Where contracts and technology meet

Original article published in Swiss IT Magazine, March 2026

Cyber insurance is no substitute for IT security measures; rather, it presupposes them. Whilst the policy mitigates financial risks, payment of a claim in the event of an incident is subject to strict technical conditions. The obligations required by insurers – ranging from gap-free multi-factor authentication (MFA) and structured patch management to hardened backups – have long since shaped the architecture of modern IT infrastructures. Between the time the policy is taken out and a claim being made, it is the IT documentation that determines whether the insurance cover actually applies.

In modern corporate management, cyber insurance has become an integral part of risk management. The reasoning behind this is clear: as absolute security is technically unachievable in networked IT environments, the remaining residual risk should be financially covered. However, this approach falls short in operational practice. As the threat landscape intensifies, insurers are continually tightening their technical requirements. Cyber insurance does not function as comprehensive cover that pays out unconditionally, but rather as a complex contractual arrangement whose effectiveness depends directly on the technical condition of the IT infrastructure.

From an IT service provider’s perspective, this significantly shifts their role: the provider becomes the enabler of insurability. In the event of a claim, the deciding factors are not primarily legal interpretations, but technical facts documented in log files and configuration records. Today, the most critical gap in risk management is often not the absence of a firewall, but the discrepancy between contractual security commitments and the actual IT reality within the company.

Requirements as technical specifications

Every cyber insurance policy sets out what are known as ‘obligations’. These are technical and organisational measures that must not only be in place at the time the contract is concluded, but must also be demonstrated throughout the entire term of the policy. For IT operations, these clauses act as a dynamic set of specifications that influence key architectural decisions.

Gap-free authentication as a foundation

A key aspect is multi-factor authentication (MFA). Whilst MFA is now considered standard practice for remote access and privileged accounts, the challenge lies in implementing it without gaps. In practice, blind spots are a regular occurrence: legacy systems without MFA support, external maintenance access provided by machine manufacturers, or service accounts for automated processes. If an attack occurs via one of these exceptions, allegations of gross negligence immediately arise. MFA must therefore be enforced architecturally in such a way that exceptions are either technically prevented or explicitly justified and documented within risk management.

Patch management as a compliance factor

The situation is similar with patch management. Insurers now define precise timeframes for the installation of critical security updates – often between 7 and 14 days after they become available. These deadlines often clash with operational realities, as updates must first be validated in test environments so as not to jeopardise the stability of business applications. However, if a vulnerability is exploited for which a patch has been available for weeks, a reduction in cover by the insurer is almost inevitable. Patch management is thus evolving from a purely technical maintenance task into a compliance task, in which documenting the update status is just as important as the installation itself.

Backup hardening: beyond the 3-2-1 rule

Backups are regarded as a company’s last line of defence. Yet here too, insurers’ requirements have changed dramatically. The classic 3-2-1 rule – three copies, two different media, one copy offsite – is increasingly being supplemented by hardening requirements. Today, immutability or the logical separation of backups from the rest of the network is crucial.

Modern ransomware attackers specifically target online backups in order to delete or corrupt them before the actual encryption takes place. A cloud backup that is accessible via the same administrative accounts as the production systems no longer meets the requirements of many current policies. Immutable backups or air-gapped storage are required. From MTF Solutions’ perspective, the logical separation of the backup infrastructure should be the absolute standard today – yet in practice, it is regularly evident that this has not yet been consistently implemented by companies or even by many IT service providers.

An equally critical point is the regular verification of recoverability. A backup whose restore capability is not systematically tested at least quarterly and fully logged can lead to a nasty surprise in the event of an emergency. Companies that, in the event of a loss, cannot demonstrate that they have either logically isolated backups or documented restore tests risk the insurance company refusing to cover the costs of a complex data recovery, as the backup strategy did not comply with the agreed state of the art.
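The three obligations discussed above (documented MFA exceptions, a patch deadline, a restore-test cadence) can be checked against an inventory and turned into the kind of evidence a forensic review asks for. The following is an added illustration, not MTF Solutions' tooling; the 14-day deadline and 92-day restore interval are assumptions drawn from the figures in the text, and the hosts and restore log are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Thresholds assumed for this example: the article cites 7 to 14 day patch
# windows and at least quarterly restore tests; the policy sets the real values.
PATCH_DEADLINE_DAYS = 14
RESTORE_TEST_MAX_AGE_DAYS = 92

@dataclass
class Host:
    name: str
    vendor_supported: bool           # False = end-of-life (EOL) system
    mfa_enforced: bool
    mfa_exception_documented: bool   # justified exception in the risk register
    patch_available: date | None     # release date of the critical patch
    patch_installed: date | None     # None = still not installed

def host_findings(h: Host, today: date) -> list[str]:
    """Obligation violations for one host; an empty list means compliant."""
    findings = []
    if not h.vendor_supported:
        findings.append("EOL system: cover for this component is typically excluded")
    if not h.mfa_enforced and not h.mfa_exception_documented:
        findings.append("MFA not enforced and no documented exception")
    if h.patch_available is not None:
        end = h.patch_installed or today          # unpatched: the clock keeps running
        overdue = (end - h.patch_available).days - PATCH_DEADLINE_DAYS
        if overdue > 0:
            findings.append(f"critical patch {overdue} day(s) past the {PATCH_DEADLINE_DAYS}-day deadline")
    return findings

def backup_findings(restore_tests: list[date], today: date) -> list[str]:
    """Check the logged restore tests against the quarterly cadence."""
    if not restore_tests:
        return ["no logged restore test"]
    age = (today - max(restore_tests)).days
    if age > RESTORE_TEST_MAX_AGE_DAYS:
        return [f"last restore test is {age} days old (limit {RESTORE_TEST_MAX_AGE_DAYS})"]
    return []

def evidence_report(hosts: list[Host], restore_tests: list[date], today: date) -> dict[str, list[str]]:
    report = {h.name: host_findings(h, today) for h in hosts}
    report["backups"] = backup_findings(restore_tests, today)
    return report

# Constructed sample inventory and restore log (not real systems)
TODAY = date(2026, 3, 15)
HOSTS = [Host("erp-app01", True, True, False, date(2026, 3, 1), date(2026, 3, 9)),
         Host("cnc-ctrl02", False, False, True, None, None),      # vendor maintenance box, exception filed
         Host("file-srv03", True, False, False, date(2026, 2, 1), None)]
RESTORE_TESTS = [date(2025, 11, 10)]
```

Running `evidence_report(HOSTS, RESTORE_TESTS, TODAY)` flags the EOL controller, the unpatched file server with its undocumented MFA gap, and the overdue restore test, while the documented exception on the vendor system produces no MFA finding.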

"Cyber insurance is no substitute for a sound security framework; rather, it is predicated on one. It is crucial that technical measures, responsibilities and evidence are properly implemented, regulated and documented before an incident occurs."
— Cesar Ribeiro Ramos, CISO

Burden of proof and level of detail in documentation

In the event of a claim, the insurer usually sends out forensic experts. Their task is to reconstruct the course of the attack and to check whether the contractual obligations were being met at the time of the incident. This effectively results in a reversal of the burden of proof: the insured company must be able to demonstrate that the agreed protective measures were active.

In practical terms, this means that it is not enough simply to have had a firewall in operation – one must be able to prove that it was correctly configured. If ransomware has not only encrypted data but also deleted logging servers, the line of argument against the insurer collapses. Audit-proof IT therefore requires centralised logging with retention spanning several years, versioned configuration documentation, logged restore tests and strictly documented identity management. This duty of proof makes the reporting functions of modern IT management systems critical components for insurance cover.

System limitations and exclusions

Even if all technical conditions are met, there are exclusion clauses that become relevant in the event of a claim. A common point of contention is gross negligence. The line between simple negligence and gross misconduct is blurred. Whilst a system that has not been patched for months is usually deemed to constitute gross negligence, a legal grey area arises in the case of minor delays. A structured, documented process can serve as exculpatory evidence in cases of doubt.

End-of-life (EOL) systems deserve particular attention. Operating servers or applications for which the manufacturer no longer provides support often results in the complete exclusion of cover for attacks on these components. War and cyberwar clauses are equally complex. Attacks that can be attributed to state actors are often excluded from insurance cover. However, as the technical attribution of an attack is extremely difficult, this often results in protracted legal disputes.

Strategic incident response

In the event of a cyber attack, competing interests often arise. The IT operations team and the organisation aim to restore the systems as quickly as possible in order to minimise operational disruption. The insurer and the forensic experts, on the other hand, need time to preserve the state of the infected systems for root cause analysis and evidence preservation. This conflict of interest can only be resolved through a pre-defined incident response plan. Such a plan governs not only technical procedures but also the insurer’s organisational requirements. For example, many insurers only accept specific certified forensic service providers. If a provider is commissioned without authorisation, this may jeopardise the claim for compensation. Modern technologies such as snapshot-based backups now make it possible to preserve the system state for investigators, whilst production can already resume on isolated, clean copies. Without such technical precautions, the analysis costs valuable time, which unnecessarily prolongs the downtime.

Audit prior to signing the contract

Taking out cyber insurance should therefore not be a one-off process carried out solely by senior management or the insurance broker. A technical audit by the IT managers or the service provider is absolutely essential. The risk questionnaire must be verified point by point. Any commitment regarding multi-factor authentication (MFA) or backup intervals must be technically verifiable. An inaccurate statement could result in the loss of the entire cover in the event of a claim. In many cases, it is advisable to disclose existing security vulnerabilities or legacy systems. Insurers often accept temporary exemptions if a clear migration plan is in place. An annual review of insurance requirements against the actual state of the IT infrastructure ensures that cover remains in place even following cloud migrations or infrastructure changes.

Cyber insurance requires demonstrable IT security

Cyber insurance is not a substitute for IT security, but rather presupposes it. The obligations required are based on established best practices, which would be necessary for a resilient IT infrastructure even without insurance cover. However, the widespread adoption of these policies has the positive side effect of driving a more professional approach to the quality of IT security.

For businesses, this means that the role of the IT service provider is expanding from mere system operation to a strategic partnership in risk management. SMEs would be well advised to coordinate the technical validation of their insurance policies closely with experts. Partners such as MTF Solutions play a key role in helping to bridge the gap between contractual requirements and day-to-day IT operations in a sustainable manner. Only if the infrastructure is configured, monitored and documented in such a way that it can withstand a forensic audit will cyber insurance provide the desired protection. In the event of an incident, technical evidence is decisive. Those who do their homework in collaboration with professionals have a robust safety net. Without this preparation, the policy often remains nothing more than a costly document with no real value in the event of a crisis.
