← Back to the blog

May 6, 2026 · 3 min read

When Cyber Insurance Won't Pay

Whether cyber insurance pays after an incident is decided months earlier, in the application. Why that questionnaire is really your security to-do list.

AA
Anton Anders
IT consultant & developer

Quick answer up front: a cyber insurance policy won’t pay when the application promised security measures that weren’t actually in place when it mattered — multi-factor login everywhere, tested backups, a patch cadence that deserves the name. The questionnaire you fill in at signup isn’t a formality. It’s the actual contract. And if you’re honest, it’s a pretty good security checklist.

Why is the questionnaire the actual contract?

When you take out a cyber policy, the insurer asks about your security posture: Do you have MFA on all remote access? How often do you apply updates? Are there tested backups kept offline? These boxes get ticked “yes” quickly, because it lowers the premium and because you meant to do it anyway.

Every one of those answers is a contractual assurance. Say “yes, MFA everywhere” and the attacker later walks in through the one RDP connection that didn’t have MFA, and you’ve breached a duty of care. The insurer is allowed to cut the payout: partially for gross negligence, entirely for intent.

So you pay premiums for years for cover you don’t get at the one moment you need it. That’s the most expensive way to hold an insurance policy.

When won’t cyber insurance pay?

Most reductions and refusals come down to the same handful of points:

ReasonWhat’s behind it
False statements in the application”MFA everywhere” ticked, but there were gaps. The single most common cause.
Outdated softwareA known hole, patched months ago, left open. Negligent, so the payout is cut.
No tested backupThe backup existed but wouldn’t restore, or sat on the same network.
Reported too lateContractual notification windows (often only a few days) allowed to lapse.
Provider without approvalHiring an incident responder the insurer doesn’t cover.
Ransom paid unilaterallyPaying without coordination, and sanction or war exclusions often apply regardless.

None of these are exotic. They’re exactly the things you put off until “later.”

Reverse the order

The usual sequence is: sign the policy, click through the questionnaire, hope. It works better the other way around. Take the application questionnaire before you sign, and treat every question as a task:

  • Is MFA really on every remote access point — VPN, RDP, webmail, admin panels?
  • When did you last actually restore a backup, not just create one?
  • Does at least one copy sit out of an attacker’s reach, meaning offline or immutable?
  • Do you know which systems are running unpatched, and why?

Answer those four honestly with “yes” and you get two things at once: a policy that holds when it counts, and a security level that clears most attacks before they land. The insurance is then the safety net and not the plan. As a bonus, the premium drops, because honest “yes” answers save real money. And if you’re currently checking whether NIS2 applies to you anyway: the homework overlaps almost entirely — do it properly once, use it twice.


Want to walk through the application questionnaire honestly before you sign? Get in touch — in an independent consultation we’ll find where the assurances and the reality still diverge.

Frequently asked questions

When does cyber insurance refuse to pay? +

Most often over false statements in the application: MFA or tested backups were promised but didn't exist. Outdated software, late notification and unilaterally paid ransoms also lead to reduced or refused payouts.

What is the application questionnaire, legally? +

A contractual assurance, not a formality. Tick boxes for measures you don't have and you've breached a duty of care — the insurer may cut the payout partially for gross negligence and refuse it entirely for intent.

What should I document for an insurance claim? +

Everything that proves the measures you promised: MFA coverage, patch status, documented restore tests and the notification paths with their deadlines. In a claim, what counts is what you can prove, not what you meant.

Does an honest questionnaire lower the premium? +

Yes. If you've actually implemented the measures being asked about, you can promise them truthfully and get better terms. More importantly, the policy then holds in an incident instead of failing on a breached assurance.

Sounds like your situation?

Let’s talk about it — free and with no strings attached.