
You're Paying for Cyber Insurance. So Were They. During a Claim, Theirs Was Voided Anyway.


N.O. IT STRATEGY | Strategic Briefing No. 11

In May 2022, an electronics manufacturer in Decatur, Illinois called International Control Services was hit by ransomware. They had a $1 million cyber insurance policy with Travelers. They filed a claim and Travelers investigated.

What the investigation found was that ICS had checked yes on their application stating they used multi-factor authentication across administrative and privileged access. What Travelers actually found was that MFA was only active on the firewall. Every other system, including the server where the attack originated, had no MFA protection at all.

Travelers denied the claim and filed suit to rescind the policy entirely. In August 2022, the U.S. District Court for the Central District of Illinois entered an order declaring the policy void from inception. Not denied. Not reduced. Void. Every premium paid, every month of coverage ICS believed they had, erased. The policy was treated as if it never existed.

This is a well documented case; look up federal case number 22-cv-2145 for the full record.

For a small or mid-sized business facing that outcome without coverage, the math is simple and brutal. The average ransomware loss for an SMB in 2025 was $292,000. Without a policy that pays, most businesses in that position don’t recover; they close.

What You Are Actually Signing

A cyber insurance application is not a questionnaire. It is a sworn statement. When you sign it, you are certifying that every answer reflects the actual, current state of your security environment. Carriers treat it as a material representation, meaning if the answers are wrong and a claim comes in, they have legal grounds to deny the payout or void the policy entirely.

Most business owners don’t realize this when they fill out the application. They hand it to an office manager, answer from memory, or assume their IT vendor handled everything they said yes to. That assumption is how companies end up in federal court with no coverage after a breach.

The controls carriers are asking about are specific. Here is what they mean, what it actually costs to have them in place, and why the answers you give matter as much as the controls themselves.

Multi-Factor Authentication

MFA means that logging into a system requires more than a password. After entering credentials, the user must verify their identity through a second method, typically a code from an authenticator app or a text message. Without it, a stolen or guessed password is all an attacker needs to walk in.

Carriers are asking whether MFA is enforced on remote access, email, administrator accounts, and servers. The word enforced matters. MFA that is available but optional does not satisfy most underwriters. If employees can bypass it, it does not count.

The ICS case turned on exactly this point. MFA was technically in place on the firewall. It was nowhere else. The server that was attacked had none. One checkbox, answered incorrectly, voided a $1 million policy.

The cost to implement MFA across a 20-person organization is low. Microsoft 365 and Google Workspace both include it at no additional charge. The barrier is almost never budget. It is awareness and configuration.

MFA misconfiguration is the single most expensive point of failure in cyber insurance claims, accounting for roughly 26% of all losses.

Endpoint Detection and Response

Traditional antivirus compares files against a list of known threats and flags matches. That approach has a fundamental weakness: it only catches what it already knows about.

Endpoint Detection and Response, commonly called EDR, works differently. It monitors behavior across every device in real time, looking for patterns that indicate something malicious is happening even if the specific threat has never been seen before. When ransomware begins moving through a network, it behaves in recognizable ways before it does its damage. It escalates privileges, moves laterally, and starts encrypting files. EDR can detect and interrupt that sequence. Traditional antivirus typically cannot.

Carriers are asking whether EDR is deployed on all endpoints. Not servers only. Not office desktops only. All endpoints. A single unprotected laptop is an entry point.

Platforms like Huntress, SentinelOne, and CrowdStrike are the names you will see most often in this space. True EDR coverage runs roughly $6 to $10 per endpoint per month depending on the platform and whether you are buying direct or through a managed service provider. For a 25-person company with 30 endpoints, that is $180 to $300 per month. One important note: CrowdStrike’s entry-level Falcon Go tier does not include EDR. If your carrier is asking specifically for EDR, the base CrowdStrike package does not satisfy that requirement. Confirm what tier you are on and what it actually covers.

Immutable and Offsite Backups

A backup that can be encrypted or deleted is not a backup in the context of a ransomware attack. Attackers know this. In 72% of ransomware incidents, attackers specifically target backups before triggering encryption. They know that destroying your recovery options forces you to pay.

Most IT professionals follow what is called the 3-2-1 rule as a baseline. Three copies of your data, on two different types of media, with one copy stored offsite. That framework exists because no single backup method protects against every failure scenario. A ransomware attack, a hardware failure, a fire, and a flood each create different risks. A layered backup structure addresses all of them.

Onsite backups give you speed. Restoring from a local device or network-attached storage is fast, which matters when every hour of downtime costs money. The weakness is that onsite backups sit in the same physical environment as your production systems. A ransomware attack that reaches your network can reach them too.

Offsite backups give you separation. A copy stored at a secondary location or in a cloud environment that is logically isolated from your primary infrastructure cannot be touched by an attack on your main environment. The tradeoff is that restoration takes longer depending on data volume and connection speed.

Offline backups, sometimes called air-gapped backups, go one step further. These are copies that are completely disconnected from any network, physically or logically. A drive that is unplugged, a tape that is stored separately, or a cloud vault with immutable retention policies that prevent deletion even by an authenticated administrator. Ransomware cannot encrypt what it cannot reach. Physical offline media should be stored in a fireproof safe or secure offsite location, not in the same room or building as your servers. A fire or flood that destroys your server room will destroy anything stored next to it as well. Physical separation and fireproof storage are not optional extras. They are part of what makes an offline backup actually useful when you need it most.

Immutability adds a final layer of protection on top of all of this. Immutable backups are write-protected for a defined retention period. Once data is written, it cannot be modified or deleted by ransomware, by a compromised administrator account, or by anything else until the retention window expires.

Carriers are asking whether your backups are immutable, whether they are stored offsite or in an air-gapped environment, whether backup credentials are separated from your primary admin accounts, and whether you have tested a restore in the last 90 days. That last point matters more than most organizations realize. A backup you have never tested is a backup you cannot count on.

One copy of your data is not a backup strategy. It is a single point of failure with extra steps. Cloud backup services that meet carrier requirements typically run between $50 and $200 per month for a small business depending on data volume. The cost of not having them, if a claim is denied because your backups did not qualify, is the entire recovery bill out of pocket.

Security Awareness Training

In technology we love to rely on tools, and the controls described above do stop a lot of attacks. However, they do not stop an employee who clicks a malicious link, hands over their credentials on a spoofed login page, or wires money because an email looked like it came from the CEO. Human error remains the starting point for the majority of successful breaches, and carriers know it.

Security awareness training, commonly called SAT, is now a formal requirement with a growing number of carriers. They are not asking whether you have ever sent your team a cybersecurity reminder. They are asking whether you have a documented, recurring training program with completion records, and in many cases whether you conduct regular phishing simulations to test whether that training is actually working.

The distinction matters at claim time. A one-time training session from three years ago does not satisfy an underwriter asking about an active program. Completion records that show only half your staff finished the last training create a coverage gap. A phishing simulation program that generates reporting metrics gives you something concrete to show an investigator. A checkbox with no documentation behind it gives you nothing.

The cost of a managed security awareness training program for a small business typically runs between $10 and $25 per user per month depending on the platform and whether phishing simulations are included. For a 20-person organization that is $200 to $500 per month. Compare that to the average ransomware loss of $292,000 and the math is not complicated.

A Note on Carrier Requirements

The controls covered in this briefing represent the most common requirements across major carriers today. They are not exhaustive. Depending on your carrier and your industry, you may face additional requirements. Password complexity standards and minimum password length policies are a common example. Some carriers require documented patch management schedules, formal vulnerability assessment programs, employee security awareness training with completion records, or restrictions on privileged access accounts. Tokio Marine, Chubb, Travelers, and others have each asked for different combinations of controls at different points in time, and those requirements evolve at every renewal cycle. The only way to know exactly what your carrier requires is to read your specific policy and application carefully, and ideally have someone technically qualified review it with you before you sign.

What Verification Actually Looks Like

Knowing you have these controls is not the same as being able to prove you have them. When a claim comes in, the carrier sends auditors; they do not take your word for it. They pull logs, review configurations, and verify that what your application described matches what was actually deployed on the day the policy was issued.

That means documentation matters as much as the controls themselves. You need to be able to show when MFA was enabled and which systems it covers, when EDR was deployed and which devices are enrolled, when your last backup restore test was conducted and who verified it, and whether your training program has current completion records across your entire staff.

Organizations that cannot produce this documentation at claim time face the same exposure as organizations that never had the controls in place. The burden of proof is on you, not the carrier.

Building a verification package means conducting an honest audit of your environment before you complete your application, documenting every control with timestamps and scope, and reviewing that documentation at every renewal to confirm it still reflects reality. Security environments change. Devices get added. Accounts get created. Staff turns over. A control that covered everything at last renewal may have gaps today.
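The honest audit described here can be run the same way an auditor would, against the controls from the earlier sections: MFA enforced (not merely available) on every account, EDR on every endpoint, a 3-2-1 backup set with an immutable or air-gapped copy, separate backup credentials and a restore test in the last 90 days, and training completion records for all staff. The script below is an added example, not code from the briefing or from N.O. IT Strategy; it runs over a constructed inventory and lists, per control, every finding that would make a "yes" on the application unsupportable.

```python
from datetime import date

# Constructed sample inventory (not real data). In practice these rows come from
# exports of your identity provider, EDR console, backup platform and training platform.
ACCOUNTS = [
    {"name": "firewall-admin", "mfa": "enforced"},
    {"name": "fileserver-admin", "mfa": "none"},      # the ICS pattern: MFA on the firewall only
    {"name": "jdoe", "mfa": "optional"},
]
ENDPOINTS = [{"host": "WS-01", "edr": True}, {"host": "LAPTOP-07", "edr": False}]
BACKUPS = [
    {"location": "onsite", "media": "nas", "immutable": False, "offline": False},
    {"location": "offsite", "media": "cloud", "immutable": True, "offline": False},
]
BACKUP_META = {"last_restore_test": date(2025, 1, 10), "separate_creds": False}
TRAINING = {"staff": 20, "completed": 14}
AS_OF = date(2025, 6, 1)  # constructed assessment date

def mfa_gaps(accounts):
    # Only *enforced* MFA counts: a user who can skip it is unprotected.
    return [a["name"] for a in accounts if a["mfa"] != "enforced"]

def edr_gaps(endpoints):
    # Carriers ask about all endpoints, so one unenrolled laptop is a gap.
    return [e["host"] for e in endpoints if not e["edr"]]

def backup_gaps(copies, meta, today):
    gaps = []
    if len(copies) < 3:  # 3-2-1: three copies ...
        gaps.append("fewer than 3 copies")
    if len({c["media"] for c in copies}) < 2:  # ... on two media types ...
        gaps.append("fewer than 2 media types")
    if not any(c["location"] == "offsite" for c in copies):  # ... one offsite
        gaps.append("no offsite copy")
    if not any(c["immutable"] or c["offline"] for c in copies):
        gaps.append("no immutable or air-gapped copy")
    if not meta["separate_creds"]:
        gaps.append("backup credentials shared with primary admin accounts")
    if (today - meta["last_restore_test"]).days > 90:
        gaps.append("restore test older than 90 days")
    return gaps

def training_gaps(rec):
    missing = rec["staff"] - rec["completed"]
    return [f"{missing} of {rec['staff']} staff without completion record"] if missing else []

def readiness_report(today=AS_OF):
    """Findings per control; an empty list means a 'yes' answer is supportable."""
    return {"mfa": mfa_gaps(ACCOUNTS), "edr": edr_gaps(ENDPOINTS), "training": training_gaps(TRAINING),
            "backups": backup_gaps(BACKUPS, BACKUP_META, today)}
```

Keep each export that fed the report, with its date, alongside the findings; that pairing is the timestamped, scoped evidence the auditor will ask for.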

What to Do Before Your Next Renewal

You do not need to figure this out alone, and you do not need to be an existing client of ours to get help with it.

N.O. IT Strategy offers Cyber Insurance Readiness as a standalone engagement with two tiers depending on where your organization is starting from.

The Readiness Review is a focused assessment for organizations that want to know where they stand before their renewal. We compare your actual security environment against the controls your current policy requires, identify the gaps that put your claim at risk, and deliver a clear findings report you can act on. You walk away knowing exactly what needs to be addressed and in what order. What you do with that information is up to you. Some clients hand it to their existing IT vendor to remediate. That works. The goal is making sure the honest audit gets done before the renewal date, not after an incident forces the question.

The Readiness Engagement goes further. In addition to the full assessment, we examine whether your coverage amount reflects your actual risk exposure. Most small businesses select a policy limit based on what seemed reasonable at the time, not based on what a real incident would actually cost them. When you factor in recovery costs, business interruption, legal fees, regulatory notifications, and potential third-party liability, the gap between what a policy covers and what a breach actually costs can be significant. The Readiness Engagement also includes development of an Incident Response Plan, a documented playbook your organization follows when something goes wrong. Carriers are increasingly asking for it. More importantly, having one before an incident means your team is not making critical decisions under pressure with no guidance. We also build the complete documentation package your carrier will expect if you ever need to file a claim, covering every control with timestamps, scope, and verification records.

For organizations that need to close a training gap before renewal, we offer security awareness training as a standalone service regardless of which tier you choose. That includes a managed training program with documented completion records, email phishing simulations tailored to your organization, and reporting metrics that demonstrate an active and ongoing program to your carrier.

If your renewal is coming up, or if you have never had someone independently verify that your answers reflect your actual environment, that conversation is worth having now.

N.O. IT Strategy LLC provides fractional IT leadership and strategic technology guidance to small and mid-sized businesses. Service fees vary based on scope and engagement type. This briefing is for informational purposes and does not constitute legal or insurance advice. Consult your insurance broker and legal counsel regarding your specific policy requirements.