The Enforcement Year
Cyber Insurance: Know What You Have
Bottom line up front: Most organizations discover the gaps in their cyber insurance policy at exactly the wrong moment — after a breach. Understanding what your policy covers is a governance decision, not an IT decision.
Cyber insurance has become a boardroom staple. In a world of rising breach costs and regulatory pressure, executives understandably treat it as a safety net. The problem is that many policies are purchased with assumptions that turn out to be wrong when a claim is filed.
The most common misconception is that cyber insurance functions like general liability: that if something goes wrong, the policy pays. In practice, most policies are riddled with conditions. Coverage can be denied if the insurer determines that basic security controls weren't in place at the time of the incident. "Basic controls" is often defined in the fine print and may include things like multi-factor authentication across all systems, encrypted backups, and documented incident response plans. If your organization wasn't meeting those standards when the breach occurred, your claim may be rejected.
A second blind spot is the distinction between first-party and third-party coverage. First-party covers your own losses: recovery costs, business interruption, forensic investigation. Third-party covers claims made against you by customers or partners whose data was compromised. Many executives assume they have both. Not all policies include both.
Ransomware coverage deserves particular scrutiny. Some policies exclude ransom payments entirely; others cap them well below what attackers typically demand. Increasingly, insurers require organizations to demonstrate that they have offline, tested backups before ransomware coverage applies, because an organization that can restore from backup has less reason to pay, which reduces the insurer's exposure.
Sources: Lloyd's of London Cyber Insurance Market Report 2025 · Woodruff Sawyer Cyber Insurance Benchmarking Study · CISA Cyber Insurance Resources
Case Study: When The Policy Didn't Pay
On February 25, 2024, a ransomware attack struck the City of Hamilton, Ontario, disabling roughly 80 percent of its network. Business licensing, property tax processing, transit planning, and finance systems were taken offline for weeks. Some systems, including fire department records management and permit applications, were unrecoverable entirely. Attackers demanded approximately $18.5 million CAD. The city refused to pay and was able to restore critical services within 48 hours using backups.
That part of the story is a qualified success. What followed was not.
When Hamilton filed its cyber insurance claim, the insurer denied it. The reason, stated plainly in the policy: no coverage was available for losses where the absence of multi-factor authentication was the root cause of a breach. MFA had not been fully implemented across city departments at the time of the attack. The city obtained an independent legal review of the denial, and that review confirmed the insurer's position. Hamilton did not pursue further legal action. Taxpayers were left to cover the full $18.3 million CAD recovery bill.
What makes this case instructive is the timeline that preceded it. The city's insurer had flagged MFA as a policy requirement as early as 2022. A pilot rollout began the following year, covering only a few departments. Full implementation was still in progress when the attack occurred. The gap was known. It simply hadn't been closed.
Sources: City of Hamilton Official Cybersecurity Incident Summary, July 2025 · CBC News, July 31, 2025 · Global News, July 31, 2025
Compliance: What's Active In 2026
Several major regulatory frameworks moved from preparation to enforcement this year. These are not future planning items — they carry board-level accountability and regulators are already inspecting.
February/Spring — EU AI Act High-Risk Guidance Expected. High-risk AI system classifications are being clarified. If your organization uses AI in hiring, credit decisions, customer-facing services, or operational management, you need to know whether those systems fall under high-risk designation and what obligations follow.
March 23-26 RSA Conference, Moscone Center in San Francisco. Not a compliance deadline, but the moment the industry sets its agenda. Expect significant announcements around regulatory interpretation, vendor capabilities, and emerging threat intelligence. Worth tracking even for executives who don't attend.
Spring 2026 — NIS2 Enforcement Accelerating Across the EU. Enforcement timelines vary by member state: Belgium has active inspections underway with a milestone on April 18, while Germany requires BSI registration by April 2026 — but NIS2 now applies across a significantly broader range of sectors than its predecessor, including mid-sized organizations in energy, transport, healthcare, and digital infrastructure. If you have European operations and haven't completed a NIS2 gap assessment, the time is now.
2026 — DORA Supervision Now Active. The ICT Risk Management Framework deadline passed on January 17, 2025, and 2026 is the first full year of active supervisory scrutiny; regulators are inspecting and will ask to see documentation. Organizations still treating this as a future planning exercise are already non-compliant and at immediate risk of regulatory action.
2026 — UK FCA / PRA Operational Resilience: Now Under Active Supervision. The March 31, 2025 compliance deadline has passed, and 2026 is the first full year of active supervisory scrutiny; regulators will expect firms to demonstrate their resilience arrangements work in practice, not just on paper. Final rules on operational incident reporting and third-party arrangements are expected from the FCA and PRA in H1 2026.
2026 — SEC Cybersecurity Disclosure Rules: Enforcement Is Active. Material cybersecurity incidents must be disclosed within four business days, and the SEC has already pursued enforcement actions against companies for understating incident severity to investors. If your firm doesn't have agreed materiality thresholds and draft-ready disclosure language in place, that is your most immediate exposure.
Question for Your Security Team
The City of Hamilton case leaves every executive with a simple question: do you know what your policy requires you to have in place right now, and can you confirm it's actually there?
Start with these three questions for your security and legal teams:
- What does our policy actually exclude?
- What security controls are we required to maintain to keep coverage valid?
- When did we last test whether our incident response process meets the insurer's requirements?
How generative AI is quietly expanding your organization's attack surface, and what a sound response looks like for non-technical leaders.