South African businesses face increasing rejections of cyber insurance claims, driven by misrepresented security controls, weak governance, and outdated cybersecurity practices. Experts warn that many firms assume cover guarantees a payout, only to discover gaps when insurers investigate after an incident.
This reflects a wider global trend. The 2024 Cyber Insurance and Cyber Defences report by Sophos found that 47% of organisations with cyber insurance had at least part of their claim denied.
Insurers are scrutinising real controls
Muhammad Ali, Managing Director of South African ISO specialist World Wide Industrial & Engineering Systems, says insurers now closely examine actual cybersecurity maturity during claims assessments.
“Misrepresentation or non-disclosure of security controls at policy inception is one of the biggest reasons insurers refuse to pay out,” Ali explains.
He notes that investigators often find companies lack the logging, monitoring, or response capabilities declared in proposal forms. Without clear evidence of attack paths or timelines, insurers frequently argue negligence, particularly in ransomware cases.
Ransom demands surge
The pressure intensifies as cybercrime costs escalate. Sophos’ State of Ransomware in South Africa Report 2025 shows the median ransom demand jumped from US$165,000 in 2024 to R17 million in 2025 (the two years are reported in different currencies, so the figures are not directly comparable without conversion).
Ali says this surge has forced insurers to rethink how risk is assessed.
“Blanket minimum requirements did not work. Insurers now apply risk-based criteria linked to business size, industry, endpoint volume, and system criticality.”
Annual audits are no longer enough
Insurers are also moving away from relying on annual audits. Continuous assurance now matters more than periodic assessments.
Ali says insurers want proof of real-time visibility. This includes active monitoring, consistent patching, and effective vulnerability management. Static reports no longer provide comfort in a fast-changing threat environment.
Common reasons claims fail
During claim investigations, insurers often uncover gaps between declared and actual controls. Frequent issues include:
• Antivirus tools that are expired, free, or incorrectly configured
• Firewalls limited to basic Wi-Fi protection rather than full network security
• Proposal forms completed without technical oversight
• Policy wording and minimum requirements not properly reviewed
“These gaps show a disconnect between what companies say they have and what actually runs in production,” Ali says.
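The "declared versus actual" gap described above, and the continuous-assurance evidence insurers are said to want, both reduce to the same check: reconcile what the proposal form declares against what endpoint telemetry actually shows. The script below is an added example, not code from the article or from World Wide Industrial & Engineering Systems. The declarations, the endpoint snapshot, the reference date and the thresholds (seven-day signature freshness, the patch SLA) are all constructed for illustration and are not insurer requirements.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed proposal-form declarations (hypothetical; not taken from any real policy).
DECLARED = {
    "antivirus_on_all_endpoints": True,
    "log_forwarding_to_siem": True,
    "critical_patch_sla_days": 14,
}

# Assumed thresholds for this example only.
SIGNATURE_MAX_AGE_DAYS = 7
AS_OF = date(2025, 6, 30)  # constructed reference date for the telemetry snapshot


@dataclass
class Endpoint:
    host: str
    av_product: str                    # "" when nothing is installed
    av_licensed: bool                  # False for expired or free/consumer tiers
    av_sig_date: Optional[date]        # date of the last signature update
    forwards_logs: bool                # agent forwarding to the SIEM
    last_critical_patch: Optional[date]


# Constructed snapshot standing in for an EDR / patch-console export.
ENDPOINTS = [
    Endpoint("fin-ws-01", "VendorEDR", True, date(2025, 6, 29), True, date(2025, 6, 20)),
    Endpoint("fin-ws-02", "VendorEDR", False, date(2025, 6, 29), True, date(2025, 6, 20)),  # licence lapsed
    Endpoint("hr-ws-03", "FreeAV", False, date(2025, 5, 1), False, date(2025, 3, 3)),       # free AV, stale, silent, unpatched
    Endpoint("dc-01", "", False, None, True, date(2025, 6, 25)),                             # no AV at all
]


def check_endpoint(ep, declared=DECLARED, as_of=AS_OF):
    """Return the declared controls this endpoint contradicts (empty list if none)."""
    findings = []
    if declared["antivirus_on_all_endpoints"]:
        if not ep.av_product:
            findings.append("no antivirus installed")
        else:
            if not ep.av_licensed:
                findings.append("antivirus unlicensed or consumer tier")
            if ep.av_sig_date is None or (as_of - ep.av_sig_date).days > SIGNATURE_MAX_AGE_DAYS:
                findings.append("antivirus signatures stale")
    if declared["log_forwarding_to_siem"] and not ep.forwards_logs:
        findings.append("not forwarding logs")
    sla = declared["critical_patch_sla_days"]
    if ep.last_critical_patch is None or (as_of - ep.last_critical_patch).days > sla:
        findings.append(f"critical patches older than {sla} days")
    return findings


def reconcile(endpoints=ENDPOINTS, declared=DECLARED, as_of=AS_OF):
    """Map host -> findings for every endpoint that contradicts a declaration."""
    gaps = {}
    for ep in endpoints:
        findings = check_endpoint(ep, declared, as_of)
        if findings:
            gaps[ep.host] = findings
    return gaps


def coverage_ratio(endpoints=ENDPOINTS, declared=DECLARED, as_of=AS_OF):
    """Fraction of endpoints whose actual state matches every declared control."""
    clean = sum(1 for ep in endpoints if not check_endpoint(ep, declared, as_of))
    return clean / len(endpoints)


if __name__ == "__main__":
    for host, findings in reconcile().items():
        print(f"{host}: {'; '.join(findings)}")
    print(f"endpoints matching declarations: {coverage_ratio():.0%}")
```

Run against a real export on a schedule rather than once a year, the same reconciliation produces the dated evidence trail that distinguishes continuous assurance from a static audit report: each run records which hosts contradicted which declaration and when.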
Insurance is not a guarantee
Ali stresses a common misconception. Buying cyber insurance does not guarantee a payout.
“Insurers verify everything after an incident. Using third-party investigators instead of the insurer’s approved response team often complicates or invalidates claims.”
Policy obligations, he adds, are frequently misunderstood or ignored until it is too late.
ISO standards shape insurer expectations
Ali says alignment with ISO standards increasingly influences insurer decisions. His team maps organisations’ controls to insurer expectations using ISO/IEC 27001-based risk assessments, policies, and evidence packs.
“Insurers model much of their proposal criteria on ISO standards. ISO 27001 compliance gives confidence that controls exist, work, and are monitored.”
He notes certification reduces perceived risk and, in some cases, lowers premiums by up to 50%.
Stricter requirements ahead
As AI-driven threats accelerate, Ali expects further tightening.
“ISO/IEC 27001:2022 will increasingly define what acceptable information security looks like. Box-ticking will not work. Organisations need real alignment to stay insurable.”