Cyber insurance is no longer something companies can buy and forget. As ransomware, phishing, business email compromise, and AI-assisted attacks become more common, insurers are changing their role. They are not just paying claims after an incident. They are now deciding whether an organization is secure enough to insure in the first place.

The City of Hamilton, Ontario, offers a clear lesson. In February 2024, the city suffered a ransomware attack that disrupted services across the municipality. Hamilton refused to pay the $18.5 million ransom and restored essential services within 48 hours, but some systems remained affected for weeks. A year later, its cyber insurance provider denied the city’s claim after investigators found that several departments had not implemented multi-factor authentication for workers accessing internal systems.

That detail mattered. The policy reportedly said coverage could be voided if the breach was linked to missing basic security controls, including MFA. In other words, insurance did not replace security. The city’s experience showed that coverage depends on whether an organization can prove it followed the minimum standards required by the insurer.

This is becoming the new model for cyber insurance. Insurers are moving from passive underwriting to active security assessment. They want to know whether a company has MFA, endpoint detection and response, logging, patching deadlines, tested backups, segmentation, employee training, and incident response procedures. A company that cannot show evidence of these controls may face higher premiums, narrower coverage, or outright rejection.

The timing is not accidental. Cyberattacks are becoming easier to launch and harder to contain. Generative AI has lowered the skill barrier for attackers, making phishing emails more convincing and enabling larger-scale attacks. Business email compromise remains one of the most common sources of claims because it targets people, not just systems. Even organizations with strong perimeter tools can still be exposed if employees are tricked, identities are overtrusted, or controls are applied inconsistently.

That is why insurer-led audits now matter. They force companies to treat cybersecurity as a measurable business requirement. Security teams must document controls, prove that systems are monitored, run exercises, maintain evidence for renewals, and show that risk is being reduced. This can be frustrating, but it also creates discipline. For many organizations, especially small and medium-sized businesses, insurance requirements may be the push that finally gets basic controls funded and implemented.
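The evidence an insurer-led audit asks for (for example, whether MFA really is enforced for everyone with internal access, and in which departments it is not) can be produced by the organization itself before renewal rather than discovered by a claims investigator afterwards. The following Python script is an added example, not code from the article or from any insurer or municipality: it reads an identity-provider export (a constructed CSV with hypothetical users and departments), reports MFA coverage per department, lists the accounts that would make an "MFA everywhere" statement untrue with privileged accounts first, and only returns a positive attestation when coverage is complete.

```python
"""Added example: MFA coverage check over an exported identity inventory.

Assumptions (hypothetical, not from the article): the export is a CSV with the
columns shown below, and the department names and users are constructed.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export from an identity provider: one row per account that
# can reach internal systems. "mfa_enrolled" is the control an insurer
# questionnaire typically asks the organization to attest to.
SAMPLE_EXPORT = """\
username,department,privileged,mfa_enrolled,last_login
alice,Finance,false,true,2024-02-01
bob,Finance,true,true,2024-02-03
carol,Public Works,false,false,2024-01-28
dave,Public Works,true,false,2024-02-02
erin,IT,true,true,2024-02-04
frank,Parks,false,true,2023-11-10
grace,Parks,false,false,2023-12-15
"""


def parse_export(text):
    """Parse the CSV export into dicts, converting the boolean columns."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["privileged"] = row["privileged"].strip().lower() == "true"
        row["mfa_enrolled"] = row["mfa_enrolled"].strip().lower() == "true"
        rows.append(row)
    return rows


def coverage_by_department(rows):
    """Return {department: (enrolled, total)}.

    Per-department granularity matters: a policy can be voided by a single unit
    that never rolled MFA out, even when the organization-wide number looks good.
    """
    counts = defaultdict(lambda: [0, 0])
    for r in rows:
        counts[r["department"]][1] += 1
        if r["mfa_enrolled"]:
            counts[r["department"]][0] += 1
    return {dept: (enrolled, total) for dept, (enrolled, total) in counts.items()}


def attestation_gaps(rows):
    """Accounts that would make an 'MFA everywhere' statement untrue.

    Privileged accounts come first: they carry the most risk and are the ones a
    post-incident investigation will examine.
    """
    gaps = [r for r in rows if not r["mfa_enrolled"]]
    return sorted(gaps, key=lambda r: (not r["privileged"], r["username"]))


def can_attest_full_mfa(rows):
    """True only when every account with internal access is enrolled."""
    return all(r["mfa_enrolled"] for r in rows)


def evidence_summary(rows):
    """Build the figures a renewal questionnaire would be filled in from."""
    total = len(rows)
    enrolled = sum(1 for r in rows if r["mfa_enrolled"])
    return {
        "accounts": total,
        "mfa_enrolled": enrolled,
        "coverage_pct": round(100.0 * enrolled / total, 1) if total else 0.0,
        "full_mfa_attestable": can_attest_full_mfa(rows),
        "gaps": [(r["username"], r["department"], r["privileged"])
                 for r in attestation_gaps(rows)],
    }


if __name__ == "__main__":
    inventory = parse_export(SAMPLE_EXPORT)
    for dept, (done, total) in sorted(coverage_by_department(inventory).items()):
        print(f"{dept:<13} {done}/{total} enrolled")
    print(evidence_summary(inventory))
```

Run against a real export the same way: the script is deliberately strict, so a single unenrolled account (including a dormant one such as the account last seen in 2023 above) blocks the attestation, which is the posture a policy condition on "basic controls" requires. Keeping the dated output alongside the renewal paperwork is the kind of evidence an insurer can later verify.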

Firewalls remain important, but they are not enough. A firewall can monitor traffic, block suspicious access, and reduce exposure at the network edge. But it cannot eliminate risk. Misconfigurations, stolen credentials, zero-day vulnerabilities, supply-chain attacks, insider threats, and human error can still lead to breaches. Even strong technical defenses cannot automatically cover the legal, financial, operational, and reputational damage that follows a successful attack.

This is where cyber insurance still has value. When a policy responds, it can fund forensic investigations, legal advice, public relations support, ransom negotiation, recovery services, and business-interruption losses. Insurers may also provide access to vetted incident response partners that many companies would struggle to find quickly during a crisis. In a serious breach, that coordination can reduce downtime and limit total damage.

But companies should not assume every claim will be paid. Claim denials often happen because of misrepresentation, exclusions, undisclosed risks, or failure to meet policy conditions. If an organization said it had MFA everywhere but did not, or claimed to have tested backups that were never validated, the insurer may challenge the claim. The policy is not just a financial document anymore. It is a security contract.

The broader result is that insurance companies are becoming informal cybersecurity regulators. They are setting minimum standards through underwriting and renewals, especially for organizations that lack mature security programs. This will likely continue as AI-driven threats scale further and insurers try to control their own exposure.

Cyber insurance still matters. But it should be treated as one part of a risk strategy, not as a substitute for security. The organizations best positioned to benefit from insurance will be the ones that can prove they have done the basics: protect identities, monitor systems, patch quickly, train employees, back up critical data, and test their response plans before attackers do.
