hostile nation-state act exclusions (increasingly contested in court)
  • Social engineering losses where required verification procedures weren't followed

Understanding these exclusions before a claim happens — not after — is what separates businesses that recover quickly from those left covering losses out of pocket.


Lessons Businesses Can Apply Right Now

The scenarios above aren't edge cases. For businesses handling customer data, processing payments, or running operations on networked systems, a cyber incident is a matter of timing.

Three actions that reduce risk and often lower premiums:

  1. Implement MFA everywhere — on email, remote desktop, VPNs, and cloud applications. This is the single most-required control across carriers.
  2. Maintain tested offline backups — backups connected to your network can be encrypted alongside everything else. Air-gapped or immutable backups are the difference between a week of downtime and a decision about ransom payment.
  3. Run annual phishing and BEC awareness training — since most BEC attacks succeed without ever exploiting a technical vulnerability, employee awareness is a legitimate defensive control.

[Figure: Three essential cybersecurity controls that reduce risk and lower insurance premiums]

Those controls reduce exposure — but your policy structure determines what actually gets covered when something goes wrong. On the coverage side, three things are worth reviewing now:

  • Audit sub-limits for ransomware, social engineering, and regulatory fines
  • Confirm coverage limits match your actual revenue and data exposure
  • Check that your policy reflects your industry's regulatory environment — a $500,000 policy with a $50,000 BEC sub-limit won't cover a $180,000 wire fraud loss

If your current policy wasn't built for your industry, it probably has gaps you won't find until you file a claim. Soma works with businesses in healthcare, financial services, technology, and other complex industries to place cyber coverage that reflects actual exposure — not a one-size-fits-all quote.


Frequently Asked Questions

What is covered by cyber liability insurance?

Cyber liability insurance covers both first-party costs — forensic investigation, ransom payment, business interruption, and data recovery — and third-party costs including legal defense fees, regulatory fines, and customer notification obligations. Coverage applies to incidents like data breaches, ransomware attacks, and BEC scams.

What is the average payout for a cyber insurance claim?

Coalition reported an average cyber loss of $115,000 in 2024 across all businesses. Smaller businesses under $25M in revenue averaged $79,000, while mid-market firms ($25M–$100M revenue) averaged $139,000. Ransomware incidents averaged $292,000 per loss.

What types of cyber incidents trigger the most insurance claims?

BEC and funds transfer fraud drove 60% of 2024 cyber claims, with ransomware accounting for roughly 20%. Data breaches in healthcare and financial services also generate a significant share, particularly due to regulatory notification and fine exposure.

Can a cyber insurance claim be denied?

Yes. Claims are commonly denied when businesses fail to maintain required security controls (like MFA), misrepresent their security practices on the application, or when the incident falls under a specific policy exclusion. Review your policy terms carefully before an incident occurs.

Does cyber insurance cover ransomware payments?

Most cyber policies cover ransomware payments, but typically under a sub-limit separate from the main coverage amount. Payment requires insurer approval and sometimes law enforcement consultation beforehand, so notify your insurer before attempting to pay.

How do I file a cyber liability insurance claim?

Notify your insurer or broker immediately after discovering an incident, as delays can jeopardize coverage. Preserve logs and document the damage without altering anything that could destroy forensic evidence. Your insurer's incident response process typically deploys a forensic team and legal counsel within hours.