Rejected cyber insurance claims in South Africa are growing due to poor governance and outdated cyber security practices, according to Mr Muhammad Ali, MD of South African World Wide Industrial & Engineering Systems (WWISE).
In a media interaction, Mr Ali said insurers are increasingly scrutinising organisations’ actual cyber security maturity during investigations – and many companies are falling short.
He said this is a disturbing trend. A significant portion of claim disputes stems from discrepancies between what businesses declare when taking out a policy and what is implemented.
“Misrepresentation or non-disclosure of security controls at policy inception is one of the biggest reasons insurers refuse to pay out.
“During forensic investigations, it often becomes clear that organisations don’t have the logging or monitoring controls they originally claimed. Without evidence of events or the ability to trace an attack, insurers commonly argue negligence, especially in ransomware cases.”
Mr Ali said that over the past 3-5 years, the cyber insurance landscape has shifted dramatically due to escalating ransomware losses. Insurers had initially imposed blanket minimum requirements across all industries, but quickly abandoned this approach as claims surged.
“After experiencing substantial losses, insurers realised they needed a far more tailored, risk-based approach. Requirements now vary based on business size, industry, number of endpoints and the criticality of systems.”
This has also accelerated a shift away from annual audits toward more proactive and continuous assurance expectations.
Mr Ali added that insurers no longer view traditional annual security audits as sufficient evidence of resilience. Their focus today is on continuous visibility – timely patching, real-time monitoring and effective vulnerability management.
An important point is that many South African organisations wrongly assume that simply purchasing cyber insurance guarantees a payout. But insurers verify everything during an investigation.
“Some clients insist on using their own investigators instead of the insurer’s incident-response team, which often complicates or even invalidates the claim. A lack of understanding of policy obligations remains a major contributor to claim failures.”