Introduction

Cyber insurance has become a boardroom topic in 2025. With ransomware payouts hitting record levels and insurers scrutinizing claims more closely than ever, firms are realizing that coverage is not guaranteed. The recent denial of Hamilton’s $18.3M claim made that painfully clear.

I recently attended a webinar on cyber insurance and risk management that unpacked how underwriting really works, why so many claims result in no payouts, and what business leaders - especially in professional service firms - need to understand before they sign a policy.

  1. Underwriting Isn’t What You Think

Most companies assume cyber insurance premiums are based on a quick questionnaire. In reality, insurers now combine those questionnaires with attack surface scanning - using the same lens a hacker would to assess your external vulnerabilities.

  • Revenue is the top driver of pricing.
  • Industry risk follows (finance, legal, healthcare are higher).
  • Technical controls and configuration round it out.

🔑 Takeaway: Your answers on the form matter, but external scan data is what really predicts whether you’ll be attacked.

  1. Why So Many Claims Are Denied

Industry data shows that over 50% of claims don’t pay out. Often it’s because:

  • The business impact was deemed minimal (so no payout triggered).
  • The questionnaire was completed inaccurately.
  • Required controls (like MFA) weren’t actually enforced.

Hamilton is the cautionary tale: despite having coverage, their lack of multi-factor authentication across systems gave the insurer grounds to deny the claim.

🔑 Takeaway: Honesty beats optimism. If you say “yes” to every control but can’t prove it, you risk total denial.

  1. The MSP Advantage in Cyber Insurance

Some cyber insurance brokers partner with Managed Service Providers (MSPs). Before the underwriter even reviews a policy, the MSP gets first access to scan data. That means vulnerabilities can be fixed before the insurer sees them.

This benefits everyone:

  • Clients look stronger on paper.
  • MSPs prove measurable value.
  • Insurers lower risk exposure.

🔑 Takeaway: Working with an MSP that understands cyber insurance can save you from rejection - or worse, denial when you need it most.

  1. Not All MSPs Are Created Equal

It’s important to recognize that not every company calling itself an “MSP” is truly delivering managed services. Many provide reactive IT support - fixing issues when they arise - but don’t go further into proactive risk management, compliance alignment, or cyber insurance readiness.

The difference matters:

  • IT Support = Help desk tickets, device troubleshooting, reactive fixes.
  • True Managed IT Services = Strategic planning, 24/7 monitoring, security configuration management, vulnerability remediation, and alignment with insurance & compliance requirements.

When it comes to cyber insurance, that gap can mean the difference between coverage approval or claim denial. An MSP without the right tools, frameworks, or insurance knowledge may keep your systems running - but they won’t position your firm for resilience or protection when it counts.

🔑 Takeaway: If your MSP isn’t talking about cyber insurance, compliance, and risk management, they’re leaving you exposed.

  1. Risk Management Must Evolve

Risk management is no longer about buying tools - it’s about configuration quality and monitoring.

Key recommendations:

  • Implement 24/7 managed detection and response (MDR).
  • Establish a process to identify which of the thousands of CVEs each week actually matter to your stack.
  • Upgrade security awareness training - focus on quality over frequency to combat evolving social engineering.

🔑 Takeaway: Risk management isn’t a checklist. It’s an ongoing discipline.

  1. Policy Types and Brokers Matter

Not all policies are created equal. General property & casualty brokers often add a cyber rider, but these are shallow and filled with exclusions. Specialist cyber brokers, on the other hand, can tailor policies and provide a vulnerability checklist before you sign.

🔑 Takeaway: Choose a broker who understands cyber risk, not just insurance paperwork.

Conclusion

Cyber insurance is no longer a “set it and forget it” line item. It’s a living partnership between your insurer, your MSP, and your organization. Honest questionnaires, proactive risk management, and quality configurations determine whether you’re truly covered - or whether you’ll be left holding the bill like Hamilton.

At ITS Canada, we help firms align their technology, security, and compliance controls with both best practices and insurer expectations. If you’re considering a policy renewal - or just want to validate your readiness - we can walk you through a Cyber Insurance Readiness Assessment to ensure there are no gaps between your answers and your reality.