The Check That Never Came

They had cyber insurance. They’d paid their premiums for years. When ransomware finally hit, they filed a claim expecting to be covered.

The insurance company denied it.

This scenario plays out more often than most business owners realize. Cyber insurance isn’t a magic shield; it’s a contract with specific requirements. Miss one, and you could be on your own when disaster strikes.

Here are five reasons cyber insurance claims get denied, and what you can do to make sure yours doesn’t.

The moment you realize your cyber insurance claim has been denied is not when you want to learn about policy exclusions.

1. You Weren’t Using Multi-Factor Authentication

This is the most common reason for claim denials in recent years. Most cyber insurance policies now require multi-factor authentication (MFA) on email, VPNs, and administrative accounts. It’s often buried in the policy language or the application questionnaire.

If you told your insurer you had MFA enabled everywhere, but the attackers got in through an account that didn’t have it, your claim can be denied for material misrepresentation.

The fix: Audit every system that should have MFA. Don’t assume IT enabled it everywhere. Verify it yourself, and document it.

2. You Didn’t Report the Incident in Time

Most policies have strict notification windows, often 24 to 72 hours from when you discover a breach. Miss that window, and the insurer can argue you’ve prejudiced their ability to investigate or mitigate damages.

In the chaos of a ransomware attack, calling the insurance company often falls down the priority list. That’s a costly mistake.

The fix: Put your insurance carrier’s claims hotline number somewhere you can find it without computer access: a printed card in your wallet, your phone contacts, or a physical emergency binder. Make notification part of your incident response checklist.

3. You Paid the Ransom Before Getting Approval

Many cyber insurance policies require you to get insurer approval before paying a ransom. If you pay first and ask questions later, you may not be reimbursed.

Insurers have reasons for this requirement. They want to verify the legitimacy of the demand, check if the attackers are on sanctions lists (paying them could be illegal), and sometimes they can negotiate better terms.

The fix: Know your policy requirements before an incident. If your policy requires pre-approval for ransom payments, make sure that’s part of your response plan.

4. Your Security Wasn’t What You Said It Was

When you applied for cyber insurance, you filled out a questionnaire about your security practices. Those answers become part of your policy. If they’re not accurate when a claim is filed, you have a problem.

Common misrepresentations include:
• Claiming all systems are patched regularly when some aren’t
• Saying backups are tested when they’ve never been verified
• Indicating all employees have completed security training when training lapsed
• Stating endpoint protection is on all devices when some are unprotected

The fix: Review your insurance application annually. Make sure what you claimed is still true. If your security posture has changed, notify your insurer.

5. The Attack Exploited a Known Vulnerability You Didn’t Patch

If attackers got in through a vulnerability that had a patch available for months, insurers may argue you failed to maintain reasonable security. This is especially true for critical vulnerabilities that made headlines.

The argument: you knew (or should have known) about the risk and didn’t address it. That’s negligence, not an insurable accident.

The fix: Have a documented patch management process with reasonable timeframes. Critical vulnerabilities should be addressed within days, not months. Keep records showing when patches were applied.

What You Can Do Now

Don’t wait for a claim to find out your insurance won’t pay. Take these steps:

Read your policy. Actually read it, or have someone explain it to you. Understand what’s covered, what’s excluded, and what’s required of you.

Review your application. Pull out the questionnaire you filled out when you applied. Is everything still accurate? If not, update it.

Document your security. Keep records of MFA implementation, patch management, backup testing, and employee training. If you ever need to prove you were doing the right things, you’ll have evidence.

Know your notification requirements. Understand exactly what you need to do and how quickly when an incident occurs.

Test your incident response plan. A tabletop exercise will reveal gaps in your process, including whether anyone remembers to call the insurance company.
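As an added example (not centrexIT’s tooling or anything the article describes), the check below compares a constructed account and patch inventory with the answers given on the questionnaire, covering items 1 and 5 above and the "document your security" step: it flags accounts in a claimed-as-covered role without MFA and critical patches applied, or still open, beyond the claimed SLA. Account names, hostnames, patch ids, dates and the 14-day SLA are all constructed assumptions.

```python
from datetime import date

# Added example: compare inventory records with what the insurance questionnaire claimed.
# Record formats, role names, dates and the 14-day SLA are constructed assumptions.
CLAIMED = {"mfa_roles": {"email", "vpn", "admin"}, "critical_sla_days": 14}
TODAY = date(2024, 5, 1)  # constructed audit date

ACCOUNTS = [  # constructed account inventory: role and MFA enrolment state
    {"user": "cfo@example.com", "role": "email", "mfa": True},
    {"user": "svc-backup", "role": "admin", "mfa": False},  # service account nobody enrolled
    {"user": "contractor-vpn", "role": "vpn", "mfa": False},
    {"user": "jdoe@example.com", "role": "standard", "mfa": False},  # role not claimed as MFA-covered
]

def rec(host, patch_id, severity, released, applied=None):
    """Constructed patch record (ids are placeholders, not real advisories); applied=None = still open."""
    return {"host": host, "patch": patch_id, "severity": severity,
            "released": released, "applied": applied}

PATCHES = [
    rec("fw-01", "PATCH-PLACEHOLDER-1", "critical", date(2024, 1, 10), date(2024, 1, 15)),
    rec("mail-01", "PATCH-PLACEHOLDER-2", "critical", date(2024, 2, 1), date(2024, 4, 20)),
    rec("web-01", "PATCH-PLACEHOLDER-3", "critical", date(2024, 3, 1)),
    rec("web-01", "PATCH-PLACEHOLDER-4", "low", date(2023, 6, 1)),
]

def mfa_gaps(accounts, required_roles):
    """Accounts in a role the questionnaire said was MFA-covered, but without MFA."""
    return sorted(a["user"] for a in accounts if a["role"] in required_roles and not a["mfa"])

def patch_sla_breaches(patches, sla_days, today):
    """Critical patches applied later than the claimed SLA, or still open past it."""
    out = []
    for p in (p for p in patches if p["severity"] == "critical"):
        exposed = ((p["applied"] or today) - p["released"]).days
        if exposed > sla_days:  # (host, patch_id, days_exposed, still_open)
            out.append((p["host"], p["patch"], exposed, p["applied"] is None))
    return out

def attestation_report(claimed, accounts, patches, today):
    """One line per finding; an empty list means the inventory matches the questionnaire."""
    sla = claimed["critical_sla_days"]
    findings = [f"MFA missing on in-scope account: {u}"
                for u in mfa_gaps(accounts, claimed["mfa_roles"])]
    for host, pid, days, still_open in patch_sla_breaches(patches, sla, today):
        state = "still unpatched" if still_open else "applied late"
        findings.append(f"{host} {pid}: {days} days exposed, {state} (claimed SLA {sla}d)")
    return findings

if __name__ == "__main__":
    print("\n".join(attestation_report(CLAIMED, ACCOUNTS, PATCHES, TODAY)))
```

Run against your real inventory export, the output is the list of things to fix or disclose to the insurer before a claim is ever filed, and a clean run is the kind of record the "document your security" step asks you to keep.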

The Bottom Line

Cyber insurance is valuable, but only if it actually pays when you need it. The time to understand your policy requirements is now, not when you’re staring at a ransom note wondering if you’re covered.

centrexIT helps organizations understand their security posture and close gaps before they become claim denials. If you’re not sure whether your security matches what your insurance policy requires, let’s find out together.
