Does Your Cyber Insurance Actually Cover What You Think? Questions to Ask Your Broker

Daniel Chang, Founder of Kompflow

A CPA firm in the Midwest got hit with ransomware last year. They had cyber insurance. They filed a claim. The insurer sent an adjuster who asked a series of questions: Was multi-factor authentication enabled on all remote access points? Could the firm provide documentation of its security controls? When was the last vulnerability scan conducted?

The firm had MFA on email but not on their remote desktop connection. They had a WISP, but it hadn't been updated in two years. They couldn't produce a vulnerability scan report because they'd never asked their IT provider to run one.

The claim was denied.

This isn't a rare story. 40% of cyber insurance claims were denied in 2024, and the most common reason wasn't fraud or bad faith. It was that the policyholder couldn't demonstrate that the security controls required by the policy were actually in place. The insurance existed. The coverage didn't.

The Coverage Gap Most Firms Don't Know About

Only 17% of small businesses carry cyber insurance. That number is startlingly low given the risk environment, but here's the part that should concern the 17% who do have it: having a policy doesn't mean you're covered.

Cyber insurance policies are structured around conditions. The insurer agrees to pay claims, but only if you've maintained the security controls described in your application. If you told the underwriter you had MFA deployed across all systems and you didn't, that's a material misrepresentation. If you said you conduct regular vulnerability assessments and you can't produce the reports, that's a gap. If your policy requires you to maintain a documented information security program and yours is sitting in a drawer unchanged since 2023, the insurer has grounds to deny your claim.

80% of insured companies that suffered a data breach did not have sufficient coverage. The average coverage gap was 350%, meaning the actual costs were more than three times what the policy covered. For small businesses with less than $1 million in revenue, uncovered losses represented an average of 90% of annual revenue. That's not insurance. That's an illusion of insurance.

What Underwriters Are Requiring Now

The cyber insurance market has tightened considerably. Insurers lost money on claims for several years running, and they responded by raising their standards. What used to be a simple application with a few yes-or-no questions has become a detailed security assessment.

51% of businesses must now have multi-factor authentication just to qualify for coverage. Not just on email. On remote network access, on privileged accounts, on admin consoles, on cloud platforms. Partial MFA is no longer sufficient. If MFA only protects your inbox but not your remote desktop or your cloud admin panel, insurers may increase your premiums or decline coverage entirely.

Beyond MFA, underwriters are increasingly looking for endpoint detection and response tools on all devices, documented incident response plans, regular backup testing, and evidence of employee security awareness training. 44% of cyber insurance claims are rejected due to inadequate security controls, which means nearly half the time, the insurer is finding that the policyholder didn't maintain the baseline security posture they agreed to.

The positive side of this: businesses with mature, documented security programs can see premiums 15 to 30% lower than those without. The investment in your security program isn't just compliance and protection. It's a direct reduction in your insurance costs.

The Exclusions Nobody Reads

Every cyber insurance policy has exclusions, and most firm owners have never read them. Here are the ones that trip up CPA firms most often.

Failure to maintain security standards. This is the big one. Your policy likely contains language requiring you to maintain security practices "equal or greater to those disclosed in the proposal." If your security posture has degraded since you applied, or if you overstated your controls on the application, the insurer can deny your claim based on failure to maintain standards. This is why documented, ongoing security management matters. Your policy isn't just a contract about the future. It's a contract about what you're doing right now.

Social engineering. Some policies exclude losses from social engineering attacks, like business email compromise schemes where an employee wires money to a fraudulent account. Others include social engineering coverage but with lower sublimits. If your firm handles client funds or makes wire transfers, check whether social engineering is covered and at what limit.

Acts of war. This exclusion made headlines when Merck filed a $1.4 billion claim after the 2017 NotPetya attack and the insurer denied it as an "act of war" because the attack originated from Russian military hackers targeting Ukraine. Merck eventually won in court, but the case took five years. War exclusions in cyber policies are evolving rapidly, and the language varies significantly between insurers.

