In February 2024, ransomware attackers took down roughly 80% of the City of Hamilton, Ontario’s network. Property tax processing, business licensing, transit planning, the fire department’s records system — gone. The attackers demanded $18.5 million. The city refused to pay, focused on containment, and ultimately spent $18.3 million on recovery, third-party expertise, and infrastructure upgrades. Painful, but survivable. There was, after all, a $5 million cyber insurance policy in place.

In July 2025, the insurer denied the claim.

The reason was not the attack itself. It was a clause buried in the policy application — a clause that businesses across Orange County, Los Angeles, and San Diego have all signed without understanding, and one that insurers are now using to deny claims at unprecedented rates. More than 40% of cyber insurance claims filed in 2024 and 2025 have been denied. The vast majority of those denials trace back to the same single mechanism. Here’s how it works, why it’s getting worse, and what every OC business should do about it before the next renewal.

  • 40%+ of cyber insurance claims denied in 2024–2025 (Fitch Ratings)
  • 82% of 2025 denied claims involved companies without full MFA deployment
  • $5M claim denied to City of Hamilton — MFA wasn’t enforced on every system
  • 50% premium increases some carriers have imposed as denials rise

The clause: “material misrepresentation” on the application

Every cyber insurance policy in the United States is underwritten on the basis of an application. Somewhere in that application, you (or someone at your company — usually IT, sometimes the CFO, occasionally an outside consultant) answered a series of questions about your security controls. Is multi-factor authentication enforced on all user accounts? Yes/No. Do you have endpoint detection and response on every endpoint? Yes/No. Is your data backed up to an immutable, off-site location? Yes/No. Do you provide regular security awareness training to all employees? Yes/No. Do you have a written incident response plan that has been tested in the last 12 months? Yes/No.

Most businesses answered “yes” to most of those questions. Some of those “yes” answers were accurate. Many were aspirational — “we’re working on it.” Others were genuinely mistaken because nobody actually verified.

And then the clause kicks in. Buried in the policy is language to the effect of: This policy is issued in reliance on the representations made in the application. Any material misrepresentation may result in rescission of the policy or denial of claims. Variations of this language appear in virtually every major cyber insurance policy. It is not new. What’s new is how aggressively insurers are using it.

In the landmark Travelers v. International Control Services case decided in 2024, Travelers Insurance sought to rescind a cyber policy entirely after discovering that International Control Services had stated on its application that MFA was deployed across all systems — when, in reality, it was not fully implemented. The court agreed with the insurer. The policy was rescinded. The ransomware claim was denied not because MFA caused the breach, but because the company had attested to a control that wasn’t in place. Intent didn’t matter. The misrepresentation, even if unintentional, was enough.

That ruling is now the template. The Hamilton case is the most visible recent example: their policy required MFA across all required systems, MFA wasn’t enforced consistently, the $5 million claim was denied. And in case after case throughout 2025, insurers have applied the same logic — your application is a continuing warranty, and the moment any one of those “yes” answers turns out to have been “mostly,” “we’re working on it,” or “we have it but didn’t enforce it everywhere,” the policy is in jeopardy.

The five attestations that come back to haunt businesses

The application questions are the same across most carriers. The misrepresentations that are getting claims denied are the same handful, repeated across industries.

| What the application asked | What businesses answered | What insurers found post-breach |
|---|---|---|
| “MFA on all user accounts?” | “Yes” | MFA on email only; not on VPN, EHR, or admin accounts |
| “EDR deployed on all endpoints?” | “Yes” | EDR on most workstations; not on servers or BYOD laptops |
| “Immutable, off-site backups?” | “Yes” | Backups exist on NAS in same building; never tested for restore |
| “Regular security awareness training?” | “Yes” | One video assigned 18 months ago; no documented completion records |
| “Tested written IR plan?” | “Yes” | A 4-page PDF written by IT, never tested, never updated since 2022 |
| “Patching within 30 days of release?” | “Yes” | Servers patched, but two firewalls and the VPN appliance running 14-month-old firmware |
| “90+ days of EDR log retention?” | “Yes” | Logs retained for 30 days, attacker dwell time exceeded retention window |

Each of those rows is a real pattern. Each one has resulted in denied claims across 2024 and 2025. And here’s the part that gets people: the breach doesn’t have to be caused by the control gap. The Hamilton attack was not specifically enabled by the systems that lacked MFA. Doesn’t matter. The misrepresentation existed at the time of underwriting. The policy was issued under false assumptions. Claim denied.

The new wave: AI exclusions, war exclusions, and tracking-pixel disasters

The application warranty is the most common denial mechanism, but it isn’t the only one. 2025 saw the rise of three additional exclusion categories that are catching businesses by surprise.

AI exclusions. Policies issued in 2025 and 2026 increasingly include language excluding coverage for incidents involving AI — even tangentially. If a phishing email was AI-generated, if your incident involved an AI-driven attack vector, if there’s any meaningful AI involvement in the chain of causation, some carriers are now disputing coverage. This language is poorly defined on purpose, and litigation around it will define the next few years.

War and nation-state exclusions. The NotPetya litigation between Merck and its insurers shaped this. Most policies now have specific exclusions for “hostile or warlike action” by nation-state actors. The problem: attribution in cybersecurity is murky, and “Russian-linked” is often enough for an insurer to invoke the exclusion even if the attribution is contested. Several major 2025 ransomware claims have been denied on this basis.

Web tracking and privacy exclusions. The lawsuits over Meta Pixel, Google Analytics, and similar tracking technologies on healthcare and financial websites generated billions in class action exposure in 2024–2025. Insurers responded by adding explicit exclusions for claims arising from unauthorized data collection via cookies, pixels, or analytics tools. If your marketing team implemented a tracking pixel that violated HIPAA or California’s CCPA, your cyber insurance probably won’t cover the resulting lawsuit.

Red flag: 17% of all cyber insurance claim denials in 2025 happened for a single, separate reason: the business reported the incident too late. Most policies require notification within hours of discovery — sometimes 24 hours, sometimes less. If you find out about a breach on Friday afternoon and wait until Monday to call your broker, you may have already forfeited coverage. Read your notification clause now, not later.

Why this got dramatically worse in 2024–2026

Cyber insurance was a generous, growing market through 2020. Premiums were low, requirements were loose, claims paid. Then ransomware losses exploded, carriers absorbed unsustainable payouts, and the industry tightened — fast. Premiums climbed (some carriers raised rates by 50% or more), capacity contracted, and underwriting became substantially more rigorous.

The application questions, which used to be a formality, became a battleground. Carriers started using AI-driven underwriting that scans your public-facing assets and compares what they find to what you claimed on the application — and if your customer portal doesn’t enforce MFA but you said “MFA everywhere,” that’s now flagged before the policy is even issued. After issuance, carriers are running mid-term reviews and checking that controls remain in place. This is no longer “pass the medical exam once and keep paying premiums.” It’s “keep passing the medical exam every month.”

For most Orange County businesses, this has produced a quiet but enormous problem: they’re paying premiums for a policy that, if a claim ever hit, would almost certainly be denied. The policy is functioning as expensive theater. The risk transfer it was supposed to provide doesn’t exist.

What every OC business should do before the next renewal

The fix here is not “switch insurance brokers.” It’s making sure that what you attested to is what you actually have, before the application is signed and continuously after. Here’s the practical sequence:

  • Pull your current application out of the file. Whoever signed it. Whenever. Read every “yes” answer.
  • Verify each “yes,” in writing, against the actual state of your environment. Don’t ask IT if MFA is “on” — ask for a report showing every account, every system, and whether MFA is enforced. Same for EDR, backups, training, patching, IR plan.
  • Identify the gaps before the insurer does. If you said yes and the answer is actually “mostly” or “we’re working on it,” that’s a misrepresentation waiting to deny a claim. Close the gap or correct the application — both are dramatically better than leaving it unresolved.
  • Enforce MFA on every account, every system, no exceptions. This is the single biggest denial driver. Partial MFA is functionally equivalent to no MFA from an insurance standpoint.
  • Document your training program. Phishing simulations with completion records. Quarterly micro-trainings with attendance logs. If OCR, the bar, or an insurer asks for proof, you should be able to produce it within an hour.
  • Test your incident response plan. A tabletop exercise once a year. Document it. The first time you “test” your IR plan should not be during an actual incident.
  • Know your notification clause cold. Print it. Tape it to the wall. The 17% of denials for late reporting are completely preventable.
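
One way to run the "verify each yes in writing" step, shown as an added example that is not part of the original article: a short Python check that compares application answers with exported evidence and lists every row that contradicts a "yes". The attestation keys, field names and inventory rows are constructed for illustration; real input would come from your identity provider, EDR console and patch-management exports.

```python
from datetime import date

# Constructed sample evidence (not real data). In practice these rows come from
# identity-provider, EDR-console and patch-management exports.
ACCOUNTS = [
    {"system": "email", "account": "jdoe", "mfa_enforced": True},
    {"system": "vpn", "account": "jdoe", "mfa_enforced": False},
    {"system": "ehr", "account": "asmith", "mfa_enforced": False},
    {"system": "ad", "account": "da-admin", "mfa_enforced": False},
]
# oldest_missing_patch: release date of the oldest update not yet applied.
ASSETS = [
    {"host": "ws-014", "kind": "workstation", "edr": True, "oldest_missing_patch": None},
    {"host": "srv-db1", "kind": "server", "edr": False, "oldest_missing_patch": date(2025, 5, 20)},
    {"host": "fw-edge", "kind": "firewall", "edr": None, "oldest_missing_patch": date(2024, 4, 2)},
]
# Hypothetical keys for the application's yes/no answers.
ATTESTED = {"mfa_all_accounts": True, "edr_all_endpoints": True,
            "patch_within_30_days": True, "edr_logs_90_days": True}
ENDPOINT_KINDS = {"workstation", "laptop", "server"}


def find_gaps(attested, accounts, assets, log_retention_days, today):
    """Map each attested 'yes' to the evidence rows that contradict it."""
    found = {
        "mfa_all_accounts": [f"{a['system']}/{a['account']}"
                             for a in accounts if not a["mfa_enforced"]],
        "edr_all_endpoints": [x["host"] for x in assets
                              if x["kind"] in ENDPOINT_KINDS and not x["edr"]],
        "patch_within_30_days": [x["host"] for x in assets
                                 if x["oldest_missing_patch"]
                                 and (today - x["oldest_missing_patch"]).days > 30],
        "edr_logs_90_days": ([f"retention={log_retention_days}d"]
                             if log_retention_days < 90 else []),
    }
    # Only a "yes" answer that the evidence contradicts is reported.
    return {k: v for k, v in found.items() if attested.get(k) and v}


if __name__ == "__main__":
    gaps = find_gaps(ATTESTED, ACCOUNTS, ASSETS, 30, date(2025, 6, 1))
    for control, rows in gaps.items():
        print(f"{control}: attested yes, contradicted by {', '.join(rows)}")
```

An empty result means the evidence supplied contradicts no "yes" answer; it says nothing about systems missing from the exports, so the inventory itself has to be complete.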

None of this is theoretical. The controls that prevent insurance denials are the same controls that prevent breaches in the first place. A real cybersecurity program for an Orange County business produces the documentation, evidence, and continuously-enforced controls that both insurers and attackers respect — and the absence of that program is what gets claims denied.

Key takeaway: Your cyber insurance policy is not a safety net unless the controls you attested to on the application are real, enforced, and continuously in place. The premium you’re paying is the easy part. The audit-ready evidence behind it is the part that determines whether a claim ever gets paid. Most OC businesses have one and not the other.

The honest version

If you read the policy carefully, talked to your broker honestly, and verified every control on your application — your cyber insurance is genuinely useful. It’s the safety net it was designed to be. If you didn’t, it isn’t, and you won’t find out until the moment you need it most.

The companies that get their claims paid are the ones who treated the application as a serious legal document, not a paperwork exercise. They built the controls first, then bought the insurance, then maintained the controls continuously. The companies whose claims get denied are the ones who bought the insurance first, attested to controls they intended to build, and discovered after a breach that “intended to” doesn’t pay claims.

The next renewal is the right moment to fix this. So is the moment your managed IT provider in Orange County finishes their next quarterly review — assuming you have one. If you don’t, that’s the deeper problem this article is really about.

Find out if your cyber insurance application matches your actual environment.

Intelecis has helped Orange County businesses align their cybersecurity programs with their insurance attestations since 2010 — so that when something happens, the claim actually pays. NSA-Accredited, with documented experience supporting cyber insurance renewals and post-incident response. Book a free security assessment and we’ll show you, in writing, exactly where the gaps between your policy and your environment are.
