Your Insurer Isn't Betting On Your Security. They're Betting You Can't Prove It.
Saturday 11 April 2026
I am going to tell you something that will make you angry. Possibly at me. Probably at the insurance industry. Either way, I think you need to hear it.
The cyber insurance industry’s real product is not coverage. It is plausible deniability.
Let me be precise about what I mean, because I am not accusing the industry of fraud. The market pays billions in claims every year. The ABI confirmed that UK insurers paid £197 million in cyber claims in 2024, a 230% increase on 2023. The market absolutely does pay. When everything lines up, it works.
What I am saying is that the incentive structure of the claims investigation process is not designed to find reasons to pay. It is designed to compare what you said with what they find, and every discrepancy discovered is leverage the insurer can use. That is not a conspiracy. That is rational commercial behaviour. But it is very different from what most SMB owners think they bought.
What You Think You Bought
You think you bought a product that says: if a cyber incident happens to my business, the financial consequences will be covered, subject to the usual excess, up to the policy limit.
That is a reasonable description of what a well-structured, properly maintained cyber policy with verified controls will do for you.
What You Actually Bought
You bought a contract. A contract with conditions. Conditions that were assessed on a specific day, probably by someone filling in an online form without full visibility of the technical environment, and that have to remain accurate on every day between that form and the day you claim.
If anything material has changed, or if anything was not quite right on the original form, the insurer’s investigation after a breach will find it. And when they find it, they have legal tools, given to them by the Insurance Act 2015 and sanctioned by the FCA framework, to reduce or refuse your payout.
The forensic team they send in after your breach is not your friend. They are paid by the insurer. Their job is to help with the incident, yes, but also to reconstruct the state of your environment at the time of the attack and compare it to the story that was sold when you bought the policy. Every gap they find is a negotiating point for the insurer.
The Proof Problem
Here is the specific mechanism that generates most of the denied claims.
Coalition’s 2024 claims data: 82% of denied claims involved organisations that had not fully implemented MFA. Industry analysis suggests over 40% of claims face denial or significant reduction.
The standard narrative is: businesses that didn’t have security got caught.
The reality is more complicated, and more uncomfortable. Many of the businesses in those statistics had the controls. They just could not prove it under forensic scrutiny. MFA was deployed but the registration logs showed gaps. Backups were running but the restore test was never documented. Patches were applied but the patch reports were overwritten. Incident response plans existed as draft documents in someone’s email but were never formalised.
The bar is not “did you have MFA.” The bar is “can you produce an MFA enforcement policy, an enrollment report showing 100% coverage, and confirmation that enforcement was active on the day of the attack?”
Most UK SMBs cannot. Not because they are fraudulent. Because nobody told them that documentation was the product.
Why the Industry Has Not Fixed This
I have been in this business long enough to be cynical about the incentives here. The insurance industry does well when premiums come in and claims stay manageable. If every SMB in the UK suddenly had perfectly documented security controls, claims would plummet, premiums would have to fall, and underwriters would earn less. There is no incentive structure within the existing market that drives insurers to proactively help their customers understand the documentation gap before a claim, rather than finding it after.
Brokers are getting better at this. The better ones now include a controls audit as part of the renewal process, walk clients through the documentation requirements, and flag gaps before the proposal form is submitted. But this is not universal, and it is not required.
The FCA’s ICOBS 8.1 guidance does constrain the worst behaviour: insurers cannot simply point to any minor policy breach and walk away. The breach has to be connected to the loss. But “connected to the loss” is a legal test, not a moral one. If your MFA gap was the route the attacker used, the connection is made and the argument is live.
What the Insurance Industry Does Well
I should be fair. Cyber insurance, when it works, works well. The incident response support that comes with a well-structured policy, the access to specialist forensic firms, the legal support for regulatory notification, the business interruption coverage that keeps a business alive during recovery: these are genuinely valuable.
The market paid £197 million in UK claims in 2024. That money went to real businesses dealing with real attacks. The industry is not a scam. It is a mature financial product that is becoming more sophisticated, and that sophistication comes with more complex conditions.
The problem is the information asymmetry. The insurer’s forensic team knows exactly what they are looking for. The small business owner filling in the proposal form on a Tuesday afternoon does not.
The Three Things That Actually Protect You
Not three expensive things. Three documentation things.
First: Pull your proposal form right now. Go through every security-related question. For each one, ask whether you can prove the answer is accurate today. Not “roughly accurate.” Specifically accurate, with evidence.
Second: Start keeping the documentation that makes a claim survivable. Dated MFA enrollment reports. Backup completion logs and restore test records. Patch compliance reports. Your incident response document with a version date. Screenshots of policy settings. This is not glamorous. It is the difference between a claim that pays and one that doesn’t.
Third: If there are gaps between your form answers and your actual controls, tell your broker before a breach makes it expensive. Voluntary disclosure at renewal, where you correct an inaccuracy, is survivable. An insurer finding the same gap during a post-breach forensic investigation is categorically different, legally and financially.
The Competitive Advantage Angle
I want to end on something positive, because I am aware this has been a fairly sustained rant.
The businesses that get this right, that treat their cyber insurance compliance as a living thing rather than a box-ticking exercise, are in a genuinely better competitive position. Lower premiums. Faster claim resolution if something does go wrong. A documented security posture that satisfies supplier qualification requirements.
The gap between how most UK SMBs manage their cyber insurance and how it should be managed is large. That gap is also an opportunity. Getting ahead of it is not expensive. It is mostly time, attention, and the discipline to keep a folder of evidence that most of your competitors do not have.
The insurer is betting that you can’t prove your controls under pressure. Prove them wrong before a breach makes the bet relevant.
Sources
| Source | Article |
|---|---|
| ABI | Nearly £200 million paid in cyber claims to help UK businesses recover |
| Coalition | Coalition 2024 Cyber Claims Report |
| legislation.gov.uk | Insurance Act 2015 |
| FCA | FCA Handbook ICOBS 8.1 - Claims Handling |
| Marsh McLennan | UK Cyber Insurance Claims Trends Report 2024 |