Cyber Insurance Guide for Small Business

Why Small Businesses Need Cyber Insurance

Traditional business insurance doesn't cover cyber incidents. When a ransomware attack encrypts your data, a phishing scam diverts a wire transfer, or a data breach exposes customer information, your general liability policy won't help. Cyber insurance fills this critical gap, covering costs that can bankrupt small businesses.

The average small business data breach costs exceed $100,000 when factoring in forensics, legal fees, customer notification, credit monitoring, regulatory fines, and business interruption. Cyber insurance transforms this potentially catastrophic expense into a manageable deductible.

What Cyber Insurance Covers

First-Party Coverage (Direct Costs to Your Business)

Data Breach Response

Forensic investigation to determine breach scope
Legal counsel specializing in breach response
Notification costs (printing, mailing, call center)
Credit monitoring services for affected individuals
Public relations and crisis management
Identity restoration services

Business Interruption

Lost income during downtime from cyber incident
Extra expenses to maintain operations
Costs to restore operations
Revenue loss from network outage

Ransomware and Cyber Extortion

Ransom payment (if you choose to pay)
Negotiation with attackers
Cryptocurrency transaction facilitation
Decryption assistance
Data restoration costs

Data Restoration

Cost to restore or recreate lost data
System restoration and rebuilding
Forensic data recovery
Software replacement

Funds Transfer Fraud

Social engineering resulting in fraudulent transfers
Business email compromise (BEC) losses
Deception-based financial transfers

Cyber Crime and Theft

Theft of funds via hacking
Electronic theft from bank accounts
Cryptocurrency theft

Third-Party Coverage (Liability to Others)

Privacy Liability

Legal defense costs
Settlements and judgments
Regulatory defense
Fines and penalties (where insurable)

Network Security Liability

Claims arising from breach or security failure
Defense costs for lawsuits
Damages and settlements
Claims from business partners

Media Liability

Copyright or trademark infringement online
Defamation or libel in digital content
Privacy violations in online communications

Regulatory Defense and Penalties

Defense against regulatory investigations
Fines (GDPR, CCPA, HIPAA, etc., where insurable)
Compliance costs

Common Exclusions

What's Typically Not Covered:

Prior known breaches or incidents
Intentional acts or fraud by employees
Infrastructure improvements (existing vulnerabilities)
Betterment (upgrading beyond restoration)
Acts of war or terrorism (sometimes)
Bodily injury or property damage
Intellectual property theft (sometimes excluded)
Losses from unpatched known vulnerabilities (emerging exclusion)

Understanding Policy Structure

Coverage Limits

Aggregate Limit: Maximum the policy will pay across all claims in the policy period

Per-Incident Sublimits: Caps on specific coverage types:

Ransomware: Often $100,000-$500,000 sublimit
Social engineering: $50,000-$250,000 sublimit
Business interruption: Daily or monthly caps

Typical Limits for Small Businesses:

$1 million (minimum for most SMBs)
$2 million (recommended for most)
$5 million+ (larger organizations, high-risk industries)

Deductibles

Waiting Period Deductible: Common for business interruption (e.g., 8-24 hours)

Monetary Deductible: Typical range:

$1,000-5,000 (very small businesses)
$5,000-25,000 (most small businesses)
$25,000-100,000+ (larger organizations)

Considerations:

Higher deductible = lower premium
Choose deductible you can afford during crisis
Different deductibles for different coverage types possible

Retention vs. Deductible

Deductible: You pay first, insurance pays after deductible met

Retention: Insurance advances costs, you reimburse up to retention amount

Preference: Deductible structure is more common and simpler

Cyber Insurance Requirements

Security Controls Questionnaire

Insurers assess your security posture before offering coverage. Expect questions about:

Access Controls:

Multi-factor authentication usage
Password policies
Privileged access management
User access reviews

Endpoint Protection:

Antivirus/EDR deployment
Patch management processes
Endpoint encryption
Mobile device management

Network Security:

Firewall implementation
Network segmentation
Intrusion detection
VPN usage for remote access

Data Protection:

Backup procedures and frequency
Backup testing
Offsite/offline backup storage
Encryption practices

Email Security:

Advanced email filtering
Anti-phishing tools
SPF, DKIM, DMARC implementation
Email authentication

Incident Response:

