Your Cyber Insurance Policy Is Only as Good as the Controls Behind It
Most firms answered the application and filed it away. The time to find the gaps is before a claim, not during one.
Most professional services firms that carry cyber insurance bought the policy the same way they bought their general liability policy: they answered the questions, paid the premium, and filed it away.
That's fine until you need to file a claim. Then the application and the policy wording start to matter a lot more than most firms expect. Cyber policies are heavily customized, and the answers given during underwriting can become very important if a claim later turns on whether the controls you described were actually in place.
The point isn't that every disputed claim gets denied. It's that a lot of firms have never compared their policy language, underwriting answers, and actual operating environment closely enough to know where a dispute could start.
The coverage question first, because it's worth understanding what you're actually buying.
Cyber policies often include a mix of first-party and third-party coverage. Common buckets can include forensic investigation, breach response costs, legal defense, certain regulatory expenses, cyber extortion coverage, and some form of business interruption. But "often" is the key word. Coverage structure, exclusions, waiting periods, and sublimits vary substantially by policy and carrier.
Sublimits are common, including for cyber-crime losses and for business interruption caused by the outage of a dependent third party. The headline policy limit is less meaningful than the sublimits for the scenarios most likely to affect you, and most firms haven't read that section carefully.
Social engineering and funds transfer fraud deserve special attention because policy language in that area varies widely. In some programs, coverage may require an endorsement or may be subject to narrow wording or low sublimits. That's the kind of detail worth reviewing before a loss, not during one.
The application is where this gets operationally relevant.
When you applied for your policy, you were asked about MFA, endpoint protection, backups, incident response, and likely several other controls. The answers you gave are now part of the underwriting record. If a claim later implicates a control you represented on that application, and the investigation reveals the control wasn't in place or wasn't functioning the way you described, you may have a coverage problem, and in the worst cases, a serious dispute over the validity or scope of coverage.
The Travelers v. ICS case is the cautionary example. The dispute centered on alleged misrepresentations about MFA in the application. The policy was ultimately rescinded by stipulation. That's not a fine-print technicality. It's the practical consequence of an application answer that didn't reflect operational reality.
Underwriting has also become more exacting. The safer operating assumption is that you should be able to support your application answers with actual evidence, not just a good-faith belief that the controls exist.
The practical things to do before your next renewal.
Pull the policy, the declarations, any endorsements, and your most recent application or renewal questionnaire. Read them together. The gaps between what you said you have and what you actually have are worth finding now rather than later.
Compare your answers to actual controls: MFA enforcement, backup testing, EDR deployment, vendor access management, incident response documentation. Not intended controls. Current, verified ones.
Identify what evidence you could produce quickly if asked: restore test records, access review exports, security configuration screenshots, policy acknowledgments. If you can't produce that evidence within 72 hours, that's a gap.
Check for sublimits and any separate treatment of social engineering and funds transfer fraud. Know what those limits are before you're in a situation that triggers them.
And involve your broker, IT or security lead, and legal counsel together — not in separate conversations. The policy, the controls, and the documentation need to be reviewed as a system.
The connection to your managed IT setup is direct. If your Athencia One environment is configured correctly — MFA enforced, Huntress running and monitored, Dropsuite and Slide backups tested regularly — you're not just more secure, you're in a better position to support the representations you made when you bought the policy.
Cyber insurance works best when it's backed by the controls it assumes you have. The firms that discover a gap usually discover it at the worst possible time.