Axulu Cyber Insurance Diagnostic Sales Page
73% of cyber insurance claims are denied.
The dangerous question is not “Do you have cyber insurance?”
The dangerous question is: will it actually pay when you need it?
If you were hacked today, would your cyber insurance claim be paid or denied?
Cyber insurance is not a magic cheque book. It is a contract full of conditions, exclusions, time limits, and evidence traps. It only pays if you can prove you complied.
A serious SME cyber breach is rarely just a technical clean-up. The real cost is usually made up of the breach fix itself, forensic investigation, legal advice, PR, business interruption, and customer fallout.
The ransom demand is often just the first invoice.
A serious cyber incident can hit you in five places at once:
- the technical clean-up;
- forensic investigation;
- legal and PR costs;
- business interruption;
- customer, supplier, and management fallout.
And if your claim is denied, reduced, capped, or delayed, those costs do not disappear. They land on your balance sheet.
In the UK, the cost of a “significant” SME cyber attack is £124,000. The average cyber claim pay-out is only £64,000. That leaves a dangerous uninsured gap.
The cyber attack is the event. The uninsured tail is the killer.
Cyber insurance policies often look reassuring - until you read the conditions
Cyber insurance policies often say you must have “reasonable” security controls in place.
“Reasonable” is not your word. It is theirs. You only find out what “reasonable” means when the insurer is deciding whether to pay.
In practice, if you cannot evidence those controls - MFA for everybody including service accounts, restore-tested backups, anti-malware installed everywhere, privileged accounts protected, remote users secured - your claim may be denied.
Policies are not enough.
If you cannot prove it after the breach, it is hard to rely on it when the insurer starts asking questions.
It looks very different when a claims investigator starts asking:
- Why was that former employee still on your systems?
- Where is the MFA export?
- When was the last restore test?
- Who approved the exception?
Policies vs evidence
Many businesses have policies. But a policy document is not evidence. A promise from your IT provider is not evidence. A green tick in a dashboard is not always evidence.
Show me the logs.
Show me the restore test.
Show me the MFA export.
Show me the patch record.
Show me the incident response plan.
Show me who knew what, and when.
Most businesses do not have a cyber insurance problem. They have an evidence problem.
The reasonable precautions trap
Mostly protected is not universally protected: if any single device, account, or system cannot be proved to have MFA, your claim can be denied.
With an average cost of £124,000 for a significant SME cyber attack, the financial impact can be brutal
If your business is doing £2m a year, every working day lost costs about £9,000. For a £5m business, it is about £22,000. This is not abstract “downtime”. It is lost output, lost billing, delayed projects, angry customers, idle staff, management distraction, and emergency professional fees.
And if the insurer says no, that money has to come from somewhere. Usually, you.
What happens in the diagnostic
It is a call with an experienced CIO who owned and ran an IT company for nine years, worked in security around the world, spent years in enterprise architecture, and acted as a virtual CIO for more than 40 SME businesses.
In one diagnostic, I can give you a clear view of whether you are defensible in a crisis and, if you are not, what you need to ask your IT company for.
We look at your cyber policy like an insurer, your evidence like a forensic investigator, and your IT contract like a lawyer.
Your insurer has experts protecting its payout.
Your IT company has contract wording protecting its liability.
Who do you have?
Here is the truth most business owners do not know:
In the overwhelming majority of cases, your managed services agreement does not cover the cost of a cybersecurity breach.
Most of the time, it is “best efforts” only.
At most, you may only recover a few months of IT fees.
In other words: the IT failed, the breach cost your business hundreds of thousands, and the best you may get back is a small refund on your IT support invoices.
You think you have two safety nets: your cyber insurer and your IT company. But when the breach happens, both contracts can point away from themselves and back at you.
Your insurer protects its loss ratio and says: prove you complied.
Your IT company protects its liability position and says: our contract does not cover that.
And the business owner says: so who pays?
That is the trap. You are crushed between two rocks with your cheque book open.
I was a poacher turned gamekeeper. I know where the escape hatches are because I used to write them.
In a diagnostic, I do not only look at your cyber insurance policy. I also look at your managed services agreement and show you where the two line up, where the gaps are, and whose job it is to cover them.
Your IT contract may only say they are “deploying MFA”, not that they are auditing, reporting, and evidencing it everywhere.
So what have you really been buying - protection and certainty, or just the cheapest per-seat support your team could find on Google?
Let’s get really clear on five denial traps hiding in plain sight
1. Backups
Here is a screenshot from a real Hiscox cyber policy. It says you must take “reasonable precautions”. So ask yourself: would an insurer think a daily email saying “Backup Job Completed” is reasonable, or would they expect proof that you restored and tested your backups every six months?
But very few IT companies perform genuine restore tests to prove the backups actually work, because restore testing takes time and costs money.
That is not the same as testing it.
That is not the same as restoring it.
That is not the same as proving the business can recover.
