When a Cork digital services company filed a cyber insurance claim following a ransomware attack in late 2025, they expected the process to be straightforward — they had paid premiums for three years without a claim. What they did not expect was a three-month dispute with their insurer, who argued that the company had materially misrepresented its security posture on the renewal questionnaire by stating it had "appropriate access controls" when, in fact, no MFA was enabled on any account and no incident response plan existed. The claim was eventually settled at a reduced figure, but the legal costs and the business disruption of a prolonged dispute cost more than the settlement difference.
This outcome is becoming more common. Cyber insurance for Irish businesses is entering a new phase — one in which insurers are aligning their underwriting criteria directly with regulatory requirements including NIS2, and where non-compliance with those requirements is increasingly treated not as a simple gap but as a material misrepresentation of risk.
WHAT: How Insurers Are Responding to NIS2
For years, cyber insurance underwriting focused primarily on historical claims data and basic security questionnaire responses. The arrival of NIS2 — with its specific, enforceable requirements for risk management, incident handling, access control, and business continuity — has given insurers a regulatory framework against which to benchmark policyholder behaviour. They are using it.
The most significant change is in how insurers treat the absence of baseline NIS2 controls during claims assessment. Insurers are no longer simply accepting that a claim arose from a covered event — they are examining whether the policyholder had implemented the basic controls that NIS2 requires, and whether the renewal questionnaire accurately reflected the business's actual security posture.
MFA is the most common flashpoint. An insurer who discovers that no MFA was enabled on email accounts, VPN access, or cloud platforms — when the renewal questionnaire indicated that "access controls were in place" — has a potential misrepresentation argument. If the absence of MFA was a material contributor to the incident that gave rise to the claim, the insurer may argue that coverage is void or significantly reduced.[^1]
When did you last review your cyber insurance renewal questionnaire against your actual security controls? Book a free 20-minute strategy call — we can review your security posture against your policy's representations and identify any gaps before your next renewal.
WHAT NOW: What Insurers Are Now Requiring
The shift in underwriting practice has three practical dimensions that every Irish SME with cyber insurance needs to understand.
Pre-renewal security questionnaires are becoming more specific. Where previous questionnaires asked general questions about "access controls" and "patching processes," current questionnaires from major insurers are asking specifically about MFA deployment rates, whether privileged access management is in place, whether NIS2 obligations have been assessed, and whether an incident response plan exists and has been tested. Vague affirmative answers to these questions carry increasing risk of a misrepresentation finding if a claim arises.
Insurers are requesting documentary evidence. Some insurers — particularly on higher-value policies or renewals following a claim — are requesting actual evidence of controls rather than self-reported responses. Screenshots of security settings, copies of incident response plans, and evidence of staff security awareness training are being requested at underwriting stage. An Garda Síochána's National Cyber Crime Bureau has noted that the insurance industry is increasingly engaged in the cybersecurity posture of Irish businesses as part of their underwriting process.[^2]
Policy exclusions are becoming more specific. Exclusions for incidents arising from "failure to maintain minimum security standards" are appearing in updated policy wordings. Where those minimum standards are defined with reference to regulatory requirements — including NIS2 — a business that has not implemented the baseline NIS2 controls may find that the exclusion applies to a significant proportion of the scenarios most likely to generate a claim.
WHY IT MATTERS: The GDPR Precedent
The relationship between regulatory compliance and insurance coverage is not new in Ireland. The Data Protection Commission's enforcement track record under GDPR has already influenced how cyber insurers approach breach-related claims. A business that suffers a personal data breach and is found by the DPC to have failed to implement appropriate technical measures — a finding that typically involves the absence of controls like MFA, audit logging, or data encryption — faces both a regulatory fine and a difficult conversation with its insurer about whether the policy's "appropriate security measures" representations were accurate.[^3]
NIS2 enforcement will follow a similar pattern. When the National Cyber Security Bill becomes law and enforcement begins, the businesses that face the most difficult outcomes will be those that suffer an incident, face a regulatory investigation, and then discover that their insurance coverage does not extend to scenarios involving non-compliant security postures.
The practical implication is straightforward: NIS2 compliance and cyber insurance coverage are now linked, and the link will tighten as enforcement develops. A business that is compliant with NIS2 — with documented controls, a tested incident response plan, and accurate renewal questionnaire responses — has a significantly stronger position than one that is not, both with the regulator and with its insurer.
Cyber insurance is not a substitute for cybersecurity controls — and it is becoming less effective as a safety net for businesses that treat it as one.
WHAT NEXT: Three Actions Before Your Next Renewal
1. Review your current cyber insurance policy documentation — specifically the representations and warranties you made at renewal and any security-related exclusions in the policy wording. Compare those representations against your actual current security controls. If there is a gap, address it before your next renewal and update your questionnaire accurately.
2. Enable MFA on every account that can be reached over the internet, starting with email, VPN and remote access, cloud consoles and every administrative account, and then extend it to the rest. This is the control insurers ask about most consistently, and questionnaires now ask for deployment rates rather than a yes or no, so measure coverage from your identity provider's own report rather than from memory. Watch for the accounts that usually slip through: service and shared mailboxes, dormant accounts that have not signed in for months, and legacy protocols that bypass MFA entirely. An honest figure of "92% of accounts, all privileged accounts, remediation of the remainder scheduled" is defensible; "access controls are in place" over a tenant with no MFA at all is the most direct route to a misrepresentation finding.
3. Document your incident response procedure and ensure it is current and tested, and keep dated evidence of the test (the scenario, who attended, what was found and what was changed afterwards), because insurers are now asking for the document rather than the assurance. When an insurer's assessor asks whether you have an incident response plan, "yes, we reviewed it last month and ran a tabletop exercise, here is the record" is a significantly stronger answer than "we have one somewhere."
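Actions 1 and 2 both come down to comparing what the questionnaire says with what the identity provider actually reports. The script below is an added example, not code from the original article or from any insurer or vendor: it reads a user MFA registration export and produces the numbers an underwriter now asks for (deployment rate, the accounts without MFA, the privileged accounts among them, and dormant accounts that should be disabled rather than counted). The CSV layout, column names and the sample rows are constructed for illustration and are not a real tenant; map the columns to whatever report your own identity provider produces.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample export for illustration only (not a real tenant).
# Column names are assumptions; real identity-provider reports differ.
SAMPLE_EXPORT = """\
userPrincipalName,isAdmin,isMfaRegistered,lastSignIn
alice@example.ie,true,true,2025-11-02
bob@example.ie,false,false,2025-11-03
carol@example.ie,true,false,2025-10-28
dave@example.ie,false,true,2025-06-01
svc-backup@example.ie,false,false,2025-01-15
"""


def _flag(value: str) -> bool:
    """Interpret the boolean-ish strings that CSV exports tend to use."""
    return value.strip().lower() in {"true", "yes", "1"}


def mfa_coverage(export_text: str, today: date, dormant_days: int = 90) -> dict:
    """Summarise MFA coverage the way a renewal questionnaire asks for it.

    Returns the deployment rate over all accounts, the accounts without MFA,
    the privileged subset of those, and accounts with no sign-in for
    `dormant_days` (candidates for disabling rather than for enrolment).
    """
    rows = list(csv.DictReader(io.StringIO(export_text)))
    gaps = [r for r in rows if not _flag(r["isMfaRegistered"])]
    covered = len(rows) - len(gaps)

    dormant = sorted(
        r["userPrincipalName"]
        for r in rows
        if (today - datetime.strptime(r["lastSignIn"], "%Y-%m-%d").date()).days
        > dormant_days
    )

    return {
        "accounts": len(rows),
        "mfa_registered": covered,
        # Rate over all accounts, not just active ones: that is the figure
        # an assessor will recompute from the same export after a claim.
        "deployment_rate": round(covered / len(rows), 3) if rows else 0.0,
        "without_mfa": sorted(r["userPrincipalName"] for r in gaps),
        "privileged_without_mfa": sorted(
            r["userPrincipalName"] for r in gaps if _flag(r["isAdmin"])
        ),
        "dormant": dormant,
        "all_accounts_covered": not gaps,
    }


if __name__ == "__main__":
    summary = mfa_coverage(SAMPLE_EXPORT, today=date(2025, 11, 10))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run it against a real export before you answer the questionnaire, and keep the output with the renewal file: a privileged account in `privileged_without_mfa` is the first thing an assessor will look for after a claim, and a dormant service account in `dormant` is better disabled than reported as "pending enrolment".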
Related Reading
- NIS2 Cost of Non-Compliance: Why Irish SMEs Cannot Ignore It
- NIS2 Board Liability: Can Irish Directors Be Personally Liable?
- How to Build a NIS2-Compliant Incident Response Plan in One Day
[^1]: NCSC Ireland, NIS2 compliance guidance and baseline controls: https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: An Garda Síochána, National Cyber Crime Bureau and insurance industry engagement: https://www.garda.ie/en/crime/cyber-crime/
[^3]: Data Protection Commission Ireland, enforcement findings and security expectations: https://www.dataprotection.ie
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.