Cyber Insurance Consultancy

Home / Cyber Insurance Consultancy

Over 40% of claims are rejected

One of the most important cyber risk management activities is to obtain cyber security insurance. In risk management terms, having the right cyber security insurance effectively transfers the risk of a successful cyber attack to the insurance company.

However, as with all forms of insurance, be very careful what you purchase and the devil is in the detail of the small print. The latest statistics on cyber insurance are rather revealing.

More than 40% of claims are rejected by the insurer due to the claimant not having accurately stated their true level of security posture. This is often not done deliberately, it’s typically due to a lack of understanding of the insurance prerequisites that are stated in the policy.

Note – we help you validate your policy requirements and implement any services or solutions to fill the gaps.

Why are claims rejected?

Failure to Meet Security Requirements

Many policies require companies to maintain specific cyber security measures (e.g., multi-factor authentication, encryption, endpoint protection). Claims may be denied if:

The company failed to implement required security controls.
Weak password policies or lack of multi-factor authentication (MFA).
Outdated software or unpatched systems were exploited in an attack.

For Example: A company suffers a ransomware attack, but they had not enabled MFA for remote access. The insurer denies the claim because MFA was a policy requirement.

Misrepresentation or Non-Disclosure

If a company misrepresents its cyber security practices or fails to disclose past incidents, insurers may reject claims.

Inaccurate information on security measures in the application.
Hiding past breaches or failing to report vulnerabilities.

For Example: A company claims they have an incident response plan, but in reality, they don’t. When a cyber attack occurs, the insurer denies the claim due to false statements in the policy application.

Excluded Attack Types (Policy Exclusions)

Some policies have exclusions for certain types of attacks, including:

State-sponsored cyber attacks (e.g., nation-state hacking campaigns).
Acts of war or terrorism (cyber warfare-related incidents).
Uninsurable fines and penalties (some regulatory fines are not covered).
Social engineering or phishing scams (if not explicitly covered).

For Example: A company falls victim to a business email compromise (BEC) scam, transferring funds to a fraudulent account. If the policy doesn’t cover social engineering, the claim is denied.

Late or Improper Claim Filing

Claims must be filed within the required timeframe, with proper documentation. Common mistakes:

Delayed reporting of the breach.
Incomplete or missing documentation of the incident.

For Example: A company takes months to report a data breach, preventing the insurer from investigating properly. The claim is rejected for late notification.

Failure to Mitigate Damage

Organisations must take reasonable steps to prevent further losses after an attack. Claims may be denied if:

The company failed to isolate infected systems during a ransomware attack.
No efforts were made to recover lost data or secure backups.

For Example: A company ignores recommendations from cyber security professionals and allows an attack to spread, increasing the damage. The insurer refuses to cover costs due to negligence.

Contractual Liability Issues

Some policies do not cover third-party damages (e.g., if a client sues due to a breach). Claims can be denied if:

The cyber event was caused by a vendor or contractor, not the insured company.
The contract between the company and insurer excludes third-party claims.

For Example: A cloud provider suffers a breach affecting multiple businesses. A company tries to claim under their cyber security policy, but it’s denied because the breach occurred in a third-party system.