If they are not restoring your data to a clean system and having one of your staff test it every six months, your backups may not work - and your claim may be at risk.
That is what they consider “reasonable”.
2. Multi-factor authentication
Do you have multi-factor authentication turned on? Most businesses say yes.
Do you have a policy saying MFA must be installed on all users, all devices, all privileged accounts, and all remote access?
If you do not have evidence proving it was installed on all of them, that one gap alone can be enough to put your whole claim at risk.
And here is the dirty little secret of IT companies: they are often not contractually required to put multi-factor authentication on everything, and they may not be required to prove it either.
The worst you can usually do is fire them.
For most IT providers, the terms and conditions exclude consequential losses. And even if they do not, you still have to sue them. That means legal costs, delay, and hoping they have insurance that will pay out.
Far cheaper. Far quicker. Far safer to get it now.
3. Patching and known vulnerabilities
Cyber insurers care about known vulnerabilities, not whether your IT company patches “regularly”.
Was the hole already known - found in an earlier scan or penetration test - and still left unpatched?
If the attacker used a known hole, the insurer may say the loss was avoidable. Patch delay can become claim denial.
4. Social engineering
Social engineering is not just fake invoices. The attacker does not need to break your firewall if they can persuade someone to hand over the keys.
The question is: can you prove they were trained, tested, followed up, and managed?
5. The first 72 hours
The clock starts before you feel ready.
The first 72 hours can decide whether your claim survives. If you do not have a tested incident response plan, you are unlikely to meet their time limits for reporting and crisis management.
- Notify us first;
- do not admit liability;
- do not appoint your own forensic firm;
- do not pay the ransom without approval;
- do not destroy evidence;
- cooperate fully;
- provide information at your expense.
You cannot invent a tested incident response plan during the incident.
Your IT company’s instinct is to get you running again.
Your insurer may require evidence to be preserved, vendors to be approved, forensic work to be controlled, and the claim process to be followed.
If your IT provider charges in, wipes machines, rebuilds servers, loses logs, or starts spending money before the insurer has approved the process, they may damage the claim you are relying on.
A primary school lost the escape route
Years ago, we inherited a primary school customer after buying contracts from an IT company that had gone into administration.
We had not designed their setup. We had not had the chance to fix it. We inherited it as it was. We advised them to update their systems. They declined, saying it was too expensive.
Before we took the contract on, the school had been offered anti-ransomware protection. The cost was roughly £4,000 per year. Again, they declined.
A teacher’s laptop was compromised through phishing. The attacker cracked the local password. The same password had been used on the server environment. From there, the attacker moved through the network, found the backups sitting on another server share, encrypted the live systems, and encrypted the backups too. They did not just encrypt the servers; they encrypted the escape route.
The ransom demand was £250,000 in Bitcoin. This was a primary school. They could not pay it.
They had to wipe their servers and rebuild from scratch. They lost their data and had to manually reconstruct all records from paper.
The school eventually reopened, but the head and most of the senior leadership team (SLT) had been replaced.
A small incident during private equity due diligence
Another customer was a fast-growing SME selling to private equity.
The business was well protected. The systems were locked down. The actual incident was small: a low-level sales rep’s mailbox was compromised through social engineering, and the attacker used it to send phishing emails to contacts. Technically, the blast radius was tiny.
But it happened right in the middle of private equity due diligence. The owners were selling the company. That changed everything.
Everyone was terrified the deal would be killed.
The PE buyer protected themselves, spent roughly £40,000 checking the incident, and then pushed that cost back onto the seller.
The seller then turned to the IT company and said: you made an error, so you need to pay. The IT contract did what a good IT contract is designed to do: it protected the IT company.
The IT contract had:
- limits of liability;
- exclusions for consequential losses;
- wording that pushed the commercial loss back to the customer.
The customer ended up paying.
That is the point. The IT company was not evil. The business owner was exposed.
Book a diagnostic to see whether you have the right documents
If you do not have the right documents today, you are not in a defensible position.
If there are gaps, you are at risk today.
In the diagnostic, we look for the practical evidence your insurer usually asks for:
- MFA evidence;
- backup and restore test evidence;
- patching records;
- anti-malware coverage;
- privileged access records;
- incident response plan;
- training and phishing records;
- approved forensic and vendor requirements.
Are you covered?
Can you prove it?
Does your IT company actually have to do it?
If not, what do you need to fix first?
When you get hacked, not if
The very fact that claims are becoming more common is why insurers are looking harder at whether you complied before they agree to pay.
If you had to claim today, could you prove they should pay?
Your insurer is not checking whether you bought IT support. They are checking whether the required controls were real, working, evidenced, and maintained.
Your cyber policy does not just insure your technology. It judges your management.
Book a diagnostic and find out before you need to claim.
You do not want to discover these gaps with a ransom note on the screen.
Find them now, before the insurer finds them for you.