Avoiding Cyber Insurance Claim Denials

ICS, an Illinois manufacturing firm, was likely relieved to have cyber insurance with Travelers Insurance following a 2022 data breach. However, investigators found that ICS hadn’t implemented multi-factor authentication (MFA) on all digital assets as agreed in their policy.

Travelers sued ICS and won.

The policy was rescinded, and so were ICS’s feelings of gratitude, which likely evolved into worried whispers of “Oh, crap.”

Smart businesses like yours are adding cyber insurance to their policies because they know good security hygiene is just as much a competitive advantage as a way to reduce business risk. But as cyber insurance premiums steadily increase – they rose 62% last year alone – you want to ensure they pay your claim when you need it most.

Why Claims Get Denied

“Most claims that get denied are self-inflicted wounds,” says Rusty Goodwin, the Organized Efficiency Consultant at Mid-State Group, an independent insurance agency in Virginia.

Though we like to paint insurance companies as malicious money-grubbers hovering oversize “DENIED” stamps over claims, denials are usually the result of an accidental but fatal misrepresentation or omission by businesses or simply not letting an insurer know about changes in their security practices. However, there are simple steps you can take to prevent a claim-denial doomsday.

4 Ways To Make Sure Your Claim Doesn’t Get Denied

1. Find a broker to help you understand your policy.

There’s no doubt that insurance policies are tedious, filled with legal lingo that makes even the Aflac Duck sweat. Nevertheless, there are several parts to an insurance contract you must understand, including the deck pages (the first pages that talk about your deductible, total costs and the limits of liability), the insuring agreements (a list of all the promises the insurance company is making to you) and the conditions (what you are promising to do).

Goodwin says, “If you understand the contract’s conditions and govern yourself accordingly with your broker’s help, you will never encounter problems getting a claim paid.”

Some brokers don’t specialize in cyber insurance but will take your money anyway. Be wary of those, Goodwin warns. “If an agent doesn’t want to talk about cyber liability, then they either don’t know anything about it or they don’t care because they won’t make a lot of money off it.” If that’s the case, he says, “take all your business elsewhere.”

2. Understand the conditions.

If you’re breached, insurance companies will happily write a check, but only if you fulfill certain promises. We refer to these promises as the conditions of the contract. Today, insurers expect commitments to MFA and password managers, routine data backups, and staff phishing simulations and cyber security training.

Understanding the conditions is critical, but this is where most companies go wrong and wind up with a denied claim.

3. Make good on the promises.

Filling out a homeowners insurance application can get you a discount if you have a security alarm. If not, you may plan to install one. You enjoy your cheaper premium but are busy and forget to install the alarm (nobody comes around to check anyway).

Then, someone breaks into your home. Goodwin says, “Guess whose insurance claim we’re not going to pay? We have the power to ensure that we pay our claim.” There’s really nothing to be afraid of as long as you understand the promises that you’re making.”

This happens all the time in cyber insurance. Businesses promise to use MFA or host training but don’t enforce it. As in the case of ICS, this is how claims get denied.

4. Don’t assume the right hand knows what the left hand is doing.

Goodwin sees companies make one big mistake with their insurance policies: making assumptions. “I see CFOs, CEOs or businessowners assume their MSP is keeping all these promises they’ve just made, even though they never told their MSP about the policy,” he says. MSPs are good at what they do, “but they aren’t mind readers,” Goodwin points out.

Regularly review your policy and have an open and transparent line of communication with your IT department or MSP so they can help you keep those promises.

“We’re the architect of our own problems” Goodwin says. If we’re prepared to work with a quality broker and fulfill our promises, we can become the agents of our own salvation.