Introduction:
The 3 clauses most business owners never read, until it is too late.
A manufacturer in Pune paid three years of cyber insurance premiums without missing a single payment. When ransomware locked every computer in the company last November, they filed their claim the next morning. Eleven days later, the insurer sent a letter.
The claim was rejected.
The reason: the company had not enabled two-factor authentication on their email accounts. This was a requirement buried in clause 7.4 of their policy document, a document they had never read past the summary page.
Three years of premiums. Not a single rupee paid out.
This is not a rare story. More than 40 percent of cyber insurance claims filed in 2024 and 2025 were denied. Not because insurers acted in bad faith. Not because the attacks were unusual. But because businesses that filed those claims had never truly understood what their policies required of them.
Here are the three clauses that are ending more claims than any cyberattack ever could.
The Numbers Nobody Puts in the Brochure
- 40% of cyber insurance claims are denied: roughly 2 in 5 businesses that file get nothing
- 82% of denied claims in 2025 involved companies without full MFA deployment
- 17% of all claim denials in 2025 happened for one reason: the business reported too late
- 72% of small businesses have no cyber insurance at all, and those that do may not be covered
Sources: Coalition Cyber Insurance 2025, Teisoft Industry Analysis 2026, SecurityToday 2026
The 3 Clauses Killing More Claims Than Ransomware
These are not obscure legal technicalities. They are standard clauses in almost every cyber insurance policy sold today. They are also the three things almost no business owner reads, understands, or verifies before something goes wrong.

1. The Security Controls Clause
"Your policy is only valid if you maintained the security controls you declared."
When you applied for cyber insurance, you answered a questionnaire about your security setup. Did you have two-factor authentication? Did you run regular backups? Did you have antivirus on all devices? You answered yes, and the insurer issued your policy based on those answers.
Here is what most business owners do not know: those answers are not just application questions. They are warranties. Legal commitments that your entire policy is contingent upon.
If an attacker gets in and the post-breach investigation reveals that MFA was not fully enabled, not on every account, not on every system, the insurer can and frequently does deny the entire claim. It does not matter that it was switched on for most accounts. One unprotected login path is enough.
In 2025, a municipality had an $18.3 million claim denied because MFA had not been rolled out completely. The insurer had even recommended the rollout two years earlier. The claim was still denied in full.
2. The 72-Hour Notification Clause
"You must notify your insurer within 48 to 72 hours of discovering an incident."
When ransomware hits, the instinct of most business owners is to manage it internally first. Call the IT team. Assess the damage. Try to restore from backups. Figure out what happened before calling the insurer.
That instinct is completely understandable. It is also exactly what voids the claim.
Most cyber insurance policies require notification within 48 to 72 hours of discovery. The clock starts when you first suspected something was wrong, not when you finished working out what had happened.
Research shows that 17 percent of all cyber insurance claim denials in 2025 happened for this reason alone. The breach was real. The damage was covered by the policy. But the business waited five days before calling the insurer, and the notification clause was invoked.
The moment you suspect a breach, even before you know its scope, call your insurer's claims line. Report first. Investigate at the same time. Document every step with timestamps from the first hour.
3. The Social Engineering Exclusion
"Losses from phishing, invoice fraud, and wire transfer scams are not covered unless you bought the add-on."
A real estate firm lost over one crore rupees when an attacker impersonated their vendor and redirected a wire transfer. They had cyber insurance. The claim was denied.
The reason: their policy did not include a social engineering endorsement. The base policy covered system intrusions: malware, ransomware, data breaches. It did not cover losses where an authorised person was tricked into voluntarily transferring money.
Phishing. Invoice fraud. CEO impersonation. Fake vendor payment requests. These are now the most common forms of financial loss from cyber incidents, and they are explicitly excluded from most standard policies unless you purchased a separate social engineering or funds transfer fraud rider.
Most business owners assume that if the loss was caused by a cyberattack, the cyber insurance covers it. That assumption is wrong. The type of attack matters. The method of loss matters. And the specific endorsements on your policy determine what you actually receive.
Insurers are not denying claims in bad faith. They are denying them because the business failed to meet exactly what it agreed to in writing.
The Court Case That Changed How Insurers Operate
Real Case - Travelers Insurance vs International Control Services, 2022
International Control Services (ICS) was hit by ransomware and sought to claim under its cyber insurance policy. The insurer, Travelers, refused to pay.
The reason: after the incident, Travelers found that ICS had stated on its policy application that multi-factor authentication was deployed across all systems. It was not, not fully.
Travelers went to court arguing that this was a misrepresentation, even though it was likely unintentional, and the case ended with the policy rescinded by agreement. The claim was not paid, not because the missing MFA caused the breach, but because the company had declared it was in place when it was not.
This case set a pattern that insurers across the industry have followed since. Insurers now conduct technical audits of your actual security environment after a breach and compare it to what you claimed on your application. Any gap, even an accidental one, is grounds for denial.
5 Questions That Decide If Your Policy Will Pay
Answer these five questions honestly, right now. If you cannot answer yes to all five with documented evidence, your policy may not pay out when you need it.
| Question Your Insurer Will Ask | Your Current Answer | Claim Risk |
|---|---|---|
| Is MFA enabled for every email account, every remote login, and every cloud tool your team uses? | No / Not checked | HIGH RISK |
| Does your incident response plan include notifying your insurer within 48 hours of discovery? | No plan / Unsure | HIGH RISK |
| Does your policy include a social engineering or funds transfer fraud endorsement? | Not sure | MEDIUM RISK |
| Have you tested and documented a successful backup restore in the last 6 months? | No / Never tested | HIGH RISK |
| Do your current security controls match exactly what you declared on your policy application? | Never verified | MEDIUM RISK |
If you answered 'not sure' or 'no' to two or more of these, your policy has conditions you may not currently satisfy. The good news is every one of these can be corrected before your next renewal, often faster than you expect.
3 Actions Before Your Next Renewal
You do not need to become a security expert. You need three specific conversations and one document.
1. Read clauses 5 to 9 of your current policy document tonight
Pull out your existing cyber insurance policy. Turn to the section labelled Conditions, Warranties, or Security Requirements. Read it. Every requirement in that section is something your insurer can use to deny a claim if you fall short. If the language is unclear, email your broker and ask them to explain in plain English exactly what security controls the policy requires you to maintain and what happens to a claim if those controls are not fully in place.
2. Ask your IT team one specific question this week
Ask: 'Is two-factor authentication switched on for every single account in this company: email, cloud tools, remote access, banking, accounting software?' Not most accounts. Every account. The insurer will look for the one account that was not protected and use it as the basis for denial. Ask for a written list of every account and which ones require a second login step. Gaps on that list are gaps in your coverage.
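Once that written list exists, the useful check is not the percentage of accounts with MFA but whether every system you answered "yes" for on the application has zero unprotected logins. The script below is an added example, not code from the article or from any insurer. It assumes the IT team has compiled one record per login path (system, account, whether a second factor is enforced) and that you know which systems the questionnaire answers covered; the inventory and the declared systems are constructed for the example. It reports the reassuring "most accounts" number alongside the binary verdict the insurer will actually apply.

```python
"""Reconcile actual MFA coverage with what was declared on the cyber
insurance application.

Added example, not code from the article. The inventory format is an
assumption: one record per login path, as an IT team might compile from
each system's admin export. All data below is constructed.
"""
from dataclasses import dataclass, field

# Constructed inventory: every login path in the business, one row each.
INVENTORY = [
    {"system": "email", "account": "ceo@example.com", "mfa": True},
    {"system": "email", "account": "accounts@example.com", "mfa": True},
    # Shared mailbox that was never enrolled: the kind of gap a
    # post-breach audit finds.
    {"system": "email", "account": "reception@example.com", "mfa": False},
    {"system": "remote_access", "account": "itadmin", "mfa": True},
    # Contractor VPN account left behind after a project ended.
    {"system": "remote_access", "account": "vendor-support", "mfa": False},
    {"system": "cloud_storage", "account": "ceo@example.com", "mfa": True},
    {"system": "cloud_storage", "account": "accounts@example.com", "mfa": True},
    {"system": "accounting", "account": "accounts@example.com", "mfa": True},
    # A system the questionnaire never asked about.
    {"system": "backup_console", "account": "itadmin", "mfa": False},
]

# Systems for which the questionnaire was answered "yes, MFA is enabled on
# every account". These answers are the warranties (constructed set).
DECLARED_MFA = {"email", "remote_access", "cloud_storage", "accounting"}


@dataclass
class SystemCoverage:
    system: str
    total: int = 0
    gaps: list = field(default_factory=list)  # accounts with no second factor

    @property
    def protected(self) -> int:
        return self.total - len(self.gaps)

    @property
    def fully_covered(self) -> bool:
        # Binary, like the insurer's reading of the warranty: one gap fails it.
        return self.total > 0 and not self.gaps


def coverage_by_system(inventory):
    """Group the inventory by system and list the unprotected accounts in each."""
    cov = {}
    for rec in inventory:
        c = cov.setdefault(rec["system"], SystemCoverage(rec["system"]))
        c.total += 1
        if not rec["mfa"]:
            c.gaps.append(rec["account"])
    for c in cov.values():
        c.gaps.sort()
    return cov


def reconcile(inventory, declared):
    """Compare reality with the declaration.

    percent        - share of all login paths with MFA (the "most accounts" number)
    breaches       - declared systems with at least one unprotected account, or
                     with no inventory at all (nothing to evidence the declaration)
    undeclared     - systems with gaps that the questionnaire never covered
    declaration_ok - True only if every declared system is fully covered
    """
    cov = coverage_by_system(inventory)
    total = sum(c.total for c in cov.values())
    protected = sum(c.protected for c in cov.values())
    breaches = {}
    for system in sorted(declared):
        c = cov.get(system)
        if c is None:
            breaches[system] = ["<no inventory; declaration cannot be evidenced>"]
        elif not c.fully_covered:
            breaches[system] = c.gaps
    undeclared = {s: c.gaps for s, c in sorted(cov.items())
                  if s not in declared and c.gaps}
    return {
        "percent": round(100.0 * protected / total, 1) if total else 0.0,
        "breaches": breaches,
        "undeclared": undeclared,
        "declaration_ok": not breaches,
    }


if __name__ == "__main__":
    result = reconcile(INVENTORY, DECLARED_MFA)
    print(f"MFA enforced on {result['percent']}% of login paths")
    for system, gaps in result["breaches"].items():
        print(f"WARRANTY BREACH  {system}: {', '.join(gaps)}")
    for system, gaps in result["undeclared"].items():
        print(f"UNDECLARED GAP   {system}: {', '.join(gaps)}")
    print("Declaration holds" if result["declaration_ok"] else "Declaration does NOT hold")
```

On the constructed data two-thirds of logins have MFA, which is the number a business owner hears as "most accounts", yet two declared systems each carry a single unprotected login, so the declaration does not hold. A declared system with no export at all is also flagged, because a warranty you cannot evidence is treated the same way in a post-breach audit as one that is false.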
3. Call your broker and ask about social engineering cover
Ask this exact question: 'Does my current policy cover losses from phishing attacks, invoice fraud, and fake payment requests? If not, what does it cost to add that cover?' Social engineering endorsements typically add 5 to 15 percent to the annual premium. The alternative, finding out it was excluded after a fifty-lakh rupee wire transfer disappears, costs considerably more. Get the answer in writing.
Conclusion - Insurance Is Not a Substitute for Security
The companies whose cyber insurance claims get paid are not the ones with the most expensive policies. They are the ones who understood exactly what their policy required, implemented every control it listed, and called their insurer the moment something went wrong.
Cyber insurance done right is one of the most valuable things a business can have. A data breach costs an average of four crore rupees for a small business. A good policy can absorb most of that. But a policy with unfulfilled conditions, missing endorsements, and a 96-hour notification delay is just an annual expense that pays nothing when the moment arrives.
Read the policy. Verify the controls. Know what you have actually bought.
That is the difference between a financial safety net and expensive fiction.
FAQ:
1. Why do cyber insurance claims get rejected?
Cyber insurance claims are often rejected because businesses fail to meet policy conditions such as enabling required security controls, reporting incidents on time, or having the right coverage add-ons. Most rejections happen due to overlooked clauses, not the attack itself.
2. What is the most common reason for claim denial?
One of the most common reasons is the Security Controls Clause. If controls like multi-factor authentication are not fully implemented as declared on the policy application, insurers can deny the entire claim.
3. What is the 72 hour notification clause in cyber insurance?
This clause requires businesses to notify their insurer within 48 to 72 hours of discovering an incident. Delays in reporting, even while investigating, can result in claim rejection.
4. Does cyber insurance cover phishing and social engineering attacks?
Not always. Losses from phishing, invoice fraud, or wire transfer scams are typically excluded by default unless a separate social engineering or funds transfer fraud endorsement is added to the policy.
5. How can businesses avoid cyber insurance claim rejection?
Businesses should ensure all declared security controls are fully implemented, report incidents immediately within the required timeframe, review policy clauses carefully, add necessary coverage such as social engineering protection, and regularly verify and document their security posture.