Fresh Thoughts #39: The #1 Reason Cyber Insurers Don't Pay

Nope written on a board

In short...

...because your infrastructure and security measures differ from what was claimed on the cyber insurance questionnaire.

Why is there a difference?

It's bad enough to be a victim of a cyber attack. But to find your insurance won't pay out because you didn't follow the security procedures you stated on the cyber insurance questionnaire is very difficult for any business.

The difference can be for two reasons:

  1. What was claimed on the insurance questionnaire was not true. This could be a little massaging of the truth or a flat-out lie. In either case… this isn't good. An insurance policy is a contract, and the law is clear - if you breach the agreement, you can't expect a payout.
  2. Your infrastructure has changed over time… It was accurate, but life and business happened. And resulted in unintended consequences.

But how can an insurer know?

The state of your infrastructure only matters when you want to make an insurance claim. This will inevitably be when you're having problems. You've just been breached, fallen victim to a ransomware attack, or transferred money to a scammer's account.

Your incident response process should kick in whenever you have a security incident. And the main focus of this process is to understand the following:

  1. the root cause of the incident
  2. how to contain the incident
  3. how to fix the problem

So if the security incident was caused by a leaked password and you claimed to only use 2FA...

Or a known vulnerability was exploited while you claimed to have an automatic patching process...

Your insurance company will find out and spot the difference.

Why is this important now?

When the economy gets tight, justifying IT and security costs is essential. Cut what can be cut, but leave what is critical.

It's to be expected that we're working under more pressure. Shorter timelines, fewer people, less service per $£¥. So it's natural to look everywhere to cut corners. But...

Cybersecurity is a process.

You will need to take action tomorrow, next month, and next year. It's a cost of doing business - just like HR, legal advice, and finance.

Cutting a corner today incurs a debt - that you will need to pay down in the future. The sooner you pay the debt, the less compound interest you pay.

How do changes get introduced?

Some changes are easy - and within your control.

When someone joins your team or leaves. Having a Joiners and Leavers process to create and delete access in a structured way means there aren't dormant accounts waiting for a hacker to find and exploit.

When your team trials a new approach or a new service. There are two key areas to check:

  • Does the new service have the required baseline security measures? And are they configured?
  • Once you've reviewed the new service - clean up. If the approach doesn't work out, the trial service shouldn't have access to any confidential or personal information. If the new process does work out - remove the old way of working and fully migrate. Fewer IT systems are better. They're less of a headache.

But some changes are outside of your control. A security researcher discovers a new method to exploit an application. The app developer publishes a patch.

If you don't apply the patch promptly - the risk of exploitation increases. And your claim of running a patch management process comes into doubt.

What can be done about this?

Firstly, ensure your team doesn't massage the truth on cyber insurance questionnaires. While it can be tempting for short-term gain, no other type of insurance has the level of audit cyber insurance has. Every decision, mistake, and misconfiguration before the incident is logged and available for review.

Secondly, don't commit to policies and procedures you don't have the time and people to sustain. It's tempting to download policies from the internet. But if they're designed for companies with different staffing and investment levels to yours, they will not be sustainable. Simply put, you must fully implement your policies to ensure your insurance pays.

Thirdly, many areas of cybersecurity are "configure once and stay secure". But it's always worth monitoring and where possible enforcing the fundamentals:

  • Passwords, 2FA, access controls
  • Software patching and support
  • Firewalls
  • Maintaining backups of personal and sensitive data

Mobile Device Managers (MDM) can help consistently monitor endpoints. If you're using Microsoft 365, depending on your subscription, you may have one bundled with your plan. It can save you a considerable amount of time and effort.

Finally, schedule a monthly review point. Corners will inevitably be cut at some point. But what's changed? What security debt have you incurred and need to pay - before it becomes a problem?

Cybersecurity is a process.

Trim costs and become more efficient, but please don't remove the time it takes to complete the process.

November 1, 2022
4 Minutes Read

Related Reads

old map

Fresh Thoughts #31: The State of Cyber Insurance - September 2022

In March we made predictions about the cyber insurance industry. Were we right?

Fresh Thoughts to Your Inbox

Fresh perspectives on cybersecurity every Tuesday. Real stories, analytical insights, and a slash through buzzwords.

We'll never share your email.

Subscribe to Fresh Thoughts

Our weekly newsletter brings you cybersecurity stories and insights. The insights that help you cut through the bull.

We'll never share your email.


Fresh Security Support

Your Questions


Fresh Sec Limited

Call: +44 (0)203 9255868