Six months later, his company got hit with a business email compromise. $80,000 wired to a fraudulent account. He filed a claim.
The insurer denied it.
Insurance Doesn’t Protect You. It Covers the Bill After.
Let’s be clear about what cyber insurance actually is: it’s a financial recovery tool. It doesn’t prevent attacks. It doesn’t stop ransomware. It doesn’t keep your data safe.
It’s supposed to help you pay for the cleanup after something goes wrong. And even that is becoming less reliable.
Insurers are getting smarter. And stricter. And they’re denying claims at a rate that should make every business owner uncomfortable.
Why Claims Get Denied
Here’s what’s happening: insurance companies started offering cyber policies when the market was new and the premiums were flowing. Then the claims started pouring in. Ransomware alone cost insurers billions. So they adapted.
Now, most cyber insurance policies come with a long list of security requirements. If you can’t prove you met those requirements at the time of the incident, your claim gets denied. Common reasons include:
No MFA enabled. This is the big one. If you weren’t enforcing multi-factor authentication on email, VPN, and critical systems, many insurers won’t pay. Period.
No backup and disaster recovery plan. If your backups weren’t tested, weren’t offsite, or weren’t actually working, that’s a denial.
No endpoint management. If your devices weren’t being monitored and patched, the insurer can argue you weren’t maintaining reasonable security practices.
No employee training. If the breach started with a phishing email and you have no record of security awareness training, you’ll hear the word “negligence” in the denial letter.
No incident response plan. Insurers expect you to have a documented plan for how you’ll handle a breach. If you were making it up as you went, that’s a problem.
Read that list again. Those aren’t obscure technical requirements. They’re basic cybersecurity hygiene. And most small to mid-sized businesses aren’t doing all of them.
The Insurance Application Is Getting Harder
It’s not just claims that are getting stricter. Getting the policy in the first place is becoming a challenge.
Cyber insurance applications now look like security audits. They ask about your patch management, your backup frequency, your admin access controls, your network segmentation, and whether you’re running endpoint detection and response. If you can’t answer those questions, you either get denied coverage or you pay through the nose for a policy with major exclusions.
Some businesses are filling out these applications optimistically. Checking boxes they shouldn’t be checking. That’s a dangerous game, because if you claim MFA is enforced and it wasn’t at the time of the breach, that’s misrepresentation on the application. The insurer can rescind the policy outright, not just deny the one claim.
We’ve helped clients fill out these applications honestly and still get competitive rates. How? Because we actually implement the controls the insurers are asking about. When you can truthfully check every box, the premiums go down.
What Actually Protects Your Business
Here’s the thing: if you do the work to actually qualify for good cyber insurance, you dramatically reduce the chance you’ll ever need to file a claim.
Think about that for a second.
The security measures insurers require aren’t arbitrary. They’re the same controls that prevent the vast majority of cyberattacks. MFA. Endpoint protection. Backup and recovery. Employee training. Incident response planning.
Do those things right, and insurance becomes what it should be: a last resort safety net, not your primary defense strategy.
Here’s what we implement for every client at Keeran Networks:
MFA on everything. Email, VPN, cloud apps, admin accounts. No exceptions. This single control stops the vast majority of credential-based attacks, and the kind of MFA matters: SMS codes and plain push prompts can be phished in real time or approved by a worn-down user, so put app-based or phishing-resistant methods (FIDO2 keys, passkeys) on email and admin accounts first.
Managed endpoint protection. Every device monitored, patched, and protected. Not just antivirus. Real endpoint detection and response that catches threats traditional tools miss.
Tested backups. Backups that are automated, encrypted, offsite, and regularly tested. Because a backup you haven’t tested is a backup that might not work. We’ve seen businesses discover their backups were failing silently for months. Don’t let that be you.
Employee security training. Regular, ongoing training that teaches your team to recognize phishing, social engineering, and suspicious activity. This isn’t a one-time lunch-and-learn. It’s a continuous program with simulated phishing tests to keep people sharp.
Documented incident response. A clear, tested plan that everyone knows. When something happens, there’s no scrambling. Everyone knows their role, who to call, and what steps to take in the first 30 minutes.
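The silent-failure point under tested backups is the one worth automating. Below is an added example, not part of this page and not Keeran Networks’ own tooling: a Python backup verification job a monitoring system can run daily. It checks the newest archive’s age against the recovery-point objective, its size, its checksum against a sidecar written at backup time, and then does a real restore into a scratch directory and confirms the expected files came back. The archive layout (one .tar.gz per run with a .sha256 sidecar), the function names and the sample files are assumptions constructed for the example.

```python
# Added example (not Keeran Networks' tooling). Assumed layout, hypothetical: each
# backup is a .tar.gz with a sidecar <archive>.sha256 written by the backup job.
import hashlib
import io
import os
import tarfile
import tempfile
import time
from dataclasses import dataclass, field
from pathlib import Path


@dataclass
class BackupReport:
    ok: bool = True
    problems: list = field(default_factory=list)
    age_hours: float = 0.0
    restored_files: int = 0

    def fail(self, msg):
        self.ok = False
        self.problems.append(msg)


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_backups(backup_dir, max_age_hours=24.0, min_size=1024, expected=None, now=None):
    """Check the newest archive: freshness, size, checksum, then a real restore into scratch space."""
    now = time.time() if now is None else now
    rep = BackupReport()
    paths = [os.path.join(backup_dir, n) for n in os.listdir(backup_dir) if n.endswith(".tar.gz")]
    if not paths:  # the job reported success but wrote nothing
        rep.fail("no archives present")
        return rep
    newest = max(paths, key=os.path.getmtime)
    rep.age_hours = (now - os.path.getmtime(newest)) / 3600
    if rep.age_hours > max_age_hours:
        rep.fail(f"newest archive is {rep.age_hours:.1f}h old, limit is {max_age_hours}h")
    if os.path.getsize(newest) < min_size:
        rep.fail("archive is suspiciously small")
    sidecar = Path(newest + ".sha256")
    want = sidecar.read_text().split()[0] if sidecar.exists() else None
    if want != sha256_file(newest):
        rep.fail("checksum missing or mismatched: archive corrupted or truncated after it was written")
    # The step most teams skip: actually restore it, into a scratch directory, and count what came back.
    restored = set()
    try:
        with tempfile.TemporaryDirectory() as scratch, tarfile.open(newest, "r:gz") as tar:
            tar.extraction_filter = getattr(tarfile, "data_filter", None)  # Python 3.12+ safe filter
            root = os.path.realpath(scratch)
            for m in tar.getmembers():
                dest = os.path.realpath(os.path.join(scratch, m.name))
                if os.path.commonpath([root, dest]) != root:  # refuse ../ traversal out of scratch
                    rep.fail(f"unsafe member path {m.name!r}")
                elif m.isfile():
                    tar.extract(m, scratch)
                    restored.add(m.name)
    except (tarfile.TarError, OSError, EOFError) as e:
        rep.fail(f"test restore failed: {type(e).__name__}: {e}")
    rep.restored_files = len(restored)
    if expected is not None and set(expected) - restored:
        rep.fail(f"restore is missing expected files: {sorted(set(expected) - restored)}")
    return rep


def make_sample_backup(backup_dir, name, files, mtime=None, truncate=False):
    """Constructed test data: tar.gz of {path: bytes} plus sidecar; truncate=True mimics a job that died mid-write."""
    path = os.path.join(backup_dir, name)
    with tarfile.open(path, "w:gz") as tar:
        for rel, data in files.items():
            info = tarfile.TarInfo(rel)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    with open(path + ".sha256", "w") as f:
        f.write(f"{sha256_file(path)}  {name}\n")  # hash taken before the damage, as a real job would
    if truncate:
        with open(path, "r+b") as f:
            f.truncate(os.path.getsize(path) // 2)
    if mtime is not None:
        os.utime(path, (mtime, mtime))
    return path


def run_scenarios():
    """Three constructed cases a monitoring job must tell apart: healthy, stale, truncated."""
    files = {"db/dump.bin": os.urandom(8192), "etc/app.yml": b"mode: prod\n"}
    results = {}
    with tempfile.TemporaryDirectory() as d:
        make_sample_backup(d, "backup-day1.tar.gz", files)
        results["healthy"] = verify_backups(d, expected=files)
    with tempfile.TemporaryDirectory() as d:
        make_sample_backup(d, "backup-day1.tar.gz", files, mtime=time.time() - 72 * 3600)
        results["stale"] = verify_backups(d, max_age_hours=24)
    with tempfile.TemporaryDirectory() as d:
        make_sample_backup(d, "backup-day1.tar.gz", files, truncate=True)
        results["truncated"] = verify_backups(d, expected=files)
    return results
```

`run_scenarios()` builds a healthy backup, one that is three days old, and one truncated after its checksum was recorded, and returns a report for each. The point of the design is what you page on: wire `verify_backups` into your alerting and alarm when `rep.ok` is false, rather than trusting the backup job’s own exit code, which is the signal that stays green in every one of the failure cases above.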
Insurance Plus Security: The Right Approach
I’m not saying don’t get cyber insurance. You should have it. But treat it like car insurance: you still wear the seatbelt, you still drive carefully, and you still maintain your brakes.
The businesses that are best protected are the ones that invest in prevention and carry insurance for the scenarios that prevention can’t fully cover. A zero-day exploit. A sophisticated nation-state attack. A freak incident that nobody could have predicted.
If your current approach to cybersecurity is “we have insurance,” you’re one incident away from finding out how little that actually covers.
What To Do Next
Pull out your cyber insurance policy. Read the requirements section. Then honestly assess whether you’re meeting every single one of them.
If you’re not sure, or if the answer is no, that’s the conversation we need to have. We help businesses build the security posture that both protects them and satisfies their insurance requirements. Not because we’re trying to sell you something, but because we’ve seen what happens when businesses skip this step.
To learn more about protecting your business, explore our guides on how to prevent data breaches and what to include in your incident response protocol.