TL;DR
A real estate tech company had cyber insurance. They had a data breach. They filed a claim expecting coverage. The insurer denied it, citing a clause about "failure to maintain minimum security controls." Missing MFA and outdated software voided their coverage. The breach cost $35,000 out of pocket. Insurance the founder had been paying $200/month for covered nothing.
The False Security
When the founder of a growing real estate tech startup bought cyber insurance, he felt responsible. Smart, even. The premium was $200/month, which seemed reasonable for $500,000 in coverage. If anything went wrong, insurance would handle it.
He didn't read the policy carefully. He skimmed it, saw "data breach coverage," and signed. Big mistake.
The Breach
An attacker gained access through a compromised employee password. Without MFA, one stolen credential was enough. They accessed customer data — including property transaction records and client contact details — for about 48 hours before the team detected and stopped it.
The damage was significant:
- Legal consultation: $8,000
- Forensic investigation: $12,000
- Customer notification and credit monitoring: $10,000
- PR and crisis management: $5,000
Total: $35,000. The founder wasn't worried. He had insurance.
The Claim
He filed the claim, confident it would be covered. Three weeks later, he received a letter:
"After review, we have determined that your claim does not meet the conditions for coverage under your policy. Specifically, Section 4.2(c) requires maintenance of 'industry-standard security controls including multi-factor authentication on all administrative access.' Our investigation found that MFA was not enabled on the compromised account. Therefore, this claim is denied."
He read it three times. Then he called his lawyer.
The Policy Fine Print
The lawyer reviewed the policy. The insurer was right. Buried in the terms were requirements the founder had never noticed:
- MFA required on all administrative and privileged accounts
- Software updates must be applied within 30 days of release
- Annual security assessments must be documented
- Employee training must be conducted annually
The company was compliant with none of these. The policy they'd been paying for was essentially void from day one.
The painful truth: Cyber insurance isn't just a financial product. It's a contract with conditions. Those conditions require you to maintain baseline security. Miss them, and your coverage disappears when you need it most.
Why Insurers Include These Clauses
At first, the founder was angry. It felt like the insurer was looking for excuses not to pay.
After talking to a broker, he understood their perspective. Without security requirements:
- Premiums would be much higher (think 10x)
- Anyone could buy insurance and ignore security entirely
- Moral hazard would make breaches more common
The requirements aren't arbitrary. MFA alone would have prevented the breach. The insurer was essentially saying: "We'll cover you if you take basic precautions. If you don't, you're choosing to be vulnerable."
They weren't wrong. The founder just didn't like hearing it.
What Went Wrong
1. Didn't Read the Policy
He signed without understanding the requirements. If he'd read Section 4, he would have known what was expected.
2. Assumed Insurance = Protection
He thought having insurance meant the company could worry less about security. The opposite is true. Insurance requires security.
3. Never Verified Compliance
Even if he'd read the policy, nobody had checked whether the company was actually compliant. No one was tracking their status against the requirements.
What Changed
Actually Read Policies
The founder now reads every insurance policy completely. He highlights the conditions and maintains a checklist of requirements.
Security Requirements First
Before buying any new policy, the team reviews the security requirements and ensures they're already compliant or can become compliant quickly.
Document Everything
The company now documents its security measures: MFA enabled, software update logs, training records. If they ever file another claim, they'll have evidence of compliance.
Regular Compliance Checks
Quarterly reviews of their insurance requirements. Things change. Policies get updated. The team needs to stay aligned.
The $35,000 lesson: Cyber insurance is not a substitute for security. It's a complement to it. If you're not implementing basic security measures, don't expect insurance to save you. The coverage requires the precautions.
What security measures do cyber policies typically require?
Common requirements include: MFA on privileged accounts, regular software updates, endpoint protection, employee security training, regular backups, and documented security policies. Requirements vary by insurer and policy tier.
How can I verify I'm compliant with my policy?
Request the full policy document, not just the summary. Look for sections on "conditions," "requirements," or "warranties." Create a checklist of all requirements and verify your status against each one. Document your compliance.
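The checklist-and-verify routine described under "What Changed" and in the answer above, turned into a script a team could run each quarter against the four conditions the policy in this story imposed. This is an added example, not code from the original post; the evidence inventory is constructed and the function names are hypothetical.

```python
from datetime import date, timedelta

# Constructed evidence inventory (hypothetical, not from the post); in practice this
# would be exported from the identity provider, patch records and HR training logs.
PRIVILEGED_ACCOUNTS = [
    {"user": "admin@example.com", "mfa": True},
    {"user": "ops@example.com", "mfa": False},
]
SOFTWARE_UPDATES = [
    # released: vendor release date; applied: install date, or None if still pending
    {"name": "web-framework 5.1", "released": date(2024, 1, 10), "applied": date(2024, 1, 25)},
    {"name": "database 14.3", "released": date(2024, 1, 2), "applied": None},
]
LAST_ASSESSMENT = date(2023, 2, 1)   # last documented security assessment
LAST_TRAINING = date(2023, 9, 15)    # last employee security training
CHECK_DATE = date(2024, 3, 1)        # date of this quarterly review

UPDATE_WINDOW = timedelta(days=30)   # policy: updates applied within 30 days of release
ANNUAL = timedelta(days=365)         # policy: assessment and training at least annually


def check_compliance(accounts, updates, last_assessment, last_training, today):
    """Evaluate the four policy conditions; returns (requirement, detail) findings, empty if compliant."""
    findings = []
    for acct in accounts:
        if not acct["mfa"]:
            findings.append(("MFA on privileged accounts", f"{acct['user']} has no MFA"))
    for pkg in updates:
        deadline = pkg["released"] + UPDATE_WINDOW
        if pkg["applied"] is None and today > deadline:
            overdue = (today - deadline).days
            findings.append(("Updates within 30 days", f"{pkg['name']} unpatched, {overdue} days past deadline"))
        elif pkg["applied"] is not None and pkg["applied"] > deadline:
            late = (pkg["applied"] - deadline).days
            findings.append(("Updates within 30 days", f"{pkg['name']} applied {late} days late"))
    if today - last_assessment > ANNUAL:
        findings.append(("Annual security assessment", f"last one {last_assessment}, {(today - last_assessment).days} days ago"))
    if today - last_training > ANNUAL:
        findings.append(("Annual employee training", f"last one {last_training}, {(today - last_training).days} days ago"))
    return findings


def compliance_report(findings, today):
    """Render findings as a dated record to keep as evidence that the check was performed."""
    status = "COMPLIANT" if not findings else f"NON-COMPLIANT ({len(findings)} gaps)"
    lines = [f"Cyber policy compliance check {today}: {status}"]
    lines += [f"  - {req}: {detail}" for req, detail in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    gaps = check_compliance(PRIVILEGED_ACCOUNTS, SOFTWARE_UPDATES, LAST_ASSESSMENT, LAST_TRAINING, CHECK_DATE)
    print(compliance_report(gaps, CHECK_DATE))
```

Keep each dated report alongside the underlying exports; a claim adjuster will want the evidence, not just the script's verdict.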
Can I appeal a denied cyber insurance claim?
Yes, but success depends on the specifics. If you can prove compliance with the cited requirement, or if the requirement was ambiguous, you may have grounds. Consult with a lawyer experienced in insurance disputes.
Is cyber insurance worth it if there are so many conditions?
Yes, if you maintain the required security measures. Those measures would help prevent breaches anyway. Think of insurance as incentive to maintain good security, not as a replacement for it.