Skip to main content
web60

Infrastructure

The Fine Print in Your Cyber Insurance Policy Is a Website Security Checklist

Graeme Conkie··10 min read
Abstract flat illustration of teal circular nodes connected by fine lines on a warm stone grey background, with one node ringed like a checkmark

A support ticket landed on my desk in June that stuck with me for weeks, not because of what went wrong on the server, but because of what happened after it.

Here is the shape of it, a composite built from a pattern I have now watched play out enough times, across our own incident calls and the wider Irish claims data, to trust it as typical rather than freak. A bridal wear boutique in Cavan took appointment bookings through its website and ran a small WooCommerce shop alongside the fittings, selling accessories and gift vouchers. Ransomware locked the site and the customer database on a Tuesday morning in the middle of wedding season. The owner had cyber insurance. She had read the policy summary when she bought it eighteen months earlier, and assumed that reading it was the point of having it.

The claim went in within days. Then it stalled. The insurer's forensic team found the WordPress admin account had multi-factor authentication available but never enforced, and that the last backup on file had never actually been restored to confirm it worked. Refusal was not the outcome. Reduction was, hard enough that the shortfall came straight out of the business at the worst time of year to absorb it. I used to tell clients a cyber policy was a safety net, full stop. Watching that claim get cut back corrected me. A policy is a contract with conditions attached, and those conditions increasingly describe exactly what a hosting provider controls.

What a Cyber Insurance Policy Actually Promises

Most cyber policies sold to small businesses in Ireland bundle three things together: liability cover for privacy claims and regulatory defence, cover for the business's own financial loss, extortion payments, data recovery, lost trading time, and an emergency incident response service you can call the moment something goes wrong. On paper, that is a genuinely useful package. A properly resourced incident response call at 6am on a Saturday is not something most business owners could arrange on their own.

The word that catches people out is "promises." Insurance is conditional, not automatic. When you apply, you answer a questionnaire describing the security controls in place, and the policy is priced, and the cover granted, on the basis that those answers are true. If an incident happens and the insurer's investigators find the answers did not match reality, whether through honest misunderstanding or plain neglect, the payout gets adjusted to reflect the gap. So what does that mean in practice? The security decisions made months before an attack, decisions about who manages your hosting and how carefully, are the ones that actually determine whether the policy you are paying for does what you think it does.

The Controls Insurers Now Check Before They Pay

Coalition, one of the larger cyber insurers writing policies through brokers, publishes its own claims data each year. Its 2026 Cyber Claims Report treats multi-factor authentication on remote access, email and privileged accounts as close to a non-negotiable condition across its own book, and notes that businesses able to demonstrate it is enforced everywhere typically see meaningfully lower premiums at renewal. Take that as one insurer's own portfolio rather than a universal rule, because wording varies between carriers and brokers. The direction of travel does not vary much though. MFA is moving from a box to tick into a control insurers actually verify.

Patch management works the same way. An unpatched WordPress core, theme or plugin is one of the most common entry points attackers use, and a policy that asks whether updates are applied "regularly" is really asking whether anyone can prove a timeline. So what does that mean for the person running the business rather than the server? It means the difference between a claim that pays in full and one that gets reduced can come down to whether updates happened on a schedule someone can point to, not whether they happened eventually.

The bigger shift is evidentiary. Where an application once accepted "yes, we have that" as an answer, renewal questionnaires increasingly ask for proof: screenshots, configuration exports, a dated log. Attesting to a control you assume is switched on, rather than one you have actually verified, is exactly the gap that caught the boutique in Cavan.

Abstract flat illustration of interlocking teal circles forming a chain with a small padlock-shaped gap in the centre, on a warm stone grey background
An available setting nobody enforces is, to an insurer, the same as not having it at all.

Backups Prove Nothing Until You Have Restored One

This is the part I see business owners get most wrong, and it is not really their fault, because a dashboard that says "backup completed" looks exactly the same whether the backup is usable or not.

A nightly backup file proves a job ran and wrote some data somewhere. It does not prove the site can actually be brought back from that file within the timeframe a policy assumes for business interruption, because nobody has tried. Our own guide to WordPress security and backup testing covers the mechanics of this properly, but the short version for an insurance context is blunt: an untested backup is a theory, not a control, and insurers have started treating it that way.

Here is the trade-off worth being honest about. Restoring a backup to check it actually works takes time, and on a site with live orders coming through, some care about which environment you test it in. Nobody wants to spend an afternoon on a restore drill instead of running their business. The alternative, discovering a backup does not work during a real incident, costs considerably more than an afternoon. That is the deal. Know it before you need to learn it the hard way.