Incident response plan existence
Testing frequency
Designated response team
Tabletop exercises

Training:

Security awareness training frequency
Phishing simulation testing
Training documentation

Policies and Procedures:

Information security policy
Acceptable use policy
Remote work policy
Vendor management

Minimum Requirements

Many insurers now require specific controls for coverage:

Often Mandatory:

Multi-factor authentication (MFA) on all remote access
Endpoint detection and response (EDR) on all systems
Regular backups (daily recommended)
Offline/immutable backups
Email security beyond basic spam filtering
Privileged access management

Emerging Requirements:

Security awareness training (quarterly minimum)
Vulnerability scanning
Penetration testing (annually)
Incident response plan
Vendor risk management

Failure to Meet Requirements:

Coverage denial
Coverage exclusions for specific risks
Higher premiums
Lower coverage limits

Choosing the Right Cyber Insurance

Coverage Evaluation

Essential Coverage Components:

✅ Must Have:

Data breach response (forensics, notification, credit monitoring)
Ransomware payment and response
Business interruption
Funds transfer fraud
Privacy and network security liability
Regulatory defense

⚠️ Evaluate Carefully:

Social engineering sublimit (ensure adequate for your risk)
Ransomware sublimit (increasingly attacked)
Business interruption waiting period (shorter is better)
Prior acts coverage (if switching policies)

❌ Nice to Have but Not Critical:

Media liability (unless content is core to business)
Reputational harm coverage
Branding restoration

Policy Comparison Checklist

Coverage:

[ ] Aggregate limit meets your risk profile
[ ] Sublimits are adequate for key coverages
[ ] Deductible is affordable
[ ] Business interruption waiting period is reasonable
[ ] Funds transfer fraud coverage is sufficient
[ ] Regulatory fines covered (where legally possible)

Terms:

[ ] Definition of "security failure" is broad
[ ] Prior acts coverage (if applicable)
[ ] Extended reporting period option
[ ] Consent to settle clause is reasonable
[ ] Exclusions are clearly defined and acceptable

Insurer:

[ ] Financial strength rating (A.M. Best A- or higher)
[ ] Experience in cyber insurance
[ ] Claims handling reputation
[ ] Incident response resources provided
[ ] Breach response panel (pre-vetted vendors)

Red Flags

Avoid Policies With:

Overly narrow definition of covered incidents
Extensive exclusions for common scenarios
Unreasonable security requirements you can't meet
"Claims made and reported" vs. "claims made" (more restrictive)
Sublimits so low they're effectively illusory
No clear path to incident response assistance

The Application Process

Step 1: Gather Information

Company Details:

Revenue
Number of employees
Industry
Geographic locations
Types of data handled (PII, PHI, PCI, etc.)

Security Posture:

Completed security controls questionnaire
Security audit or assessment results
Compliance certifications (SOC 2, ISO 27001, etc.)
Previous incident history (be honest)

Desired Coverage:

Coverage limit
Deductible preference
Specific coverage requirements
Policy term

Step 2: Complete Application

Be Honest:

Misrepresentation can void coverage
Disclose prior incidents
Accurately represent security controls

Documentation:

Security policies
Incident response plan
Training records
Backup procedures

Step 3: Underwriting Review

Underwriter Assessment:

Reviews application and security posture
May request additional information
Determines pricing and terms
May require security improvements

Possible Outcomes:

Coverage offered as requested
Coverage offered with exclusions or sublimits
Coverage offered contingent on improvements
Coverage denied (rare for businesses with basic security)

Step 4: Policy Issuance

Review Policy Carefully:

Verify coverage matches expectations
Understand all exclusions
Note all requirements and warranties
Confirm contact information for claims

Maintain Compliance:

Implement any required controls
Document compliance
Update insurer of material changes

Making a Claim

Immediate Response

First 24 Hours:

Notify your insurance broker immediately
Call insurer's breach hotline (24/7 typically)
Document everything
Do NOT engage vendors without insurer approval (may void coverage)

Insurer Will Provide:

Breach coach (attorney to guide response)
Forensic investigator
PR firm (if needed)
Other vendors from approved panel

Your Responsibilities:

Cooperate with investigation
Preserve evidence
Maintain communication
Follow breach coach guidance

Claims Process

Investigation:

Forensic firm determines scope and cause
Legal counsel oversees process
Insurer assesses coverage

