{"id":4704,"date":"2026-02-12T04:40:48","date_gmt":"2026-02-12T12:40:48","guid":{"rendered":"https:\/\/www.cardonet.com\/news\/?p=4704"},"modified":"2026-02-12T04:53:38","modified_gmt":"2026-02-12T12:53:38","slug":"cyber-insurance-keeps-moving-the-goalposts-business","status":"publish","type":"post","link":"https:\/\/www.cardonet.com\/news\/cyber-insurance-keeps-moving-the-goalposts-business\/","title":{"rendered":"When Cyber Insurance Keeps Moving the Goalposts: Remain Insurable While Expectations Rise"},"content":{"rendered":"\n

Will your policy really pay out?<\/strong><\/h2>\n\n\n\n
\"Will<\/figure>\n\n\n\n

If you had a serious ransomware or payment\u2011fraud incident tomorrow, how confident are you that your cyber insurance would pay out in full and on time? Many mid\u2011market businesses only discover the answer to this very basic question is \u201cno\u201d when their insurer digs up the proposal form and compares it to what is actually happening on their network, in their backups and inside their finance processes.<\/p>\n\n\n\n

The UK Government\u2019s Cyber Security Breaches Survey 2025 shows that 43% of businesses reported a breach or attack in the last 12 months. Admittedly, this is down from 50% in 2024 (following an increased awareness of how cybercriminals can destroy great businesses) but medium and large organisations remain more at risk than small firms. <\/p>\n\n\n\n

Within that statistic, the share of businesses reporting ransomware roughly doubled year\u2011on\u2011year, from under half a percent to around 1% – a material rise even if from a low base. Separate\u00a0government research<\/a>\u00a0estimates the wider annual cost of cyberattacks to the UK economy at about \u00a314.7 billion, roughly 0.5% of GDP, once disruption, recovery and lost business are included.<\/p>\n\n\n\n

In the US, the\u00a0FBI\u2019s 2024 IC3<\/a>\u00a0report records about 16.6 billion dollars in reported cybercrime losses in a single year, with cyber\u2011enabled fraud such as business email compromise responsible for a large share of that amount. The real issue for your business is not whether attacks happen. It is whether your controls, evidence and declarations hold up when the insurer starts asking hard questions.<\/p>\n\n\n\n

Five critical controls insurers now expect to see<\/strong><\/h2>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Insurers have moved past simple tick\u2011box questions and now expect to see real, year\u2011on\u2011year improvement in your cyber controls, backed by evidence they can inspect. In both the UK and US, the same weak spots keep coming up in underwriting calls, renewal questionnaires and post\u2011incident reviews.<\/p>\n\n\n\n

1. Effective identity and access management\u00a0<\/strong><\/h3>\n\n\n\n

Underwriters expect strong, enforced multi\u2011factor authentication (MFA) for remote access, admin accounts, cloud email and key business systems, not just for a handful of senior users. In practice, that means conditional access rules, least\u2011privilege permissions and clear ownership for who approves, reviews and revokes access.<\/p>\n\n\n\n

A managed IT partner should be able to show live MFA coverage, highlight legacy VPNs or third\u2011party tools that fall outside those controls and provide a simple plan for closing the gaps. If your answers look good but your logs tell a different story, a claim is likely to be challenged.<\/strong><\/p>\n\n\n\n

Why insurers care: if an attacker walks straight in on a weak password, they will ask why you ever said MFA was \u201cin place\u201d.<\/p>\n\n\n\n

2. Endpoint protection and monitoring, not just antivirus<\/strong><\/h3>\n\n\n\n

Basic antivirus on some laptops does not satisfy most cyber insurers. They want to know how you monitor endpoints across your estate, how quickly you detect suspicious behaviour, and what you do in the first minutes after you spot a problem.<\/p>\n\n\n\n

In a well\u2011run environment, every laptop, desktop and server sits under centrally managed endpoint protection with logging and alerting into a service desk or security function. When an alert fires at night, there is a clear playbook for isolating the device, collecting evidence and starting recovery, so the incident can be documented and, if needed, reported to the insurer and regulators.<\/p>\n\n\n\n

Why insurers care: slow or patchy detection turns a small incident into a big, expensive one.<\/p>\n\n\n\n