Unpatched systems. If your systems weren't current on security patches at the time of the incident, some policies exclude coverage. This is another area where your IT provider's maintenance practices directly affect your insurance coverage.

The Questions to Ask Your Broker

Most firm owners treat their cyber insurance renewal the way they treat their auto insurance renewal: skim the summary, confirm the premium, sign the paperwork. That approach doesn't work when 40% of claims are being denied.

Before your next renewal, schedule a 30-minute call with your broker and ask these questions:

1. What specific security controls does this policy require me to maintain? Don't accept vague answers. Get the list. MFA, endpoint protection, patching cadence, training requirements, documentation requirements. Write them down. These are conditions of your coverage, and you need to know what they are.

2. What are the exclusions in our policy? Ask for the full list, not the summary. Ask specifically about social engineering, acts of war, regulatory fines, and failure to maintain controls. If your broker can't walk you through the exclusions in plain language, you need a different broker.

3. What happens if we can't demonstrate that our security controls were in place at the time of a claim? The answer to this question reveals how much documentation matters. If the insurer can deny your claim because you can't produce evidence of your security practices, you need to start building that evidence now.

4. What documentation should we maintain to support a claim? Ask what the insurer would want to see during an investigation. Typically: vulnerability scan reports, training records, access review logs, incident response plan documentation, and evidence that your WISP has been reviewed and updated. Start collecting these artifacts now, not after an incident.

5. Is our coverage limit adequate for our risk profile? The average data breach in financial services costs $6.08 million. Your policy probably covers $1 million to $3 million. Ask your broker to help you model a realistic breach scenario for your firm size and client base, then compare that to your current coverage. The average cyber insurance claim payout is around $600,000, which means most policies are leaving significant costs uncovered.

6. How will filing a claim affect our renewal? Claims severity increased 17% in 2024, and firms that file claims often see their premiums increase substantially at renewal. Some have difficulty renewing at all. Understanding the post-claim impact helps you weigh the decision to file and reinforces the value of prevention.

7. What would reduce our premium? Ask your broker what specific security improvements would lower your renewal cost. Documented MFA deployment, endpoint detection tools, tested backups, a documented incident response plan, and encryption all commonly qualify for premium reductions. If you're already doing these things but can't prove it, the investment in documentation pays for itself through lower premiums.

8. Does our policy cover regulatory fines and penalties? Under the FTC Safeguards Rule, CPA firms face penalties of up to $50,120 per violation per day. Some policies cover regulatory defense costs but not the fines themselves. Some cover both. Some cover neither. Know where your policy stands.

What You Can Do Today

1. Pull out your policy and read the conditions section. Not the declarations page. The conditions. Find the section that describes what security controls you're required to maintain. Compare that list to what you actually have in place today.

2. Ask your IT provider for documentation. Request copies of your most recent vulnerability scan reports, endpoint protection deployment records, and patch management logs. If these don't exist, work with your IT provider to start producing them. They're not just good security practice. They're evidence that supports your insurance coverage.

3. Schedule the broker call. Put it on the calendar this week. Use the eight questions above. Record the answers and file them with your policy documents.

4. Update your application honestly. When your renewal comes around, answer every question accurately. Overstating your security posture might get you a lower premium, but it gives the insurer the ammunition to deny your claim when you need coverage most.

5. Close the gaps. If you discover that your policy requires controls you don't have, close those gaps before your next renewal. The cost of implementing MFA, running vulnerability scans, or documenting your security program is a fraction of the cost of a denied claim.

The Bottom Line

Cyber insurance is a valuable layer of protection, but it's not a substitute for a security program. It's a complement to one. The firms that benefit most from their coverage are the ones that can demonstrate they were doing the work before the incident occurred.

The firms that get burned are the ones who assumed the policy was enough. It isn't. The policy is a promise from the insurer, conditioned on a promise from you. If you can't keep your end of the bargain, they won't keep theirs.

If you want help aligning your security program with your insurance requirements so that both actually work when you need them, Kompflow can help. We build the documentation, track the controls, and coordinate with your IT provider so that when your broker asks "can you prove it," the answer is always yes.

Your policy is only as good as the program behind it.
