As cyber-attacks increase, disputes between businesses and cyber-attack insurance providers are also escalating. Common areas of disagreement include the extent to which losses are covered, what constitutes a misuse of data, where liability for the breach lies, and whether the business has adequately met its cybersecurity obligations.

In arranging insurance to cover losses arising from a cyber-attack, it is essential that businesses understand exactly what their policy covers and have a clear idea of the potential extent of losses in the event of a serious attack.

Recent cases of cyber-attacks

The recent major attacks on Jaguar Land Rover and M&S were notable not only for their scale, but for the lack of adequate cyber-attack insurance. While Jaguar Land Rover had none, M&S had a policy that offered nowhere near enough cover for the losses sustained. Businesses need to consider not only immediate losses and claims against them, but also the length of time it is likely to take to return to full operations.

Many of the cases relating to insurance cover that are reaching the courts relate to data protection and breach of confidence.

In Warren v DSG Retail Ltd [2021], a claim of £5,000 was brought against a retailer, Dixons Carphone. Dixons had suffered a cyber-attack in 2018, and around 14 million data points were potentially accessed. The claimant alleged that his name, address, phone number, date of birth, and email address were potentially accessed, and brought a claim for breach of the Data Protection Act 1998, misuse of private information, breach of confidence, and negligence.

The court rejected the claim. The judge ruled that a loss of control of personal data did not meet the standard of “material damage” that would be necessary for a claim to succeed.

More recently, in the case of Farley & Ors v Paymaster (1836) Ltd (trading as Equiniti) [2025], a group of former police officers claimed damages for misuse of their personal information and a breach of the UK General Data Protection Regulation. The defendant had sent their pension benefit statements to old addresses. The judge ruled that their claims could not succeed because there was no evidence that a third party had actually accessed the benefit statements.

The Court of Appeal disagreed with this analysis. It confirmed that such compensation claims for distress resulting from the fear of the consequences of a breach of personal data can succeed without the need to prove that a third party has accessed the data. Also, there is no minimum “threshold of seriousness” which a claimant must prove. At the same time, the claim must be objectively well-founded; it cannot be hypothetical.

Guidance on covering risk with cyber-attack insurance cover

Businesses need to take the risk of cyber-attacks extremely seriously. They must ensure that they have sufficient insurance cover in place and that they are complying with the conditions of their insurance policies. Experts should be engaged to check the proposed terms of a policy, ensuring that it provides the insurance expected.

Key issues include:

  • Identifying the risks which need to be insured against, for example deliberate employee actions.
  • Establishing the level of coverage realistically required, taking into account:
    • Losses that could potentially be sustained including data recovery costs, legal costs, loss of business, and ransom demands;
    • Third-party claims, including breach of contract, breach of confidence, breach of data protection rules, and fines by the authorities.
  • Complying with the terms and conditions of the policy, which are likely to require adherence to strict cybersecurity procedures and regular reviews, staff training, and updates to software.

Potential areas of dispute between cyber insurers and policyholders

Common areas of dispute between claimants and those providing cyber-attack insurance include:

  • Whether the incident is a cyber event or results from internal issues including employee negligence or deliberate employee misconduct,
  • Lack of compliance with the terms and conditions of the insurance policy, for example, the claimant’s failure to meet its cybersecurity obligations,
  • Failure to disclose an earlier incident,
  • Disagreement over the origin of the loss where a third party is involved,
  • Whether the attack is by a foreign government, which is routinely excluded from insurance coverage, and
  • Disputes over the extent of losses and the value of the claim.

How 3CS can help

Our expert dispute resolution solicitors provide strategic and effective assistance in resolving disputed cyber-attack insurance claims. For assistance, please reach out to your usual 3CS contact.

Jonathan Cohen


Registered in England & Wales | Registered office is 60 Moorgate, London, EC2R 6EJ
3CS Corporate Solicitors Ltd is registered under the number 08198795
3CS Corporate Solicitors Ltd is a Solicitors Practice, authorised and regulated by the Solicitors Regulation Authority with number 597935

