Lisa Shields stood before the Hamilton, Ontario, city council in mid-2025 and said what no one in the room wanted to hear. The city's $5 million cyber insurance claim had been denied. The policy did not fail. It worked exactly as it was written.
"Get cyber insurance and your business is covered." Most operators who run a small firm have heard some form of this. A broker walks them through a quote. The premium lands around $1,740 a year for a firm with fewer than 250 people. They sign, they pay, and they move on.
It sounds right. It is not. Hamilton paid its premiums. Hamilton had a policy. And when a ransomware attack shut down close to 80 percent of the city's network in early 2024, the insurer said no.
The reason was one control.
The Mechanism
Multi-factor authentication is the step where a login must be confirmed with a second factor, typically on a separate device, beyond the password. The policy required it across all city systems. Staff knew about the rule in fall 2022. They started a pilot in a few departments in 2023. But when the breach hit, MFA was not enforced across the board. Partial was not enough.
The insurer's position, from a staff report to council: "No coverage was available under the policy for any losses where the absence of MFA was the root cause of a cyber breach."
Five million dollars. Gone on a gap between a checked box and a live system. The rebuild tab so far: $18.4 million, with $400,000 a month still going out the door through late 2026.
The data on this is worth reading. More than 40 percent of cyber insurance claims filed in 2024 and 2025 were denied. Of those, 82 percent involved firms that lacked MFA. Another 17 percent were denied because the firm reported the breach too late. Most policies require notice within hours. Not days. Hours.
The Verizon 2025 Data Breach Report found that 88 percent of breaches at small and mid-size firms had a ransomware piece. The At Bay 2026 InsurSec Report looked at more than 100,000 policy years of claims data. It put the average ransomware cost at $508,000. For firms under $25 million in revenue, the figure was $422,000. VPN access points were the entry door in 73 percent of cases.
The threat is real. The coverage is conditional. And the condition is buried in the form you signed.
"Get cyber insurance" does not fail the person. It fails the system they are trying to protect.
The Structural Flaw
The problem is not that operators skip security controls. The problem is that the form replaces the audit.
Your cyber insurance form is not a one-time snapshot. It is a continuing warranty. Every "yes" you checked is a condition you must meet at the moment of the breach, not the moment you signed. The gap between what you said you run and what your systems actually run is the denial trigger.
Hamilton knew about the rule for over a year. They started the rollout. They checked the box. The insurer still said no, because partial does not count.
Most people treat this as a bad-luck story. It is a system flaw.
The Replacement Principle
The better frame is short: treat your form like an open audit file, not a document you filed and forgot. Once that is clear, three moves follow from it.
Move 1: Pull Your Form and Audit Every "Yes"
Get a copy of what you signed. Read each line. For every control you marked "yes," check if it is live and enforced across your whole operation right now. Not planned. Not in progress. Live. This is where the gap lives: between what you said and what you run. Most operators skip this step because they assume the broker handled it. The broker sold you the policy. The broker does not run your systems.
Move 2: Document Controls with Exports, Not Memory
Underwriters have stopped taking your word for it. They want screenshots, exports from your tools, and third-party checks. If you cannot produce proof of a control in under an hour, that control does not exist for claims purposes. Build a folder. Update it each quarter. Date every file.
Move 3: Build Your Notice Protocol Before You Need It
Find the notice window in your policy. It is measured in hours. Write down who calls, what number they dial, and what they say. Most firms learn about this rule during the worst week of their year. By then it is too late. Seventeen percent of claim denials in 2025 came down to late notice alone.
Firms that deploy MFA across all key systems earn premium discounts of 18 to 22 percent. The insurer is telling you what it cares about. Follow the money.
What the System Shows You
Running this audit once does something the advice never did. It shows you which controls are real and which are checked boxes with nothing behind them. It shows you where your proof has gaps. It shows you what your insurer will ask for when you file a claim. And it puts a dollar figure on the distance between your attested state and your actual state.
For Hamilton, the price of that distance was $18.4 million and counting.
Three Questions for Your Next Renewal
At the end of the audit, ask three things.
→ Which attested controls are fully enforced, and which are partial or planned?
→ Which "yes" answers on the form have no proof behind them?
→ If a breach happened this week, could your team meet the notice window in the policy?
That is the difference between a policy that sounds like protection and a system that proves it.
Where You Stand
Hamilton is still paying $400,000 a month to rebuild. The $5 million policy did not cover a dollar of it. The policy did what it was designed to do.
