Highest Rated Comments

hippopotosauruses (51 karma)

Obviously I'm not OP, but I also work in the cyber insurance industry.

I'd need a small novel to address how claims are actually processed, but I think we need to untangle a couple of concepts.

Cyber insurance terms, like other insurance terms, are set at the time of underwriting. And those terms remain in force for the duration of the policy (usually a year). An insurer can't change the terms of coverage once you make a claim.

Insurers are trying to underwrite to an overall picture of cyber security posture. What does your network look like? Who manages it? What security controls do you have, and how do you deploy them? We underwrite knowing full well your security posture isn't akin to an impenetrable fortress. If it was, you wouldn't need us. But we give better terms to good risks, and worse terms to bad risks. If a risk is bad enough - which is common in this market - we won't offer terms at all.

As for cyber insurance claims not paying out, that assertion makes the rounds at security conferences, usually by salty old admins or some guy who heard it from a guy who heard it from a guy. And if you dig into the specific claims (assuming you can even get a name), you'll find it's almost never a cyber insurance policy at issue. It's somebody getting hit with ransomware and trying to get coverage under a property policy, or a general liability policy, or a crime policy. E.g. that Mondelez v. Zurich claim that was all over the news after NotPetya. That was a property insurance policy.

Those policies don't underwrite your cyber risk and generally aren't intended to cover it. And these days most of them have very bright line exclusions for cyber risk. But a few years back, those exclusions weren't always so clear, and sometimes creative lawyers win and find coverage on those policies because courts uniformly resolve language vagaries against the insurer, not the insured.

But if you're buying actual cyber insurance coverage, where your cyber risk posture is underwritten, you'll find those claims get paid. Unless you're, like, lying on the application or intentionally misrepresenting your security, then you can expect it to be declined. Just keep an eye on sublimits. These will be obvious - on a declarations page or summary of coverage from your broker. Cyber insurance policies cover a lot of different things, and not all of them have full limits all the time. And some will have coinsurance. Nobody's being cute or hiding it, but insurance policies are complicated things, and your broker ought to be explaining them to you.

Edit: also, beware the sort of self-fulfilling prophecy of the person who uncritically buys the cheapest thing they can, doesn't spend any time on the details, and then complains that it doesn't work how they wanted it to. It's frustratingly common in insurance and tech, and cyber insurance sits right at the nexus of both. And there are some seriously crappy companies out there selling "cyber insurance."

Edit 2: I'm going to shut up and let OP respond. It's his AMA and I'm just some rando on the Internet.

hippopotosauruses (11 karma)

Have you seen subrogation actually used (e.g. under a network security liability insuring agreement, or against some supplier's E&O) in cyber insurance? And if so, is it used often?