Ask anyone working in cyber claims what actually derails coverage, and you don’t hear much about exotic exclusions. You hear about behaviour: what the insured did – or didn’t do – before and during the breach.
On a NetDiligence panel in Toronto, Tendai Moyo (pictured centre-right), senior vice president, cyber insurance practice lead at Risk Strategies, and Zack Garcia (pictured centre-left), assistant vice president, financial and professional services claims at Liberty Mutual Canada, laid out a brutally simple list of ways policyholders still sabotage their own claims. None of them require bad faith from the insurer. They just require you to ignore some basics.
Here’s how to torpedo your own cyber claim in three easy steps – and, more usefully, how not to.
The first set of landmines gets planted long before a breach.
Moyo said brokers still see clients make significant mid‑term changes – acquisitions, new lines of business, major shifts in technology stack, changes in active directory exposure – without ever looping in their broker or carrier. When that comes out for the first time in the middle of a live incident, it’s a recipe for friction.
From the insurer’s point of view, the risk they priced may no longer be the risk they are actually on.
The same applies to control declarations. On the cyber application, multi‑factor authentication, endpoint detection, backup architecture and patching processes all tend to appear as neat “yes/no” questions. When the answer is aspirational rather than factual, the problem often surfaces only when a claim exposes what is – and isn’t – really in place.
“We stress when they're completing the applications that they complete them with accuracy,” Moyo said. “If some controls are discovered to be missing when it's a claim that could be a problem, and we've seen that happen.”
Her advice is blunt: treat ongoing disclosure as a standing obligation, not a box you tick at inception. If in doubt whether a change is material, tell your broker and let them decide.
Once something suspicious appears on the network, the next misstep is trying to manage everything internally and delaying notification out of fear of “making it a big deal”.
Moyo sees this regularly: IT teams trying to contain an incident on their own, or business leaders unsure whether what they are seeing “is worth reporting”. Best practice, she said, is the opposite.
“Best practice, when in doubt, just report. Report often, report early. Cyber carriers love over‑communication. They love hearing from their clients,” she said. “Don't try and handle everything in-house by yourself.”
From the claims desk, Garcia said timing remains the single biggest practical issue, even as the market has matured.
“I think, from a claims perspective, number one is timing for sure,” he said. “I don't know what's worse, when we get an incident, and they've done everything already, hired five different vendors, and they say everything's great and good, or when they report it three days late, nothing's happened. They're both not ideal from our perspective.”
The stakes are high. Incident response firms can easily bill hundreds of thousands of dollars a week in a serious event. If those costs are incurred off‑panel, without consent, and then reported late, the carrier has a much stronger argument that conditions around notice and consent have been breached and coverage prejudiced.
“In an ideal world, an incident happens, they call their broker immediately,” Garcia said. “We start getting that process ready. I cannot stress that enough.”
The third way to damage your own claim is to treat carrier panels and processes as optional.
On vendor selection, Garcia said there is still a persistent suspicion among some insureds that panel firms exist to save the carrier money. They would rather lean on their usual corporate counsel or internal IT teams.
He pushed back hard on that perception.
“I think some of our insureds are sometimes a little reticent to go with a panel vendor because they think… we're just trying to shove like a cheap vendor down their throat because we have a better rate with them,” he said. “And I think that couldn't be further from the truth.”
Cyber panels, he argued, are built around firms that live and breathe these incidents: they handle dozens or hundreds of cyber losses, know the products and the claims workflows, and can move fast and adapt to different scenarios. By contrast, generalist advisers or in‑house teams are “usually, or often, not adequate to respond to a pretty serious incident”.
That doesn’t mean there is never room for insured‑preferred vendors, but trying to run a major ransomware or network intrusion entirely off‑panel, and only looping the carrier in when bills arrive, is a good way to invite disputes.
And the responsibility doesn’t end once notice is given. Garcia noted that some insureds still treat notification as a hand‑off, then step back just when breach coaches and incident responders need decisions.
“It really is an ongoing process, and the insureds need to know that they need to be available throughout the life of the claim.”
