
Your Cyber Insurance Policy Probably Won't Pay Out. Here's Why.


THE GAP BETWEEN WHAT YOUR POLICY SAYS AND WHAT IT ACTUALLY PAYS IS ALMOST ALWAYS TECHNICAL.

It was a Wednesday afternoon in early spring when the call came in.

A manufacturing operation in central Wisconsin, one that had been running the same line for 26 years, had a problem. Their systems were encrypted. Production was stopped. Someone on their team had clicked a link in an email that looked like it came from their freight carrier, and by the time anyone realized what had happened, ransomware had moved laterally through the network and locked nearly everything.

They had cyber insurance. They had carried it for two years, renewing it without much thought because their bank had started requiring it, and the premium seemed reasonable. When they called their insurer to file a claim, they felt a moment of relief. They were covered. This was going to be okay.

The adjuster's questions started almost immediately.

Were multi-factor authentication controls in place on remote access systems? Was endpoint detection and response software deployed across all devices? Could they produce documentation of a tested backup and recovery process from the last 90 days? Did they have a written incident response plan?

The answers were mostly no. Their IT setup was functional. It had never caused serious problems before. But it didn't meet the technical controls their policy required, controls buried in language most business owners never read carefully when they signed up.

The claim was significantly reduced. Some of it was denied outright.

They were not unusual. They were typical.

 

What Is Cyber Insurance, and What Does It Actually Cover?

Cyber insurance, also called cyber liability insurance, is a policy designed to help businesses recover from the financial consequences of a cyberattack or data breach. At its core, it addresses costs that general business insurance does not: ransom payments, data recovery, business interruption losses, notification costs when customer data is exposed, legal fees, and regulatory fines.

For a mid-market manufacturing or agriculture business, those numbers can be significant. The average cost of a ransomware incident for a small to mid-sized business, when you account for downtime, recovery, and reputational damage, routinely reaches six figures. For an operation where every hour of downtime has a direct production cost, the exposure is real.

Cyber insurance exists to absorb some of that exposure. The problem is that what the policy says it covers and what it actually pays out are two different things, and the gap between them is almost always technical.

 

Why Cyber Insurance Claims Get Denied

Insurers have learned from paying out large claims. Over the last several years, the cyber insurance market has tightened significantly. Premiums have increased. Coverage limits have tightened. And the technical prerequisites baked into policies have become more specific and more strictly enforced.

Most business owners don't know this has happened: their broker renewed the policy and the premium went up, but nobody sat down to walk through what the new requirements actually meant for their IT environment.

Here are the controls that appear most frequently in cyber insurance policies and that most commonly cause claims to be reduced or denied when they're not in place.

Multi-factor authentication on remote access. If your team accesses business systems remotely, whether through a VPN, a remote desktop tool, or a cloud application, and MFA is not enabled, many insurers will consider that a material failure of basic controls. Remote access without MFA is one of the most common entry points for ransomware attacks, and insurers know it.

Endpoint detection and response. Standard antivirus software is no longer considered sufficient. EDR tools monitor device behavior in real time and can detect threats that signature-based antivirus misses. Most enterprise-grade cyber policies require EDR across all managed endpoints. If you're running basic antivirus on half your devices and nothing on the rest, that's a gap.

Tested, offsite backups. Having backups is not the same as having backups that work. Insurers increasingly require documented evidence that backups exist, that they are stored separately from the primary network, and that they have been tested for recovery within a recent timeframe. An untested backup is not a backup. It's an assumption.

A written incident response plan. When an incident happens, the speed and quality of the response directly affect how much damage occurs. Insurers want to see that you have a documented plan for what happens in the first hours of an attack. Who gets called. What gets isolated. Who has the authority to make decisions. Most small and mid-sized businesses do not have this documented anywhere.

Patch management. Systems running known, unpatched vulnerabilities are a signal to insurers that basic security hygiene is not being maintained. Some policies include language that can void or reduce coverage if an attack exploits a vulnerability for which a patch was available and not applied within a reasonable timeframe.

 

What Cyber Insurance Does Not Cover

Understanding the exclusions is as important as understanding what's included.

Most policies do not cover losses from social engineering fraud where an employee is deceived into authorizing a wire transfer. This is one of the most common attack types targeting mid-market businesses, and many assume it falls under cyber coverage. It often doesn't, or requires a specific rider.

Policies generally do not cover the cost of improving your security posture after an incident. If an attack exposes that your network lacked segmentation, your insurance will not pay for the segmentation project. It may cover the recovery costs from this incident, but the work required to prevent the next one is on you.

Physical damage caused by a cyberattack, a scenario increasingly relevant as operational technology and IT networks converge on manufacturing floors, often falls into a coverage gray zone that requires specific policy language to address.

And if your policy application contained inaccuracies, even unintentional ones, about the security controls you had in place, insurers can use that as grounds to contest a claim.

 

The Gap Most Mid-Market Businesses Don't Know They Have

Here's the uncomfortable reality. A business can carry cyber insurance in good faith, pay premiums for years, and still find that their policy won't perform the way they expected when they need it most.

Not because they lied. Not because they were negligent in any obvious way. But because the technical requirements of the policy outpaced the technical reality of their IT environment, and nobody closed that gap.

This is where the relationship between cyber insurance and your IT partner matters more than most people realize.

Your insurer tells you what controls are required. Your IT partner is responsible for making sure those controls are actually in place, documented, and maintained. If those two conversations are happening in separate rooms and never connecting, you have a coverage gap whether your policy says you're covered or not.

We have that conversation with every client we work with. Not because we're trying to upsell a security stack, but because discovering the gap after a claim is denied is a terrible time to learn about it.

When we do a cybersecurity assessment, one of the things we look at specifically is how your current environment maps to your insurance carrier's technical requirements. We identify where you're covered in practice, where you're exposed on paper, and what it takes to close the distance. That conversation is sometimes uncomfortable. We'd rather have it now than after an incident.

 

What to Do Before Your Next Renewal

If your cyber insurance renewal is coming up in the next six months, here are four things worth doing before you sign.

1. Read the technical requirements section of your policy. It will likely be in the application or a separate addendum. Look specifically for language about MFA, EDR, backup frequency and testing, and incident response planning. If you find requirements you can't confidently say you meet, that's the conversation to have with your IT partner before you renew, not after.

2. Ask your IT provider to map your environment against those requirements. This doesn't have to be a formal project. It starts with a conversation. Bring the policy language and ask directly: do we meet this? The answer should be specific, not general.

3. Get your backup tested. If you don't know when your last successful recovery test was, find out. If the answer is "we've never tested it," that needs to change before you represent to an insurer that you have tested backup and recovery processes.

4. Document your incident response plan. Even a basic, one-page document that names who gets called, what gets isolated, and who has authority to authorize recovery spending is better than nothing. Your insurer wants to see that someone has thought through the first four hours of an incident before it happens.
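As an added illustration of what "tested backups with documented evidence" (the backup control above and step 3) means in practice, not code from this post or from any backup vendor: this Python script builds a constructed sample archive and hash manifest, restores it into a scratch directory, verifies every file, and writes a dated evidence record that is then checked against the 90-day window the post cites. The archive contents, manifest format and evidence record layout are assumptions.

```python
import hashlib
import io
import os
import tarfile
import tempfile
from datetime import datetime, timedelta, timezone


def build_sample_backup():
    """Constructed sample backup: a tar archive in memory plus the SHA-256 manifest
    recorded when the backup was taken (assumed process, not a vendor format)."""
    files = {"plc_configs/line1.cfg": b"baud=9600\n", "erp/orders.csv": b"id,qty\n1,40\n"}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    manifest = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    return buf.getvalue(), manifest


def restore_and_verify(archive_bytes, manifest):
    """Restore into a throwaway directory and hash each file against the manifest.
    Returns the paths that are missing or altered; an empty list is a passed test."""
    failures = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
            try:
                tar.extractall(scratch, filter="data")  # safe-extraction filter (3.12+)
            except TypeError:  # older interpreter without the filter argument
                tar.extractall(scratch)
        for rel, expected in manifest.items():
            path = os.path.join(scratch, rel)
            if not os.path.isfile(path):
                failures.append(rel)
                continue
            with open(path, "rb") as fh:
                if hashlib.sha256(fh.read()).hexdigest() != expected:
                    failures.append(rel)
    return failures


def evidence_record(failures, stored_offsite, tested_at=None):
    """The dated evidence an adjuster asks for: did the restore succeed, was the copy
    kept apart from the production network, and when was it last tested (ISO 8601)."""
    tested_at = tested_at or datetime.now(timezone.utc).isoformat()
    return {"tested_at": tested_at, "restore_ok": not failures,
            "failed_paths": failures, "stored_offsite": stored_offsite}


def meets_policy(record, window_days=90):
    """Policy check from the post: a successful, offsite-stored restore test within 90 days."""
    age = datetime.now(timezone.utc) - datetime.fromisoformat(record["tested_at"])
    return record["restore_ok"] and record["stored_offsite"] and age <= timedelta(days=window_days)
```

Run against a real archive, the evidence record is what you keep for the renewal file; a record older than the window or with any failed path is not evidence of a tested backup.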


Cyber Insurance Is the Safety Net. Your IT Environment Is the Net Worth Protecting.

A good cyber insurance policy is worth having. It's not a substitute for the controls that make an attack less likely and a recovery faster. It's what you fall back on when, despite those controls, something still goes wrong.

The businesses that come through incidents best are the ones where the insurance pays out because the controls were in place, and the recovery is faster because the IT environment was built to recover. Those two things work together. One without the other leaves you exposed in ways a policy won't fix.

If you're not sure where your environment stands relative to your coverage requirements, that's the right starting point. Not a sales process. Just an honest look at what you have, what your policy requires, and what it takes to bring those two things into alignment.

That's a conversation we're ready to have.
