Cyber Insurance: What Insurers Now Expect You to Have in Place Before They Will Pay Out.

Cyber insurance underwriters have fundamentally changed their requirements. Irish SMEs that do not meet baseline security standards are finding claims declined.

A Donegal manufacturing company submitted a ransomware claim to their cyber insurer. The insurer's forensic investigators found that the attack had entered through a Microsoft 365 account with no MFA enabled. The policy had a condition requiring multi-factor authentication on all remote access and email accounts. The claim was declined.

The company had paid three years of premiums and received nothing in return — not because they had been dishonest, but because they had not read their policy carefully and had not implemented the controls it required.

Cyber insurance has changed fundamentally in the past three years. The era of broad policies with minimal requirements is over. Underwriters, responding to sustained claims losses, have introduced specific technical requirements that must be in place for coverage to apply. Irish SMEs that purchased policies without reading the conditions closely may be materially underinsured.


What Is the Current State of Cyber Insurance for Irish SMEs?

Cyber insurance in 2026 is characterised by increasingly specific technical requirements, higher premiums relative to 2020–2022, stricter claims investigation, and a growing number of policy exclusions that reduce effective coverage.

The market has responded rationally to the claims experience of the pandemic years, during which ransomware losses accelerated dramatically and many insurers paid claims on policies that had been underwritten on the assumption of lower attack volumes. The result is policies that are more expensive, more conditional, and more thoroughly investigated when a claim is made.


What Insurers Now Commonly Require

The specific requirements vary by insurer and policy, but the following are the controls most commonly mandated or asked about during underwriting and most commonly cited in declined claims:

Multi-factor authentication. The requirement is typically stated broadly: MFA on all remote access methods, all email accounts, all cloud services, and all administrative accounts. Some policies extend this to all user accounts. This is the most commonly cited reason for claim denial in Irish incidents: a policy requiring MFA, and an account without it used as the entry point.
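The practical question behind this requirement is whether you can produce a dated list of every Microsoft 365 account and its MFA status. The script below is an added example, not code from the original article or from Pragmatic Security; it uses the Microsoft Graph PowerShell SDK's registration-details report and assumes the Microsoft.Graph.Reports module is installed and that the signed-in administrator can consent to the listed scopes.

```powershell
# Added example (not part of the original article): export an MFA registration
# evidence report for every user in the tenant.
# Assumes: Microsoft.Graph.Reports module installed; the signed-in admin can
# consent to AuditLog.Read.All and UserAuthenticationMethod.Read.All.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

# One row per user: whether any MFA method is registered, whether the account
# is MFA-capable, and whether it holds an admin role.
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$noMfa       = $details | Where-Object { -not $_.IsMfaRegistered }
$adminsNoMfa = $noMfa   | Where-Object { $_.IsAdmin }

"{0} users, {1} without MFA registered, {2} of those hold admin roles" -f `
    $details.Count, $noMfa.Count, $adminsNoMfa.Count

# List the gaps first; these are the accounts an insurer's investigator would find.
$noMfa | Select-Object UserPrincipalName, IsAdmin, UserType | Format-Table -AutoSize

# Keep a dated copy of the full report as evidence of the control at that point in time.
$stamp = Get-Date -Format "yyyy-MM-dd"
$details |
    Select-Object UserPrincipalName, IsMfaRegistered, IsMfaCapable, IsAdmin,
        @{ n = 'Methods'; e = { $_.MethodsRegistered -join ';' } } |
    Export-Csv -Path "mfa-registration-$stamp.csv" -NoTypeInformation
```

Two caveats matter when using this as evidence. First, registration is not enforcement: a user who has registered an authenticator can still sign in without it unless a Conditional Access policy or security defaults require MFA, so pair this export with a record of the policies that enforce it. Second, the report covers only Entra ID accounts; VPN, RDP and other remote-access paths named in the policy need their own evidence. Run the export on a schedule and retain the dated files, because an investigator will ask about the state of the control on the day of the incident, not today.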

Tested, isolated backups. Insurers increasingly ask not only whether backups exist, but whether they have been tested in the past 90 days, whether they are stored in a location that ransomware cannot reach, and what the recovery time objective is. A backup that has never been tested is increasingly treated as equivalent to no backup for underwriting purposes.

Endpoint protection. Managed endpoint detection and response on all devices accessing business systems, centrally monitored. Basic antivirus is no longer considered sufficient by most cyber insurers for policies above certain coverage thresholds.

Patch management. Evidence of a consistent patching process, with critical patches applied within a defined timeframe — typically 30 days for most software, 14 days for internet-facing systems.

Incident response planning. A documented incident response plan, including regulatory notification procedures. Some insurers now require a tabletop exercise to have been completed within the past 12 months.

Have you read your cyber insurance policy closely enough to confirm what controls it requires — and can you demonstrate those controls are in place? Most business owners we speak to in Donegal and Sligo cannot. Book a free 20-minute strategy call — a policy review is one of the fastest resilience checks available.


The Claims Process Has Changed Too

The investigation of cyber insurance claims has become significantly more thorough. Insurers now routinely engage forensic investigators to review the circumstances of an incident before authorising payment. These investigations look specifically for evidence that the controls required by the policy were in place at the time of the incident.

If MFA was required and logs show an account without MFA was the entry point, that is grounds for dispute. If patch management was required and the exploited vulnerability had a patch available for 60 days, that is grounds for dispute. If the policy required tested backups and the company cannot produce evidence of a recent restore test, that is grounds for dispute.

The investigation is not adversarial — it is standard. Insurers are entitled to confirm that the conditions of the policy were met before paying a claim. Irish businesses that do not maintain evidence of their compliance controls cannot demonstrate that the conditions were met.


Common Exclusions to Understand

Beyond the active requirements, most cyber policies contain exclusions that reduce coverage in specific circumstances. The most significant for Irish SMEs include:

War and nation-state exclusions. Many policies exclude losses attributed to acts of war or attacks by nation-state actors. The Stryker attack, attributed to Iran's MOIS, raises a live question about whether this exclusion would apply in similar incidents affecting Irish businesses. This is an active legal and insurance debate that Irish businesses with exposure to geopolitical threat actors should discuss with their broker.

Social engineering sublimits. Many policies contain a lower sublimit for losses arising from social engineering — including invoice redirection and business email compromise — than for technical incidents. A policy with €500,000 coverage for ransomware may have a €25,000 sublimit for BEC losses.

Regulatory fine exclusions. Fines issued by the Data Protection Commission or the NCSC Ireland under NIS2 may not be covered. Legal costs associated with defending regulatory action may have separate sublimits.


Why This Matters Right Now

The combination of rising premiums and stricter conditions means that Irish SMEs face a dual risk: paying for coverage that will not pay out because the conditions are not met, or going uninsured in a threat environment where incidents are increasingly likely.

The solution is not to abandon cyber insurance — it is to treat the insurer's requirements as a security implementation checklist. The controls required by a standard cyber insurance policy are the same controls that security advisors recommend for an Irish SME in any case. Meeting the policy conditions improves your security posture, and a demonstrably stronger posture can reduce your premium at renewal. The two goals are aligned.


What Next

  1. Read your current cyber insurance policy in full this week. Identify every technical requirement. Confirm with your IT provider that each requirement is currently met.

  2. Ask your insurer directly what evidence of compliance they would require in a claims investigation. Understanding the answer before an incident changes how you maintain and document your controls.

  3. Review any exclusions with your broker. Specifically ask about the war exclusion, the social engineering sublimit, and the regulatory fine coverage. If the answers reveal significant gaps, those gaps inform what additional risk management is needed.


Ready to find out exactly where your business stands? Book a free 20-minute strategy call with our vCISO team at www.pragmaticsecurity.ie/book-a-call. No sales pitch. No jargon. Just clarity on your cyber risk — and a clear plan to address it.


Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.
