Reading Time: 15 min | Last Updated: February 25, 2026
A City Lost $18.3 Million to Ransomware. Their Insurer Refused to Pay a Single Dollar.
In February 2024, the City of Hamilton, Ontario, was hit by a ransomware attack that crippled 80% of its infrastructure. Emergency services were disrupted. Municipal operations ground to a halt. The recovery bill? $18.3 million.
Hamilton had cyber insurance. They filed the claim. And in April 2025, the insurer said no.
The reason? Hamilton hadn't fully implemented multi-factor authentication.
The attackers had exploited weak credentials on an externally-facing system that didn't have MFA enabled. The insurance policy specifically required MFA on all critical systems. Hamilton hadn't completed the rollout. So the insurer invoked the policy's security requirements clause — and denied the entire $18.3 million claim.
Eighteen point three million dollars. Paid entirely by taxpayers. Because of one security checkbox that wasn't ticked.
This story tells you everything you need to know about cyber insurance in 2026: it can save your business — or it can be a completely worthless piece of paper. The difference is in the details.
Let me explain how cyber insurance actually works, what it really covers, what gets claims denied, and whether you actually need it.
What Is Cyber Insurance?
Cyber insurance — sometimes called cyber liability insurance — is a policy that covers the financial costs of a cyberattack or data breach. Think of it as car insurance, but for your digital life.
Just like car insurance covers the damage if you're in an accident, cyber insurance covers the damage when your business suffers a breach, ransomware attack, or data theft.
But here's where the analogy gets important: car insurance doesn't cover you if you were driving drunk. And cyber insurance doesn't cover you if you weren't following basic security practices.
What Cyber Insurance Covers (And What It Doesn't)
| ✅ Typically Covered | ❌ Typically NOT Covered |
|---|---|
| Data breach response costs (forensics, notification, legal) | Breaches caused by failure to maintain required security controls |
| Ransomware negotiation and payment (where lawful and authorised by the insurer) | Pre-existing vulnerabilities or known, unpatched flaws |
| Business interruption (lost income during downtime) | Losses caused by a vendor or other third party, unless specifically covered |
| Data restoration and system recovery | Reputational damage or future lost business (usually) |
| Regulatory fines and penalties (where insurable by law) | Acts of war or state-sponsored attacks (some policies) |
| Credit monitoring for affected customers | Bodily injury or physical property damage |
| Crisis management and PR support | Social engineering/BEC unless specifically endorsed |
| Legal defence costs if you're sued | Intentional or fraudulent acts by insured employees |
Sources: MoneyGeek, Astra Security
Notice the pattern in the "NOT Covered" column? The exclusions that actually bite in practice are about negligence: the business failed to do something basic. Didn't enable MFA. Didn't patch known vulnerabilities. Didn't maintain required controls. The rest (war, physical damage, un-endorsed attack types such as BEC) are scope boundaries you close by reading the policy and buying the right endorsements. The insurer's logic is: "We'll protect you from bad luck. We won't protect you from bad habits."
Cyber Insurance by the Numbers (2026)
| Statistic | Figure |
|---|---|
| Average SMB premium (US) | $83/month ($999/year) |
| Global cyber insurance market | $28–30 billion |
| US businesses with cyber insurance | 65% (up from 49% in 2024) |
| SMB share of all claims | 56–65% |
| Average claim payout | $115,000 – $1.2 million |
| Ransomware average payout | $228,000 – $7.2 million |
| Claims denied due to no MFA | 37% of denials |
Sources: SQ Magazine, World Metrics, Security.org
Real Claims: The Ones That Paid — And The Ones That Didn't
Nothing makes this clearer than real stories. Here's what separates a claim that saves a business from one that leaves them holding the bag:
✅ Paid: Manufacturing Company — Ransomware ($1.55 Million)
A mid-sized manufacturer was hit through an exposed, unpatched remote desktop (RDP) service. Five days of halted production. $500,000 ransom demand. Total damages: $1.55 million. The insurer paid in full because the company had MFA deployed, endpoint protection running, a documented incident response plan, and reported the breach within 24 hours.
✅ Paid: Healthcare Provider — Data Breach ($1.3 Million)
An email compromise exposed 50,000 patient records. HIPAA-regulated response costs — notifications, credit monitoring, legal proceedings — totalled $1.3 million. Paid because the provider maintained compliance with security training requirements and reported promptly.
❌ Denied: City of Hamilton — Ransomware ($18.3 Million)
As we opened with. MFA wasn't fully deployed. Policy required it. Entire claim denied. $18.3 million out of taxpayers' pockets.
❌ Denied: BEC Wire Transfer ($175,000)
A real estate firm lost $175,000 when attackers impersonated a vendor and redirected a wire transfer. The firm's policy didn't include a social engineering endorsement. Claim denied because BEC wasn't in their specific coverage.
Sources: Embroker, Specops, ASI Networks
The pattern is unmistakable. Claims get paid when businesses had the security basics in place and reported fast. Claims get denied when businesses cut corners on the exact controls their policy required.
Why Claims Get Denied (The Top 5 Reasons)
| Denial Reason | What Went Wrong |
|---|---|
| 🚫 No MFA (37% of denials) | Policy required MFA; it wasn't fully enabled on critical systems |
| 🚫 Outdated systems | Running unpatched or end-of-life software with known vulnerabilities |
| 🚫 Late notification | Reported after the policy's notification window (often 48–72 hours) had closed |
| 🚫 Misrepresentation on application | Claimed security controls were in place that actually weren't |
| 🚫 Coverage gap | BEC, social engineering, or vendor attacks not endorsed in the policy |
Do YOU Need Cyber Insurance?
You Probably Need It If:
- You handle customer personal data — names, emails, payment info, health records
- You process financial transactions — e-commerce, wire transfers, invoicing
- You rely on digital systems to operate — and downtime means lost revenue
- You're in a regulated industry — healthcare, finance, legal, education
- You have clients who require it — increasingly, enterprise clients require vendors to carry cyber insurance
You Might Not Need It If:
- You're a solo freelancer with no client data and minimal digital assets
- Your business is entirely offline with no digital customer records
But honestly? In 2026, that second category barely exists anymore. If you have a business email address, a website, and customer data of any kind — you're a target. And with premiums averaging $83/month for small businesses, the cost of insurance is a rounding error compared to the cost of an uninsured breach.
How to Buy Cyber Insurance (Without Getting Burned)
Step 1: Get Your Security House in Order FIRST
Don't buy insurance and then worry about security. Do it the other way around. Insurers will ask about your security posture on the application, and what you claim must be true — misrepresentation is grounds for denial.
At minimum, have these in place before applying:
- ✅ MFA enforced (not merely available) on every account with remote or privileged access: email, VPN, admin consoles, cloud. "Fully" is the word insurers hold you to, so count service and break-glass accounts too rather than quietly leaving them out
- ✅ Password manager with unique passwords
- ✅ Endpoint protection (EDR) on all devices
- ✅ Regular backups that an attacker on your network cannot encrypt or delete (offline or immutable), restore-tested quarterly
- ✅ Software patches and updates current
- ✅ Employee security training
- ✅ Documented incident response plan that names who notifies the insurer, and by when
This isn't just for the application. These controls are what get your claim paid when something goes wrong.
Step 2: Understand What You're Buying
Read the policy. Actually read it. Or have someone explain it. Focus on:
- Coverage limits — is the payout cap sufficient for a serious breach?
- Deductible — how much you pay out-of-pocket before insurance kicks in
- Endorsements — BEC, social engineering, and supply chain attacks often need separate endorsements
- Exclusions — what's NOT covered? Acts of war? Vendor failures? Regulatory fines in certain jurisdictions?
- Notification window — how quickly must you report an incident? Often 48–72 hours, but some policies say "immediately" or "as soon as practicable", so copy the exact wording into your incident response plan
Step 3: Be Brutally Honest on the Application
If the application asks "Do you have MFA enabled on all remote access?" and you have it on email but not on your VPN — the answer is no. Saying "yes" when it's not fully true is the fastest path to a denied claim. Fix the gap, then answer honestly.
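Steps 1 and 3 come down to the same thing: a "yes" to "MFA on all remote access?" has to be backed by an inventory in which every in-scope account is enforced. The script below is an added example written for this article, not a tool from any insurer or from the article's author, and it calls no real identity provider. It reads a constructed CSV (assumed columns `system`, `account`, `account_type`, `mfa_enforced`, a shape most IdP and VPN exports can be reduced to), computes per-system MFA coverage, lists the accounts that would make a "yes" untrue, and freezes a hashed snapshot of what you attested to. The in-scope system names are assumptions; take yours from the policy wording.

```python
"""
MFA coverage check for a cyber-insurance application (added example).

Not an insurer's tool and not any vendor's API. It reads a CSV export in an
assumed shape (columns: system, account, account_type, mfa_enforced) and
answers the application question the honest way: "yes" only if every
in-scope account is enforced.
"""
import csv
import hashlib
import io
import json
from datetime import datetime, timezone

# Constructed sample export, not real data. Mirrors the article's scenario:
# MFA is on for email users but the VPN rollout is unfinished, and the
# service and break-glass accounts were never included in the rollout.
SAMPLE_EXPORT = """system,account,account_type,mfa_enforced
email,alice@example.com,user,true
email,bob@example.com,user,true
email,svc-scanner@example.com,service,false
vpn,alice@example.com,user,true
vpn,bob@example.com,user,false
vpn,contractor1@example.com,user,false
admin-console,alice@example.com,admin,true
admin-console,breakglass@example.com,admin,false
cloud,alice@example.com,admin,true
"""

# Assumed scope. Which systems count as "remote access" or "critical"
# is defined by YOUR policy wording; copy the list from there.
IN_SCOPE = {"email", "vpn", "admin-console", "cloud"}

# Exports spell "enforced" in several ways; anything else counts as not enforced.
TRUE_VALUES = {"true", "yes", "1", "enforced", "enabled"}


def parse_export(text):
    """Normalise the CSV into dicts with a real boolean for mfa_enforced."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "system": row["system"].strip().lower(),
            "account": row["account"].strip().lower(),
            "account_type": row["account_type"].strip().lower(),
            "mfa_enforced": row["mfa_enforced"].strip().lower() in TRUE_VALUES,
        })
    return rows


def coverage_report(rows, in_scope=IN_SCOPE):
    """Per-system coverage, plus every in-scope account without MFA (the gaps)."""
    per_system, gaps = {}, []
    for r in rows:
        if r["system"] not in in_scope:
            continue
        s = per_system.setdefault(r["system"], {"total": 0, "enforced": 0})
        s["total"] += 1
        if r["mfa_enforced"]:
            s["enforced"] += 1
        else:
            gaps.append(r)
    for s in per_system.values():
        s["coverage"] = s["enforced"] / s["total"]
    return {"per_system": per_system, "gaps": gaps}


def honest_answer(report):
    """The application question is binary. A single gap makes the answer "no",
    however high the overall percentage looks."""
    return "no" if report["gaps"] else "yes"


def _digest(payload):
    """SHA-256 over the canonical JSON of everything except the hash itself."""
    body = {k: v for k, v in payload.items() if k != "sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def evidence_snapshot(rows, in_scope=IN_SCOPE):
    """Freeze what was attested to, with a hash over the content, so the
    state at application time can be shown later."""
    report = coverage_report(rows, in_scope)
    payload = {
        "generated_at": datetime.now(timezone.utc).isoformat(),
        "in_scope_systems": sorted(in_scope),
        "per_system": report["per_system"],
        "gaps": [f'{g["system"]}:{g["account"]} ({g["account_type"]})'
                 for g in report["gaps"]],
        "answer_mfa_on_all_in_scope": honest_answer(report),
    }
    payload["sha256"] = _digest(payload)
    return payload


def verify_snapshot(payload):
    """True if the snapshot has not been altered since it was generated."""
    return payload.get("sha256") == _digest(payload)


if __name__ == "__main__":
    snap = evidence_snapshot(parse_export(SAMPLE_EXPORT))
    for name, s in sorted(snap["per_system"].items()):
        print(f'{name:14s} {s["enforced"]}/{s["total"]} enforced ({s["coverage"]:.0%})')
    print("gaps:", *snap["gaps"], sep="\n  ")
    print('honest answer to "MFA on all in-scope accounts?":',
          snap["answer_mfa_on_all_in_scope"])
```

Run it before filling in the application. The overall percentage (5 of 9 sample accounts enforced) is irrelevant to the binary question; the VPN rows reproduce the email-but-not-VPN situation above, and the service and break-glass rows are where "fully implemented" usually fails without anyone noticing. Keep the snapshot with the signed application: its hash lets you show later that the answer matched the state of your systems at the time.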
Step 4: Review and Update Annually
Your threat landscape changes. Your business changes. Your security posture changes. Review your policy every year. Make sure coverage still matches reality.
The Bottom Line
Cyber insurance is not a replacement for cybersecurity. Let me say that louder for the people in the back: cyber insurance is not a replacement for cybersecurity.
It's a safety net. A financial backstop for when something goes wrong despite your best efforts. And like every safety net, it only works if you've done your part.
Hamilton thought they had protection. $18.3 million in damages later, they discovered that a policy is only as strong as the security controls backing it up. One missing checkbox — MFA not fully deployed — turned a survivable incident into a catastrophic financial loss.
The manufacturer that got paid $1.55 million? They had MFA. They had endpoint protection. They had a response plan. They reported in 24 hours. The insurer paid without question.
Same type of attack. Same type of policy. Completely opposite outcomes.
So here's my advice: implement the security basics from our small business guide. Then buy cyber insurance as your safety net. Then sleep a little better knowing that if the worst happens, you've got both the defences AND the financial backup to survive it.
Insurance protects your finances. Security protects your business. You need both.
Continue the full series: antivirus, Zero Trust, 10 mistakes, ransomware, VPN vs Zero Trust, social engineering, password managers, supply chain, MFA, WiFi security, encryption, dark web, privacy, AI cybersecurity, quantum, firewalls, cloud security, small business, IoT security, and phishing guide.
— Harsh Solanki, Founder of FutureInsights.io
Frequently Asked Questions
How much does cyber insurance cost for a small business?
The US average for small businesses is about $83/month ($999/year). Actual costs range from $52 to $3,398/month depending on your industry, company size, the data you handle, your security posture, and claims history. Businesses with strong security controls (MFA, EDR, backups, training) typically get lower premiums. Businesses in high-risk industries (healthcare, finance) or with previous breaches pay more. Getting multiple quotes is essential — rates vary significantly between insurers.
Will cyber insurance pay for ransomware?
Most policies cover ransomware-related costs, including ransom negotiation, ransom payments (where the insurer authorises them and the payment would not breach sanctions law, since paying a sanctioned group is illegal regardless of what the policy says), system recovery, data restoration, and business interruption during downtime. However, coverage is contingent on meeting the policy's security requirements. If the breach resulted from a security gap the policy required you to address (like missing MFA or unpatched systems), the claim can be denied. Some policies also have sub-limits specifically for ransomware that are lower than the overall policy limit, so check the fine print.
What happens if I lie on the insurance application?
If you misrepresent your security posture on the application — saying you have MFA when you don't, or claiming your systems are patched when they're not — and a breach occurs because of that exact gap, the insurer will almost certainly deny the claim. In some cases, they can void the policy entirely and refuse all coverage retroactively. Forensic investigators can quickly determine whether controls were actually in place. The application is a contract. Honesty isn't optional.
Does cyber insurance cover my employees' mistakes?
Generally yes, if the policy is structured to cover human error — like an employee clicking a phishing link or accidentally exposing data. This is one of the primary values of cyber insurance, since a human element is involved in most breaches. However, intentional malicious acts by employees (insider threats) are typically excluded. And if the "mistake" was possible because a required control (MFA, training) wasn't in place, the insurer may deny the claim on those grounds.
Do I need cyber insurance if I already have general liability insurance?
Yes. General liability insurance typically does not cover cyber incidents. It covers things like physical injuries, property damage, and advertising liability. Data breaches, ransomware, business email compromise, digital theft, and regulatory fines are specifically excluded from most general liability policies. You need a dedicated cyber insurance policy (or a cyber endorsement added to your existing business policy) to cover digital risks.
How fast do I need to report a cyber incident to my insurer?
Most policies require notification within 48 to 72 hours of discovering an incident. Some require "immediate" notification. Failing to meet this window is one of the most common (and most avoidable) reasons for claim denial. The moment you suspect a breach: (1) start your incident response plan, (2) call your insurer's claims hotline, and (3) document everything. Don't wait until you've "figured out what happened." Report first, investigate concurrently.
📚 Further Reading & Research
- Average Cyber Insurance Cost 2026 — MoneyGeek
- Cyber Insurance Statistics 2026 — SQ Magazine
- Cyber Insurance Claims Statistics 2026 — World Metrics
- 64 Cyber Insurance Claims Statistics — Astra Security
- MFA Failure Costs Hamilton $18M — Specops
- 5 Cyber Insurance Claims Examples — Embroker
- Why Claims Get Denied 2025 — ASI Networks
- Cyber Insurance Claims 2025 — Cyber Insurance News
- Cyber Insurance Statistics 2026 — Security.org