You Have a Cyber Insurance Policy, but the Claim Can Be Denied on the Day of Attack
An SME got hit by ransomware. Production stopped, files were encrypted, a claim was filed. The result: denied. The cause was not a technical defect. On the application form, the box saying "all remote access uses multi-factor authentication (MFA)" had been ticked. The attack came through a VPN account that had no MFA. The insurer's lawyer called it one thing: misrepresentation, and treated the policy as void.
We have seen this in the field more than once. Signing a cyber insurance policy does not protect you. Actually living up to the statements behind that policy, every single day, is what protects you. This is exactly where DSET's work begins: we are not an insurer; we are the technical team that makes you INSURABLE and keeps your claim file standing the day you need it.
What the Underwriting Questionnaire Actually Asks
The cyber insurance application is no longer a formality. After the post-2021 ransomware wave, insurers began demanding concrete technical controls before granting coverage. If these controls are missing, either no policy is issued, the premium multiplies, or, most dangerously, a control is ticked "yes" while it does not actually exist.
These are the controls we most often encounter on application forms, and the ones insurers actually audit:
| Control | What the Insurer Expects | Most Common Mistake |
|---|---|---|
| MFA | Mandatory for all remote access, email, privileged accounts | Enabled only on VPN, missing on email or admin accounts |
| EDR / XDR | Behavioral detection and response on all endpoints | Legacy antivirus present, no EDR, yet "yes" is ticked |
| Offline / immutable backup | Offline or immutable, network-isolated, restore-tested | Backup exists but on the same network, ransomware encrypts it too |
| Incident response plan | Written, role-defined, exercised IR plan | Exists as a PDF nobody read, phone list outdated |
| Email filtering | Advanced phishing and BEC protection, DMARC | Only basic spam filtering |
| Patch management | Defined SLA for critical flaws, priority on internet-facing assets | Assumed "auto-update is on" but servers are excluded |
| Privileged access management (PAM) | Separation, vaulting, session logging for admin accounts | Everyone is "Domain Admin", shared passwords |
Every row in this table is a question the insurer's lawyer will ask, one by one, inside a claim file.
The Price of Misrepresentation: The Fatal Detail
This is where most executives slip. In cyber insurance, the policy is built on the statements you made in the application. Legally this rests on a duty of disclosure and the principle of representation. If you declared a control as "present" on the form and that control is in fact absent at the moment of attack, the insurer can treat the policy as void from the start. No payout, and even the premiums paid become contestable.
This does not require bad faith. Often the IT team answers "is MFA in place" with an honest "yes", because MFA is genuinely enabled on some systems. But the attack comes from the single exception left without MFA. That one exception can throw the entire policy away.
The value DSET produces here is clear: before you fill the application, we establish the real state of every control in a provable way. Behind every "yes" you give stands a screenshot, a configuration output, a log record and a scope report. So your statement is honest and complete, and it survives the day of the claim.
The Fine Print: Knowing What Is Not Paid
Having coverage does not mean every loss is covered. The exclusions and sub-limits in the body of the policy define your real protection. The three traps we most often see in the field:
Ransom payment in most policies is either sub-limited or fully excluded. A company saying "I have 1 million in coverage" may have a ransom sub-limit of only 100 thousand. Moreover, some policies legally exclude ransom payments to sanctioned groups.
Social engineering and BEC (business email compromise) usually require separate coverage. Finance sending money to the wrong account on a fraudulent instruction falls not under standard cyber cover but under a separate "funds transfer fraud" coverage that must be added. In most policies this box is left unticked.
For business interruption loss, most policies have a waiting period. The first 8 to 12 hours of downtime are usually not paid. The first hours of an attack are the most expensive hours and are often paid out of pocket.
Signing a policy without knowing these three points means signing without knowing which risk stays with you. In its pre-bind technical risk assessment, DSET flags these gaps for you.
Turkey Context: KVKK, SMEs and Insurability
The cyber policy market in Turkey is growing fast, but it brings an insurability problem with it. SMEs lacking basic controls either receive no offer at all or face unaffordable premiums. Insurers no longer say "take the money, ignore the risk"; they do not write policies for companies without technical maturity.
The KVKK (Turkish data protection law) dimension adds another layer. A data breach triggers a 72-hour notification duty, the risk of administrative fines, and liability toward data subjects. A well-structured cyber policy can cover this third-party liability too, but again, accurate declaration on the application and technical proof of KVKK compliance are essential. We covered how the breach notification process works in detail in our KVKK data breach notification 72-hour form article.
DSET's Cyber Insurance Readiness and Compliance Service
We do not sell insurance. We make you low-risk in the insurer's eyes and protected on the day of the claim. Our service runs in three phases:
Phase 1, pre-application maturity audit. We verify every control on the insurer's application form, one by one, in the field. MFA coverage, EDR/XDR reach, whether offline backups are truly isolated, the patch SLA and the privileged account layout. Output: an evidenced scope report showing which item you can honestly tick "yes".
Phase 2, building the missing controls. We close the gaps. For EDR/XDR deployment we bring in our EDR/XDR endpoint security solution, and for ransomware-resilient backup architecture our ransomware protection and recovery solution. The goal is that every box you tick "yes" is actually a "yes".
Phase 3, claim support at the moment of breach. If an attack happens one day, our forensics and incident response (IR) team steps in. We document the root cause, scope and timeline of the attack with the technical rigor an insurer will accept. We explained how incident response works in our cyber incident response IR playbook article. This document is the backbone of your claim file; a disorganized response weakens even the most justified claim.
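Phase 1 in practice, as an added example that is not DSET's own tooling: a Python check over a constructed account inventory (sample data, not a real export) that answers the questionnaire's MFA row with "yes" only when every in-scope access path is fully covered, and otherwise lists the exceptions, the single unprotected VPN account from the opening story included, as the evidence behind the answer. The path names and account names are assumptions for illustration.

```python
"""MFA coverage scope check for the "all remote access uses MFA" row.

The insurer's question is binary, so the verdict is "yes" only at 100%
coverage on every required access path; anything less is an exception list.
"""
from collections import defaultdict

# Constructed sample inventory (not a real export). In practice these rows
# come from the VPN, mail and directory systems' own account reports.
INVENTORY = [
    {"account": "alice", "path": "vpn", "mfa": True},
    {"account": "bob", "path": "vpn", "mfa": True},
    {"account": "svc-backup", "path": "vpn", "mfa": False},  # the one exception
    {"account": "alice", "path": "email", "mfa": True},
    {"account": "bob", "path": "email", "mfa": True},
    {"account": "admin-dc01", "path": "admin", "mfa": True},
    {"account": "admin-legacy", "path": "admin", "mfa": False},
]

# Access paths the questionnaire row covers (assumed set). A required path
# with no accounts in the inventory is a gap in the evidence, not coverage.
REQUIRED_PATHS = ("vpn", "email", "admin")


def mfa_coverage(inventory, required_paths=REQUIRED_PATHS):
    """Return per-path coverage ratio, the exceptions and the form verdict."""
    totals, covered, exceptions = defaultdict(int), defaultdict(int), []
    for entry in inventory:
        path = entry["path"]
        if path not in required_paths:
            continue  # out of scope for this questionnaire row
        totals[path] += 1
        if entry["mfa"]:
            covered[path] += 1
        else:
            exceptions.append((path, entry["account"]))
    per_path = {}
    for path in required_paths:
        n = totals.get(path, 0)
        per_path[path] = covered.get(path, 0) / n if n else 0.0
    # "Yes" means every required path at 100% and no exception left over.
    can_tick_yes = all(r == 1.0 for r in per_path.values()) and not exceptions
    return {"per_path": per_path, "exceptions": sorted(exceptions),
            "can_tick_yes": can_tick_yes}


if __name__ == "__main__":
    report = mfa_coverage(INVENTORY)
    for path, ratio in report["per_path"].items():
        print(f"{path:6s} {ratio:6.1%}")
    for path, account in report["exceptions"]:
        print(f"EXCEPTION: {account} on {path} has no MFA")
    print("Form answer:", "yes" if report["can_tick_yes"] else "NO, do not tick")
```

The same structure works for the other table rows (EDR agent present per endpoint, backup target isolated per job): each answer is a ratio plus an exception list, and only an empty exception list justifies a "yes".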
Frequently Asked Questions (FAQ)
I already have a cyber insurance policy, do I still need this service? Usually yes, even more so. Companies that have a policy but never actually implemented the controls they declared carry the highest denial risk. Comparing the statements in your current policy against reality and closing the gaps ensures your policy works on the day of attack.
In what cases does the insurer deny a claim? The most common reason is false or incomplete declaration: a control stated as "present" on the application being in fact absent during the attack. The second is a loss that falls under an exclusion (sub-limited ransom, BEC requiring separate coverage). The third is late breach notification or failing the duty to notify.
Is ransom payment covered by my policy? It can be, but read carefully. Ransom is sub-limited or fully excluded in most policies, and payment to sanctioned groups is legally out of scope. Always confirm the ransom sub-limit on your coverage table before signing.
Does a cyber policy cover KVKK data breach liability? Well-structured policies can cover third-party liability and some administrative-sanction defense costs. But this depends on accurate declaration in the application and technical proof of KVKK compliance. Neglecting the 72-hour notification can cause both a fine and loss of coverage.
Is DSET an insurance agency? No. We do not sell insurance, we are not an agency. We build the technical side: we implement the controls in the field, produce the evidence for you to fill the application honestly, and at the moment of breach we support your claim file with forensics and incident response. Our impartiality comes precisely from that.
Sources
- ENISA, Threat Landscape reports: https://www.enisa.europa.eu/topics/cyber-threats/threats-and-trends
- NIST SP 800-61, Computer Security Incident Handling Guide: https://csrc.nist.gov/pubs/sp/800/61/r3/final
- KVKK, Data Breach Notification: https://www.kvkk.gov.tr/veri-ihlali-bildirimi
- FBI IC3, Internet Crime Report: https://www.ic3.gov/AnnualReport/Reports
- Marsh, Cyber Insurance Market reports: https://www.marsh.com/en/services/cyber-risk.html
- Hiscox Cyber Readiness Report: https://www.hiscoxgroup.com/cyber-readiness
Are You Insurable? Do Not Guess This, Prove It
Before your next policy renewal or first application, know how your controls look in the insurer's eyes. Request DSET's pre-application maturity audit; see with evidence which box you can honestly tick, and close the gaps before the attack arrives.
DSET has served in cyber security, digital forensics and data recovery since 2003 at Hacettepe Teknokent Beytepe, Ankara. Phone: +90 536 662 38 09