Think You’re Covered? 40% of Cyber Insurance Claims Say Otherwise


Data breaches are a devastating experience for any company – you lose revenue, hundreds of hours of productivity, customer confidence, and sleep as you try to undo the damage. One small comfort is that a payout from your cybersecurity insurance will offset some of your lost revenue—or will it?

A recent analysis reveals that 40% of cyber insurance claims are denied, often due to incomplete, inaccurate, or misleading information provided during the application or claims process.

The High Stakes of Checking Boxes

Cyber insurance policies are underwritten based on representations made by the applicant, particularly regarding the organization’s security posture. Insurers want to know what protections are in place: Is multi-factor authentication (MFA) deployed? Are endpoints monitored? Is data encrypted? What tools and technologies are used to keep you safe?

When applicants check “yes” on those boxes, insurers assume those controls are fully implemented across all systems. But in practice, organizations often interpret those questions loosely. Maybe MFA is used on email accounts, but not on remote desktops or internal admin consoles. Maybe endpoint detection is deployed, but only on laptops, not servers. This may be shocking, but it’s true: insurance companies don’t generally want to pay out, so they’re going to go over that policy with a fine-tooth comb to make sure what you claimed you had matches what you actually had, and those gaps can come back to haunt you. If an attack exploits an area you didn’t secure — and you claimed it was protected — the insurer may deny your claim for misrepresentation or breach of contract.

It might seem like this is an easy fate to avoid, but even companies that take security incredibly seriously have been caught leaving some systems exposed. Take, for example, the Okta hack – the company admitted that it did not have multi-factor authentication turned on for all administrative tasks. And Microsoft was compromised via a “legacy, non-production test tenant” that fell to a simple password spray attack, which means no MFA was enabled on it.

Case in Point: Travelers v. ICS

In 2022, International Control Services (ICS) was targeted by a ransomware attack. Fortunately, only a few weeks prior, they had taken out a cyber insurance policy with the insurance firm Travelers. In the application for this policy, they stated that MFA was in place for all administrative and privileged access. As they faced millions of dollars in losses, they filed a claim, which was subsequently denied after a forensic investigation discovered that the attack had started on a server that was not protected by multi-factor authentication (MFA).

Travelers argued that had they known this, they would not have issued the policy or would have charged a different premium. They claimed ICS had made “material misrepresentations” on the application, thus voiding the policy altogether.

The court ruled in favor of Travelers in August of 2022, allowing them to rescind the policy.

Why This Is More Common Than You Think

It’s easy to see how these misrepresentations happen, especially when security teams are pressured to check all the boxes during the application process. The intent may not be to deceive but rather to reflect “aspirational compliance.” An organization might be planning to implement MFA everywhere and honestly believes it’s “in progress” or “mostly done.”

Unfortunately, insurance contracts are not aspirational documents. If your claim is based on a statement that turns out to be inaccurate, you could find yourself both uninsured and exposed.

Moreover, many applications contain ambiguous questions. For example: “Do you use MFA for all administrative access?” Does that include third-party vendors? Internal systems? Backups? Without clear definitions, organizations may inadvertently overstate their security posture.

Best Practices: How to Protect Your Coverage

To avoid becoming one of the 40% whose claims are denied, organizations should treat cyber insurance applications with the same level of diligence as financial disclosures or compliance audits. Here’s how:

  1. Be Precise and Conservative in Your Answers
    If MFA is only used on some systems, don’t say it’s deployed “everywhere.” Add qualifiers or attach documentation outlining the scope of deployment.
  2. Document Your Security Controls
    Keep detailed records of which protections are in place, when they were implemented, and what systems they cover. This is invaluable during both underwriting and claims investigations.
  3. Review Applications with Legal and IT Teams
    Collaborate across departments to ensure your answers are accurate and complete. Legal counsel can help interpret contractual language, while IT can verify technical implementations.
  4. Don’t Rely on Boilerplate Templates
    Customize your responses. Avoid using generic “yes” answers when the real situation is more nuanced.
  5. Update Your Insurer if Your Posture Changes
    If you implement major changes (or discover a security gap), notify your insurer. Some policies allow for updates and endorsements to reflect your current environment.
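Practices 1 and 2 above both come down to knowing, system by system, which controls actually apply before answering a question like “Do you use MFA for all administrative access?” The following Python script is an added example, not code from the original post or from Portnox. It reconciles a constructed asset inventory against constructed control records (every hostname, change ticket and date is invented) and phrases the answer with its real scope instead of a bare “yes”, while also surfacing the third-party-access ambiguity the post mentions.

```python
"""Reconcile claimed security controls against an asset inventory.

Added example (not from the original post). All hostnames, dates and
evidence references are constructed sample data; a real run would pull the
inventory from a CMDB or IdP and the control evidence from the MFA/EDR
management consoles.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                   # "server", "laptop", "saas", ...
    admin_access: bool          # reachable with administrative/privileged rights
    third_party: bool = False   # also accessed by an external vendor


@dataclass(frozen=True)
class ControlRecord:
    control: str        # e.g. "mfa", "edr"
    asset: str          # Asset.name the control is enforced on
    implemented: date   # when it went live (useful in a claims investigation)
    evidence: str       # where the proof lives: policy ID, change ticket, export


# --- constructed sample inventory and control evidence ----------------------
ASSETS = [
    Asset("mail-o365", "saas", admin_access=True),
    Asset("rdp-gw-01", "server", admin_access=True),
    Asset("dc-01", "server", admin_access=True),
    Asset("backup-01", "server", admin_access=True, third_party=True),
    Asset("lap-042", "laptop", admin_access=False),
    Asset("lap-043", "laptop", admin_access=False),
]

CONTROLS = [
    ControlRecord("mfa", "mail-o365", date(2023, 3, 1), "IdP policy CA-017"),
    ControlRecord("mfa", "dc-01", date(2023, 9, 15), "change ticket CHG-1142"),
    ControlRecord("edr", "lap-042", date(2023, 5, 2), "EDR console export 2023-05"),
    ControlRecord("edr", "lap-043", date(2023, 5, 2), "EDR console export 2023-05"),
]


def in_scope(asset: Asset, scope: str) -> bool:
    """Map the wording of an application question onto inventory attributes."""
    if scope == "all":
        return True
    if scope == "admin":        # "MFA for all administrative access?"
        return asset.admin_access
    if scope == "servers":
        return asset.kind == "server"
    if scope == "endpoints":    # laptops AND servers, not just laptops
        return asset.kind in ("laptop", "server")
    raise ValueError(f"unknown scope {scope!r}")


def coverage(control: str, scope: str, assets=ASSETS, records=CONTROLS) -> dict:
    """Return covered/uncovered asset names and the coverage ratio for one control."""
    covered_names = {r.asset for r in records if r.control == control}
    scoped = [a for a in assets if in_scope(a, scope)]
    covered = sorted(a.name for a in scoped if a.name in covered_names)
    uncovered = sorted(a.name for a in scoped if a.name not in covered_names)
    ratio = len(covered) / len(scoped) if scoped else 1.0
    return {"covered": covered, "uncovered": uncovered, "ratio": ratio}


def attestation(control: str, scope: str, assets=ASSETS, records=CONTROLS) -> str:
    """Phrase the answer with its real scope rather than an unqualified 'yes'."""
    cov = coverage(control, scope, assets, records)
    total = len(cov["covered"]) + len(cov["uncovered"])
    if not cov["uncovered"]:
        return f"{control.upper()} is enforced on all {total} in-scope assets ({scope})."
    return (f"{control.upper()} is enforced on {len(cov['covered'])} of {total} "
            f"in-scope assets ({scope}, {cov['ratio']:.0%}); not enforced on: "
            + ", ".join(cov["uncovered"]) + ".")


def vendor_gaps(control: str, assets=ASSETS, records=CONTROLS) -> list:
    """Assets a third party can reach that lack the control: disclose or remediate."""
    covered_names = {r.asset for r in records if r.control == control}
    return sorted(a.name for a in assets if a.third_party and a.name not in covered_names)


if __name__ == "__main__":
    print(attestation("mfa", "admin"))
    print(attestation("edr", "endpoints"))
    print("third-party-reachable assets without MFA:", vendor_gaps("mfa"))
```

The output for the sample data states that MFA covers 2 of 4 administrative systems and names the two it misses, which is the qualified answer practice 1 asks for; the uncovered list doubles as the remediation backlog, and the `evidence` field on each record is the documentation practice 2 wants ready before an underwriter or a forensic investigator asks for it.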

The Bottom Line

Cyber insurance can offer critical protection, but its effectiveness hinges entirely on how accurately you understand and represent your security posture. With nearly 40% of claims being denied, any discrepancies or misrepresentations can jeopardize coverage when it’s needed most. The Travelers v. ICS case serves as a stark reminder: treating the insurance application process as a mere checkbox exercise is a costly mistake. It’s not enough to claim you’re secure — insurers expect verifiable proof. Failing to provide it could leave your organization exposed when a cyber incident strikes.
