Cyber insurance: What you need, what you pay, and what is never covered

Jessica A.

Too Long; Didn't Read

Cyber insurance does not protect you; it pays you money. And even that only if you know the exclusions, answer the questionnaire honestly, and your security posture matches what you told the insurer. Read the exclusions before coverage begins, technically verify your information, and build the foundation first before signing the policy.

You took out cyber insurance. You pay your premium. You feel safe.

That is exactly the problem.

Because cyber insurance does not protect you. It pays you money after something has happened. And even then, only if you meet a long list of conditions that you have probably never fully read. We support companies through cyber incidents. Some get their money. Many do not. The difference is rarely the attack itself, but almost always the fine print.

What your policy does not cover

Let’s start with what most people skip: exclusions. Not coverage. Exclusions.

Known vulnerabilities. If the attacker got in through a CVE that has been publicly known for months and was on your patch list, your insurer will argue that you should have known. And they are right.

Negligence. Defined more broadly than you think. A system with a critical gap that you consciously did not patch? That is enough. No intent required, just inaction.

State actors. Since NotPetya, insurers have significantly expanded their war-exclusion clauses. If an attack is attributed to a state actor, coverage can be denied entirely. And that attribution is not up to you.

Third-party outages. Your cloud provider goes down, or your SaaS provider is hacked, and your operations come to a standstill. But you were not directly attacked. Depending on the wording: not covered. That is one of the reasons why we always examine third-party dependencies for clients. Not just because of security, but because insurance gaps start exactly there.

Insider threats. Damage caused by your own employees? Partly covered, often not at all. In cases of targeted internal fraud, it gets really complicated.

The questionnaire that can ruin you in an emergency

When you sign the policy, you receive a long questionnaire. Security controls, infrastructure, processes. Most people answer it to the best of their knowledge.

Here is the thing: “to the best of your knowledge” does not protect you.

You state that you have MFA on all remote access points. During the incident, it turns out that an old VPN without MFA was still active. Not because you lied, but because the statement was incorrect. And the insurer refuses payment.

This happens all the time. Not out of malice, but because reality in IT changes faster than forms. What was true in January is no longer true in September. But the policy continues.

Therefore: before you fill out a questionnaire, conduct an honest technical review. What do we actually have? Not what is written in the documentation, but what is actually configured? Where do intention and reality diverge? We wrote more about this in our article on why most risk analyses fail.
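As an added illustration of that review (example code, not from the post or from ODCUS), the following script takes the kind of statements a questionnaire asks for, runs each one as a check against a constructed asset inventory, and reports which attestations the actual configuration contradicts. The inventory, field names and unsupported-OS list are assumptions made for the example.

```python
"""Reconcile questionnaire attestations against what is actually configured.

Constructed sample data throughout; the Asset fields are an assumed inventory
schema, not a real questionnaire format or vendor API.
"""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Asset:
    name: str
    kind: str                    # "vpn", "backup" or "server"
    os: str = ""
    mfa: Optional[bool] = None   # None = not applicable to this asset kind
    network: str = ""            # network segment the asset sits on
    decommissioned: bool = False

# Constructed inventory: what exists on the network, not what the documentation says.
INVENTORY = [
    Asset("vpn-new", "vpn", mfa=True, network="dmz"),
    Asset("vpn-legacy", "vpn", mfa=False, network="dmz"),  # the forgotten old VPN
    Asset("bkp-01", "backup", network="prod"),             # reachable from production
    Asset("bkp-offline", "backup", network="offline"),
    Asset("fs-01", "server", os="Windows Server 2012", network="prod"),
    Asset("app-01", "server", os="Ubuntu 22.04", network="prod"),
]

UNSUPPORTED_OS = {"Windows Server 2012"}  # assumed lifecycle list maintained by the team

def missing_mfa(inv):
    """Remote access points still active but without MFA."""
    return [a.name for a in inv if a.kind == "vpn" and not a.decommissioned and a.mfa is False]

def backups_on_prod_network(inv):
    """Backups sitting on a segment that also hosts production servers."""
    prod_nets = {a.network for a in inv if a.kind == "server"}
    return [a.name for a in inv if a.kind == "backup" and a.network in prod_nets]

def unsupported_systems(inv):
    """Servers running an OS that no longer has vendor support."""
    return [a.name for a in inv if a.kind == "server" and a.os in UNSUPPORTED_OS]

# Each questionnaire statement paired with the check whose hits would contradict it.
ATTESTATIONS = {
    "MFA enforced on all remote access": missing_mfa,
    "Backups isolated from production network": backups_on_prod_network,
    "No systems without vendor support": unsupported_systems,
}

def drift_report(inv=INVENTORY):
    """Return {attestation: [contradicting assets]} for every statement you cannot sign."""
    return {stmt: bad for stmt, check in ATTESTATIONS.items() if (bad := check(inv))}

if __name__ == "__main__":
    for stmt, assets in drift_report().items():
        print(f"CANNOT ATTEST: {stmt!r} contradicted by {', '.join(assets)}")
```

An empty report is the state you want before filling in the form; each entry is a statement that would have been "incorrect" in the sense the insurer cares about.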

Why you still pay too much

The premium is not random. It is based on what the insurer knows about your risk profile. And in most cases, they know more than you think.

Missing MFA drives premiums up. By now, this is the smoke detector of cyber insurance. Those who do not apply MFA consistently pay noticeably more.

Backups that are reachable through the same network as production systems are considered worthless. Insurers want to see offline or immutable backups.

Legacy systems without vendor support are red flags. Still running Windows Server 2012 on your network? The premium goes up.

And then there is the industry. Healthcare, financial services, critical infrastructure: higher premiums, tighter exclusions. Not arbitrarily, but because attack rates there are actually higher.

Anyone who has already had an incident in the last three to five years pays significantly more. Or gets no policy at all. Transparency when signing is crucial, because anyone who conceals something risks denial in the event of a claim.

The uncomfortable truth about lowering premiums

Insurers want to insure. They want predictability. The more controllable your risk appears, the better terms you get. But that requires real work, not just a PDF of security policies.

What actually works: documented controls. Not marketing text, but real configurations and verifiable tests. If you can show that MFA is active everywhere and backups are tested regularly, the conversation with the insurer changes.

Ongoing security operations also help. A SIEM or SOC connection signals that anomalies are detected before they escalate. Not cheap, but the premium difference is often clearly noticeable.

Regular awareness training makes a difference. Phishing remains the most common entry vector, and insurers reward documented phishing simulations.

And an incident response plan. Not a document sitting in a drawer, but a tested procedure. That reduces the scale of damage in an emergency, and insurers know this statistically.

We have seen with clients that a structured improvement plan before signing has led to premiums that were sixteen to twenty percent lower. That pays off, even if the assessment costs money. (In our post about allocating security budgets correctly, we show which measures have the greatest leverage on insurance costs.)

What does this mean for you?

Cyber insurance is a safety net, not a shield. It pays for losses; it does not prevent attacks, keep operations running, or save your reputation. And it pays most reliably when you need it the least, because your setup is solid. The fundamental controls come first: MFA, patching, backups, access management. Then the processes: incident response, awareness, monitoring. And then the policy that absorbs the remaining residual risk. We also see this as a core idea behind pragmatic cybersecurity: fewer tools, a solid foundation, and insurance as a safety net. If you are unsure where your security posture stands and what that means for your insurance application, we would be happy to talk about it.

Join us on the journey

Effortlessly schedule a conversation and discover how we bring success in the digital world to your company.

Contact us!

Grabenstrasse 15a

6340 Baar

Switzerland

+41 43 217 86 70

Copyright © 2026 ODCUS | All rights reserved.