Strong cybersecurity measures are no longer optional: insurers are increasingly scrutinising businesses’ actual controls before approving claims.
Image: Ron AI
South African businesses are facing growing risk of cyber-insurance claim rejections due to misrepresented security controls, poor governance practices and outdated approaches to cybersecurity assurance.
This mirrors a disturbing global trend. The Cyber Insurance and Cyber Defences 2024 report, compiled by international cybersecurity company Sophos, found that 47% of organisations with cyber-insurance had at least part of their claim denied.
According to Muhammad Ali, managing director of South African ISO specialist World Wide Industrial & Engineering Systems (WWISE), insurers are increasingly scrutinising organisations’ actual cybersecurity maturity during investigations – and many companies are falling short.
He says a significant portion of claim disputes stem from discrepancies between what businesses declare when taking out a policy and what is truly implemented.
“Misrepresentation or non-disclosure of security controls at policy inception is one of the biggest reasons insurers refuse to pay out.
“During forensic investigations, it often becomes clear that organisations don’t have the logging or monitoring controls they originally claimed. Without evidence of events or the ability to trace an attack, insurers commonly argue negligence, especially in ransomware cases.”
Sophos’ “The State of Ransomware in South Africa Report 2025” shows that the median ransom demanded by cybercriminals rose from US$165 000 (R2.9 million) in 2024 to R17m in 2025.
Ali notes that over the past three to five years, the cyber-insurance landscape has shifted dramatically due to escalating ransomware losses. Insurers had initially imposed blanket minimum requirements across all industries, but quickly abandoned this approach as claims surged.
“After experiencing substantial losses, insurers realised they needed a far more tailored, risk-based approach. Requirements now vary based on business size, industry, number of endpoints and the criticality of systems.”
This has also accelerated a shift away from annual audits toward more proactive and continuous assurance expectations.
Ali adds that insurers no longer view traditional annual security audits as sufficient evidence of resilience. Their focus today is on continuous visibility – timely patching, real-time monitoring and effective vulnerability management.
The most common issues uncovered during claim assessments include:
Ali says these gaps reflect a disconnect between declared controls and actual operations, frequently resulting in denied claims.
An important point is that many South African organisations wrongly assume that simply purchasing cyber insurance guarantees a payout. But insurers verify everything during an investigation.
“Some clients insist on using their own investigators instead of the insurer’s incident-response team, which often complicates or even invalidates the claim. A lack of understanding of policy obligations remains a major contributor to claim failures.”
Ali and his team at WWISE regularly support organisations by aligning their cybersecurity posture with insurer expectations through ISO/IEC 27001-aligned risk assessments, policies, procedures and evidence packs. Alignment with ISO standards, and especially ISO/IEC 27001 certification, increasingly plays a major role in how insurers assess risk.
“Insurers model large parts of their proposal forms on ISO standards. Demonstrating ISO 27001 compliance can reduce premiums by up to 50% because it gives insurers assurance that controls are properly implemented and monitored.”
As AI-driven threats intensify, Ali predicts that cyber-insurance requirements will become even more stringent. “Insurers will increasingly rely on ISO 27001:2022 as the benchmark for defining what robust information security looks like. Organisations will need to demonstrate genuine alignment, not box-ticking, to remain insurable.”