Did the insurance company require an audit of the insured network? If they didn't then I say they should pay up. The insurance company should require an IT audit once a year to make sure the insured are kept up to spec. Its a win/win for the insurance company as they do not have to pay for the audit, for fixing the issues, and for paying up if a hacker got in through a known hole.
Maybe the admin thought they were completely secured and following every word of the insurance contract, but as it turns out, they were insecure. With the rapidly changing world of IT, how can someone know they are completely secure without either being licensed for every technology in your network (not gonna happen), or by requiring network audits by an external party.
Biting the hand that feeds IT
