More and more businesses take out cyber insurance, and that’s sensible. When things go wrong (a data breach, ransomware, a day of downtime), such a policy can soften the financial blow: restoring systems, legal costs, notifying customers, lost revenue.
But a policy is no guarantee of a payout. What is and isn’t covered often depends on whether you met the insurer’s expectations before the incident. And that’s exactly where it regularly goes wrong. Not a scare story, just good to know before you need it.
Why claims get rejected
When a claim comes in, insurers look closely at the state of your security at the moment of the incident. A claim often fails for fairly down-to-earth reasons:
- The basic security wasn’t in order (no multi-factor authentication, for instance).
- Systems were outdated or not patched.
- There was no, or insufficient, documentation of how IT management was arranged.
- There was no plan for what to do when things go wrong.
In short: a policy only gets you so far. You have to be able to show that your house was in order before anything happened.
What insurers expect these days
The requirements insurers set are exactly the measures you’d want to have anyway. In practice it comes down to a handful of fundamentals:
- Multi-factor authentication (MFA) and well-arranged access.
- Working, tested backups and protection on your devices.
- Updates and patches that happen on time.
- Recorded agreements and a plan for incidents.
- Ongoing attention: monitoring and awareness among your people.
Not by coincidence, this overlaps strongly with what the NIS2 rules ask of businesses. Work on this and you often kill two birds with one stone: you stand stronger with your insurer and you’re better prepared for the duty of care. More on that in NIS2 and SMEs.
It comes down to being able to prove it
This is the heart of it. An insurer doesn’t want to hear that it was fine; they want to see it. And that’s exactly where many businesses get stuck: they assume it’s in order, but can’t show it.
That’s also why we put so much weight on provable security. With MIRA we record your IT environment, the risks and the status in a measurable, traceable way. In black and white, in plain language. Not just useful with an insurer, but just as much with your customers, who increasingly ask whether your security is in order.
The role of your IT partner
An experienced IT partner helps you close the gaps an insurer looks at: putting the right measures in place, recording them, and making sure it stays that way by keeping an eye on it. That way your IT isn’t an isolated cost item, but something that protects your business and strengthens your position with the insurer.
A few questions we often get
Do I need cyber insurance?
That’s a call for you and your insurance adviser; that’s not our area. What we do help with is making sure your security is at a level where such a policy is actually worth something.
We already have a policy, are we covered then?
Not automatically. The cover stands or falls on whether you meet the conditions. It pays to check which requirements your insurer sets and whether you genuinely meet them now, not only once something happens.
Can you show whether we meet the requirements?
Yes, that’s exactly what the baseline with MIRA is for. We map where you stand against the common requirements, so you know what still needs doing, and can prove it.
Want to know whether your security stands firmly enough, for your insurer and for yourself? Take the free security scan, or book an intro call for an honest picture.