Why Your Practice's Cyber Insurance Might Not Pay Out
Cyber cover can be quietly refused when a practice cannot prove MFA, patching and backups were in place. Here is what insurers check and how to stay covered.
- Security
- Compliance
- Insurance
You renew your professional indemnity cover every year without a second thought, and more practices are now adding cyber insurance alongside it. It feels like a sensible safety net. If a client’s data is stolen or your systems are held to ransom in the middle of self-assessment season, the policy pays for the recovery, the legal advice and the fallout.
That is the theory. The uncomfortable reality is that a growing number of cyber claims are being turned down, and the firms involved often had no idea their cover was at risk until the worst had already happened.
A policy is only as good as the claim it pays
Cyber insurance is different from most cover an accountancy practice buys. With buildings or contents insurance, the insurer mostly cares whether the event happened. With cyber cover, they care just as much about whether you were doing the things the policy required you to do at the time.
When you complete the application, you answer a set of questions. Do you enforce multi-factor authentication? Do you keep software up to date? Do you back up your data? You tick the boxes, the policy is issued, and everyone moves on.
The verification does not happen then. It happens later, after a breach, when a forensic investigator goes through your systems to work out what failed. If they find that a control you said was in place was not actually switched on, or you simply cannot prove it was, the claim can be reduced or refused outright. Reports suggest more than 40 percent of UK cyber claims hit a problem at some stage, and the most common cause is a practice being unable to demonstrate the controls it had signed up to.
The gap, then, is rarely about lying on a form. It is about the difference between believing a control is in place and being able to prove it on the day it matters.
The controls insurers actually check
A handful of basics come up again and again when claims are examined. None of them will be a surprise, and all of them tie directly to your duty to protect client data.
Multi-factor authentication, enforced not optional
This is the big one. By some accounts, the large majority of denied claims involved a business that lacked active MFA. The trap is subtle. Many practices have MFA available on their email or remote access, but it is left as an option rather than enforced for everyone. From the insurer’s point of view, MFA that a member of staff can skip is the same as no MFA at all. Insurers typically expect it across email, any remote access into the practice, and crucially on administrator accounts, which are the keys to everything.
Patching you can evidence
Insurers expect software updates to be applied within agreed timeframes, and they expect written proof. This is where a lot of firms come unstuck. The updates might genuinely be happening, but if there is no log showing what was patched and when, the absence of records can be treated as a failure to patch. “We think it updates automatically” is not evidence. A dated patching record is.
Backups that have been tested
A backup you have never restored from is a hope, not a safeguard. Insurers want to see that your data is backed up and that the backups actually work. For an accountancy practice this overlaps neatly with your retention obligations, you already need to hold client records securely for years, so testing that you can get them back protects you on two fronts at once.
Access control
Who can reach which systems, and what happens when someone leaves? Tidy, documented access management shows an insurer that the practice is run carefully rather than by accident.
Why this matters more for an accountancy practice
You hold some of the most sensitive data a small business can hold. National Insurance numbers, bank details, full financial histories, the lot. That makes you an attractive target, and it raises the stakes if a claim is refused.
If a breach hits and the insurer walks away, you are not only facing the recovery cost. You still have your duty to protect client data, your obligation to report a personal data breach to the ICO, and the conversations with clients who trusted you with their figures. A declined claim turns a manageable incident into a threat to the practice itself. ICAEW and your clients both expect you to handle this data properly, and our note on what ICAEW and your clients expect from your IT goes into that side in more detail.
Documentation is the quiet hero
The thread running through every refused claim is the same. The control was missing, or it could not be proven. The fix is therefore not glamorous. It is making sure the basics are switched on for everyone and writing down that they are.
This is one reason Cyber Essentials is worth the effort for a practice. The certification asks for the exact controls insurers care about, MFA, patching, secure configuration, access control and malware protection, and the assessment produces dated, independent evidence that they were in place. That evidence is precisely what an insurer looks for after a claim. Some insurers also offer better terms or lower premiums to certified firms. Our plain-English guide to Cyber Essentials for practices walks through what is actually involved.
Beyond certification, keeping cover valid is largely a matter of routine: MFA enforced and reviewed, a patching log kept up to date, backups tested on a schedule, and access lists that reflect who actually works at the practice today. That kind of steady, documented housekeeping is a core part of managed IT support, and it is the difference between a policy that pays and one that does not.
A few minutes now is worth a refused claim later
The honest position is that most practices are closer to compliant than they fear, but few could prove it cold if a forensic investigator turned up tomorrow. The questions to sit down and answer are simple. Is MFA enforced for every member of staff, including on admin accounts? Can we show, on paper, that our systems are patched? Have we ever actually restored from a backup? Do we know who can access what?
If any of those make you pause, that pause is exactly what an insurer would find later. A free Practice IT Health Check goes through these controls with you in plain English and shows you where the evidence gaps are, so the cover you are paying for is there when you need it.
A cyber policy is a promise. Make sure your practice has kept its side of it.
Frequently asked questions
Does cyber insurance replace good IT security?
No. Cyber insurance is there for when something goes wrong despite your best efforts. Insurers now expect the basic controls, MFA, patching, backups and access management, to already be in place, and they will check after a claim. The cover sits on top of good security, it does not stand in for it.
Will Cyber Essentials help our claim get paid?
It helps a great deal. Cyber Essentials forces you to put the exact controls insurers ask about in writing, and the certificate is dated independent evidence that they were in place. Some insurers reduce premiums or improve terms for certified firms. It is not a guarantee of payout, but it removes the most common reason claims are refused.
What records should our practice keep to protect a claim?
Keep evidence that MFA is enforced on email, remote access and admin accounts, a patching log showing updates are applied on a regular schedule, records of restore tests proving backups work, and a clear list of who has access to which systems. Date everything. If you cannot show it, an insurer may treat it as if it never happened.
How quickly do we have to report a breach to our insurer?
Most policies require notification within 48 to 72 hours of detecting an incident, and that clock can start before you fully understand what has happened. Late reporting is a common reason claims are reduced or refused, so build insurer notification into your incident plan alongside your duty to report personal data breaches to the ICO.
Want this checked for your own practice?
Book a free Practice IT Health Check, a plain-English, no-obligation review of where your IT stands.
Book your free Health Check