Compliance · Insurance · 7 min read

E&O Insurance and Your WISP: Why a Claim Gets Denied Without One

Insurance agencies — of all businesses — understand risk transfer. But many assume their own E&O or cyber policy will simply pay out after a breach. Increasingly, it won't. Here's the gap, and how to close it.

Kapacyber

Security Research Team

There's an irony in this one. Independent insurance agencies are, professionally, experts in risk transfer. They explain exclusions and conditions to clients every day. Yet many agencies carry their own E&O and cyber coverage with a quiet assumption that if they're ever breached, the policy will simply pay.

It increasingly won't, at least not automatically. Modern cyber and E&O policies are built around the security controls you attested to when you applied. If a breach happens and those controls weren't actually in place, the insurer has a clear path to reduce or deny the claim. The missing piece, again and again, is a real Written Information Security Program (a WISP) and the controls it promises.

The Application Is a Contract of Attestations

When your agency applied for cyber or E&O coverage, the application asked detailed security questions. Each "yes" is an attestation the insurer relied on to price and bind the policy. The common ones:

  • Multi-factor authentication on all remote and administrative access
  • A documented Written Information Security Program (WISP)
  • Encryption of non-public information in transit and at rest
  • Regular security awareness training for all staff
  • Endpoint detection and response on all devices
  • Tested backups and a documented incident response plan
  • Vendor / third-party due diligence with written contracts
  • Designated security officer or Qualified Individual

Here's the trap: it's easy to answer "yes" to all of these in good faith. We have MFA. We do training. We have a security program. But "we have MFA" and "MFA is enforced on every account and we can prove it" are very different statements when a claim is being investigated, and only the second one survives a forensic review.

Why Claims Get Denied

After a breach, the insurer's forensic and legal review doesn't just establish what happened — it establishes whether you held up your end of the policy. Four recurring reasons claims get reduced or denied:

Material misrepresentation

You attested to a control on the application that didn't actually exist. The insurer can reduce the payout or rescind the policy entirely.

Failure to maintain a condition

The control existed when you applied but lapsed — MFA disabled for convenience, training stopped, backups untested. Policies often require continuous maintenance.

No WISP on file

The NAIC Model Law requires a WISP in adopting states. An insurer can treat the absence of a legally required program as a failure to meet a policy condition.

Breach-notification failure

Missing the regulator-notification window the Model Law sets (notice to the Commissioner as promptly as possible and no later than 72 hours after determining a cybersecurity event has occurred), or failing to follow your own incident response plan, can prejudice the claim.

The pattern that should worry every agency principal: the controls in question are exactly the ones the NAIC Insurance Data Security Model Law already requires you to have. So a missing control can be both a regulatory violation and the reason your claim isn't paid, a double exposure from a single gap.

The WISP Is the Connective Tissue

A Written Information Security Program does three jobs at once for an agency:

  • It satisfies the NAIC Model Law in adopting states, where a WISP is legally required.
  • It substantiates your insurance attestations — the WISP is the documented evidence that the controls you claimed actually exist.
  • It gives the insurer a reason to pay. A current WISP, backed by real controls and dated evidence, leaves the insurer little ground to argue misrepresentation or a lapsed condition.

A WISP that sits in a drawer, written once and never maintained, does none of this. The document has to describe controls that are genuinely operating — and you need the evidence trail (logs, training completion records, configuration proof) to show it.

How to Make Sure Your Claim Would Be Paid

  1. Maintain a current, accurate WISP — reviewed at least annually and after any material change.
  2. Verify every attestation. Go through your last insurance application line by line and confirm each control genuinely exists today.
  3. Keep evidence. MFA configuration, training completion logs, EDR coverage reports, backup test records, incident response plan. Evidence is what turns "we said yes" into "here's the proof".
  4. Close any gaps before renewal — and answer the next application from a position of truth.
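Steps 2 and 3 are really one procedure: line up each "yes" on the application against the evidence you actually hold and classify the result. The script below is an added example written for this page, not Kapacyber's tooling or a vendor's product. The attestation register, the evidence records (a constructed MFA-registration export, training completions, a restore-test log) and the freshness windows are all assumptions chosen to illustrate the check; in practice the evidence would be pulled from the identity provider, the training platform, the backup tool and the EDR console. It distinguishes the four outcomes the article describes: substantiated, a gap (the control is not on every account or device), lapsed (the control existed but the evidence is older than the condition allows), and unsubstantiated (no evidence at all).

```python
"""Reconcile insurance-application attestations against the evidence on file.

Added example for this article, not the page's own or any vendor's code.
All data below is constructed; the control list, the freshness windows and
the account names are assumptions for illustration only.
"""
from datetime import date

# Constructed "today" for the review, so results are reproducible.
AS_OF = date(2025, 6, 1)

# Constructed: the controls the agency answered "yes" to on its last application.
ATTESTATIONS = {
    "mfa": "MFA enforced on all remote and administrative access",
    "training": "Security awareness training for all staff (read as annual)",
    "backups": "Backups restore-tested (read as quarterly)",
    "edr": "EDR deployed on all devices",
}

# Constructed evidence records, shaped like typical console/tool exports.
EVIDENCE = {
    "staff": ["alice@agency.example", "bob@agency.example", "carol@agency.example"],
    "mfa_export": [
        {"user": "alice@agency.example", "mfa_registered": True},
        {"user": "bob@agency.example", "mfa_registered": True},
        {"user": "carol@agency.example", "mfa_registered": False},
    ],
    "training": [
        {"user": "alice@agency.example", "completed": date(2025, 2, 10)},
        {"user": "bob@agency.example", "completed": date(2024, 3, 1)},
        {"user": "carol@agency.example", "completed": date(2025, 1, 20)},
    ],
    "backup_tests": [date(2025, 4, 20)],
    "edr_devices": None,  # no coverage report was ever collected
}

TRAINING_MAX_AGE_DAYS = 365     # assumption: "regular" training means annual
BACKUP_TEST_MAX_AGE_DAYS = 90   # assumption: restore tests at least quarterly


def check_mfa(export):
    """'We have MFA' versus 'MFA on every account': one unregistered account is a gap."""
    missing = sorted(r["user"] for r in export if not r["mfa_registered"])
    if missing:
        return "gap", "accounts without MFA: " + ", ".join(missing)
    return "substantiated", f"all {len(export)} accounts registered for MFA"


def check_training(staff, records, as_of):
    """Every staff member needs a completion record inside the freshness window."""
    completed = {r["user"]: r["completed"] for r in records}
    never = [u for u in staff if u not in completed]
    stale = [u for u in staff if u in completed
             and (as_of - completed[u]).days > TRAINING_MAX_AGE_DAYS]
    if never:
        return "gap", "no completion record: " + ", ".join(never)
    if stale:
        return "lapsed", "completion older than a year: " + ", ".join(stale)
    return "substantiated", "all staff current"


def check_backups(tests, as_of):
    """No restore test on record means untested; an old one is a lapsed condition."""
    if not tests:
        return "unsubstantiated", "no restore-test records on file"
    age = (as_of - max(tests)).days
    if age > BACKUP_TEST_MAX_AGE_DAYS:
        return "lapsed", f"last restore test {age} days ago"
    return "substantiated", f"last restore test {age} days ago"


def check_edr(devices):
    """Without a device inventory there is nothing to prove the attestation with."""
    if devices is None:
        return "unsubstantiated", "no EDR coverage report collected"
    uncovered = sorted(d["host"] for d in devices if not d["edr_installed"])
    if uncovered:
        return "gap", "devices without EDR: " + ", ".join(uncovered)
    return "substantiated", f"all {len(devices)} inventoried devices covered"


def reconcile(evidence, as_of):
    """Map each attestation to a (status, detail) pair given the evidence on file."""
    return {
        "mfa": check_mfa(evidence["mfa_export"]),
        "training": check_training(evidence["staff"], evidence["training"], as_of),
        "backups": check_backups(evidence["backup_tests"], as_of),
        "edr": check_edr(evidence["edr_devices"]),
    }


def findings(results):
    """Anything not substantiated is an attestation the insurer can contest."""
    return {k: v for k, v in results.items() if v[0] != "substantiated"}


if __name__ == "__main__":
    results = reconcile(EVIDENCE, AS_OF)
    for key, (status, detail) in results.items():
        print(f"{status:15} {ATTESTATIONS[key]}: {detail}")
    print(f"\n{len(findings(results))} of {len(results)} attestations "
          f"cannot be proven as of {AS_OF}")
```

On the constructed data the run shows one of each failure mode: MFA is a gap (one account unregistered), training has lapsed (one completion older than a year), the EDR attestation is unsubstantiated (no report at all), and only the backup test holds up. Each of those three findings is a line on the application the insurer could point to after a breach, which is why the check belongs before renewal rather than after a claim.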

A managed security partner produces most of this evidence as a natural by-product of doing the work — the monitoring logs, training records, and configuration reports that substantiate every attestation are generated continuously, not assembled in a panic after a breach.

The Bottom Line

Insurance won't save an agency that didn't do the security work — it will simply decline the claim and point at the attestations. The WISP isn't paperwork; it's the bridge between "we're insured" and "we're actually covered". For an agency, that distinction is the whole point of the policy.

Related reading: the NAIC Model Law plain-English guide, what cyber insurers require in 2025, and cybersecurity for insurance agencies.

Frequently Asked Questions

Will my E&O or cyber insurance pay out after a breach?

Only if you held up your end. Modern cyber and E&O policies are written around the controls you attested to on the application — MFA, encryption, a written information security program, training. If a breach occurs and you didn't actually have those controls, the insurer can reduce or deny the claim for material misrepresentation.

What is a WISP and why does my insurer care?

A Written Information Security Program is a documented set of security policies, controls, and procedures. For insurance agencies it's required by the NAIC Insurance Data Security Model Law in adopting states — and insurers increasingly require evidence of one before binding coverage and before paying a claim.

Can an insurer really deny a claim over a missing control?

Yes. If the application asked 'do you enforce MFA on all remote access?' and you answered yes but didn't, that's a misrepresentation the insurer can act on. Claim denials and rescissions over attested-but-absent controls are a documented and growing pattern.

What's the difference between E&O and cyber insurance for an agency?

E&O (errors and omissions) covers professional mistakes in your insurance work. Cyber insurance covers breach-related costs: incident response, notification, business interruption and, on some policies, business email compromise (BEC) losses. Many agencies need both; neither pays reliably without documented security controls behind the attestations.

How do I make sure my agency's claim would actually be paid?

Three steps: keep a current, accurate WISP; make sure every control you attested to on the insurance application genuinely exists and is maintained; and keep evidence — logs, training records, configuration screenshots — that proves it. A managed security partner produces this evidence as a by-product of doing the work.

Would Your Agency's Claim Actually Be Paid?

Free 30-minute assessment. We'll review your WISP and security controls against your insurance attestations.
