The $18.3M Wake-Up Call: Cyber Insurance Acts as a Control Audit 

What happened: In February 2024, the City of Hamilton, Ontario suffered a ransomware attack. In July 2025, the City disclosed that its cyber-insurance claim was denied after a forensic and third-party legal review, leaving taxpayers to cover CAD $18.3M in recovery costs. The denial stemmed from incomplete MFA deployment at the time of the attack, which the insurer cited as a policy requirement. 

Why this matters for schools and nonprofits: Cyber insurance only responds if you meet and can prove the controls your policy requires. “We have MFA” or “we back up data” is not enough. Carriers expect complete, documented coverage across identity, email, remote access, endpoints, and backups. In a high-volume ransomware environment, a single control gap can convert a recoverable incident into an unfunded crisis.

What “good” looks like 

  • MFA everywhere it counts. Identity provider, email, VPN/remote access, admin roles, cloud consoles. Prefer phishing-resistant factors where feasible. Keep exception logs. 
  • Backups you can prove. Immutable or offline copies, documented RPO/RTO, and a recent, successful restore test with artifacts. 
  • Endpoint visibility. EDR/XDR deployed to all supported endpoints, with alerting and response playbooks. 
  • Email and identity hygiene. Modern filtering, DMARC alignment, conditional access, least privilege for admins, and routine access reviews. 
  • Evidence on file. Screenshots, exports, policy configs, and reports dated prior to the incident. After the fact is too late. 

A quick self-check 

  • Can you show an auditor your MFA coverage report for all privileged accounts and remote access as of last quarter? 
  • Do your EDR and email security reports demonstrate near-100% deployment, with exceptions tracked? 
  • Do you have a one-page runbook for who calls your broker, carrier, counsel, and IR firm within the first hour? 
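The first two self-check questions come down to a dated coverage report that separates covered accounts, approved exceptions and unexplained gaps. The script below is an added illustration, not part of the original post or any CTS deliverable; it works on a constructed identity-provider export whose column names (privileged, remote_access, mfa_method, exception_ticket) are assumptions rather than any vendor's schema.

```python
"""Build a dated MFA coverage report for privileged and remote-access accounts.

The export below is a constructed sample, not a real tenant. The report is the
kind of artifact an insurer's forensic review would ask for: who is in scope,
who is covered, which gaps have an approved exception, and which do not.
"""
import csv
import io
from datetime import date

# Constructed sample export; column names are assumptions for this example.
SAMPLE_EXPORT = """\
user,privileged,remote_access,mfa_method,exception_ticket
alice,yes,yes,fido2,
bob,yes,no,totp,
carol,no,yes,sms,
dave,yes,yes,none,
erin,no,yes,none,CHG-0042
frank,no,no,none,
"""

# Factors that survive credential phishing (assumed labels in the export).
PHISHING_RESISTANT = {"fido2", "passkey", "certificate"}


def in_scope(row):
    """Carriers ask about privileged and remote-access accounts specifically."""
    return row["privileged"] == "yes" or row["remote_access"] == "yes"


def has_mfa(row):
    return row["mfa_method"] not in ("", "none")


def build_report(export_text, as_of=None):
    """Return a report dict; as_of is an ISO date string (defaults to today)."""
    scope = [r for r in csv.DictReader(io.StringIO(export_text)) if in_scope(r)]
    covered = [r for r in scope if has_mfa(r)]
    uncovered = [r for r in scope if not has_mfa(r)]
    strong = [r for r in covered if r["mfa_method"] in PHISHING_RESISTANT]
    pct = lambda part, whole: round(100 * len(part) / len(whole), 1) if whole else 100.0
    return {
        "as_of": as_of or date.today().isoformat(),
        "in_scope": len(scope),
        "covered": len(covered),
        "coverage_pct": pct(covered, scope),
        "phishing_resistant_pct": pct(strong, covered),
        # Exceptions only count if a change ticket documents them.
        "approved_exceptions": [(r["user"], r["exception_ticket"]) for r in uncovered if r["exception_ticket"]],
        "unexplained_gaps": [r["user"] for r in uncovered if not r["exception_ticket"]],
    }


def claim_ready(report):
    """True only when every in-scope account is covered or has a tracked exception."""
    return not report["unexplained_gaps"]
```

Run against the sample, the report shows 60% coverage and one privileged remote-access account (dave) with no MFA and no exception ticket, which is exactly the kind of gap a carrier can cite.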

How CTS helps 

Insurance Readiness Tune-Up (30 days). 

  • Control gap analysis mapped to common carrier questionnaires. 
  • Remediation plan for MFA, EDR/XDR, backups, identity, network and email security. 
  • Evidence pack for attestations: coverage reports, configuration exports, and restore-test artifacts. 
  • Tabletop focused on “claim support” and roles. 

Managed Cyber Protection. Our Managed Cyber Program covers the daily controls carriers expect: 24/7 SOC, EDR/XDR, email filtering, identity and access management, vulnerability management and patching. We add user awareness training and an incident response runbook, all mapped to NIST CSF with insurer-ready evidence and quarterly board reports.

Managed Cyber Advisory, aligned to NIST CSF. Quarterly attestation, control monitoring, restore drills, and board-level reporting so your policy is more likely to respond when it counts. 

Bottom line: Hamilton’s experience shows that missing one required control can mean no coverage and eight-figure costs. Implement completely, document continuously, and rehearse recovery. 

Reach out! Ask us for the Insurance Readiness checklist and a no-cost scoping call. 