What This Actually Costs an Irish Business

The numbers behind this are worth sitting with. A June 2026 study by eir business, carried out with the Kemmy Business School at the University of Limerick, put the cumulative cost of cyber disruption to local firms somewhere in the region of €3.4 billion a year, with affected businesses losing roughly three working weeks annually to the disruption itself, separate from any ransom or recovery cost. For micro and small firms specifically, the same research found average annual losses sitting between roughly €8,600 and €8,700, rising toward €16,000 for those without basic controls in place, with a typical incident costing somewhere close to €8,700 on its own.

Those figures describe direct disruption rather than insurance shortfalls, and the usual caveat applies to any single-source study: results vary by sector, and by how "incident" gets defined. But it is a useful anchor. A reduced payout stacked on top of losses already in that range is not a rounding error for a business the size of the boutique in the opening story. It is the difference between a bad quarter and a genuinely dangerous one, and it is worth reading what GDPR itself actually requires once a breach happens alongside whatever your insurer requires, because the two obligations run in parallel and rarely get explained together.

Where This Genuinely Does Not Matter As Much

None of this applies evenly. A static brochure site with no bookings, no payments and no customer database stored anywhere on it gives an attacker very little to extort or steal, so most of an insurer's control checklist simply will not be relevant to it. Basic hosting security, kept current, is genuinely sufficient for a site like that, and buying a cyber policy at all may not be worth the premium. This article is really written for the operators taking bookings, holding payment details, or storing any customer data at all, which covers most businesses reading this, but not every one of them.

Getting Your Website Insurance-Ready in Four Steps

Audit. Pull up your actual renewal questionnaire, or the standard one your broker uses, and check each answer against what is genuinely enforced on the site today, not what you assumed was switched on when it was first set up.

Enforce. Move multi-factor authentication from optional to mandatory on every account with access to the site or the hosting dashboard, admin accounts and staff logins alike. A setting nobody uses is the same as not having it.

Verify. Restore your most recent backup to a staging environment rather than the live site, and confirm it actually comes back working. Do this on a schedule, not once and never again.

Document. Keep a simple, dated record, screenshots are enough, of each control as you confirm it. If a claim is ever assessed, the gap between "we believe this was on" and "here is the date we checked it" is exactly what the boutique in Cavan learned about the hard way.

Abstract flat illustration of a teal checklist rendered as overlapping rounded rectangles with small circular nodes, on a warm stone grey background
Proof beats assumption on a renewal questionnaire, and it is cheaper to gather before an incident than during one.

Where Managed Hosting Meets the Checklist

This is where the choice of hosting provider stops being a background decision and starts doing real work on your behalf. Server-level security hardening, fail2ban intrusion prevention and automatic malware scanning are not features you have to remember to configure on Web60, they run by default across every site on the platform. Nightly backups run automatically too, with pre-update and pre-restore safety snapshots taken on top of them, which is a meaningfully different position to be in than discovering at claim time that nobody ever pressed restore.

None of that replaces enforcing MFA on your own admin account, which remains something only the business owner can action. But managed hosting built around Irish infrastructure, automatic hardening and tested backup routines closes most of the gap between what a cyber policy assumes and what most small business websites actually have running, without anyone needing to become a security specialist to get there. If you are building or considering a new site, that groundwork is worth having in place from day one rather than retrofitted after a renewal questionnaire catches you out.

Conclusion

A cyber insurance policy is not a bad thing to have. It is a genuinely useful thing to have accurately. The gap between those two is rarely dramatic, usually just a setting left on "optional" or a backup nobody has actually restored, and it is closeable in an afternoon rather than a crisis. Before the next renewal questionnaire lands, it is worth checking whether the answers on it still match what is actually running on the site, because that check costs considerably less than finding out the hard way that they do not.

Sources

National Cyber Security Centre Ireland: guidance for small business

eir business, The Hidden Cost of Cyber Risk (June 2026)

RTE News, Cyberattacks costing Irish SMEs €3.4bn annually

Coalition, 2026 Cyber Claims Report

Graeme Conkie
Graeme ConkieFounder & Managing Director, Web60

Graeme Conkie founded SmartHost in 2020 and has spent years building hosting infrastructure for Irish businesses. He created Web60 after seeing the same problem repeatedly — Irish SMEs paying too much for hosting that underdelivers. He writes about WordPress infrastructure, server security, developer workflows, managed hosting strategy, and the real cost of hosting decisions for Irish business owners.

More by Graeme Conkie

Ready to get your business online?

Describe your business. AI builds your website in 60 seconds.

Build My Website Free →
Buy NowTry Free
Cyber Insurance Fine Print: A Website Security Checklist | Web60