
Small business owners buy cyber insurance to sleep better at night. But here’s the gut-check: many claims get reduced or denied when basic safeguards aren’t in place—or when policies require controls you haven’t fully implemented. Translation: if ransomware hits tomorrow and your MFA, backups, or endpoint protection aren’t up to snuff, you could be footing the bill yourself.

This post expands on today’s Weekly IT tip and gives you a fast, plain-English playbook to keep both your security and your coverage intact.


Why insurers deny or reduce cyber claims

Insurers increasingly require specific controls as a condition of coverage. If those controls aren’t in place—or aren’t in place everywhere—claims can be rejected or payouts slashed.

  • Missing MFA (multi-factor authentication). Real-world breaches—and painful headlines—keep showing that a single system without MFA can trigger a major incident. In May 2024, UnitedHealth’s CEO told the U.S. Senate that the Change Healthcare intrusion began with stolen credentials used against a Citrix remote-access portal that had no MFA. That kind of basic gap creates both risk and coverage headaches. (AP News)
  • Not meeting required controls. Cyber insurers commonly expect (and verify) things like MFA, user security training, tested backups, and identity/access management as table stakes for coverage. (Coalition)
  • Regulatory non-compliance. If you operate in a regulated space (finance, auto dealers, healthcare, payments), rules often mandate specific controls (e.g., MFA, encryption, vendor oversight). Falling short can complicate both incident response and insurability. (Federal Trade Commission)

The controls most policies (and regulators) expect

If you do nothing else this quarter, lock these in:

  1. MFA everywhere that matters. Email, VPN/remote access, admin accounts, privileged apps, and critical servers. The FTC Safeguards Rule requires MFA for anyone accessing an information system that holds customer information, unless your designated Qualified Individual approves an equivalent control in writing. (Federal Trade Commission)
  2. Security awareness training + phishing simulations. Human error is still a top breach driver; insurers look for evidence that you’re training staff regularly. (Coalition)
  3. Backups you can restore quickly (and that are tested). Insurers expect resilient, preferably offline/immutable backups, because ransomware crews routinely delete or encrypt any backup they can reach with stolen admin credentials before they detonate, and fast recovery beats ransom payments. A backup you have never restored is a hope, not a control. (Coalition)
  4. Endpoint Detection & Response (EDR) or MDR. Many carriers now list EDR/MDR as a core control alongside patching and vulnerability management. (Aldridge)
  5. Identity & access management basics. Least-privilege access, rapid account offboarding, and privileged access controls reduce blast radius. (Coalition)
  6. Patching/vulnerability management. Keep software and firmware current; several frameworks and insurers treat timely patching as non-negotiable. (Aldridge)

Don’t forget the compliance angle (it helps your insurance, too)

Even if you’re not in a heavily regulated industry, using a well-known framework makes your insurer conversations smoother.

  • FTC Safeguards Rule (for businesses handling consumer financial info): Requires a written security program, risk assessments, encryption, MFA, vendor oversight, and more. (Federal Trade Commission)
  • NYDFS 23 NYCRR 500 (financial services in/serving NY): Updated in late 2023; expects MFA, EDR/monitoring, incident response, and governance updates. (Department of Financial Services)
  • PCI DSS 4.0 (card payments): The requirements that were “best practice” when v4.0 was published became mandatory on March 31, 2025—a gotcha if you process cards and haven’t updated controls. (Linford & Co.)
  • NIST Cybersecurity Framework 2.0: Now includes a sixth function—Govern—which helps SMBs show insurers they’re managing cyber risk formally, not informally. (NIST)

A 10-minute self-check (print this)

Accounts & Access

  • MFA is on for email, VPN, admin, and any remote access.
  • Departed users’ accounts are disabled within 24 hours, and dormant accounts (including service accounts) are reviewed and removed on a regular schedule. (Federal Trade Commission)

Endpoints & Servers

  • EDR/MDR is deployed and actively monitored.
  • Security patches are applied per a schedule, with criticals fast-tracked. (Aldridge)

Backups & Recovery

  • Backups are immutable/offline and tested quarterly for restore time. (Coalition)

People & Process

  • Employees complete security training and phishing tests at least quarterly.
  • You have an incident response plan and know who to call first (internal + external). (Coalition)

Compliance Fit

  • If you handle financial, health, or card data, you’ve mapped yourself to the applicable rule(s): FTC Safeguards, HIPAA/NYDFS where applicable, PCI DSS 4.0. (Federal Trade Commission)
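The checks above are the kind of thing an insurer questionnaire asks you to attest to, and you should be able to answer them from data rather than from memory. The script below is an added example, not code from this post or from NetConnect: it runs the Accounts & Access, Backups & Recovery and patching checks against a constructed inventory (made-up accounts, backup sets and missing patches) using the checklist’s own 24-hour offboarding and quarterly restore-test windows; the 90-day dormancy cut-off and the 7/30-day patch windows are assumptions, not numbers from the post. In practice you would feed it exports from your identity provider, backup console and patch tool.

```python
# Added example: control self-check over constructed inventory records.
# Not from the post or NetConnect; data is made up, thresholds marked
# "assumption" are not numbers the post states.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

OFFBOARD_WINDOW = timedelta(hours=24)      # "within 24 hours" (from the checklist)
BACKUP_TEST_WINDOW = timedelta(days=91)    # "tested quarterly" (from the checklist)
DORMANT_WINDOW = timedelta(days=90)        # assumption: 90 days without sign-in
CRITICAL_PATCH_WINDOW = timedelta(days=7)  # assumption: "criticals fast-tracked"
NORMAL_PATCH_WINDOW = timedelta(days=30)   # assumption: everything else in 30 days

Finding = Tuple[str, str]  # (object name, issue tag)


@dataclass(frozen=True)
class Account:
    name: str
    mfa_enabled: bool
    privileged: bool                  # admin, VPN/remote access or mail-admin role
    enabled: bool
    last_sign_in: Optional[datetime]  # None = never signed in
    left_company: Optional[datetime] = None


@dataclass(frozen=True)
class BackupSet:
    name: str
    immutable: bool                   # offline or immutable copy exists
    last_restore_test: Optional[datetime]


@dataclass(frozen=True)
class MissingPatch:
    host: str
    severity: str                     # "critical", "high", "medium", "low"
    available_since: datetime


def audit_accounts(accounts: List[Account], now: datetime) -> List[Finding]:
    """Flag enabled accounts that fail the Accounts & Access checks."""
    findings: List[Finding] = []
    for a in accounts:
        if not a.enabled:
            continue  # already offboarded, nothing to flag
        if a.left_company is not None and now - a.left_company > OFFBOARD_WINDOW:
            findings.append((a.name, "leaver-still-enabled"))
        if not a.mfa_enabled:
            # a privileged account without MFA is the Change Healthcare pattern
            findings.append((a.name, "privileged-no-mfa" if a.privileged else "no-mfa"))
        if a.last_sign_in is None or now - a.last_sign_in > DORMANT_WINDOW:
            findings.append((a.name, "dormant"))
    return findings


def audit_backups(sets: List[BackupSet], now: datetime) -> List[Finding]:
    """Flag backup sets that are mutable or lack a recent restore test."""
    findings: List[Finding] = []
    for b in sets:
        if not b.immutable:
            findings.append((b.name, "not-immutable"))
        if b.last_restore_test is None:
            findings.append((b.name, "never-restore-tested"))
        elif now - b.last_restore_test > BACKUP_TEST_WINDOW:
            findings.append((b.name, "restore-test-overdue"))
    return findings


def audit_patches(missing: List[MissingPatch], now: datetime) -> List[Finding]:
    """Flag missing patches past their window; criticals get the short one."""
    findings: List[Finding] = []
    for p in missing:
        age = now - p.available_since
        if p.severity == "critical" and age > CRITICAL_PATCH_WINDOW:
            findings.append((p.host, "overdue-critical"))
        elif p.severity != "critical" and age > NORMAL_PATCH_WINDOW:
            findings.append((p.host, "overdue"))
    return findings


def run_self_check(accounts, sets, missing, now):
    """Per-section findings plus an overall pass/fail, like a questionnaire."""
    report = {
        "accounts": audit_accounts(accounts, now),
        "backups": audit_backups(sets, now),
        "patches": audit_patches(missing, now),
    }
    report["passed"] = not any(report[k] for k in ("accounts", "backups", "patches"))
    return report


# Constructed sample inventory (not real systems or people).
NOW = datetime(2025, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", True, True, True, datetime(2025, 5, 30)),
    Account("bob", False, False, True, datetime(2025, 5, 29)),
    Account("svc-backup", False, True, True, datetime(2025, 5, 31)),
    Account("carol", True, False, True, datetime(2025, 1, 10), left_company=datetime(2025, 5, 20)),
    Account("dave", True, False, False, datetime(2025, 5, 31), left_company=datetime(2025, 5, 31)),
]
SAMPLE_BACKUPS = [BackupSet("file-server", True, datetime(2025, 4, 15)), BackupSet("sql", False, None)]
SAMPLE_PATCHES = [
    MissingPatch("web01", "critical", datetime(2025, 5, 20)),
    MissingPatch("web01", "high", datetime(2025, 5, 15)),
    MissingPatch("db01", "medium", datetime(2025, 4, 1)),
]

if __name__ == "__main__":
    result = run_self_check(SAMPLE_ACCOUNTS, SAMPLE_BACKUPS, SAMPLE_PATCHES, NOW)
    for section in ("accounts", "backups", "patches"):
        for name, issue in result[section]:
            print(f"[{section}] {name}: {issue}")
    print("PASS" if result["passed"] else "FAIL")
```

Run it as a script to print the findings, or import the audit_* functions and point them at real exports. Anything it flags is exactly the gap an adjuster will ask about after a claim, so fix it before you sign the renewal questionnaire, not after.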

How NetConnect helps (so your policy actually helps you)

  • Readiness Assessment: We compare your current controls to insurer questionnaires and NIST CSF 2.0, then give you a prioritized fix list. (NIST)
  • Close the Gaps: Implement MFA, EDR, backup hardening, patch cadence, and training—aligned to insurer requirements. (Coalition)
  • Documentation that carriers love: Policies, evidence screenshots, test logs, and response runbooks—so your application is accurate and your claim documentation is ready on day one.
  • Quarterly “trust but verify”: Controls drift; we re-check, re-train, and re-test.

Bottom line

Cyber insurance is not a “set it and forget it” safety net. It’s a contract with conditions—and modern security is part of the bargain. Get the basics right, keep them current, and your policy can do what you bought it to do.

Want a 60-second compliance reality check?
Call Samantha at 973-649-9851 or visit nctny.com. We’ll tell you where you stand—and how to fix what matters most, fast.


Sources

  • Associated Press (May 2024): UnitedHealth CEO testimony to the U.S. Senate that the Change Healthcare intrusion began through a system without MFA. (AP News)
  • Coalition: “5 Essential Cyber Insurance Requirements” (MFA, training, backups, IAM, data classification). (Coalition)
  • FTC: “Safeguards Rule: What Your Business Needs to Know” (MFA and other requirements). (Federal Trade Commission)
  • NY Department of Financial Services: Amended Cybersecurity Regulation, 23 NYCRR Part 500 (November 2023). (Department of Financial Services)
  • Linford & Co.: PCI DSS v4.0 future-dated requirements mandatory after March 31, 2025. (Linford & Co.)
  • NIST: Cybersecurity Framework 2.0 (new “Govern” function and updated guidance). (NIST)

P.S. If you’ve changed systems or added staff recently, it’s worth re-checking MFA and backups. One overlooked mailbox or server is all it takes to both trigger a breach and tangle an insurance claim.
