Cyber Insurance Denial Due to Incomplete Security Controls (City of Hamilton, Ontario – ~$18 m Loss)

Background
In February 2024 attackers launched a ransomware attack on the City of Hamilton, Ontario, that took down roughly 80% of the city's network, including municipal services, transit and licensing. The ransom demand was ~$18.5 million. (Breached Company)

The insured submitted a claim for ~$18.3 million in recovery costs, and the cyber insurer denied it. The stated reason: Multi-Factor Authentication (MFA) had not been fully deployed across critical systems, and full MFA deployment was a condition of the policy. (Specops Software)

Coverage Issue
Although the insured held a cyber policy, the insurer argued that the policy did not respond because the insured had failed to meet the minimum warranty/condition requirements (MFA). With that control not fully in place, the insurer took the position that the insured had misrepresented its security posture, and on that basis treated coverage for the claim as voided or denied. (Breached Company)

Why the Standard Package Fell Short

  • The cyber policy carried control conditions or warranties (MFA in this case; backups and network segmentation are common equivalents), and the MFA condition was not fully met across critical systems.

  • The insured assumed that “we have cyber insurance” meant full financial protection, but insurers increasingly require the warranted technical controls to be in place, and evidenced, at the time of loss, not just at binding.

  • Where a policy is underwritten on control conditions, failure to maintain a required safeguard can lead to denial of the entire claim rather than a reduced payout.

What a Custom Policy or Program Would Have Changed

  • A policy with clearer wording on which controls are required, where, and to what standard, and a more realistic warranty structure (for example a “best-efforts” or “commercially reasonable” control clause rather than an absolute condition precedent).

  • A pre-binding audit of the security controls, so that insurer and insured both know where the gaps are before a claim is ever made, rather than discovering them during claim adjustment.

  • Coordination between the cyber coverage and the incident response/forensics arrangements, so the insured knows what triggers coverage, who must be notified, and what evidence the insurer will expect after an incident.

  • Ongoing, evidence-based compliance monitoring of the warranted controls (for example, MFA enrolment coverage pulled from the identity provider on a schedule and retained as a record), so a lapse is found and closed before it becomes grounds for denial.
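
As an added example of what “evidence-based” monitoring of a warranted control can look like (this is not code from the page, the City of Hamilton or its insurer), the following Python script turns an identity-provider account export into an auditable record of MFA coverage measured against the policy's warranty thresholds. The export columns, the role tags, the sample accounts and the thresholds (100% MFA on privileged and remote-access accounts, 95% overall) are all assumptions; substitute the real export and the wording of the actual warranty.

```python
"""Evidence-based MFA coverage check against an insurance control warranty.

Added example, not code from the page or from any party to the Hamilton case.
Assumptions (hypothetical): the identity provider can export one row per
account with a `role` tag, a `remote_access` flag and an `mfa_enrolled` flag,
and the policy warranty requires 100% MFA on privileged and remote-access
accounts and 95% on all accounts.
"""
import csv
import hashlib
import io
import json
from datetime import datetime, timezone

# Constructed sample export; these are not real accounts.
SAMPLE_EXPORT = """\
user,role,remote_access,mfa_enrolled,last_login
alice,admin,yes,yes,2024-02-20
bob,admin,no,no,2024-02-24
carol,staff,yes,yes,2024-02-22
dave,staff,yes,no,2024-02-23
erin,staff,no,no,2023-11-01
frank,service,no,no,2024-02-25
"""

# Hypothetical warranty thresholds: minimum fraction of accounts with MFA.
WARRANTY = {
    "privileged": 1.0,     # every admin account
    "remote_access": 1.0,  # every account that can reach the network remotely
    "all": 0.95,
}


def parse_export(text):
    """Parse the CSV export and normalise the yes/no flags to booleans."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["mfa_enrolled"] = r["mfa_enrolled"].strip().lower() == "yes"
        r["remote_access"] = r["remote_access"].strip().lower() == "yes"
    return rows


def coverage(rows, predicate):
    """Return (fraction enrolled, sorted list of gap users, scope size)."""
    scope = [r for r in rows if predicate(r)]
    if not scope:
        return 1.0, [], 0  # an empty scope cannot be non-compliant
    enrolled = sum(1 for r in scope if r["mfa_enrolled"])
    gaps = sorted(r["user"] for r in scope if not r["mfa_enrolled"])
    return enrolled / len(scope), gaps, len(scope)


def assess(text, warranty=WARRANTY, now=None):
    """Measure MFA coverage per warranted scope and build an evidence record."""
    rows = parse_export(text)
    scopes = {
        "privileged": lambda r: r["role"] == "admin",
        "remote_access": lambda r: r["remote_access"],
        "all": lambda r: True,
    }
    findings = {}
    for name, pred in scopes.items():
        cov, gaps, n = coverage(rows, pred)
        findings[name] = {
            "accounts": n,
            "coverage": round(cov, 4),
            "required": warranty[name],
            "compliant": cov >= warranty[name],
            "gaps": gaps,  # the exact accounts that break the warranty
        }
    return {
        "checked_at": (now or datetime.now(timezone.utc)).isoformat(),
        # Hash of the raw export ties the finding to the data it was drawn from.
        "source_sha256": hashlib.sha256(text.encode()).hexdigest(),
        "compliant": all(f["compliant"] for f in findings.values()),
        "findings": findings,
    }


def evidence_line(record):
    """Serialise deterministically so the record can be appended to an audit log."""
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    print(evidence_line(assess(SAMPLE_EXPORT)))
```

Run on a schedule, each line appended to the audit log is a dated, data-bound statement of whether the warranted control was in place; on the constructed sample the record is non-compliant and names `bob` (an admin without MFA) and `dave` (remote access without MFA) as the accounts to fix, which is exactly the gap this case turned on.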

Key Take-away for Startups & Tech Firms

A cyber policy is not a box to tick. For software, SaaS and AI companies, if you do not maintain the security posture you represented at binding (MFA, segmentation, vendor controls, backups), your claim may be denied. Insurance is the last line of defence; the controls still have to be in place, and you should be able to prove it.

NOTE: This case study is for informational purposes only. Execurisk was in no way involved in the brokering or advising of insurance in the case described above.
