
Cyber insurance claims are being quietly denied — here’s why

Over 40% of UK cyber insurance claims get rejected because the IT setup doesn’t match the policy. You could be paying for cover that won’t pay out when you.

By The Dragon Digital team


You’ve bought cyber insurance, you’re paying the premium each month, and it feels like a sensible precaution. The uncomfortable reality is that, according to recent industry analysis, over 40 percent of UK cyber insurance claims are rejected at some stage — mostly because the business couldn’t prove it had the IT controls the policy demanded.

Those rejections don’t happen at signup. They happen at claim time, when a breach has already occurred and you actually need the money. By then, the insurer’s forensic team has found the gap: multi-factor authentication wasn’t enforced, patches weren’t applied on schedule, or the business took too long to report the incident. The claim is denied. The loss sits with you.

Why insurers are getting stricter

UK insurers paid out £197 million in cyber claims in 2024 — more than three times the £59 million paid the year before. When payouts climb that fast, underwriters tighten the rules. They’ve moved from taking your word for it on a questionnaire to verifying answers against external data before the policy is even issued. At claim time, they’re thorough.

The most common rejection triggers are pretty consistent:

  • Multi-factor authentication not enforced. Almost every modern policy requires MFA — the second login step, usually a code on your phone — across email, remote access, and admin accounts. Having it available but not switched on counts as a policy violation. Nearly 82 percent of denied claims involved businesses without active MFA.
  • No patching records. Insurers want written evidence that security updates were applied within agreed timeframes. If the records don’t exist, it’s treated the same as the patching not happening.
  • Late incident reporting. Many policies require you to notify the insurer within 48 to 72 hours of detecting a problem. If nobody spots the issue until something goes wrong on a Monday morning, you’re already outside the window.

The numbers that put it in context

The UK government’s 2025 cyber security survey found that 43 percent of businesses experienced a breach or attack in the past year. Ransomware cases roughly doubled. The average cost of a serious, disruptive breach is now £8,260 — enough to cause real damage to a small business in Ruthin, Denbigh, or anywhere else without a finance team large enough to absorb it.

Put the two figures together: 43 percent breach rate, 40 percent claim denial rate. A lot of businesses are experiencing breaches and finding the insurance won’t pay because the IT setup silently didn’t match what the policy required.

What this means for your IT provider relationship

Your IT contract and your insurance contract are more connected than most businesses realise. MFA enforcement, documented patch management, incident detection within defined timeframes — these are all operational requirements that only your IT setup can deliver and evidence. If nobody has ever sat down and aligned the two documents, your business could be in continuous breach of its own policy without knowing it.

The pattern that ends in a rejected claim tends to look the same: the IT provider was never shown the insurance policy, and when asked whether the business meets the security requirements, the answer was general reassurance rather than documented proof.

What to do about it

Get a copy of your insurance policy and read the control requirements — specifically the sections covering MFA, patching, endpoint protection (that’s antivirus and device management), and incident reporting. Then:

  1. Ask for written confirmation, with evidence, that each requirement is currently being met.
  2. Request a recent patching report.
  3. Check that MFA is actually enforced across email, remote access, and admin accounts — not just available.
  4. Map out your incident reporting process: who notices a problem, who decides it’s reportable, who calls the broker, and within what timeframe.

Five pages of documented controls that match the policy could be the difference between a claim being paid and a claim being denied.
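As an added illustration (not code from the original post or from Dragon Digital), here is a small script that checks exported patch records and an incident timeline against the two policy windows discussed above. The 14-day patch window, the 72-hour notification window and the patch records are all constructed assumptions; replace them with the figures in your own policy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy terms (constructed for this example, not from any real policy):
# patches applied within PATCH_WINDOW_DAYS of release, insurer notified within
# NOTIFY_WINDOW_HOURS of the incident being detected.
PATCH_WINDOW_DAYS = 14
NOTIFY_WINDOW_HOURS = 72

@dataclass
class PatchRecord:
    host: str
    patch: str
    released: datetime
    applied: Optional[datetime]   # None = no record that it was ever applied

def patch_findings(records, window_days=PATCH_WINDOW_DAYS):
    """Return (host, patch, reason) for every record an underwriter would
    reject. Missing evidence is treated exactly like a missed deadline."""
    findings = []
    for r in records:
        if r.applied is None:
            findings.append((r.host, r.patch, "no evidence of installation"))
        elif r.applied - r.released > timedelta(days=window_days):
            late = (r.applied - r.released).days - window_days
            findings.append((r.host, r.patch, f"applied {late} day(s) past the window"))
    return findings

def notification_on_time(detected, notified, window_hours=NOTIFY_WINDOW_HOURS):
    """True if the insurer was told within the policy window, measured from
    detection: the clock starts when someone notices, not when the attacker got in."""
    return notified - detected <= timedelta(hours=window_hours)

# Constructed sample evidence, as a patch-management tool might export it.
SAMPLE_RECORDS = [
    PatchRecord("fileserver01", "KB-A", datetime(2025, 3, 1), datetime(2025, 3, 9)),
    PatchRecord("fileserver01", "KB-B", datetime(2025, 3, 1), datetime(2025, 3, 20)),
    PatchRecord("laptop-07", "KB-A", datetime(2025, 3, 1), None),
]
SAMPLE_DETECTED = datetime(2025, 3, 22, 9, 0)    # problem noticed Monday morning
SAMPLE_NOTIFIED = datetime(2025, 3, 26, 10, 0)   # broker called four days later

if __name__ == "__main__":
    for host, patch, reason in patch_findings(SAMPLE_RECORDS):
        print(f"{host} {patch}: {reason}")
    print("notification on time:", notification_on_time(SAMPLE_DETECTED, SAMPLE_NOTIFIED))
```

Run against a real export, the findings list is the gap your provider needs to close (or document) before a claim, not after.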

The good news is this is all fixable before anything goes wrong. Dragon Digital audits this kind of IT-to-insurance alignment for local businesses across North Wales and can walk through what your policy actually demands and whether your current setup ticks those boxes — a straightforward conversation that’s genuinely worth having before a breach forces it.

Could your business use a hand with its IT?

We provide managed IT support, cyber security and more to businesses across North Wales.

Ready to make IT one less thing to worry about?

Book a free, no-obligation consultation. We'll talk through how your IT works today and where we can help, in plain English, with no pressure.