In cyber insurance, most conversations still center on underwriting. Controls, questionnaires, and security posture dominate the evaluation of risk before a policy is even written. But increasingly, the real test is not happening before the breach. It is happening after.
Consider the Marriott breach, where attackers gained access to Starwood's systems in 2014 and
Beyond regulatory penalties, incidents like Marriott's expose a deeper issue. When organizations cannot clearly reconstruct what happened, they struggle to defend their decisions, their disclosures, and increasingly, their insurance claims.
The shift: Claims disputes are happening during the breach
Post-incident investigations now focus on questions like:
- Were required controls, such as multi-factor authentication, fully deployed?
- Did the organization follow incident response and policy requirements?
- Were decisions, such as ransom payments, made within policy terms?
Real-world cases show how costly gaps can be. After a ransomware attack on the city of Hamilton, Ontario, the insurer denied coverage, citing incomplete MFA implementation.
The rise of forensic defensibility
This shift is driving a new requirement in
1) Preserve evidence in a legally admissible format.
2) Reconstruct a detailed timeline of the incident.
3) Demonstrate root cause and scope with confidence.
The difference between being prepared and unprepared often comes down to timing. Prepared organizations collect and preserve data before remediation begins, whereas unprepared organizations attempt to reconstruct events after systems have been wiped, patched, or rebuilt, often destroying critical evidence in the process. The result is like investigating a fire without knowing what was in the room before it burned.
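As an added example (not code from the original article), the Python script below shows what steps 1 and 2 look like in practice: every collected artifact is hashed into a chain-of-custody manifest before remediation touches it, the manifest can be re-verified later to prove nothing changed (or to show exactly which item was overwritten by a rebuild), and timestamps from three differently formatted sources are normalised into one UTC timeline. The log contents, hostnames, user names and collector identity are constructed for illustration and are not from any real incident.

```python
"""Evidence preservation and timeline reconstruction helpers (added example)."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample artifacts: (artifact_id, source, raw bytes as collected).
# Three sources, three timestamp conventions: ISO-8601 UTC, ISO-8601 with a
# local offset, and Unix epoch seconds.
SAMPLE_ARTIFACTS = [
    ("m365-ual-001", "Microsoft 365 Unified Audit Log",
     b'{"CreationTime":"2024-03-02T03:14:07Z","Operation":"MailItemsAccessed","UserId":"j.doe@example.com"}'),
    ("win-sec-4624", "Windows Security log (host FS01)",
     b"2024-03-01T22:20:15-05:00 EventID=4624 LogonType=10 User=svc_backup Src=10.0.8.21"),
    ("slack-export", "Slack export (#it-ops)",
     b'{"ts":"1709355900.000000","user":"U0ADMIN","text":"rebuilding FS01 now, wiping disk"}'),
]

COLLECTOR = "ir-analyst-1"  # assumed identity of the person performing collection


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def preserve(artifacts, collector=COLLECTOR, collected_at=None):
    """Build a chain-of-custody manifest: one entry per artifact (hash, source,
    collector, collection time) plus a hash over the canonical manifest so the
    manifest itself cannot be silently edited after the fact."""
    collected_at = collected_at or datetime.now(timezone.utc)
    entries = [{
        "id": artifact_id,
        "source": source,
        "sha256": sha256_hex(raw),
        "size": len(raw),
        "collected_by": collector,
        "collected_at": collected_at.isoformat(),
    } for artifact_id, source, raw in artifacts]
    canonical = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return {"entries": entries, "manifest_sha256": sha256_hex(canonical)}


def verify(manifest, artifacts):
    """Return (intact, mismatched_ids). Flags a tampered manifest as well as any
    artifact whose current bytes no longer match the hash taken at collection."""
    canonical = json.dumps(manifest["entries"], sort_keys=True, separators=(",", ":")).encode()
    if sha256_hex(canonical) != manifest["manifest_sha256"]:
        return False, ["<manifest>"]
    expected = {e["id"]: e["sha256"] for e in manifest["entries"]}
    current = {aid: sha256_hex(raw) for aid, _, raw in artifacts}
    bad = sorted(aid for aid in expected if current.get(aid) != expected[aid])
    return (not bad), bad


def to_utc(source: str, raw: bytes) -> datetime:
    """Normalise each source's timestamp convention to an aware UTC datetime."""
    if source.startswith("Microsoft 365"):
        ts = json.loads(raw)["CreationTime"]            # ISO-8601, trailing Z
        return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    if source.startswith("Windows"):
        ts = raw.decode().split(" ", 1)[0]               # ISO-8601 with local offset
        return datetime.fromisoformat(ts).astimezone(timezone.utc)
    if source.startswith("Slack"):
        ts = float(json.loads(raw)["ts"])                # Unix epoch seconds
        return datetime.fromtimestamp(ts, tz=timezone.utc)
    raise ValueError(f"unknown source convention: {source}")


def build_timeline(artifacts):
    """Return events ordered by UTC time as (iso_utc, artifact_id, summary)."""
    return sorted((to_utc(src, raw).isoformat(), aid, raw.decode()[:60])
                  for aid, src, raw in artifacts)


if __name__ == "__main__":
    manifest = preserve(SAMPLE_ARTIFACTS)
    print("intact:", verify(manifest, SAMPLE_ARTIFACTS))
    for when, aid, summary in build_timeline(SAMPLE_ARTIFACTS):
        print(when, aid, summary)
    # Simulate a rebuild that wipes one host's log after collection.
    wiped = [(a, s, b"" if a == "win-sec-4624" else r) for a, s, r in SAMPLE_ARTIFACTS]
    print("after wipe:", verify(manifest, wiped))
```

Two design points matter for defensibility. First, the hashes are taken at collection time, before containment or rebuilds run, so a later mismatch proves which artifact was altered rather than leaving the question open. Second, the timeline step is where evidence sprawl bites: the Windows entry reads as 1 March local time but falls between the Microsoft 365 and Slack events once converted to UTC, which is the order an investigator, regulator or insurer will need. In a real engagement the manifest would also be signed or stored write-once, and the collection time would come from a trusted clock.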
Evidence sprawl: Why reconstruction is so difficult
Even when organizations try to investigate thoroughly, they face another challenge: evidence sprawl. Today's environments distribute data across SaaS platforms such as Microsoft 365 and Google Workspace, endpoints and security tools, collaboration platforms such as Slack and Teams, and legacy systems and acquired infrastructure. Over time, this creates fragmentation. Mergers, tool sprawl, and unused yet retained systems create blind spots.
There is a moment in many breach investigations when the issue becomes unavoidable, typically occurring when regulators require disclosure within strict timelines, legal teams prepare public statements, and insurers request detailed incident documentation. At that point, organizations may realize they cannot answer basic questions with certainty. They do not know exactly what data was accessed, where it was stored, or who was impacted. That uncertainty becomes the turning point.
Why reconstruction determines payouts
In cyber claims, if an organization can prove that a limited number of records were exposed, response efforts remain targeted. If it cannot prove scope, it must assume a worst-case scenario. That leads to over-notification of customers, expanded remediation and monitoring costs, and increased legal and regulatory exposure.
These inflated costs often create friction with insurers, particularly when the organization cannot substantiate its claims. If an organization cannot prove what happened, then it must pay for what might have happened.
As claims become more complex, breach response is no longer just a technical exercise. It is a legal one. Three functions must now work in parallel:
1) Incident response, which focuses on containment and recovery.
2) Forensics, which focuses on root cause analysis.
3) Legal and eDiscovery, which focus on liability and litigation.
These priorities can conflict. Rapid remediation can overwrite evidence. Forensic preservation can delay recovery. Legal requirements can expand the scope of data collection. Without coordination, critical evidence may be lost or rendered inadmissible. This is why legal hold, defensible collection, and clear documentation are becoming central to cyber claims.
The misconception that puts organizations at risk
A common assumption persists: if an organization can respond to a breach, it is covered.
That assumption is incomplete. Response alone does not produce admissible evidence, verifiable timelines, or defensible claims. In some cases, response actions can even destroy the data needed to support coverage.
What being defensibility-ready looks like
Organizations that successfully defend claims share several characteristics, including clear, documented incident response policies that are regularly tested, strong coordination between security, legal, and IT teams, and visibility across all data environments, including legacy systems.
Defensible organizations also have a strong understanding of policy requirements before an incident occurs. Most importantly, they practice. Tabletop exercises routinely uncover unknown systems, communication gaps, and decision-making challenges before a real breach occurs.
The bottom line is that cyber insurance is evolving. It is no longer enough to have the right controls on paper. Organizations must be able to prove what happened, how it happened, and what was impacted. That requires a shift in mindset, from prevention to reconstruction, from response to defensibility, and from security alone to alignment between security, legal, and risk.