3. Backups, recovery and continuity that survive ransomware<\/strong><\/h3>\n\n\n\n

For insurers, the real test is not whether you have backups but whether you can recover quickly when everything looks encrypted or offline. The UK survey confirms that ransomware remains a persistent threat, even though it still affects a relatively small proportion of businesses overall.<\/a><\/a><\/p>\n\n\n\n

That means multiple backup layers, including at least one offline or immutable copy, clear recovery time objectives for critical systems and documented test restores on a regular schedule. Your managed IT provider should be able to show when you last tested recovery for your finance system, how long it took and what you changed afterwards to make the next recovery smoother.<\/p>\n\n\n\n

Why insurers care: strong, tested recovery is what stops a ransom demand turning into weeks of downtime and a huge claim<\/strong>.<\/p>\n\n\n\n

4. Patch and vulnerability management with real follow\u2011through<\/strong><\/h3>\n\n\n\n

Insurers do not take your word for patching anymore. External scans give them a direct view of unpatched internet\u2011facing systems, and if those scans do not match your answers about \u201cregular patching\u201d, confidence drops fast.<\/p>\n\n\n\n

A mature patch process covers operating systems, key applications, network devices and cloud services, with a clear timetable for testing, deploying and documenting exceptions. Your IT partner should be able to produce straightforward reports showing outstanding critical vulnerabilities, how long they have been open and when they are due to be fixed, instead of vague statements about \u201ckeeping things up to date\u201d.<\/p>\n\n\n\n

Why insurers care: known, unpatched holes look like negligence, not bad luck.<\/p>\n\n\n\n

5. Email, finance and payment verification that stops fraud<\/strong><\/h3>\n\n\n\n

In both the UK and US, insurers are seeing more business email compromise and payment\u2011redirection fraud, often powered by AI\u2011generated messages that look and feel authentic. The IC3 report shows that business email compromise alone has driven multi\u2011billion\u2011dollar losses over recent years, making it one of the most expensive cyber\u2011enabled fraud types.<\/a><\/a><\/a><\/p>\n\n\n\n

Underwriters now probe your payment\u2011approval processes, vendor\u2011bank\u2011detail changes and how you verify unusual instructions. Robust controls include dual approvals for sensitive payments, mandatory call\u2011backs to trusted numbers for bank\u2011detail changes and strict rules for creating new beneficiaries, backed by regular awareness training and realistic phishing simulations. The key is consistency under pressure: controls that colleagues bypass during busy periods will not impress an insurer after a loss.<\/p>\n\n\n\n

Why insurers care: most of the really painful cheques they write now involve money leaving through email and payment fraud.<\/p>\n\n\n\n

6. Incident response readiness that has been tested<\/strong><\/h3>\n\n\n\n

Insurers increasingly ask whether you have an incident response (IR) plan, who leads it and when you last tested it. They also want to know how quickly you can identify, contain and report incidents, both to them and to regulators.<\/p>\n\n\n\n

A good IR setup defines roles, escalation paths, decision\u2011making criteria and draft messages for customers and colleagues. In the UK, that sits alongside ICO expectations when personal data is involved, with the regulator\u2019s own statistics showing regular data\u2011security incident reporting across sectors. In the US, differing state breach\u2011notification laws and sector rules add their own timelines, so you need a process your IT and legal advisers can follow even on a bad day.<\/a>[9]<\/sup><\/a><\/p>\n\n\n\n

Why insurers care: a rehearsed response means fewer surprises, fewer mistakes and usually a smaller, cleaner claim.<\/p>\n\n\n\n

How cyber insurers are changing the rules every year<\/strong><\/h2>\n\n\n\n

Cyber insurance used to be a short form and a quick chat about limits and price. That world has gone. In both the UK and US, insurers now price you on how risky you look in practice, not on how tidy your proposal form seems.<\/a><\/p>\n\n\n\n

In the UK, official surveys confirm that a substantial minority of organisations are still experiencing attacks, and government analysis highlights the wider economic cost of those incidents across sectors. In the US, the FBI\u2019s IC3 report records 16.6 billion dollars in reported losses for 2024, with cyber\u2011enabled fraud such as business email compromise taking the largest share by value and other attack types like ransomware battering critical infrastructure and operations.<\/a><\/a><\/a><\/a><\/a><\/p>\n\n\n\n

That has turned renewals into something closer to a mini audit:<\/p>\n\n\n\n