*8 min read · Last updated June 18, 2026*
In this article
– Why cyber insurers now demand specific security controls
– How a wrong application answer voids the whole policy
– The MFA attestation is the most common trap
– What counts as a material misrepresentation
– How to make your application actually true before you sign
– FAQ
Daniel Cho runs a 22-person accounting firm. In April, ransomware locked every workstation during tax season, and the recovery, lost billings, and client notification added up to a $310,000 claim. He had a cyber policy with a $500,000 limit, so he expected it to respond. Instead the insurer rescinded the policy. His renewal application had stated that multi-factor authentication protected all remote network access. One legacy VPN account, used by a part-time bookkeeper, had it switched off. That account was the exact door the attackers walked through. The carrier refunded his premium and paid nothing.
Why cyber insurers now demand specific security controls
Five years ago, a cyber application was short and vague. Today it is a detailed security questionnaire. Ransomware losses forced insurers to stop guessing and start underwriting on hard facts about your defenses.
The application now asks yes-or-no questions about specific controls. Do you require MFA on email and remote access? Do you keep offline or immutable backups, meaning copies an attacker cannot reach or overwrite? Do you patch critical vulnerabilities within a set number of days? Do you use endpoint detection and response (EDR), the monitoring software that watches each computer for attacks?
Here is the part that catches business owners. These answers are not background information. The carrier prices and issues the policy on the assumption that every answer is true. When the answer is false, the carrier argues it never agreed to the risk it actually took on.
| Control on the application | What it means in plain terms | Where businesses get the answer wrong |
|---|---|---|
| MFA on all remote access and email | A second login step on every account that can reach the network from outside | One old VPN, admin, or service account left without it |
| Offline or immutable backups | Backup copies an attacker cannot delete or encrypt | Backups exist but sit on the same network the attacker reached |
| Endpoint detection and response (EDR) | Software that monitors each device for active attacks | Installed on most machines but not the older servers |

Best for: any business buying or renewing cyber coverage. Verify each answer against real systems before signing.
How a wrong application answer voids the whole policy
The legal tool insurers use here is called rescission. Rescission does not just deny one claim. It unwinds the entire contract as if it had never been issued. You get your premium back, and the carrier owes nothing on any loss.
This is harsher than a normal coverage dispute. In a normal dispute, the carrier argues a specific loss falls outside the policy. With rescission, the carrier argues there was never a valid policy at all. A real example shows how aggressive this has become. In a widely reported 2022 case, the insurer Travelers asked a federal court to rescind a cyber policy because the customer had attested to using MFA across its systems when it had not. The carrier did not wait to fight the claim. It moved to erase the policy from the start.
That is the exposure Daniel faced. His firm did have MFA almost everywhere. The single account without it was enough for the carrier to argue the application answer was false. For more on how these policies are supposed to work when everything is in order, see how cyber liability insurance protects small businesses.
The MFA attestation is the most common trap
MFA is the control insurers care about most, because it blocks the cheapest and most common attack: a stolen or guessed password. So nearly every application asks about it, and the question is usually broad. It asks whether MFA protects all remote access, all email, and all privileged or administrator accounts.
The word “all” is where firms get hurt. A growing business accumulates accounts over the years. An old remote-desktop login. A vendor’s service account. A shared mailbox nobody owns. A founder’s admin account set up before the company had a policy on this. Any one of these without MFA can make a blanket “yes” untrue.
This same theme runs through other cyber gaps. Attackers also exploit human trust, which is why a separate coverage problem shows up in social engineering fraud, where a deceived employee wires money out. The lesson is the same in both: the policy responds to what you accurately described, not to what you assumed it covered.
What counts as a material misrepresentation
Not every mistake on an application voids a policy. The carrier generally has to show the misrepresentation was material. Material means the truth would have changed the carrier’s decision, either to charge a higher premium or to decline the risk entirely.

MFA clears that bar easily. Insurers state plainly that they would not write the same terms, or sometimes any terms, for a business without MFA on remote access. So a false MFA answer is treated as material almost by default. Some states also require the carrier to show intent to deceive, while others allow rescission for an innocent but material misstatement. The protection varies by state, so do not count on “I didn’t mean to” as a defense.
This is different from running out of coverage. If your real problem is that your limit is too small, that is a cyber sublimit gap inside a business owners policy, not a misrepresentation. A rescission attacks whether you have a policy at all.
How to make your application actually true before you sign
You complete a cyber application once a year, and that signature controls whether a six-figure claim gets paid. Treat it like the legal document it is.
1. Inventory every account that can reach your network from outside. Walk the list with your IT provider before you answer the MFA question. Include service accounts, vendor logins, and old admin accounts, not just employee email.
2. Match each application answer to a real system, not a memory. If the form asks about offline backups, confirm the backups are actually isolated from the network. If it asks about EDR, confirm it is on every server, not most of them.
3. Fix the gaps before you sign, or disclose them. If a control is not fully in place, either close the gap first or tell the broker the precise truth. An accurate “no” is far cheaper than a false “yes” that voids the policy.
4. Keep evidence of your answers. Save the configuration screenshots and the dates. If the carrier later challenges an answer, contemporaneous proof is your strongest defense against rescission.
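The four steps above boil down to one rule: the blanket MFA answer is only “yes” if every in-scope account has it. The script below is an added illustration, not part of this article and not any insurer’s or vendor’s tool. It runs the check over a constructed account inventory (the account names, kinds and owners are made up), derives the honest answer to the application question, shows how closing the identified gaps changes that answer, and produces dated per-account evidence lines to keep with the signed application. The scope rule (remote access, email, privileged) mirrors the wording of the question as the article describes it.

```python
"""Derive an accurate answer to the blanket MFA attestation from an account inventory.

Added example: the inventory below is constructed, not real data.
"""
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Account:
    name: str
    kind: str            # "email", "vpn", "rdp", "admin", "service", "internal"
    remote_access: bool  # can the account reach the network from outside?
    privileged: bool     # administrator or otherwise elevated rights
    mfa_enabled: bool
    owner: str = "unassigned"


def in_scope(acct: Account) -> bool:
    """The application's wording covers remote access, email and privileged accounts."""
    return acct.remote_access or acct.kind == "email" or acct.privileged


def attest_mfa(inventory: Iterable[Account]) -> Dict:
    """Return the only answer the inventory supports. One in-scope gap makes it 'No'."""
    scoped = [a for a in inventory if in_scope(a)]
    gaps = [a for a in scoped if not a.mfa_enabled]
    return {
        "answer": "No" if gaps else "Yes",
        "in_scope": len(scoped),
        "gaps": [a.name for a in gaps],
    }


def close_gaps(inventory: Iterable[Account], names: Iterable[str]) -> List[Account]:
    """Model step 3: enable MFA on the named accounts and return the updated inventory."""
    fixed = set(names)
    return [replace(a, mfa_enabled=True) if a.name in fixed else a for a in inventory]


def evidence_record(inventory: Iterable[Account], reviewed_on: str, reviewer: str) -> List[str]:
    """Step 4: dated, per-account lines to file alongside the signed application."""
    lines = []
    for a in sorted(inventory, key=lambda x: x.name):
        status = "MFA on" if a.mfa_enabled else "MFA OFF"
        scope = "in scope" if in_scope(a) else "out of scope"
        lines.append(f"{reviewed_on} {reviewer}: {a.name} ({a.kind}, owner={a.owner}) {status}, {scope}")
    return lines


# Constructed sample inventory; every entry is hypothetical.
SAMPLE_INVENTORY = [
    Account("jdoe@example.com", "email", True, False, True, "J. Doe"),
    Account("legacy-vpn-bookkeeper", "vpn", True, False, False),            # the forgotten VPN login
    Account("svc-backup-agent", "service", True, False, False, "IT vendor"),  # vendor service account
    Account("founder-admin", "admin", False, True, True, "founder"),
    Account("print-server-local", "internal", False, False, False, "IT"),   # no outside reach: out of scope
]

if __name__ == "__main__":
    before = attest_mfa(SAMPLE_INVENTORY)
    print("Application answer before remediation:", before["answer"], "gaps:", before["gaps"])
    after = attest_mfa(close_gaps(SAMPLE_INVENTORY, before["gaps"]))
    print("Application answer after remediation:", after["answer"])
    for line in evidence_record(SAMPLE_INVENTORY, "2026-06-01", "IT provider"):
        print(line)
```

Note that the internal-only account without MFA does not change the answer, while the vendor service account does: scope is decided by what the question asks, not by whether a human logs in with the account.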
If you are unsure whether a payout problem after a breach is a coverage limit or a misrepresentation, the difference matters. A limit shortfall still pays up to the cap. A rescission, like the kind that can follow a ransomware payment dispute, can pay zero.
FAQ
**Can a cyber insurer really deny a claim because of one account without MFA?**
Yes. If the application stated MFA protected all remote access and one in-scope account did not have it, the carrier can argue the answer was a material misrepresentation. Because that single account was often the breach point, insurers treat the gap as directly relevant to the loss.

**What is the difference between a denied claim and a rescinded policy?**
A denied claim means this specific loss falls outside coverage, but the policy still exists for other losses. A rescinded policy is erased from the start. The carrier refunds your premium and pays nothing on any claim under it.

**Does it matter that I didn’t lie on purpose?**
It depends on your state. Some states require the insurer to prove intent to deceive before rescinding. Others allow rescission for an innocent but material misstatement. Do not assume an honest mistake protects you, because in many states it does not.

**How do I know if my application answers are accurate?**
Review the application with your IT provider line by line before signing. Confirm each control is actually in place across every system the question covers, not just most of them, and keep dated evidence of what you confirmed.

**Is this the same as not having enough coverage?**
No. A coverage limit that is too low still pays up to the cap. A misrepresentation that triggers rescission can leave you with no coverage at all, which is why an accurate application matters as much as a high limit.
The cyber policy you bought is only as good as the answers you gave to get it. Walk the application with your IT provider before you sign, close the gaps you find, and keep proof of every control you claimed. A breach is the wrong moment to learn that one switched-off account turned your six-figure policy into a refund check.