Most small business owners assume their cyber insurance will pay out after a breach. They bought a policy, they paid their premiums, they did everything right — so when something goes wrong, they expect to be covered.
But after years inside a carrier evaluating cyber claims, I can tell you: buying a policy and surviving a claim investigation are two very different things. The gap between them is where a lot of small businesses get hurt.
Here's what I actually looked for when a claim came across my desk — and what you can do now to make sure the answer works in your favor.
The Application Is a Sworn Statement
When your business fills out a cyber insurance application, you're not just providing information to get a quote. You're making representations that the carrier will hold you to when a loss occurs. If what you said on the application doesn't match what was actually in place at the time of the incident, that discrepancy becomes a reason to reduce or deny the claim.
The most common example: an application checks "yes" to multi-factor authentication being in place, but when the breach happens, MFA was only active on some systems — not the email account that got compromised. That gap matters enormously to an adjuster.
The Five Things Adjusters Look for First
1. Multi-Factor Authentication
MFA is the single most scrutinized control in a cyber claim. Adjusters look at whether it was enabled, on which systems, for which users, and whether there were exceptions. A policy that says "MFA is required for all remote access" while five admin accounts are exempt from it is a documented gap, and the exemptions are the first thing a forensic review will surface.
2. A Written Incident Response Plan
Not just any plan — one that was actually in place before the incident, not drafted after the fact. Adjusters look for version dates, who was assigned to the plan, and whether any tabletop exercises were conducted. A plan created the week after a breach carries very little weight.
3. Backup Integrity and Testing
Backups that exist but have never been tested for restoration are a significant red flag. Adjusters want evidence that recovery procedures were actually exercised: a dated restore test with its result, not just a backup service running in the background.
4. Security Awareness Training Records
If a phishing email triggered the incident (which is extremely common), the first question is whether employees were trained to recognize and report suspicious messages. Carriers want records: who was trained, when, and what the training covered. "We talked about it in a meeting" is not a record.
5. Notification Timeliness
Most cyber policies require you to notify the carrier within a defined window — often 24 to 72 hours of discovering an incident. Check your own policy's notice clause for the exact window and the required contact, and put both in your incident response plan. Waiting until you've "figured out what happened" before calling your insurer is one of the most common and costly mistakes. Carriers have their own forensic vendors, and they expect to be involved from the start.
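The restore test behind item 3 is easy to automate and, because it produces a dated result, it is also the kind of record an adjuster can accept. The script below is an added example, not code from the original article or from any backup product: it writes a tar.gz of a directory alongside a SHA-256 manifest, later restores the archive into a scratch directory and compares every file against that manifest, returning a timestamped result that can be saved as evidence. The sample files, archive names and the "damaged backup" scenario are constructed for the demonstration.

```python
"""Restore test for a backup archive: restore into a scratch directory and
compare every file's SHA-256 against the manifest recorded at backup time.
Added example; the file names and contents below are constructed."""
import datetime
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path) -> dict:
    """Write a .tar.gz of src and return the manifest to store beside it."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
    return manifest


def verify_restore(archive: Path, manifest: dict) -> dict:
    """Restore the archive to a scratch directory and diff it against the manifest."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # "data" filter rejects absolute paths and ../ traversal (Python 3.12+)
                tar.extractall(scratch, filter="data")
            except TypeError:
                tar.extractall(scratch)  # older Python without the filter argument
        restored = build_manifest(Path(scratch))
    missing = sorted(k for k in manifest if k not in restored)
    mismatched = sorted(k for k in manifest
                        if k in restored and restored[k] != manifest[k])
    # This dict is the dated test record worth keeping with the backup logs.
    return {
        "tested_at": datetime.datetime.now(datetime.timezone.utc)
                     .isoformat(timespec="seconds"),
        "archive": archive.name,
        "files_expected": len(manifest),
        "files_restored": len(restored),
        "missing": missing,
        "mismatched": mismatched,
        "ok": not missing and not mismatched,
    }


def run_demo() -> tuple:
    """Constructed data: a good restore, then a damaged archive checked against the same manifest."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "live"
        (src / "invoices").mkdir(parents=True)
        (src / "invoices" / "2024-q1.csv").write_text("id,amount\n1,250.00\n")
        (src / "notes.txt").write_text("call carrier within the notice window\n")

        good_archive = work / "backup-good.tar.gz"
        manifest = create_backup(src, good_archive)
        good = verify_restore(good_archive, manifest)

        # Simulate a silently broken backup job: one file altered, one never captured.
        (src / "invoices" / "2024-q1.csv").write_text("id,amount\n1,0.00\n")
        (src / "notes.txt").unlink()
        bad_archive = work / "backup-bad.tar.gz"
        create_backup(src, bad_archive)
        bad = verify_restore(bad_archive, manifest)
    return good, bad


if __name__ == "__main__":
    import json
    for result in run_demo():
        print(json.dumps(result, indent=2))
```

Run it on a schedule against the real archive and keep each returned record; a series of dated results with `"ok": true` is exactly the evidence the adjuster is asking for, and the first record with a non-empty `missing` or `mismatched` list is the warning you want before an incident, not after.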
What "Well Documented" Actually Means
Adjusters aren't just verifying that controls exist — they're verifying that controls were consistently applied and that someone in your organization was accountable for them. That means written policies with version dates, named owners, and employee acknowledgment records carry far more weight than verbal procedures or informal practices.
A written Acceptable Use Policy that employees signed is evidence. A shared understanding that employees "know not to click suspicious links" is not.
The Good News for Small Businesses
None of this requires an enterprise security budget. The controls that matter most to cyber insurers — MFA, a written incident response plan, tested backups, documented training, and consistent policy enforcement — are achievable for any business with 10 to 50 employees. The gap for most small businesses isn't capability, it's documentation.
Getting those documents in order before you need them is exactly what a readiness engagement is designed to do. And doing it before a claim means you're preparing from a position of strength, not scrambling to explain gaps to an adjuster after the fact.
Want to Know Where You Stand?
A Readiness Audit gives you a written gap analysis against the exact controls cyber insurance underwriters look for — with a prioritized action list and a debrief call to walk through it together. Starting at $500.
Book a Free Discovery Call