Cyber insurance is becoming a must-have for small businesses. But just because you have a policy doesn’t mean your claim will be accepted. More and more companies are finding out the hard way that insurers expect certain IT protections to already be in place.

The truth is, cyber insurance is there to help if something slips through the net. But if your systems are full of gaps or missing the basics, the insurer may decide that the damage could have been avoided. That can leave you without a payout, even when you’ve done what you thought was enough.

At Three Cherries, we work with businesses to make sure their IT is not just secure, but also in line with what insurers now expect. Here are some common areas where businesses fall short.

Weak Passwords and Missing MFA

Multi-factor authentication (MFA) is no longer a nice to have. It’s a basic expectation for most insurers. If your team gets hacked and MFA wasn’t turned on, the insurer might reject your claim on the basis that better protection should have been in place.

The same goes for passwords. Reusing passwords across accounts or sticking with weak combinations like “Bristol123” puts your business at risk. If the worst happens, it becomes very hard to prove you did everything you could to stay safe.

Using Outdated Software

If you’re still running unsupported systems like Windows 7 or older versions of Office, that could be a problem. These systems no longer get the security updates they need, which makes them easier for attackers to exploit.

If a breach happens because of an unpatched or outdated system, your insurer might say the risk was known and avoidable. That gives them a reason to reject your claim. Keeping your software up to date is one of the simplest ways to stay protected and stay insurable.

No Proper Backups In Place

Most cyber insurance policies require regular, secure backups of your data. But this doesn’t mean plugging in a hard drive once a week and hoping for the best. Insurers want to see reliable, cloud-based, automated backups that are tested regularly. If your data is lost in a ransomware attack and you can’t recover it, you’ll struggle to get a full payout if you can’t prove your backups were working before the incident.

Lack of Cyber Awareness Training

People are often the weakest link in security. A member of staff clicking a fake invoice or entering details on a phishing site is how a lot of breaches begin.

Many insurers now expect you to train your staff in the basics of cyber safety. If you can’t show that training has happened, and something goes wrong, the claim might not go your way. Even a short session or regular phishing simulations can make a difference. If you want any more information on how training sessions work, get in touch today.

Is Your Business Actually Covered?

A cyber insurance policy is only part of the protection. Insurers will check whether you’ve taken reasonable steps to secure your systems. If they find gaps, they might avoid paying out at the exact moment you need support. It’s vital you make sure that you have sufficient cybersecurity measures which reflect your insurance policy. Need help with this? Get in touch with the team at Three Cherries. We take the gamble out of business technology.