I set up a new server for a client and, in a rush to get remote access working, I left Port 3389 (RDP) open to the internet without IP whitelisting. Two weeks later, a ransomware gang brute-forced the port, encrypted the client’s entire accounting system, and demanded 5 BTC ($500,000 in 2026 money). The client’s forensic audit pinpointed my open port as the entry point, and they are suing me for the ransom and the cleanup.
Key Takeaways
- Third-Party Cyber Liability: You need coverage for “damages to others” caused by your failure to secure the network.
- “Failure to Maintain Security”: This is the specific allegation. Your policy must cover “failure to prevent unauthorized access.”
- The “Minimum Standards” Condition: Some policies require you to use MFA (Multi-Factor Authentication) or specific firewall rules. If you skipped this, the claim is denied.
- Subrogation: If the client’s insurance pays the ransom, their insurance company will sue you to get the money back. Your insurance defends against this.
The “Why”: The Security Maintenance Exclusion
The Trap: In 2026, insurers are tired of paying for lazy security.
Check your policy for a “Security Standards Warranty.”
It might say: “Coverage is void if the insured fails to maintain industry-standard security protocols, including closing unused ports and enforcing MFA.”
If you left RDP open to 0.0.0.0/0, you might have violated this warranty, leaving you uninsured. You need a policy with “soft hammer” wording (which reduces coverage rather than voiding it) or no warranty at all.
The Investigation: I Quoted 3 Major Carriers
1. Beazley (The Cyber Heavyweight)
- My Analysis: Beazley is aggressive but fair. Their “Tech E&O” is designed for this. They cover the liability of you causing a breach. However, they are strict on MFA. If you didn’t have MFA on that RDP access, you are in trouble.
2. CNA
- My Analysis: CNA’s “NetProtect” offers solid defense for technology companies. They focus heavily on “vicarious liability.” If you hired a junior dev who left the port open, CNA covers you.
3. Cowbell Cyber
- My Analysis: They use AI to scan your perimeter continuously. If you had Cowbell, they likely would have alerted you to the open port before the hack. If you ignored the alert, coverage is jeopardized.
[IMAGE: Diagram showing the “Attack Vector” report pointing to the open port]
Comparison Table: Breach Liability
| Carrier | Covers “Failure to Secure”? | MFA Required? | Monitoring Included? | Best For… |
|---|---|---|---|---|
| Beazley | Yes | Yes (Strict) | No | Large MSPs |
| Cowbell | Yes | Yes | Yes (Continuous) | Proactive IT |
| CNA | Yes | Variable | No | General Tech |
Step-by-Step Action Plan
- Close the Port: Mitigation is your legal duty.
- Pull the Logs: Secure the server logs to prove when the breach happened.
- Review the “Warranty” Section: Read your policy to see if you violated a security condition.
- Notify Carrier: Frame it as “Alleged failure to secure network configuration.”
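The first two steps of the plan above (find out exactly who TCP/3389 is open to, scope it to an allow-list, and preserve the Security log before it rolls over) can be done from an elevated PowerShell session on the affected Windows Server. The script below is an added example, not code from the original article; the allow-list addresses, the evidence directory and the function names are assumptions you replace with the client’s real values.

```powershell
# Added example (not from the original article): audit, close and document an
# RDP (TCP/3389) exposure on Windows Server, then preserve the evidence.
# Run in an elevated PowerShell session on the affected host.
$AllowedSources = @('203.0.113.10', '198.51.100.0/24')   # assumption: client's management IPs (RFC 5737 ranges)
$EvidenceDir    = 'C:\IR\Evidence'                       # assumption: where the exported logs go

# 1. List every enabled inbound allow rule for TCP/3389 and who it is open to.
#    A RemoteAddress of 'Any' is the 0.0.0.0/0 exposure described in the article.
function Get-RdpExposure {
    $results = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
        $port = $rule | Get-NetFirewallPortFilter
        if ($port.Protocol -ne 'TCP' -or -not ($port.LocalPort -eq '3389')) { continue }
        $addr = $rule | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Profile       = $rule.Profile
            RemoteAddress = ($addr.RemoteAddress -join ',')
            OpenToWorld   = ($addr.RemoteAddress -contains 'Any')
        }
    }
    return $results
}

# 2. Close the port: scope every existing 3389 allow rule to the allow-list
#    (rather than deleting the rule, so the change is reversible and auditable)
#    and require Network Level Authentication so nobody reaches the logon
#    screen without authenticating first.
function Set-RdpAllowList {
    param([string[]]$Sources)
    foreach ($exposure in Get-RdpExposure) {
        Set-NetFirewallRule -DisplayName $exposure.Rule -RemoteAddress $Sources
    }
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
        -Name 'UserAuthentication' -Value 1 -Type DWord
}

# 3. Pull the logs: take a full copy of the Security log first, then triage
#    failed logons (event 4625) by source address. A brute force shows up as
#    thousands of 4625s from a handful of addresses; the first success after
#    that run (event 4624 from the same source) dates the intrusion.
function Export-RdpEvidence {
    param([string]$OutDir, [int]$Days = 30)
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    wevtutil epl Security (Join-Path $OutDir 'Security.evtx')   # epl = export log, untouched copy

    $since  = (Get-Date).AddDays(-$Days)
    $failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = $data['TargetUserName']
                Source    = $data['IpAddress']
                LogonType = $data['LogonType']   # 3 = network, 10 = RemoteInteractive (RDP)
            }
        } | Where-Object { $_.LogonType -in '3', '10' }

    $failed | Export-Csv -Path (Join-Path $OutDir 'failed-logons.csv') -NoTypeInformation
    # Summary for the carrier notification: top sources by failed-logon count
    $failed | Group-Object Source | Sort-Object Count -Descending | Select-Object -First 10 Name, Count
}

# Usage, in the order the action plan gives
Get-RdpExposure | Format-Table -AutoSize
Set-RdpAllowList -Sources $AllowedSources
Export-RdpEvidence -OutDir $EvidenceDir -Days 30
```

Keep the `Get-RdpExposure` output from before the change together with the exported `.evtx`: the first shows the configuration the forensic audit will describe, the second is the primary record of when the brute force started and when it succeeded, which is what the “Pull the Logs” step is for.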
FAQ
Can insurance pay the ransom?
Your insurance pays the client’s damages. If the client pays the ransom, that is part of their damages, so yes, indirectly.
Am I liable if the client refused to buy a firewall?
If you have a paper trail (email) where you recommended a firewall and they declined, you have a strong defense.
Does this count as a “Cyber” claim or “E&O”?
It’s a “Tech E&O” claim because your professional error (misconfiguration) caused the cyber event.