How cyber insurance helped with breach recovery -- or not
Four organizations, each with cyber insurance policies, responded differently to data breaches. Read the real-world examples of what went right and wrong.
Since its emergence in the 1990s, cyber insurance has become a critical part of enterprise risk management. Initially a narrow offshoot of errors and omissions insurance, it matured quickly as companies became more reliant on data and technology -- and as attackers posed a greater threat.
Cyber insurance, also known as cyber liability insurance, is a commercial product that transfers financial risk arising from cyberattacks to a third party, helping victims recover from financial losses and operational disruptions. While terms vary from policy to policy, insurers typically cover a range of scenarios, including data breaches, malware, social engineering attacks, system failures and business interruptions. According to MarketsandMarkets, the cyber insurance market, valued at $16.5 billion in 2025, is forecast to grow to $32 billion by 2030.
Do organizations really need cyber insurance?
The FBI, in its IC3 Internet Crime Report, disclosed losses exceeding $20.8 billion as a result of cybercrime in 2025, a 26% increase from the prior year. Despite elevated cybersecurity awareness and sophisticated defenses, no organization is immune to digital threat actors.
The fallout from data breaches has grown more severe, too. Beyond financial damages, organizations recovering from a cyberattack potentially face negative press, loss of public trust, regulatory costs and concerns, unanticipated business disruptions and legal action from stakeholders. A successful data breach can easily cost millions and affect a company for years.
Traditional business insurance policies typically exclude cyber risks, so a dedicated cyber policy is usually the only coverage that helps an operation get back on its feet after a breach. In recent years, businesses of all sizes and across industries have discovered both the benefits and the limits of cyber insurance coverage. The following incidents are a few of the high-profile data breaches that occur all too often, and they highlight how cyber insurance policyholders responded.
Cyber insurance carrier breached
The CNA Financial Corporation breach is one of the most significant ransomware incidents to affect the insurance industry, particularly because CNA itself is a major provider of cyber insurance.
In March 2021, CNA disclosed that it had suffered a sophisticated cyberattack that disrupted its network and internal systems, including corporate email and employee services. The attack was later identified as ransomware, widely attributed to the Russian-linked Evil Corp group and its Phoenix CryptoLocker strain. It reportedly encrypted more than 15,000 devices across the company's network, including remote systems connected via VPN. This widespread disruption forced CNA to shut down parts of its IT infrastructure and engage forensic experts and law enforcement to investigate the breach.
CNA decided to pay approximately $40 million in ransom, negotiated from a $60 million demand, to regain access to its systems. At the time, it was one of the largest publicly known ransomware payments.
Cyber insurance played a paradoxical role in this event. As a leading cyber insurer, CNA offered policies designed to help other organizations recover from cyberattacks, including coverage for ransomware incidents, business interruption and incident response services. However, in its Securities and Exchange Commission filings, CNA said its cyber insurance coverage would probably not fully offset the financial losses from the attack.
Resort pays to recover loyalty data
In August 2023, Caesars Entertainment, operator of the Caesars Palace resort, was the victim of a social engineering attack targeting a third-party IT vendor. Attackers linked to the Scattered Spider group impersonated Caesars employees and tricked its outsourced IT support vendor into sharing access credentials. Once inside, they exfiltrated a large database tied to Caesars' loyalty program, compromising sensitive personal information belonging to its rewards members, including some driver's license and Social Security numbers.
The attackers demanded a ransom of around $30 million. Caesars ultimately chose to pay $15 million in exchange for the attackers' assurances that the stolen data would be deleted. Caesars' decision to pay enabled casino and hotel operations to continue largely uninterrupted, an example of the high-stakes trade-offs organizations face during ransomware incidents.
In its regulatory filings, Caesars acknowledged that the total financial impact of the breach -- including the ransom payment, investigation and remediation costs -- would be only partially offset by its cyber insurance coverage.
MGM Resorts refuses to pay
A month after the Caesars breach, MGM Resorts International suffered a similar incident. Scattered Spider used social engineering techniques to access MGM's systems by impersonating an employee and convincing the IT help desk staff to reset credentials. Attackers deployed ransomware, encrypting systems and forcing MGM to shut down large portions of its operations.
MGM did not pay its attackers. Hotels and casinos across Las Vegas experienced widespread outages, including inoperable slot machines, malfunctioning digital room keys and disabled booking systems. The disruption lasted several days, significantly impacting customer experience and revenue. MGM later confirmed that personal information, including names, contact details and some Social Security numbers, had been accessed.
Cyber insurance mitigated some of these losses but did not eliminate the financial impact. The company reportedly held a policy covering up to $200 million in business interruption and ransomware-related costs, yet it still disclosed a $100 million financial impact from the incident, with an additional $10 million incurred in costs for consultants, advisors and legal fees.
A city denied due to MFA
The February 2024 cyberattack on the city of Hamilton, Ontario, showed how failing to meet cyber insurance requirements can leave an organization fully exposed to financial loss. Attackers gained access to the city's network through weak credentials on public-facing systems. The incident crippled 80% of the municipal IT infrastructure. Critical services, including business licensing, property tax and transit planning, were offline for weeks. Some system backups, including permit applications and fire department records, were unrecoverable.
The attackers demanded $18.5 million in ransom. Hamilton chose not to pay, citing unreliable decryption tools and concerns about funding organized crime. Instead, it spent nearly the same amount -- about $18.3 million -- on recovery efforts.
Under normal circumstances, Hamilton's cyber insurance policy would have helped offset the losses. However, the city's IT teams had not fully implemented MFA, as the policy required, and the claim was denied. The missing security control turned the entire recovery cost into an uninsured financial burden shouldered by taxpayers.
With cybercrime costs surging and the fallout from breaches growing more severe, organizations should consider the role of cyber insurance in safeguarding operations, reputation and the bottom line. Whether policyholders decide to cede to threat actor demands or take a stand on principle, organizations must clearly understand what's covered, what's not and what cybersecurity measures are necessary to keep systems safe.
Richard Livingston is an editor with Informa TechTarget's SearchSecurity site, covering cybersecurity news, trends and analysis.