I’m telling some of my potential clients to stop paying for cyber insurance. Not all of them. Some of them. And before that sentence gets me in trouble with every insurance broker in Central Florida, let me explain what I actually mean — because it isn’t “insurance is a scam.” It’s something more specific, and more useful, than that.
Here’s the problem. Roughly half the small and mid-sized businesses I sit down with are paying for a policy they will never successfully claim against. They have the certificate. They have the premium leaving the account every month. What they don’t have is the thing that makes the policy actually pay out when it matters.
How a claim actually gets denied
When you applied for that policy, you — or whoever handled it — filled out a questionnaire. A long one. It asked whether you had multi-factor authentication on every administrator account. Whether you had a written incident response plan, dated and tested. Whether your backups were separated from your production environment. Somebody checked the boxes, the policy was issued, and everyone moved on.
Then a breach happens. Ransomware locks your files, or an attacker quietly sits in your email reading invoices for three weeks. You file the claim. And the first thing the carrier does is not write you a check. The first thing they do is pull that questionnaire back up and start verifying it against what was actually in place the day you got hit.
That’s where it falls apart. The “MFA on every admin account” turns out to be MFA on most accounts. The incident response plan was a template someone downloaded in 2021 and never opened again. The backups were sitting on the same network the ransomware just encrypted. None of that is criminal. Most of it isn’t even unusual. But it’s enough. The claim gets denied for misrepresentation, the three years of premiums you paid are gone, and the coverage you thought you had never existed.
Cyber insurance without the controls is pointless. You’re paying to feel safe, not to be safe.
The rules changed, and a lot of policies didn’t keep up
This isn’t the carriers being sneaky. It’s the market catching up to reality. A few years ago, cyber insurance was close to a formality — fill out a short form, pay the premium, you’re covered. Then ransomware claims exploded and insurers started paying out far more than they took in. So they tightened.
Today, the application is the audit. Underwriters don’t want a checked box anymore — they want proof. Screenshots. Exports from your management tools. Evidence that a control was actually turned on, for everyone, on the day in question. You saying “yep, we’ve got that” carries almost no weight at claim time. If a forensics team can’t confirm the control was in place, the carrier treats the box you checked as a misrepresentation. Same outcome: no payout.
So you can end up in the worst possible spot — paying real money every month for a policy that’s quietly unenforceable, and not finding out until the exact moment you needed it to work.
The 12 things your carrier is going to ask about
Here’s the useful part. The questionnaire isn’t a mystery. Carriers have largely converged on the same set of controls, and if your renewal is coming up, these are the twelve you’ll be asked to prove. Read them honestly — not “we sort of do that.” Could you produce evidence today?
| Control | What the carrier actually wants to see |
|---|---|
| 1. Multi-factor authentication (MFA) | MFA enforced on email, remote access, and every admin account — not most accounts. Every one. |
| 2. Endpoint detection & response (EDR) | A real EDR or managed detection tool on all endpoints, ideally monitored around the clock. Plain antivirus no longer counts. |
| 3. Secure, separated backups | Backups that are encrypted, kept off your production network, and actually test-restored — not just “running.” |
| 4. Privileged access management | Admin rights limited to the people who truly need them, with those accounts locked down harder than everyone else’s. |
| 5. Email filtering & web security | A filtering layer in front of inboxes that catches phishing and malicious links before a user can click. |
| 6. Patch & vulnerability management | A documented routine for updating systems on a schedule, with critical fixes applied fast — not whenever someone gets to it. |
| 7. Incident response plan | A written plan, dated this year, that says who does what when something goes wrong — and that you’ve actually walked through. |
| 8. Security awareness training | Recurring training and phishing simulations for staff. A once-a-year, one-and-done session no longer satisfies carriers. |
| 9. Remote access hardening | Remote Desktop off the open internet, with remote logins protected behind MFA and a VPN. |
| 10. Logging & monitoring | Centralized logs, so that when something happens you can actually see what happened and when. |
| 11. Retiring end-of-life systems | No unsupported Windows and no servers the manufacturer stopped patching years ago still sitting on the network. |
| 12. Vendor & supply-chain risk | Some accounting of which outside vendors touch your systems and data — because their breach becomes your breach. |
If you went down that list and hit four or five you can’t honestly prove, you don’t have a coverage problem. You have a controls problem. The policy is just the place where that problem shows up.
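One way to turn "could you produce evidence today?" into something you can actually run, as an added example that is not part of the original post or Harmony MSP's own tooling: the script below reads a user export and an asset inventory and answers two of the questions the way the carrier words them. The column names, the sample rows and the audit date are constructed assumptions, not any particular identity provider's or RMM tool's format. The point it makes is that the honest answer is an exception list, not a coverage percentage: an environment can be 87.5% covered and still have to answer "no" to "MFA on every admin account."

```python
"""Check exported data against carrier questionnaire wording.

Added example. The CSV text, column names and audit date below are
constructed assumptions, not a real tool's export format.
"""
import csv
import io
from datetime import date

# Assumed date the evidence is being produced on.
AS_OF = date(2025, 6, 1)

# Constructed sample: what an identity-provider user export might look like.
USERS_CSV = """user,roles,mfa_enforced
alice@example.com,Global Admin,true
bob@example.com,Helpdesk Admin,true
carol@example.com,User,true
svc-backup@example.com,Exchange Admin,false
dave@example.com,User,true
erin@example.com,User,true
frank@example.com,Billing Admin,true
grace@example.com,User,true
"""

# Constructed sample: what an asset inventory with vendor support dates might look like.
ASSETS_CSV = """hostname,os,support_end
fs01,Windows Server 2012 R2,2023-10-10
dc01,Windows Server 2022,2031-10-14
ws-17,Windows 10 22H2,2025-10-14
"""


def _rows(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def _has_mfa(row: dict) -> bool:
    return row["mfa_enforced"].strip().lower() == "true"


def mfa_coverage(export_csv: str) -> float:
    """Percentage of all accounts with MFA. Useful context, not an answer."""
    rows = _rows(export_csv)
    return round(100.0 * sum(_has_mfa(r) for r in rows) / len(rows), 1)


def admins_without_mfa(export_csv: str) -> list[str]:
    """The exception list the questionnaire question is really asking for.

    Any role containing 'admin' counts as privileged; service accounts
    holding admin roles are deliberately not exempted.
    """
    return sorted(
        r["user"] for r in _rows(export_csv)
        if "admin" in r["roles"].lower() and not _has_mfa(r)
    )


def end_of_life_assets(inventory_csv: str, today: date) -> list[str]:
    """Hosts whose vendor support date is already in the past."""
    return sorted(
        r["hostname"] for r in _rows(inventory_csv)
        if date.fromisoformat(r["support_end"]) < today
    )


def questionnaire_answers(export_csv: str, inventory_csv: str, today: date) -> dict:
    """Map each control to (can honestly answer yes, evidence of exceptions)."""
    gaps = {
        "mfa_on_every_admin": admins_without_mfa(export_csv),
        "no_end_of_life_systems": end_of_life_assets(inventory_csv, today),
    }
    return {control: (len(missing) == 0, missing) for control, missing in gaps.items()}


if __name__ == "__main__":
    print(f"Overall MFA coverage: {mfa_coverage(USERS_CSV)}%")
    for control, (ok, missing) in questionnaire_answers(USERS_CSV, ASSETS_CSV, AS_OF).items():
        print(f"{control}: {'YES' if ok else 'NO'} {missing}")
```

Run against a real export, the two lists it returns are exactly what a forensics team will reconstruct after a claim, so it is worth keeping a dated copy of the output alongside the screenshots the underwriter asks for.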
So should you cancel? No — but maybe pause
I want to be careful here, because “stop paying for cyber insurance” is easy to misread. I’m not anti-insurance. The clients I tell to keep their policy are the ones who can stand behind their questionnaire — they have the controls, they have the proof, and they have a policy that will actually function when they need it. For them, it’s one of the best dollars they spend.
The clients I tell to pause are the ones renewing a policy they can’t back up. Writing another year’s premium on coverage that’s structurally unenforceable isn’t risk management — it’s a recurring donation. If you can’t check off most of those twelve, renewing doesn’t make you safer. It just makes you feel like you did something.
Put the money in the right order
Here’s the advice I actually give, and it’s simple. If your renewal is coming up and you can’t honestly check off the things your carrier is going to ask about, don’t renew yet. Take that premium and spend it on the controls first. Get MFA truly everywhere. Get a real EDR running. Get your backups off the production network and prove you can restore from them. Write the incident response plan and read it out loud with your team once.
Then get the policy. Because now the questionnaire is true, the coverage is enforceable, and — this is the part people don’t expect — you’ll usually pay less for it. Carriers price provable controls into the premium. Businesses that can document MFA, EDR, and separated backups routinely get better rates than identical companies that can’t. You end up more secure and you spend less on the insurance. That only happens when you do it in this order.
The policy follows the proof. Not the other way around.
Where we come in
Most of the businesses we work with around Lake Mary and the greater Orlando area didn’t fail that twelve-point list on purpose. They bought a policy a few years ago, checked the boxes their broker handed them, and never circled back as the requirements quietly got stricter. The gap usually isn’t negligence. It’s drift.
If your cyber insurance renewal is on the calendar this year, the smartest thing you can do before signing is run your own setup against that list — honestly — and close the gaps that would sink a claim. That’s a large part of what we do at Harmony MSP. We get the controls real, we document them so they hold up under a carrier’s scrutiny, and we make sure the coverage you’re paying for is coverage you can actually use.
If you’d like a straight answer on where you stand before your renewal date, reach out. No scare tactics, no fear pitch — just an honest read on whether the policy you’re paying for would hold up. Because feeling covered and being covered are two very different things, and the difference only matters once.
