Someone just had a ransomware attack. They filed a claim with their cyber insurance provider, but then they got the call that nobody wants: claim denied. Not because they lacked a policy, and not because the insurer thought they were lying, but because they couldn’t prove their employees had been trained.
More than 40% of cyber insurance claims were denied in 2024. Insurers have found a loophole: they now treat security awareness training as a documented condition of coverage. If you can’t show it happened, your policy may not protect you when you need it most.
The Shift That’s Already Happened
Cyber insurance used to work a bit like your car insurance. You paid a premium, you described your setup, and if something went wrong, you filed a claim. Underwriters weren’t asking many hard questions.
That era is over. Fitch Ratings reported that cyber insurance claims volumes surged nearly 60% in 2024, and carriers have responded by tightening exactly what they’re willing to pay for and what they require you to have in place. The underwriting questionnaire that used to be two pages is now detailed enough to identify gaps in your security posture before you even sign a policy: it asks about MFA, endpoint protection, backup protocols, incident response plans, and, increasingly, documented employee security training.
What catches many businesses off guard is the word “documented.” It’s not enough to have had a training session at some point. Carriers want to see proof that ongoing training is a regular part of your operations, such as dates, completion records, and test results. As one insurance requirements guide puts it, carriers now typically require annual or biannual training with documented results, and that documentation is what gets scrutinized when a claim is filed.
Why Training Specifically?
Insurers aren’t fixated on training; they’re following the data. Human error remains the most common entry point for breaches, and phishing – the kind that your firewall won’t catch because a real employee clicked a real-looking link – is responsible for most ransomware incidents. When an insurer looks at a claim and sees that the attack started with a phishing email, the first question is whether employees had been trained to recognize it.
The evidence behind that focus isn’t hard to find. Verizon’s 2024 Data Breach Investigations Report found that 68% of breaches involve a non-malicious human element, such as someone making an error or falling for a social engineering attack. That figure has stayed stubbornly consistent for years. Insurers read the same report. When two-thirds of breaches trace back to human behavior rather than technical failure, the logical response is to require evidence that the humans in your business have been trained to do better.
Insurers know this, which is why the requirement for security awareness training has moved from “recommended” to “required” across most carriers’ standard policies. It’s no longer a differentiating factor between a premium policy and a basic one. It’s a baseline condition.
What a Denied Claim Actually Looks Like
Companies have had claims rejected because they couldn’t demonstrate the required controls were in place at the time of the incident. In one widely cited case, a company facing an $18.3 million recovery bill had its claim denied due to incomplete multi-factor authentication deployment. The attack was real. The loss was real. The policy existed. But none of that mattered.
Employee training sits in the same category. Common exclusions in cyber policies include employee mistakes, failure to follow proper procedures, and lack of a formalized training program. If a phishing attack succeeds and you can’t show your team received regular, documented training, that’s grounds for a denial regardless of how comprehensive the rest of your setup looks.
The average cost of a data breach reached $4.88 million globally in 2024, according to IBM’s Cost of a Data Breach Report. For an SMB in Baltimore, absorbing even a fraction of that without a valid insurance claim is potentially a business-ending event. The math on training becomes a lot simpler when you frame it that way.
Better Rates, Not Just Better Coverage
There’s an upside to all this tightening. Businesses that can demonstrate strong security practices such as training records, phishing simulation results, and documented policies are better positioned to negotiate lower premiums. Insurers price risk. If you can show your risk is meaningfully lower than average, they have a reason to reflect that in what you pay.
Security awareness training programs that include phishing simulations give you something concrete to show an underwriter. Show them your completion rates, your phishing test fail-rate trend quarter over quarter, and documentation of every training module your team has completed. That’s a different conversation than most SMBs are having when renewal time comes around.
If you’re doing the math on whether training is worth the spend, this post on what $50 actually buys your business lays out the comparison plainly. The cost of being uncovered is measured in six figures, minimum.
What TTP Cyber Hub Gives You
TTP Cyber Hub is built around exactly what insurers want to see: structured, ongoing training with documented completion records, delivered through 3-4 minute monthly video modules that don’t disrupt your team’s day. Phishing simulations are included, giving you both the training activity and the test results that demonstrate effectiveness.
The employer dashboard tracks who’s completed what and when, so if you’re ever asked to show evidence of your training program, it’s there. The platform is designed for businesses with 10 to 75 employees who need a credible, affordable solution without building an internal IT training function from scratch. At $50 per month, it’s one of the most cost-effective steps you can take to genuinely improve your insurance position.
For context on what TTP Cyber Hub covers and why it’s built the way it is, this post on the value of 3-minute training walks through the platform design. And if you’re still weighing whether cybersecurity investment is worth the cost, this breakdown of what delay actually costs is worth a read before your next policy renewal.
Ready to get your documentation in order? Get pricing for TTP Cyber Hub and find out what’s included.
Frequently Asked Questions
What is the biggest email security risk for Baltimore SMBs?
Phishing and business email compromise remain the most common threats, often exploiting weak MFA or poor verification processes.
Do small firms really need advanced email security tools?
Yes. Attackers increasingly target smaller organizations because they often lack enterprise-grade protections.
How often should email security be reviewed?
At minimum, quarterly internal reviews and an annual professional assessment are recommended.
Can business IT support providers in Baltimore help with implementation?
Yes. Managed providers can assess gaps, deploy controls, train staff, and maintain ongoing protection.