Cyber insurance only works if you meet its security requirements. See how one missing control—MFA—voided a $5M claim and what you can do to avoid the same fate.
Cyber insurance can be a financial lifesaver after a cyberattack – but only if you actually meet the policy’s security requirements. It’s not enough to check a box on an application; the controls you attest to must be in place, enforced, and verifiable.
The City of Hamilton, Ontario, was hit by a crippling ransomware attack in February 2024 that knocked out critical services and eventually racked up an $18.3 million recovery bill. It was some consolation that the city had cyber insurance – until its $5 million claim was denied due to one missing security control.
Read on to learn what led to the denial, and how your organization can avoid making the same costly mistake.
A Cyber Insurance Cautionary Tale from Hamilton, Ontario
In February 2024, Hamilton, Ontario, was struck by a devastating ransomware attack that disabled approximately 80% of the city’s network, affecting essential services such as business licensing, property tax processing, transit planning, and the fire department’s record systems. The attackers demanded an $18.5 million ransom, which the city declined to pay, opting instead to focus on containment and recovery rather than risking further interaction with cyber criminals.
The total recovery cost to date has reached $18.3 million, covering emergency response, system recovery, third-party expertise, and infrastructure upgrades. An additional blow came in July 2025, when Hamilton learned its insurer was denying the $5 million claim the city had submitted. The reason? Multi-Factor Authentication (MFA) had not been fully implemented across all required systems, as stipulated by the policy.
A city staff report stated that “according to the policy, no coverage was available under the policy for any losses where the absence of MFA was the root cause of a cyber breach.” Unfortunately, while city staff were aware of this insurance requirement as early as 2022, the MFA rollout only reached a few departments—leaving a costly gap that ultimately voided coverage.
Why Your Cyber Insurance Application Needs to Match Reality
Before coverage is approved, most cyber insurance providers require applicants to complete a detailed questionnaire. This isn’t just a formality—it’s a binding statement about the security measures your organization has in place. These questions often cover:
- Whether Multi-Factor Authentication (MFA) is enabled for critical systems
- How often software patches are applied
- Whether backups are in place and tested
- How access to sensitive data is controlled
The answers you provide are essentially a contractual attestation. By signing, you’re confirming that your organization meets these requirements—not just in theory, but in practice, every day.
Cyber Insurance Isn’t Like Life Insurance
With life insurance, you typically pass a medical exam once to qualify for your policy. After that, the insurer doesn’t check whether you’ve started eating fast food for every meal or stopped exercising. Your coverage continues as long as you keep paying premiums.
Cyber insurance is different. It’s more like a policy that requires you to keep passing that medical exam every month. If your security practices slip, you may find that the coverage you have been paying for no longer applies at the moment you need it most.
If a breach occurs, insurers will often conduct a post-incident investigation. If they find that a stated control wasn’t actually in place or wasn’t applied consistently, they may deny the claim. As in Hamilton’s case, denial is most likely when the missing control was the root cause of the breach.
The Importance of Being Earnest
When applying for cyber insurance, your answers on the application questionnaire really matter. It’s vital to give earnest, forthright answers instead of “aspirational answers” that describe a requirement you intend to meet in the future. It would also be a mistake to think that partial compliance is “good enough”. For the City of Hamilton, MFA had been identified as a requirement years earlier, but partial implementation still resulted in a denied claim.
Bottom line: Cyber insurance doesn’t just protect you – it tests you. Your security controls must be implemented, enforced, and verifiable at all times to ensure your policy remains valid when you need it most.
Tip: Applying for cyber insurance can be overwhelming. Did you know a qualified IT partner can help? Check out our Cyber Insurance Requirements page, where you’ll find downloadable checklists of coverage requirements and learn how we can help you prepare and qualify for coverage.
Why MFA Tops the List of Cyber Insurance Requirements
Multi-Factor Authentication (MFA) is one of the simplest and most effective tools for preventing unauthorized access. For that reason, it is prominent among the security measures insurers are looking for when evaluating applications for cyber coverage.
MFA works by requiring users to provide additional verification of their identity beyond just a password before gaining access to a system or account. The factors must come from at least two of three distinct categories (a password plus a PIN, for example, is still a single category):
- Something you know – like a password or PIN.
- Something you have – such as a mobile device, hardware token, or authenticator app.
- Something you are – biometrics like a fingerprint or facial recognition.
The authentication flow goes something like this:
- The user submits a username and password at the login screen.
- If the password is correct, the user is prompted for a second factor (such as a code generated by an authenticator app on their mobile device).
- Access is granted only after both factors are verified; failing either one denies the login.
The value is obvious. Even if an attacker steals or guesses a password, they won’t gain access without that second factor, which is far harder to obtain. One caveat: one-time codes can still be relayed through a real-time phishing page, so phishing-resistant methods such as FIDO2 security keys or passkeys are the stronger choice for privileged accounts. According to Microsoft, more than 99.9% of compromised accounts did not have MFA enabled. This statistic clearly shows why insurers treat it as a baseline requirement.
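The password-then-code flow described above, written out as an added example (this is not code from the original post or from allCare IT). The user names, passwords, hash salt and the base32 secret are constructed for the example; the secret is the RFC 6238 reference key, so the codes it produces match the RFC’s published SHA-1 test vectors. It also makes explicit two points the list leaves implicit: the second factor is enforced (a user without an enrolled factor is refused rather than waved through on a correct password), and a code is single-use.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo credential store (values made up for this example).
# The TOTP secret is the RFC 6238 reference key "12345678901234567890" in base32,
# so the codes below match the RFC's published SHA-1 test vectors.
_SALT = b"demo-salt-not-for-production"
_ITERATIONS = 100_000
TOTP_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {
    # alice completed MFA enrollment; bob has a password only.
    "alice": {"pw_hash": _hash_password("correct horse battery staple"),
              "totp_secret": TOTP_SECRET, "mfa_enrolled": True, "last_counter": -1},
    "bob": {"pw_hash": _hash_password("hunter2"),
            "totp_secret": None, "mfa_enrolled": False, "last_counter": -1},
}


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, at // step, digits)


def verify_totp(secret_b32: str, code: str, at: int, window: int = 1, step: int = 30) -> Optional[int]:
    """Return the time-step counter the code matched, or None.
    Accepts +/- `window` steps to tolerate clock drift; the comparison is constant-time."""
    for drift in range(-window, window + 1):
        counter = at // step + drift
        if hmac.compare_digest(hotp(secret_b32, counter), code):
            return counter
    return None


def login(username: str, password: str, code: Optional[str], at: Optional[int] = None) -> str:
    """The two-step flow: password first, then the second factor. Returns a status string."""
    at = int(time.time()) if at is None else at
    user = USERS.get(username)
    # Hash even for unknown users so response time does not reveal whether the name exists.
    supplied = _hash_password(password)
    if user is None or not hmac.compare_digest(supplied, user["pw_hash"]):
        return "denied"
    # Enforcement: a correct password alone never grants access.
    if not user["mfa_enrolled"]:
        return "denied: mfa not enrolled"
    counter = None if code is None else verify_totp(user["totp_secret"], code, at)
    if counter is None:
        return "denied: second factor"
    # A code is single-use: refuse any time step at or before the last one accepted.
    if counter <= user["last_counter"]:
        return "denied: code reuse"
    user["last_counter"] = counter
    return "granted"


if __name__ == "__main__":
    now = int(time.time())
    print("alice, password only:", login("alice", "correct horse battery staple", None, now))
    print("alice, with code:", login("alice", "correct horse battery staple", totp(TOTP_SECRET, now), now))
    print("bob, not enrolled:", login("bob", "hunter2", None, now))
```

The drift window of one step either side is the usual trade-off between users whose phone clock is a few seconds off and the extra guesses an attacker gets; the reuse check is what keeps a code captured from a shoulder or a phishing page from working a second time within that window.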
For a more comprehensive look at MFA check out our blog post here.
Why MFA Still Gets Overlooked
Despite its importance, MFA is often skipped or implemented inconsistently. Common reasons include:
- Incomplete Implementation: MFA is enabled for some systems (like email) but not for others (like remote access or privileged accounts).
- User Pushback: Some employees resist the extra step, leading to exceptions that weaken security.
- Complex Systems: Legacy applications may not support MFA without upgrades or workarounds.
- Lack of Enforcement: MFA policies exist on paper but aren’t enforced across all accounts.
In the Hamilton case, MFA had been identified as a requirement years earlier, yet only a few departments had it in place—leaving the city non-compliant with its insurance policy when the ransomware attack occurred.
MFA Is No Longer Optional
Insurers increasingly require MFA for:
- Email accounts (especially those with administrative privileges)
- Remote access systems like VPNs or Remote Desktop
- Critical cloud applications such as M365, Google Workspace, and CRM systems
- Privileged accounts with elevated access to networks and data
Failing to meet these requirements doesn’t just increase your risk of a breach—it can also nullify your cyber insurance coverage, as Hamilton learned the hard way.
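One way to make the “enforced everywhere” claim verifiable before an insurer or an attacker tests it, as an added example (not code from the original post or from allCare IT): a small audit over an account inventory exported from each identity system. The CSV, the system names and the three-valued mfa_state column are constructed for the example; real exports will carry different columns. Only “enforced” counts as coverage, a required category with no inventory at all is reported as a gap rather than silently passing, and the attestation is a yes only when every required category is at 100%.

```python
import csv
import io
from collections import defaultdict

# The four categories of systems the post lists as insurer MFA requirements.
REQUIRED_CATEGORIES = {"email", "remote_access", "cloud_app", "privileged"}

# Constructed inventory export (not real data): one row per account per system.
# mfa_state is "enforced" (sign-in impossible without it), "enabled" (registered
# but bypassable, i.e. policy on paper only) or "none".
INVENTORY_CSV = """system,category,account,mfa_state
M365,email,j.doe,enforced
M365,email,admin-shared,enabled
VPN,remote_access,j.doe,none
VPN,remote_access,contractor1,none
RDP-Gateway,remote_access,it-admin,enforced
Salesforce,cloud_app,s.lee,enforced
AD,privileged,domain-admin,enabled
AD,privileged,backup-svc,none
Intranet-Wiki,internal,j.doe,none
"""


def load_inventory(text):
    """Parse the export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_mfa(rows, required=REQUIRED_CATEGORIES):
    """Return ({category: (enforced, total)}, [gap rows]) for the required categories.
    Anything short of 'enforced' is a gap; a required category with no rows is a gap too."""
    totals, enforced = defaultdict(int), defaultdict(int)
    gaps = []
    for row in rows:
        cat = row["category"]
        if cat not in required:
            continue  # out-of-scope systems do not affect the attestation
        totals[cat] += 1
        if row["mfa_state"] == "enforced":
            enforced[cat] += 1
        else:
            gaps.append(dict(row))
    for cat in sorted(required - set(totals)):
        gaps.append({"system": "*", "category": cat, "account": "*", "mfa_state": "no inventory"})
    coverage = {cat: (enforced[cat], totals[cat]) for cat in sorted(totals)}
    return coverage, gaps


def attestation_holds(coverage, gaps):
    """True only when there are no gaps at all; partial coverage is a 'no'."""
    return not gaps and all(done == total for done, total in coverage.values())


def report(rows, required=REQUIRED_CATEGORIES):
    """Human-readable summary suitable for attaching to an application or renewal."""
    coverage, gaps = audit_mfa(rows, required)
    lines = [f"{cat}: {done}/{total} enforced" for cat, (done, total) in coverage.items()]
    lines += [f"GAP {g['system']} {g['account']} [{g['category']}]: {g['mfa_state']}" for g in gaps]
    lines.append("attestation: " + ("OK" if attestation_holds(coverage, gaps) else "CANNOT ATTEST"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(load_inventory(INVENTORY_CSV)))
```

Run on the constructed inventory it reports email at 1/2, remote access at 1/3 and privileged at 0/2 and refuses to attest; that is the Hamilton situation in miniature, with the email tenant done and the VPN and admin accounts still open. Treating “enabled but not enforced” as a gap is deliberate: that state is exactly the “policy on paper” case from the list above.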
Key Takeaways & What to Do Next
- Be Honest on Insurance Applications and Stay Current
Your cyber insurance policy is only as good as the controls you actually have in place. Don’t rely on intentions or partial implementations; insurers may deny claims if required measures like MFA aren’t fully enforced.
- MFA Is Essential: Implement It Everywhere
Multi-Factor Authentication remains one of the strongest defenses against unauthorized access. It’s a non-negotiable requirement for cyber insurers. Ensure it is enabled and enforced across all critical systems, not just email.
- Cyber Insurance Requires Ongoing Qualification
Think of it like a life insurance policy that demands you stay healthy—not just pass a one-time exam. Regular audits and consistent enforcement of security measures are vital to keeping your coverage valid.
- Learn from Hamilton’s Example
Hamilton’s experience is a stark reminder that gaps or delays in compliance—even when a requirement is known—can leave organizations exposed both technically and financially.
Need Help Prepping for Cyber Insurance?
Check out our blog post “Basic Cybersecurity Requirements for Small Businesses”, which lays out the foundational controls insurers look for when qualifying applicants. You’ll find it helpful if you're starting from scratch or want a clear, actionable guide.
For a deeper dive, our Cyber Insurance Requirements page offers free downloadable checklists tailored to both basic and expanded coverage needs. It’s the perfect tool to help you align your security posture with insurer expectations and avoid falling into the same trap Hamilton did.
Don't wait until it's too late! Let allCare IT be your audit and assurance partner—we can help you implement MFA across all systems, verify your controls, and ensure your cyber insurance policy delivers when you need it. Contact us for a free consultation.