The Monreal IT Blog

Does Your Business Insurance Actually Cover Ransomware?

Written by Bill Monreal | November 26, 2025

I sat across from a business owner last month who looked like he hadn’t slept in three days. His eyes were bloodshot, his tie was loose, and he was staring at a letter from his insurance provider with the same expression you’d have if you opened a glitter bomb in your living room.

"They said I’m not covered," he told me. "I pay them fifty grand a year, and they said I’m not covered because of a checkbox."

He had been hit by ransomware. His files were locked, his operations were halted, and the hackers were demanding a sum that would wipe out his operating capital for the quarter. He thought his cyber insurance policy was his safety net. It turned out to be a sieve.

This is not an isolated incident. In 2024, a staggering 40% of cyber insurance claims were denied. That is almost half. Imagine paying for car insurance for a decade, getting into a wreck, and having the adjuster tell you that because your tires were 2 PSI underinflated, you are on your own. That is the current state of cyber liability.

I am going to walk you through the fine print that most CEOs skip because it is boring. Trust me, it is a lot less boring when it is the only thing standing between you and bankruptcy.

The "Act of War" Trap

You might think you are just a local manufacturer or a mid-sized law firm in Ohio. Why would you care about cyber warfare? Because insurers are increasingly classifying state-sponsored hacks as "acts of war."

If the malware that hits you can be traced back to a group affiliated with a hostile government, your insurer might invoke the "war exclusion" clause. They will argue that this is not a criminal act; it is a geopolitical event, and standard policies do not cover war. It sounds ridiculous until you realize that major insurers like Lloyd's of London have mandated that cyber policies must include specific exclusions for state-backed attacks.

The "Failure to Maintain" Loophole

This is the one that got the business owner I mentioned earlier. When you sign up for cyber insurance, you fill out a questionnaire. It asks things like "Do you have Multi-Factor Authentication (MFA) enabled on all remote access?"

If you check "Yes," you better mean "Yes, on literally every single account, without exception."

Insurers are now hiring forensic teams post-breach to verify your application. If they find that you had MFA on 99% of your accounts, but the hackers got in through the one legacy account you forgot about, that is considered "misrepresentation" or "failure to maintain minimum security standards." Claim denied.

The Ransomware Sub-Limit Surprise

Your policy might say it covers up to $5 million in liability. That looks great on the summary page. But if you dig into the endorsements, you might find a specific "sub-limit" for ransomware extortion payments.

I have seen policies with a $5 million aggregate limit but only a $25,000 sub-limit for actual ransom payments. If the hackers want $500,000, you are pulling $475,000 out of your own pocket. It is like having health insurance that covers a heart transplant but caps the anesthesia at fifty bucks.

What You Need To Do Right Now

You do not need to be an insurance expert, but you do need to be a paranoid business owner. Here is your checklist for this week:

First, dig up your policy and look for the specific exclusions regarding "unpatched software" and "end-of-life systems." If you are still running Windows Server 2012 because you didn't want to pay for the upgrade, you are likely uninsurable right now.

Second, audit your own compliance. If you told the insurer you have offline backups, go check them. If those backups are plugged into the network, they are not offline, and they will get encrypted right along with your primary servers. We talk about this constantly in our guide on ransomware recovery because cloud backups are often your last hope when insurance falls through.

Third, call your broker. Ask them specifically: "If we get hit by a state-sponsored Russian ransomware gang, are we covered?" Make them say it in writing.
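The second step above, auditing your own answers, is the one that is easiest to automate. The script below is an added example, not part of this post or anything Monreal IT ships: it takes the three questionnaire answers the post discusses (MFA on all remote access, offline backups, no end-of-life systems), checks each one against an inventory of accounts, backup targets and hosts, and reports whether a "Yes" is literally true or whether a post-breach forensic review would find exceptions. The inventory, the questionnaire keys and the host support-end dates are constructed for the example; the one real date is the published end of extended support for Windows Server 2012 R2 (10 October 2023).

```python
"""Reconcile cyber-insurance questionnaire answers against an asset inventory.

Added example (not the blog's own tooling). All inventory records below are
constructed sample data; the questionnaire keys are hypothetical names chosen
for this example, not any insurer's form fields.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Account:
    name: str
    remote_access: bool  # can this identity reach VPN, RDP or webmail from outside?
    mfa_enforced: bool   # is MFA actually enforced, not merely "available"?
    kind: str            # "user", "service" or "legacy"


@dataclass
class BackupTarget:
    name: str
    reachable_from_lan: bool  # an always-mounted share or NAS is not "offline"
    immutable_or_offline: bool


@dataclass
class Host:
    name: str
    os: str
    os_end_of_support: date


# Constructed sample inventory. The forgotten legacy account and the
# network-mounted NAS are the two exceptions the post warns about.
ACCOUNTS = [
    Account("alice", True, True, "user"),
    Account("bob", True, True, "user"),
    Account("svc-scanner", True, False, "legacy"),  # remote access, no MFA
    Account("hr-kiosk", False, False, "user"),      # no remote access at all
]
BACKUPS = [
    BackupTarget("nas-backup", True, False),        # mounted share: encryptable
    BackupTarget("offsite-tape", False, True),
    BackupTarget("cloud-immutable", False, True),
]
HOSTS = [
    Host("dc01", "Windows Server 2022", date(2031, 10, 14)),  # sample date
    Host("fileserver", "Windows Server 2012 R2", date(2023, 10, 10)),
]

# What the insurer was told on the application (hypothetical field names).
ATTESTATION = {
    "mfa_on_all_remote_access": True,
    "offline_backups": True,
    "no_end_of_life_systems": True,
}

TODAY = date(2025, 11, 26)  # audit date used for the end-of-life check


def mfa_gaps(accounts):
    """Remote-access accounts without enforced MFA, regardless of kind."""
    return [a.name for a in accounts if a.remote_access and not a.mfa_enforced]


def mfa_coverage_percent(accounts):
    """Share of remote-access accounts with MFA; anything under 100 is a gap."""
    remote = [a for a in accounts if a.remote_access]
    covered = [a for a in remote if a.mfa_enforced]
    return round(100.0 * len(covered) / len(remote), 1) if remote else 100.0


def backup_gaps(backups):
    """Backup targets that would be encrypted with the primary servers."""
    return [b.name for b in backups
            if b.reachable_from_lan or not b.immutable_or_offline]


def eol_hosts(hosts, today):
    """Hosts whose operating system is past its vendor support date."""
    return [h.name for h in hosts if h.os_end_of_support <= today]


def reconcile(attestation, accounts, backups, hosts, today):
    """For each questionnaire answer, report whether a 'Yes' is literally true.

    A 'Yes' is truthful only when the exception list is empty; a 'No' is
    always truthful (you may be uninsurable, but not misrepresenting).
    """
    evidence = {
        "mfa_on_all_remote_access": mfa_gaps(accounts),
        "offline_backups": backup_gaps(backups),
        "no_end_of_life_systems": eol_hosts(hosts, today),
    }
    report = {}
    for question, claimed_yes in attestation.items():
        exceptions = evidence.get(question, [])
        report[question] = {
            "claimed": claimed_yes,
            "truthful": (not claimed_yes) or not exceptions,
            "exceptions": exceptions,
        }
    return report


if __name__ == "__main__":
    print(f"MFA coverage: {mfa_coverage_percent(ACCOUNTS)}% of remote-access accounts")
    for question, result in reconcile(ATTESTATION, ACCOUNTS, BACKUPS, HOSTS, TODAY).items():
        status = "OK" if result["truthful"] else "MISREPRESENTED"
        print(f"{question}: {status} {result['exceptions']}")
```

Run it and every answer comes back as misrepresented: one legacy service account takes MFA coverage to 66.7%, the mounted NAS means the backups are not offline, and the 2012 R2 file server is out of support. That is exactly the evidence a forensic team hired by the insurer would produce, so the point of running it first is to fix the exceptions or correct the application before a claim depends on it.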

Don't Go It Alone

Insurance is a financial vehicle, not a security strategy. It is there to catch you if you fall, but you shouldn't be jumping off cliffs expecting it to save you every time.

If you are worried that your current IT setup might be voiding your insurance policy, we should talk. As a managed IT services company Cleveland businesses rely on, we act as the bridge between your technology and your coverage requirements. We can audit your security against your insurance application to ensure you aren't inadvertently lying to your provider.

You worked too hard to build your business to lose it because of a checkbox. Let’s make sure you are actually protected.