The Cyber Insurance Application Your Insurer Hopes You Don't Read Carefully.

Most Irish SMEs complete cyber insurance applications too quickly. A single wrong answer can void your claim. Here is what insurers actually check post-breach.

When a Cork-based professional services firm made a ransomware claim in 2025, their insurer did not pay out. The forensic investigation found that the company had ticked "Yes" on the MFA question in their application but had never enabled it for their CEO or finance director. Those were the two accounts the attackers had compromised. The insurer argued misrepresentation and denied the claim, leaving the firm to absorb a six-figure recovery cost unassisted. The tragedy was not just the attack — it was the false confidence the policy had provided for two years beforehand.

The Application Is Not a Form — It Is a Legal Declaration

Cyber insurance has become an essential part of risk management for Irish businesses. With the rising frequency of ransomware, data breaches, and Business Email Compromise, most SMEs now recognise they need it. The problem is that many treat the application as administrative paperwork — something to complete quickly and file away. That misunderstanding can be catastrophic.

Every question on a cyber insurance application is designed by underwriters to assess your security posture, and every answer you give is a representation the insurer relies on when it issues the policy. If you declare that a specific control is in place and a post-incident forensic investigation finds otherwise, the insurer has grounds to argue misrepresentation and deny the claim. The Data Protection Commission has also signalled that failure to implement basic security controls, MFA included, is a failure of the accountability principle under GDPR, which can attract a regulatory fine independent of any insurance outcome.[^3]

Have you actually verified every security control you declared on your last cyber insurance application? Book a free 20-minute strategy call — we can review your application against your actual security posture and close any gaps before renewal.

The Questions That Most Often Cause Problems

Several questions consistently trip up Irish SMEs. Understanding what the insurer is actually asking — behind the plain language of the form — is essential.

Multi-Factor Authentication. When an application asks whether MFA is required for email, cloud services, and remote access, the insurer means every account, including executives, administrators, board members, and any shared or service account that can sign in interactively, with no exceptions. Many businesses answer "Yes" because MFA is enabled for most accounts, but one unprotected privileged account is all an attacker needs. Post-incident, forensic teams do not take the MFA registration report at face value: they pull Microsoft Entra ID (formerly Azure Active Directory) or Google Workspace sign-in logs and check, account by account, whether successful sign-ins actually satisfied MFA. A user who has registered an authenticator but is excluded from the enforcement policy shows up in those logs as single-factor. If even one account signed in without MFA, the declaration is in jeopardy.
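The following Python script is an added example, not code from the article, of the log-based check described above. It works from a sign-in log export rather than the registration report, counts only successful interactive sign-ins (failures prove nothing about enforcement, and non-interactive token refreshes are single-factor even when MFA is enforced), and separately lists accounts that never signed in during the window, because silence is not evidence of coverage. The records, the account names and the privileged-account list are constructed for the example; the field names match the Microsoft Graph `signIn` resource. The same output is the per-account evidence a pre-renewal audit needs.

```python
"""Check an Entra ID (Azure AD) sign-in log export for accounts that
completed a sign-in without MFA.

Added example, not code from the original article. The records below are
constructed to look like the Microsoft Graph `signIn` resource
(userPrincipalName, isInteractive, status.errorCode,
authenticationRequirement); the account names and the privileged-account
list are assumptions.
"""
import json
from collections import defaultdict

# Constructed sample export. status.errorCode 0 is a successful sign-in.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "ceo@example.ie", "createdDateTime": "2025-03-02T08:10:00Z",
     "appDisplayName": "Office 365 Exchange Online", "isInteractive": True,
     "status": {"errorCode": 0}, "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "ceo@example.ie", "createdDateTime": "2025-03-03T09:00:00Z",
     "appDisplayName": "Microsoft Teams", "isInteractive": True,
     "status": {"errorCode": 0}, "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "finance@example.ie", "createdDateTime": "2025-03-03T07:55:00Z",
     "appDisplayName": "Office 365 Exchange Online", "isInteractive": True,
     "status": {"errorCode": 50126}, "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "finance@example.ie", "createdDateTime": "2025-03-03T07:56:00Z",
     "appDisplayName": "Office 365 Exchange Online", "isInteractive": True,
     "status": {"errorCode": 0}, "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "admin@example.ie", "createdDateTime": "2025-03-04T10:00:00Z",
     "appDisplayName": "Azure Portal", "isInteractive": True,
     "status": {"errorCode": 0}, "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "user1@example.ie", "createdDateTime": "2025-03-04T11:00:00Z",
     "appDisplayName": "Microsoft Teams", "isInteractive": True,
     "status": {"errorCode": 0}, "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "user2@example.ie", "createdDateTime": "2025-03-04T12:00:00Z",
     "appDisplayName": "Microsoft Teams", "isInteractive": False,
     "status": {"errorCode": 0}, "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "user2@example.ie", "createdDateTime": "2025-03-04T12:30:00Z",
     "appDisplayName": "Microsoft Teams", "isInteractive": True,
     "status": {"errorCode": 0}, "authenticationRequirement": "multiFactorAuthentication"},
])

# Full account list from the directory, and the accounts holding admin or
# payment-approval rights. Both lists are assumptions for the example.
ALL_ACCOUNTS = {"ceo@example.ie", "finance@example.ie", "admin@example.ie",
                "user1@example.ie", "user2@example.ie", "board@example.ie"}
PRIVILEGED = {"ceo@example.ie", "finance@example.ie", "admin@example.ie"}


def mfa_evidence(signins, all_accounts, privileged=frozenset()):
    """Classify every account from what the sign-in log actually shows.

    Only successful interactive sign-ins count: failures prove nothing
    about enforcement, and non-interactive sign-ins (token refresh,
    service traffic) are single-factor even when MFA is enforced.
    """
    seen = defaultdict(lambda: {"single_factor_signins": 0, "mfa_signins": 0,
                                "last_single_factor": None, "apps": set()})
    for s in signins:
        if not s.get("isInteractive", False) or s["status"]["errorCode"] != 0:
            continue
        rec = seen[s["userPrincipalName"].lower()]
        if s.get("authenticationRequirement") == "multiFactorAuthentication":
            rec["mfa_signins"] += 1
        else:
            rec["single_factor_signins"] += 1
            rec["apps"].add(s.get("appDisplayName", "?"))
            ts = s["createdDateTime"]  # ISO-8601 UTC strings compare lexically
            if rec["last_single_factor"] is None or ts > rec["last_single_factor"]:
                rec["last_single_factor"] = ts

    gaps = {u: {**r, "apps": sorted(r["apps"])}
            for u, r in seen.items() if r["single_factor_signins"]}
    priv = {p.lower() for p in privileged}
    return {
        "accounts_in_directory": len(all_accounts),
        "covered": sorted(u for u in seen if u not in gaps),
        "gaps": dict(sorted(gaps.items())),
        "privileged_gaps": sorted(u for u in gaps if u in priv),
        # Accounts with no successful interactive sign-in in the window:
        # not proven either way, so they cannot support a "Yes".
        "no_evidence": sorted(a.lower() for a in all_accounts if a.lower() not in seen),
        "declaration_defensible": not gaps
        and all(a.lower() in seen for a in all_accounts),
    }


def audit_sample():
    return mfa_evidence(json.loads(SAMPLE_SIGNINS), ALL_ACCOUNTS, PRIVILEGED)


if __name__ == "__main__":
    print(json.dumps(audit_sample(), indent=2))
```

Against a real tenant, export sign-ins for the renewal period (the Entra admin centre export or the Graph `/auditLogs/signIns` endpoint returns the same fields) and pass the list to `mfa_evidence` with the directory's full user list. Treat every account in `no_evidence` as unverified rather than covered, and treat any entry in `privileged_gaps` as a reason not to tick "Yes" until it is fixed.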

Backup and Recovery Testing. The operative word is "testing." Having backups running is not the same as having verified, tested restores. Insurers want evidence that you have recently performed a full restoration, checked that the restored data is complete and intact, and documented the outcome with a date. An untested backup is, in practical terms, a hope rather than a control. Many Irish businesses discover during a ransomware incident that their backups were corrupted, incomplete, or encrypted alongside the primary data because the backup target was reachable from the same compromised network, at which point the testing question on their application becomes a serious liability. The restore test should be run from the copy you would actually rely on in that scenario, not from one sitting on the same file server.
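As an added example (not code from the article), the Python below shows what a test restore with evidence looks like in practice: it records a SHA-256 manifest at backup time, restores the archive into a scratch directory, compares every restored file against the manifest, and returns a dated PASS/FAIL record listing missing, mismatched and extra files. The production files are constructed inside a temporary directory, and the `corrupt` and `delete` options only simulate a corrupted or incomplete restore so the failure path can be seen.

```python
"""Test-restore check: restore a backup archive into a scratch directory,
prove every restored file matches the SHA-256 manifest taken at backup
time, and produce a dated record of the outcome.

Added example, not code from the original article. The files it backs up
are constructed in a temporary directory; the corrupt/delete options only
simulate a bad restore for demonstration.
"""
import hashlib
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, Optional

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative POSIX path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(root: Path, archive: Path) -> Dict[str, str]:
    """Write a tar.gz of root and return the manifest recorded at backup time."""
    manifest = build_manifest(root)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(root / rel, arcname=rel)
    return manifest


def verify_restore(restored: Path, manifest: Dict[str, str]) -> dict:
    """Compare a restored tree against the manifest; any difference is a FAIL."""
    actual = build_manifest(restored)
    missing = sorted(set(manifest) - set(actual))
    extra = sorted(set(actual) - set(manifest))
    mismatched = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    passed = not (missing or extra or mismatched)
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "files_expected": len(manifest),
        "files_restored": len(actual),
        "missing": missing, "mismatched": mismatched, "extra": extra,
        "result": "PASS" if passed else "FAIL",
    }


def restore_and_verify(archive: Path, manifest: Dict[str, str],
                       corrupt: Optional[str] = None,
                       delete: Optional[str] = None) -> dict:
    """Full restore into a scratch directory, then verify.

    `corrupt` and `delete` name restored files to damage before verification;
    they simulate a corrupted or incomplete backup for demonstration only.
    """
    with tempfile.TemporaryDirectory() as scratch:
        target = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            # Use the safe extraction filter where this Python has it (it
            # rejects absolute paths and path traversal inside the archive).
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(target, **kwargs)
        if corrupt:
            (target / corrupt).write_bytes(b"corrupted")
        if delete:
            (target / delete).unlink()
        return verify_restore(target, manifest)


def demo() -> dict:
    """Constructed 'production' data: one clean restore and two bad ones."""
    with tempfile.TemporaryDirectory() as work:
        prod = Path(work) / "prod"
        (prod / "finance").mkdir(parents=True)
        (prod / "finance" / "ledger.csv").write_text("date,amount\n2025-03-01,1200.00\n")
        (prod / "policy.txt").write_text("Acceptable use policy v3\n")
        (prod / "clients.db").write_bytes(bytes(range(256)) * 64)
        archive = Path(work) / "backup.tar.gz"
        manifest = make_backup(prod, archive)
        return {
            "clean": restore_and_verify(archive, manifest),
            "corrupted": restore_and_verify(archive, manifest, corrupt="finance/ledger.csv"),
            "incomplete": restore_and_verify(archive, manifest, delete="clients.db"),
        }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The returned record is the artefact to keep: store each run's output with the date and the archive it was restored from, so that at renewal you can produce the most recent successful test rather than a statement that backups "are running". The manifest has to be generated when the backup is taken, not at test time, or a restore of already-damaged data will verify against itself.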

Endpoint Protection. Basic antivirus from five years ago does not satisfy a modern insurer. The expected standard is a managed Endpoint Detection and Response (EDR) solution deployed across all company devices, with centralised monitoring and enforced policies. Personal devices used for business purposes that fall outside the managed estate are a common source of misrepresentation — if an attacker enters through an unmanaged device, the insurer will examine whether your EDR coverage claim was accurate.

Patch Management. A documented, systematic patching process is what underwriters want to see. The NCSC Ireland recommends applying critical patches within 14 days of release.[^1] If your approach is "when the IT provider gets around to it," that is not a documented process. Post-breach analysis of the compromised system will show exactly when it was last patched, and an exploit for a six-month-old vulnerability is difficult to reconcile with a declared patching discipline.

Incident Response Planning. A downloaded template that has never been customised or tested is not an incident response plan for insurance purposes. Insurers want to see a document tailored to your business, with named roles and tested procedures. An annual tabletop exercise with documented outcomes is the kind of evidence that supports your declaration.

What Insurers Verify After a Breach

When a claim is made, the insurer's forensic team begins work immediately. They pull system logs, review Active Directory configurations, examine email security records, and check backup documentation. The verification is thorough and specifically designed to cross-reference your declared controls against the technical reality. Businesses that have been honest about gaps in their controls and worked to address them before renewal are in a far stronger position than those who ticked every box assuming they would never need to prove it.

An Garda Síochána's National Cyber Crime Bureau (NCCB) handles the law enforcement dimension of cyber incidents, but the insurance and regulatory consequences are separate processes that businesses must manage in parallel.[^2] Having accurate, documented security controls benefits you in all three arenas — criminal investigation, insurance claim, and DPC compliance — simultaneously.

The businesses that recover quickly after a cyber attack are the ones whose controls matched their declarations — because the controls were actually in place.

What to Do Before Your Next Renewal

Three actions will put you in a defensible position at renewal:

  1. Conduct a pre-renewal security audit. Before you submit or renew your application, have your IT provider or security advisor run through each question with documentary evidence. For MFA, pull a per-account report showing that MFA is enforced, not merely that users have registered a method. For backups, produce the most recent dated test restore record. For patching, export the patch compliance report. If you cannot produce evidence for a question, do not tick "Yes."

  2. Close the gaps before declaring them closed. If the audit reveals that MFA is not fully deployed, deploy it before renewal. If backup testing is not documented, run and document a test restore this month. Insurers cannot verify what was in place at application time without your help — but they can verify what was in place at breach time, and that is when it matters.

  3. Involve your security advisor in the application. The cyber insurance application is not a task for your office manager or a junior administrator. It requires someone with a comprehensive understanding of your IT environment. A vCISO or managed security provider can review each question, verify the underlying controls, and ensure your declaration is accurate and defensible.

Cyber insurance is a genuine and important safety net for Irish SMEs. But it only works when the application accurately reflects reality. A policy based on inaccurate declarations is not cover — it is a false sense of security that could leave you fully exposed at exactly the moment you need protection most.

Related Reading

[^1]: NCSC Ireland — Advice for Organisations: https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: An Garda Síochána — Cyber Crime: https://www.garda.ie/en/crime/cyber-crime/
[^3]: Data Protection Commission: https://www.dataprotection.ie

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.