Cyber Insurance: What Insurers Check Before They Pay Out

What do cyber insurers check after a hack before they pay out? Learn everything about contractual obligations for SMEs.

An IT forensics specialist reviews data logs on a screen in a modern Hamburg office after a cyberattack to verify security standards for the cyber insurance.

The threat landscape for the Mittelstand: why cyber insurance is indispensable

The threat landscape for the German Mittelstand has worsened dramatically in recent years. Cybercriminals now operate with a high degree of professionalism and increasingly target small and medium-sized companies, since these are often easier to breach than large corporations. According to data from the German Insurance Association (GDV), insurers were notified of around 4,000 cyberattacks in 2023, an increase of 18.7 percent compared to the previous year[1]. A single cyber loss came in at an average of 45,370 euros[1]. For many mid-sized businesses, such unforeseen costs are an existential threat. In this tense environment, cyber insurance has therefore become an indispensable economic safety net to cushion financial damage.

The reality in the Mittelstand: high risks and poor prevention

Many managing directors and IT leads feel a false sense of security as soon as a policy is in place. Yet claims settlement after a loss is by no means unconditional. After an incident, insurers check meticulously whether the agreed IT security standards were actually maintained in the business. A glaring gap between expectation and reality becomes apparent here: a Forsa survey commissioned by the GDV revealed that 69 percent of the mid-sized companies surveyed do not even meet the most basic IT security requirements[1]. If these contractually defined duties, known as obligations, are neglected when it matters, companies risk significant benefit reductions or even the insurer being fully released from liability.

| Insurer requirement (target) | Common shortfall in the Mittelstand (actual) | Effect on insurance coverage |
|---|---|---|
| Regular, offline-secured backups | Backup copies are stored unencrypted on active network drives | Risk of being encrypted by ransomware and of refusal to pay |
| Strict password policies and MFA | Weak passwords and missing multi-factor authentication at critical interfaces | Gross negligence can lead to a reduction in the payout amount |
| Use of modern protection systems | Outdated antivirus without behavior-based real-time monitoring | Breaching minimum technical requirements jeopardizes the entire contract |

To close these dangerous coverage gaps, companies must professionalize their security architecture and document it continuously. This is where CAVRIX comes in, with a combination of state-of-the-art protective measures and complete documentation. The services in the area of Cybersecurity offer mid-sized businesses continuous monitoring and threat defense, while the Managed IT module ensures that endpoints and systems are always up to date and auditable. Through this automated verifiability, companies can prove beyond doubt to the insurer in an emergency that all contractual security requirements were met without gaps.

The contractual trap: what are obligations and why do insurers check so closely?

Cyber insurance is vital for small and medium-sized companies in an emergency, yet claims settlement is by no means unconditional. After an incident, insurers check IT security standards extremely meticulously. The reason for this lies in the contractual duties of the policyholder, known as obligations. Anyone who fails to fulfill these duties completely risks the insurer reducing the benefit or refusing it entirely in the event of a loss. For managing directors and IT leads at German small and mid-sized companies, this is a critical topic, because lapses here can have existence-threatening financial consequences.

The reality in many businesses, however, stands in stark contrast to the requirements of the policies. According to a representative Forsa survey commissioned by the German Insurance Association (GDV), 77 percent of the mid-sized businesses surveyed consider themselves sufficiently protected, but this assessment is deceptive[2]. In fact, 52 percent of companies rate their own IT security far better than it actually is in practice[2]. This misjudgment becomes fatal at the latest when forensics specialists reconstruct the exact security posture after an attack.

What exactly are obligations?

In insurance law, obligations describe the contractual duties a company must observe in order not to jeopardize its claim to insurance coverage. A distinction is made between obligations before a loss, such as compliance with agreed minimum IT standards, and obligations after a loss, such as the immediate reporting of the incident. Typical requirements include regularly performing backups, using multi-factor authentication, and applying security updates quickly. Anyone who cannot demonstrably fulfill these conditions may, in an emergency, lose any claim to financial compensation.

| IT security criterion | Insurer requirement | SME reality according to GDV study |
|---|---|---|
| Employee training | Regular awareness training for staff against social engineering and phishing attempts | 64 percent of mid-sized businesses forgo such training entirely |
| IT contingency planning | Maintaining a documented and functional contingency plan for emergencies | 48 percent of the companies surveyed have not drawn up any contingency plan |
| Basic technical security | Use of strong passwords and prompt installation of critical software updates | More than two thirds of companies fail to meet even these basic criteria |

Source for all three figures: https://www.gdv.de/gdv/medien/medieninformationen/forsa-umfrage-zu-cyberrisiken-it-sicherheit-vieler-deutscher-unternehmen-ist-mangelhaft-192844

Why insurers look so closely after an incident

When a company becomes the victim of a cyberattack, for example through a serious ransomware attack, large loss amounts are usually at stake. Insurers typically commission specialized forensics experts to reconstruct the exact course of the attack. Since 68 percent of all successful cyberattacks begin with a phishing email or another malicious email, the behavior of staff is under particular scrutiny[2]. If the experts find that the breach was made possible by missing security updates or a glaring deficit in security awareness, the insurer has a legal basis to drastically reduce the payout.

To minimize this existence-threatening risk, complete technical and organizational protection is essential. With the integrated solutions for Cybersecurity and Managed IT, CAVRIX offers mid-sized companies all-round protection that closes security gaps automatically and documents compliance with all contractual policies without gaps. Through the intuitive Command Center, managing directors and IT leads keep an eye on the current security and compliance status at all times, so they are perfectly prepared in an emergency and can prove their insurance coverage completely.

The process in an incident: how insurers' IT forensics teams investigate attacks

As soon as a security incident is reported, the clock starts ticking for German mid-sized companies. The settlement of a loss by cyber insurance is by no means unconditional. Immediately after a loss is reported, insurers call in specialized IT forensics experts to reconstruct the exact course of the attack without gaps[3]. The primary goal of these experts is to find out how the attackers were able to penetrate the systems, which data is affected, and whether the company met its contractually agreed duties, known as obligations. For IT leads and managing directors, this is a critical phase, because mistakes in the initial response can jeopardize the entire insurance coverage.

Preserving digital evidence instead of premature remediation

In practice, many small and medium-sized companies make the mistake of immediately rebuilding systems or restoring backups hastily after discovering a ransomware attack, in order to become operational again as quickly as possible[3]. From a forensic perspective, this approach is fatal. Premature restarts and system changes delete volatile data in memory and irretrievably overwrite important evidence trails[3]. Insurers' forensics teams check meticulously whether such unauthorized recovery attempts hindered the root cause analysis[4]. Without a prior bit-exact backup of the affected storage media, companies risk significant benefit reductions or even the insurer being completely released from liability[5].
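The bit-exact copy the paragraph refers to is only useful as evidence if its integrity can be demonstrated later. The script below is an added illustration, not code from the article, from CAVRIX or from any insurer's process: it hashes a source medium and its acquired image in chunks, confirms they are byte-for-byte identical, and appends the result to a JSON-lines evidence manifest with a UTC timestamp. The file names are constructed stand-ins; in a real acquisition the source would be the block device and the image the file produced by the imaging tool.

```python
"""Verify that a forensic copy is bit-exact and record the result in an
evidence manifest. Added example with constructed file names; it is not
part of the original article or of any insurer's procedure."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so large images never sit fully in RAM


def sha256_of_file(path: str) -> str:
    """Stream the file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(source: str, image: str) -> dict:
    """Compare source medium and acquired image by size and SHA-256."""
    src_hash, img_hash = sha256_of_file(source), sha256_of_file(image)
    src_size, img_size = os.path.getsize(source), os.path.getsize(image)
    return {
        "source": source,
        "image": image,
        "source_sha256": src_hash,
        "image_sha256": img_hash,
        "size_bytes": src_size,
        "bit_exact": src_hash == img_hash and src_size == img_size,
        "verified_at": datetime.now(timezone.utc).isoformat(),
    }


def append_manifest(manifest: str, entry: dict) -> None:
    """Append one verification record as a JSON line (chain of custody)."""
    with open(manifest, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")


def demo() -> tuple:
    """Constructed scenario: one faithful copy, one copy with a flipped byte."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "sda.raw")       # stands in for the source device
    good = os.path.join(workdir, "sda_image.dd")    # faithful acquisition
    bad = os.path.join(workdir, "sda_image_bad.dd")  # acquisition damaged afterwards
    manifest = os.path.join(workdir, "manifest.jsonl")

    with open(source, "wb") as f:
        f.write(bytes(range(256)) * 4096)            # 1 MiB of constructed content
    shutil.copyfile(source, good)
    shutil.copyfile(source, bad)
    with open(bad, "r+b") as f:                      # flip one byte in the middle
        f.seek(512 * 1024)
        f.write(b"\xff")

    good_result = verify_image(source, good)
    bad_result = verify_image(source, bad)
    append_manifest(manifest, good_result)
    append_manifest(manifest, bad_result)
    shutil.rmtree(workdir)
    return good_result, bad_result


if __name__ == "__main__":
    for r in demo():
        print(r["image"], "bit-exact:", r["bit_exact"])
```

Two hashes that agree prove the copy, not the handling: record who verified, when, and on which machine in the same manifest, and keep the manifest somewhere the compromised systems cannot reach.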

| Forensic review area | Specific check by the experts | Possible insurance-law consequence |
|---|---|---|
| Entry path and vulnerabilities | Were known security gaps patched in time, or were administrative accesses insufficiently protected? | Benefit reduction for gross negligence in case of lax patch management. |
| Integrity of the data backup | Was the backup concept functional, current, and sufficiently isolated from the production network? | Loss of the benefit claim if contractual backup requirements are disregarded. |
| Response time and loss mitigation | When was the attack noticed and were the contractually prescribed initial measures initiated? | Limitation of claims settlement in case of culpable delay in reporting. |

Prevention and verifiability as the key to claims settlement

To be able to provide proof of compliance with all security requirements in an emergency, mid-sized companies need complete documentation of their IT infrastructure. Modern managed service models such as Cybersecurity from CAVRIX offer a decisive advantage here. Through continuous 24/7 monitoring, integrated vulnerability management, and the automated creation of audit-proof reports, companies can prove at any time that they meet the required minimum technical standards. This not only protects against financial losses after an attack but also ensures that IT decision-makers are optimally prepared for the strict review processes of insurers.

In addition, the structured integration of Compliance frameworks helps to align security measures with legal requirements. With the automated evidence from the CAVRIX platform, working with forensics teams in the event of a loss is drastically simplified, since all log data is available in a structured and protected form. This way, cyber insurance becomes what it is meant to be: reliable protection for an emergency, without the risk of nasty surprises during claims settlement.

The 5 most important technical checks insurers carry out

Anyone who takes out cyber insurance often feels a deceptive sense of security. In an emergency, however, claims settlement and loss investigation represent a considerable hurdle. Insurers do not settle losses blindly, but check meticulously after an incident whether the affected company has fully met its contractually agreed obligations[5]. Almost one in three applications for cyber insurance is now rejected or reduced in the event of a loss because IT security standards were not demonstrably implemented[6]. For managing directors and IT leads in the Mittelstand, meeting these minimum technical requirements is therefore a matter of economic survival.

Insurers assess a company's risk based on specific technical standards. Anyone who fails to meet the minimum requirements loses their insurance coverage. The days when a simple firewall and standard antivirus were enough are definitively over. Today, providers demand proactive defense and monitoring technologies that must be continuously documented and active.

| Technical check | Insurer requirement | Evidence in the event of a loss |
|---|---|---|
| Multi-factor authentication (MFA) | Mandatory for all administrative accesses, VPN connections, and cloud services. | Active configuration profiles and complete user access lists. |
| Isolated backup | Regular data backups that are physically or logically separated from the production network. | Successful recovery tests and tamper-proof backups. |
| Patch management | SLA-driven installation of critical security updates within defined deadlines. | Up-to-date IT documentation of all installed software versions and updates. |
| Endpoint detection (EDR) | Behavior-based real-time monitoring of all endpoints instead of pure signature scanners. | Log exports from the EDR platform and evidence of threat analysis. |
| Security monitoring | Continuous detection of anomalies and fast response to security incidents. | Proof of complete monitoring and predefined response plans. |
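The three checks in the table that can be evaluated from inventory data (MFA on privileged accounts, patch deadlines, backup isolation and currency) are shown below as a self-check a company could run on its own records before an insurer asks. This is an added example, not CAVRIX code and not any insurer's questionnaire; the SLA values, the field names, the advisory identifiers and the sample inventory are all constructed assumptions, and real deadlines come from the policy wording.

```python
"""Evaluate a constructed IT inventory against the insurer checks from the
table above. Added example; thresholds, identifiers and data are assumed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumed deadlines; the actual values are whatever the policy prescribes.
PATCH_SLA_DAYS = {"critical": 14, "high": 30}
MAX_BACKUP_AGE_DAYS = 1          # assumed: one successful backup per day
MAX_RESTORE_TEST_AGE_DAYS = 90   # assumed: quarterly restore test


@dataclass
class Account:
    name: str
    privileged: bool      # admin, VPN or cloud-administration role
    mfa_enforced: bool


@dataclass
class Patch:
    advisory: str         # constructed identifier, not a real advisory number
    severity: str
    published: date
    installed: Optional[date]   # None means still missing


@dataclass
class Host:
    name: str
    patches: List[Patch]


@dataclass
class Backup:
    name: str
    last_success: date
    isolated: bool        # offline, immutable or logically separated from production
    last_restore_test: Optional[date]


def check_mfa(accounts: List[Account]) -> List[str]:
    """Every privileged account must have MFA enforced."""
    return [f"MFA missing on privileged account {a.name}"
            for a in accounts if a.privileged and not a.mfa_enforced]


def check_patches(hosts: List[Host], today: date) -> List[str]:
    """Flag SLA-bound patches installed after the deadline or still missing past it."""
    findings = []
    for h in hosts:
        for p in h.patches:
            sla = PATCH_SLA_DAYS.get(p.severity)
            if sla is None:
                continue                      # only critical/high carry an SLA here
            deadline = p.published + timedelta(days=sla)
            closed_on = p.installed if p.installed is not None else today
            if closed_on > deadline:
                state = "installed late" if p.installed else "still missing"
                findings.append(f"{h.name}: {p.advisory} ({p.severity}) {state}, deadline was {deadline}")
    return findings


def check_backups(backups: List[Backup], today: date) -> List[str]:
    """Backups must be isolated, recent, and restore-tested recently."""
    findings = []
    for b in backups:
        if not b.isolated:
            findings.append(f"backup {b.name} is reachable from the production network")
        if (today - b.last_success).days > MAX_BACKUP_AGE_DAYS:
            findings.append(f"backup {b.name} last succeeded on {b.last_success}")
        if b.last_restore_test is None or (today - b.last_restore_test).days > MAX_RESTORE_TEST_AGE_DAYS:
            findings.append(f"backup {b.name} has no restore test within {MAX_RESTORE_TEST_AGE_DAYS} days")
    return findings


def evaluate(accounts, hosts, backups, today: date) -> dict:
    """Return findings per check plus an overall pass/fail."""
    report = {
        "mfa": check_mfa(accounts),
        "patch_management": check_patches(hosts, today),
        "isolated_backup": check_backups(backups, today),
    }
    report["all_checks_passed"] = not any(report[k] for k in ("mfa", "patch_management", "isolated_backup"))
    return report


# Constructed sample inventory as of an assumed reference date.
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("admin-dc01", True, True),
    Account("vpn-gateway-admin", True, False),   # privileged, no MFA
    Account("sales-user", False, False),         # unprivileged, tolerated here
]
SAMPLE_HOSTS = [Host("fileserver01", [
    Patch("ADV-0001", "critical", date(2024, 4, 1), date(2024, 4, 10)),  # closed within 14 days
    Patch("ADV-0002", "critical", date(2024, 5, 1), None),              # deadline 15 May, missing
    Patch("ADV-0003", "high", date(2024, 5, 20), None),                 # deadline 19 June, not yet due
])]
SAMPLE_BACKUPS = [
    Backup("nas-nightly", date(2024, 5, 31), False, date(2024, 3, 15)),       # on the LAN
    Backup("offsite-immutable", date(2024, 5, 31), True, date(2024, 3, 15)),
]

if __name__ == "__main__":
    for check, result in evaluate(SAMPLE_ACCOUNTS, SAMPLE_HOSTS, SAMPLE_BACKUPS, TODAY).items():
        print(check, result)
```

The value of such a check is that each finding names the exact record an adjuster would ask about; a missing critical patch that is not yet past its deadline is deliberately not flagged, because the obligation is the deadline, not the mere existence of a pending update.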

The EDR area in particular illustrates the technological shift. Conventional virus scanners are no longer sufficient to stop modern, complex attacks such as ransomware. Insurers therefore increasingly require the use of modern behavior-based systems, as established within a professional Cybersecurity setup[5]. With modern EDR systems, mid-sized businesses can isolate attacks in real time and thus actively meet the required loss mitigation duty.

The technical implementation of these requirements often exceeds the capacity of internal IT departments in the Mittelstand. This is where the integrated services from CAVRIX come in. Through the Managed IT and Cybersecurity modules, companies gain access to a fully managed IT security ecosystem that covers all essential insurance requirements by default. From the automatic provision of security patches to audit-proof documentation, the platform ensures that all obligations are demonstrably met.

Thanks to the integrated support for regulatory requirements and compliance policies, small and medium-sized companies are on the safe side not only with insurers but also within the framework of legal requirements. Through continuous monitoring and reporting in the Command Center, you can prove the complete operation of all required protective measures at the push of a button in an emergency, ensuring smooth claims settlement.

Legal consequences: when an insurer may reduce or refuse a payout

A successful cyberattack can reach existence-threatening dimensions for mid-sized companies. According to current figures from the German Insurance Association (GDV), a cyber loss in 2023 cost an average of 45,370 euros[1]. This sum often covers only the direct costs of recovery, while consequential damage from business interruptions is added on top. Cyber insurance is therefore an indispensable lifeline for many businesses to cushion financial risks. The settlement, however, is by no means unconditional.

Contractual obligations in focus

After a security incident, insurers check compliance with the agreed IT security standards meticulously. As a policyholder, you enter into contractual duties, known as obligations. If these duties are breached intentionally or through gross negligence, the insurer can reduce the benefit or, in the worst case, refuse it entirely. The problem in the Mittelstand is severe: a GDV survey shows that around 69 percent of the small and medium-sized companies surveyed do not even meet the most basic IT security requirements[1].

  • Missing or outdated backups: when data backups are incomplete or not kept separate from the main network, there is often a significant breach of duty.
  • Weak passwords: the use of weak passwords without multi-factor authentication (MFA) is considered grossly negligent under modern policies.
  • Delayed updates: known security gaps in operating systems or software must be closed within the agreed deadlines.
  • Insufficient employee training: if staff are not regularly made aware, phishing attacks can have an easy time.

In the event of a loss, companies must prove that they actively operated all necessary precautions at the time of the attack. Without complete documentation of IT processes and security measures, this proof is often difficult to provide. This is where CAVRIX provides support with the integrated Cybersecurity service, which ensures ongoing risk minimization and audit-ready evidence for mid-sized businesses. Through proactive measures, managing directors and IT leads can significantly reduce the risk of a benefit reduction and stay compliant with regulatory requirements.

Prevention and evidence: how SMEs secure their insurance coverage with CAVRIX

A cyber policy protects mid-sized companies from existence-threatening costs in an emergency. But the days when a policy was simply taken out by ticking a few vague questions on the application and settled without objection in the event of a loss are over. Insurers today already reject a considerable share of initial applications because basic security standards are missing[7]. After a security incident, claims adjusters check meticulously whether the technical and organizational measures assured in the risk questionnaire were actually active without gaps. If a company breaches these contractual obligations, significant benefit reductions or even the insurer being completely released from liability loom. For managing directors and IT leads, this means that continuous monitoring and audit-proof documentation of all security measures must be the top priority.

The five core requirements of cyber insurers at a glance

To maintain the full protection of cyber insurance, mid-sized businesses must be able to prove that they operate state-of-the-art protective measures. The most important control areas include continuous multi-factor authentication (MFA), an active endpoint detection and response system (EDR), immutable backups, and structured patch management with short SLAs for critical security gaps[7]. These IT security standards largely overlap with the legal requirements demanded, for example, within the framework of the NIS2 directive. With integrated services such as Cybersecurity, companies can not only meet these demanding requirements technically but also prove compliance in an audit-proof and insurance-compliant way at any time.

| Insurer security requirement | Relevance in the event of a loss | Implementation with CAVRIX |
|---|---|---|
| Enforced multi-factor authentication (MFA) | MFA must be active on all cloud, VPN, and administration accounts without exception, otherwise breaches of obligation loom. | As part of Managed IT, CAVRIX manages identity administration and enforces MFA system-wide on all devices and accounts. |
| Endpoint detection and response (EDR) | Comprehensive monitoring of all endpoints (laptops, servers) for immediate detection of active attacks. | The integrated Cybersecurity service offers 24/7 EDR and SOC monitoring for active detection and fast defense against malware. |
| Audit-proof patch management | Critical security gaps must be demonstrably closed within tight deadlines. | Through the CAVRIX system, patches are installed automatically and fully documented, so audit logs are available at any time. |
| Immutable backups | Data backups must be tamper-proof and physically or logically separated from the main network. | CAVRIX implements automated, encrypted, and immutable backup routines with regular restore tests. |

Complete documentation as a digital shield

Merely deploying security tools is not enough. When a loss occurs, the burden of proof lies with the insured company. In the event of a loss, insurers demand detailed log files and historical system reports to verify compliance with the policy requirements[7]. This is where the integrated CAVRIX approach comes into play: through the Compliance service, all security-relevant data, configurations, and system states are captured automatically and documented in a tamper-proof way. These reports are available to management and IT leads at any time to provide auditors or regulators with complete proof of lived IT security.
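Historical reports only carry weight with an adjuster if they cannot have been edited after the fact. One common way to make a log tamper-evident is to chain its records by hash, so that each entry commits to the one before it. The block below is an added example of that technique, not the CAVRIX platform's implementation; the record fields and sample events are constructed.

```python
"""Hash-chained audit log: each entry stores the hash of its predecessor,
so any later edit or deletion of an earlier entry breaks the chain.
Added example with constructed records; not CAVRIX code."""
import copy
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64   # predecessor hash for the first entry


def _digest(prev_hash: str, record: dict) -> str:
    """Hash the previous hash together with a canonical JSON form of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append(chain: List[dict], record: dict) -> List[dict]:
    """Append a record, binding it to the current head of the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "prev_hash": prev, "hash": _digest(prev, record)})
    return chain


def verify(chain: List[dict]) -> Tuple[bool, Optional[int]]:
    """Recompute every hash; return (True, None) or (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    return True, None


# Constructed sample events of the kind an insurer might ask to see.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T02:00:00Z", "event": "backup_completed", "target": "offsite-immutable", "ok": True},
    {"ts": "2024-05-03T09:15:00Z", "event": "patch_installed", "host": "fileserver01", "advisory": "ADV-0001"},
    {"ts": "2024-05-03T09:20:00Z", "event": "mfa_enforced", "account": "vpn-gateway-admin"},
]


def build_sample_chain() -> List[dict]:
    chain: List[dict] = []
    for ev in SAMPLE_EVENTS:
        append(chain, ev)
    return chain


def demo() -> dict:
    """Show that edits and deletions inside the chain are detected."""
    intact = build_sample_chain()

    edited = copy.deepcopy(intact)
    edited[1]["record"]["ts"] = "2024-04-20T09:15:00Z"   # backdating the patch breaks entry 1

    shortened = copy.deepcopy(intact)
    del shortened[1]                                     # removing a middle entry breaks its successor

    return {
        "intact": verify(intact),
        "edited": verify(edited),
        "middle_deleted": verify(shortened),
        "head_hash": intact[-1]["hash"],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The chain by itself does not detect removal of the newest entries, since truncating the tail leaves a valid shorter chain; for that reason the current head hash should be periodically written somewhere the logging system cannot alter, such as a separate store or a signed report, so a later log can be compared against it.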

In addition, the CAVRIX Command Center gives those responsible an intuitive and transparent view of all IT and security activities in real time. Through common chat tools such as Microsoft Teams, managers and IT leads can query the current security status and the fulfillment of legal requirements. This not only builds trust internally but also serves as a reliable logging tool in an emergency. Through this holistic approach, operated by Hamburg-based CITO GmbH as the sole contractual partner, mid-sized companies are on the safe side from day one, protect their management from personal liability, and receive the full financial protection of their cyber policy in an emergency.

Frequently asked questions

What is meant by a breach of obligation in cyber insurance?

A breach of obligation refers to the policyholder's disregard for contractually agreed IT security standards. This can be outdated systems, missing multi-factor authentication (MFA), or insecure passwords. Since, according to the GDV Forsa survey, 69 percent of SMEs do not even meet basic requirements, the risk here is high. In the event of a loss, such a breach can lead to the insurer reducing the benefit or refusing the payout entirely.

Which technical requirements do insurers check before signing and in the event of a loss?

Insurers primarily check critical protective mechanisms. These include active multi-factor authentication (MFA) for all administrative accesses, complete patch management within fixed deadlines, and a separate, offline-stored data backup. Employee training and a structured contingency plan are also frequently required by contract.

May the insurer refuse payment in case of gross negligence?

Yes, under the German Insurance Contract Act (VVG), the insurer may proportionally reduce the benefit in case of a grossly negligent breach of obligations. In case of intent, it is even completely released from its duty to pay. SMEs must prove that the breach of duty was causal neither for the occurrence of the loss nor for its extent, which is often difficult in practice.

How high is the financial risk of a cyberattack for German SMEs?

The financial risk is existence-threatening. An average cyber loss cost companies around 45,370 euros in 2023. On top of this come the record economic losses of 178.6 billion euros in 2024 from cybercrime in Germany. Without effective insurance, SMEs must bear these costs entirely themselves.

How can SMEs prove compliance with all insurance requirements without gaps?

SMEs should rely on automated evidence and professional security management. The CAVRIX services Managed IT, Cybersecurity, and Compliance provide an ideal basis for this. They continuously document the state of the IT infrastructure and provide audit-proof reports. Through the intuitive Command Center, IT leads and managing directors keep an overview of their security status at all times.

Sources

  1. gdv.de
  2. gdv.de
  3. cybairbag.de
  4. aegysdata.com
  5. ing-ism.de
  6. docusnap.com
  7. s-edv.com

Where does your company stand?

30 minutes, free, no commitment. We show you where you stand.