Response:

Notification to affected individuals
Regulatory reporting
Credit monitoring setup
Public communications

Recovery:

System restoration
Business resumption
Documentation of losses

Settlement:

Submit expenses with documentation
Insurer reviews against policy terms
Payment for covered costs
Potential settlement of third-party claims

Maximizing Your Claim

Best Practices:

Document all costs meticulously
Keep communications with insurer
Use approved vendors when possible
Get pre-approval for major expenses
Submit claims promptly
Maintain detailed timeline

Common Claim Delays:

Missing documentation
Using unapproved vendors
Failing to prove business interruption losses
Inadequate evidence of expenses

Cost of Cyber Insurance

Pricing Factors

Company Characteristics:

Industry (healthcare, finance = higher)
Revenue (higher revenue = higher premium)
Number of employees
Types of data handled
Geographic location

Security Posture:

MFA implementation (major factor)
EDR deployment
Backup practices
Security training
Previous incidents

Coverage Selected:

Limits (higher limits = higher premium)
Deductible (higher deductible = lower premium)
Coverage breadth

Typical Costs

Small Businesses (< $5M revenue):

$1M coverage: $1,000-3,000/year
$2M coverage: $2,000-5,000/year

Growing Businesses ($5-25M revenue):

$2M coverage: $3,000-8,000/year
$5M coverage: $5,000-15,000/year

Larger SMBs ($25-100M revenue):

$5M coverage: $10,000-30,000/year
$10M+ coverage: $25,000-100,000+/year

Market Trends:

Premiums increased 50-100% in 2021-2022
Market stabilizing in 2023-2024
Strong security controls yield better pricing

ROI Consideration

Cost vs. Benefit:

$5,000 annual premium vs. $100,000+ average breach cost
Insurance provides access to expert response resources
Breach response panel expertise reduces damage
Peace of mind and risk transfer

Maintaining Your Coverage

Annual Renewal

Renewal Process:

Re-complete security questionnaire
Disclose any incidents or material changes
Update coverage needs
Review and negotiate terms

Factors Affecting Renewal:

Claims history
Security posture changes
Market conditions
Insurer's risk appetite

Premium Changes:

Typically increase 10-30% annually (market dependent)
Claims can significantly increase premiums
Security improvements may reduce increases

Continuous Compliance

Maintain Required Controls:

Keep MFA implemented and enforced
Maintain EDR on all systems
Continue regular backups
Document security practices

Update Insurer:

Material business changes
Significant security incidents
Major system changes
Mergers or acquisitions

Common Mistakes

Mistake 1: Insufficient Limits

Problem: Choosing $1M when risk warrants $5M+

Solution: Conduct risk assessment; breach costs often exceed expectations

Mistake 2: Ignoring Sublimits

Problem: Focusing on aggregate limit, missing critical sublimit gaps

Solution: Review all sublimits; ensure ransomware and social engineering are adequate

Mistake 3: Misrepresenting Security Posture

Problem: Claiming stronger security than reality to get coverage/lower premiums

Solution: Be honest; misrepresentation voids coverage

Mistake 4: Not Reading Exclusions

Problem: Assuming everything is covered

Solution: Understand all exclusions; negotiate removal of problematic ones

Mistake 5: Delaying Notification

Problem: Waiting to report incident until scope is clear

Solution: Notify insurer immediately; delay can jeopardize coverage

Mistake 6: Engaging Vendors Before Approval

Problem: Hiring forensic firm before insurer approval

Solution: Use insurer's panel or get pre-approval; unapproved vendors may not be reimbursed

The Bottom Line

Cyber insurance is essential risk management for modern businesses. The cost is modest compared to potential breach expenses, and policies provide access to expert response resources that most small businesses couldn't afford on their own.

However, insurance is not a substitute for security. Insurers increasingly require basic security controls, and premiums reflect your risk posture. View cyber insurance as one component of a comprehensive risk management strategy that includes prevention, detection, and response capabilities.

Start by implementing security fundamentals—MFA, EDR, backups, and training. Then obtain cyber insurance appropriate to your risk profile. The combination of strong security and appropriate insurance coverage provides the best protection for your business.

Need help understanding your cyber insurance needs and security requirements? Get a SimplCyber assessment to evaluate your risk and coverage gaps.