When Insurance Denied Our Breach Claim

TL;DR

We had cyber insurance. We had a data breach. We filed a claim expecting coverage. The insurer denied it, citing a clause about "failure to maintain minimum security controls." Our missing MFA and outdated software voided our coverage. The breach cost us $35,000 out of pocket. Insurance I'd been paying $200/month for covered nothing.

The False Security

When I bought cyber insurance, I felt responsible. Smart, even. The premium was $200/month, which seemed reasonable for $500,000 in coverage. If anything went wrong, insurance would handle it.

I didn't read the policy carefully. I skimmed it, saw "data breach coverage," and signed. Big mistake.

The Breach

An attacker gained access through a compromised employee password. Without MFA, one stolen credential was enough. They accessed customer data for about 48 hours before we detected and stopped it.

The damage was significant:

  • Legal consultation: $8,000
  • Forensic investigation: $12,000
  • Customer notification and credit monitoring: $10,000
  • PR and crisis management: $5,000

Total: $35,000. I wasn't worried. I had insurance.

The Claim

I filed the claim, confident it would be covered. Three weeks later, I received a letter:

"After review, we have determined that your claim does not meet the conditions for coverage under your policy. Specifically, Section 4.2(c) requires maintenance of 'industry-standard security controls including multi-factor authentication on all administrative access.' Our investigation found that MFA was not enabled on the compromised account. Therefore, this claim is denied."

I read it three times. Then I called my lawyer.

The Policy Fine Print

My lawyer reviewed the policy. The insurer was right. Buried in the terms were requirements I'd never noticed:

  • MFA required on all administrative and privileged accounts
  • Software updates must be applied within 30 days of release
  • Annual security assessments must be documented
  • Employee training must be conducted annually

I was compliant with none of these. The policy I'd been paying for was essentially void from day one.

The painful truth: Cyber insurance isn't just a financial product. It's a contract with conditions. Those conditions require you to maintain baseline security. Miss them, and your coverage disappears when you need it most.

Why Insurers Include These Clauses

At first, I was angry. It felt like the insurer was looking for excuses not to pay.

After talking to a broker, I understood their perspective. Without security requirements:

  • Premiums would be much higher (think 10x)
  • Anyone could buy insurance and ignore security entirely
  • Moral hazard would make breaches more common

The requirements aren't arbitrary. MFA alone would have prevented our breach. The insurer was essentially saying: "We'll cover you if you take basic precautions. If you don't, you're choosing to be vulnerable."

They weren't wrong. I just didn't like hearing it.

What I Did Wrong

1. Didn't Read the Policy

I signed without understanding the requirements. If I'd read Section 4, I would have known what was expected.

2. Assumed Insurance = Protection

I thought having insurance meant I could worry less about security. The opposite is true. Insurance requires security.

3. Never Verified Compliance

Even if I'd read the policy, I never checked whether we were actually compliant. No one was tracking our status against the requirements.

What Changed

Actually Read Policies

I now read every insurance policy completely. I highlight the conditions and maintain a checklist of requirements.

Security Requirements First

Before buying any new policy, I review the security requirements and ensure we're already compliant or can become compliant quickly.

Document Everything

We now document our security measures: MFA enabled, software update logs, training records. If we ever file another claim, we'll have evidence of compliance.

Regular Compliance Checks

We now review our insurance requirements quarterly. Things change. Policies get updated. We need to stay aligned.

The $35,000 lesson: Cyber insurance is not a substitute for security. It's a complement to it. If you're not implementing basic security measures, don't expect insurance to save you. The coverage requires the precautions.

What security measures do cyber policies typically require?

Common requirements include: MFA on privileged accounts, regular software updates, endpoint protection, employee security training, regular backups, and documented security policies. Requirements vary by insurer and policy tier.

How can I verify I'm compliant with my policy?

Request the full policy document, not just the summary. Look for sections on "conditions," "requirements," or "warranties." Create a checklist of all requirements and verify your status against each one. Document your compliance.
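The checklist-and-verify process described above (and under "What Changed") is easy to automate once the evidence is written down. This is an added example, not code from the original post; the inventory structure, field names and the sample dates are this example's own assumptions, and the four rules mirror the policy conditions the post lists (MFA on privileged accounts, patches within 30 days of release, annual assessment, annual training).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Windows taken from the policy terms quoted in the post.
PATCH_WINDOW = timedelta(days=30)
ANNUAL = timedelta(days=365)


@dataclass
class Inventory:
    """Constructed evidence snapshot; the field layout is an assumption of this example."""
    privileged_accounts: Dict[str, bool]                 # account -> MFA enabled?
    software: Dict[str, Tuple[date, Optional[date]]]     # package -> (released, patched or None)
    last_assessment: Optional[date]
    last_training: Optional[date]


def check_compliance(inv: Inventory, today: date) -> Dict[str, List[str]]:
    """Return {requirement: [failing evidence]}; an empty list means that clause is met."""
    findings: Dict[str, List[str]] = {
        "mfa_privileged": [a for a, mfa in inv.privileged_accounts.items() if not mfa],
        "patch_30_days": [],
        "annual_assessment": [],
        "annual_training": [],
    }
    for pkg, (released, patched) in inv.software.items():
        deadline = released + PATCH_WINDOW
        # Still unpatched past the deadline, or patched after it: both miss the 30-day clause.
        if (patched is None and today > deadline) or (patched is not None and patched > deadline):
            findings["patch_30_days"].append(pkg)
    if inv.last_assessment is None or today - inv.last_assessment > ANNUAL:
        findings["annual_assessment"].append(f"last assessment: {inv.last_assessment}")
    if inv.last_training is None or today - inv.last_training > ANNUAL:
        findings["annual_training"].append(f"last training: {inv.last_training}")
    return findings


def is_compliant(findings: Dict[str, List[str]]) -> bool:
    return all(not evidence for evidence in findings.values())


# Constructed sample: one admin account without MFA, one package unpatched past 30 days,
# an assessment older than a year and no training on record.
SAMPLE = Inventory(
    privileged_accounts={"admin": True, "ops-admin": False},
    software={"mail-gateway": (date(2024, 1, 10), date(2024, 1, 20)),
              "vpn": (date(2024, 2, 1), None)},
    last_assessment=date(2023, 1, 15),
    last_training=None,
)

if __name__ == "__main__":
    for clause, evidence in check_compliance(SAMPLE, date(2024, 4, 1)).items():
        print(clause, "OK" if not evidence else evidence)
```

Run it against the real inventory on the quarterly review and keep the output with the other compliance records.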

Can I appeal a denied cyber insurance claim?

Yes, but success depends on the specifics. If you can prove compliance with the cited requirement, or if the requirement was ambiguous, you may have grounds. Consult with a lawyer experienced in insurance disputes.

Is cyber insurance worth it if there are so many conditions?

Yes, if you maintain the required security measures. Those measures would help prevent breaches anyway. Think of insurance as incentive to maintain good security, not as a replacement for it.
