Many policies require companies to maintain specific cyber security measures (e.g., multi-factor authentication, encryption, endpoint protection). Claims may be denied if:

• The company failed to implement required security controls.
• Weak password policies or lack of multi-factor authentication (MFA).
• Outdated software or unpatched systems were exploited in an attack.

For Example: A company suffers a ransomware attack, but they had not enabled MFA for remote access. The insurer denies the claim because MFA was a policy requirement.

If a company misrepresents its cyber security practices or fails to disclose past incidents, insurers may reject claims.

• Inaccurate information on security measures in the application.
• Hiding past breaches or failing to report vulnerabilities.

For Example: A company claims they have an incident response plan but in reality, they don’t. When a cyber attack occurs, the insurer denies the claim due to false statements in the policy application.

Some policies have exclusions for certain types of attacks, including:

• State-sponsored cyber attacks (e.g., nation-state hacking campaigns).
• Acts of war or terrorism (cyber warfare-related incidents).
• Uninsurable fines and penalties (some regulatory fines are not covered).
• Social engineering or phishing scams (if not explicitly covered).

For Example: A company falls victim to a business email compromise (BEC) scam, transferring funds to a fraudulent account. If the policy doesn’t cover social engineering, the claim is denied.

Claims must be filed within the required timeframe, with proper documentation. Common mistakes:

• Delayed reporting of the breach.
• Incomplete or missing documentation of the incident.

For Example: A company takes months to report a data breach, preventing the insurer from investigating properly. The claim is rejected for late notification.

Organisations must take reasonable steps to prevent further losses after an attack. Claims may be denied if:

• The company failed to isolate infected systems during a ransomware attack.
• No efforts were made to recover lost data or secure backups.

For Example: A company ignores recommendations from cyber security professionals and allows an attack to spread, increasing the damage. The insurer refuses to cover costs due to negligence.

Some policies do not cover third-party damages (e.g., if a client sues due to a breach). Claims can be denied if:

• The cyber event was caused by a vendor or contractor, not the insured company.
• The contract between the company and insurer excludes third-party claims.

For Example: A cloud provider suffers a breach affecting multiple businesses. A company tries to claim under their cyber security policy, but it’s denied because the breach occurred in a third-party system.