Cyber insurance has gone from a niche product bought by large enterprises to something many small businesses are being asked about — by accountants, by clients who want to see proof of coverage, and by insurers who are increasingly bundling it with business policies.

The market has also changed significantly. After several years of large-scale ransomware attacks generating enormous claims, insurers have responded with higher premiums, stricter requirements, and more detailed exclusions. A cyber insurance policy is no longer something you can buy without understanding what it actually covers.

What Cyber Insurance Typically Covers

A standard SMB cyber insurance policy will generally cover some combination of:

First-party costs — costs incurred by your own business in responding to an incident:

  • Incident response and forensic investigation
  • Data recovery and system restoration
  • Business interruption losses during downtime
  • Ransomware payment (in some policies, with conditions)
  • Crisis communications and PR management
  • Regulatory notification costs

Third-party liability — claims made against your business by others affected by a breach:

  • Customer claims for losses resulting from their data being compromised
  • Regulatory fines and penalties (coverage varies significantly by policy and jurisdiction)
  • Legal defence costs

What Cyber Insurance Typically Does Not Cover

The exclusions in cyber insurance policies are where most disputes arise. Common exclusions include:

Acts of war and nation-state attacks. This exclusion became significant following the NotPetya attack in 2017, which some insurers classified as an act of war by Russia and used to deny claims. The classification of cyberattacks involving nation-state actors is contested and evolving.

Pre-existing vulnerabilities. If your systems had known, unpatched vulnerabilities at the time of the breach, some policies may reduce or deny coverage on the basis that you failed to maintain adequate security.

Social engineering fraud. Many policies exclude losses from business email compromise and fraudulent wire transfers unless specifically covered by a social engineering rider.

Consequential business losses. Lost future business, reputational damage, and long-term revenue impacts are generally not covered.

Failure to meet security requirements. Increasingly, policies include specific security requirements — MFA on key accounts, endpoint protection, regular backups — and coverage may be void if these weren’t in place at the time of an incident.

Why Premiums Are Rising and Requirements Are Tightening

The cyber insurance market experienced significant losses from 2020 to 2023, driven by the ransomware epidemic. Insurers responded by:

  • Raising premiums, in some cases dramatically
  • Adding detailed security questionnaires to the application process
  • Including specific security requirements as conditions of coverage
  • Adding sub-limits and co-insurance requirements for ransomware claims

The security requirements now standard in many policies include: multi-factor authentication on email and remote access, endpoint detection and response tools, regular tested backups isolated from the main network, and an incident response plan. If you can’t demonstrate these controls, some insurers will decline to offer coverage, and others will charge significantly higher premiums.

This creates a useful dynamic: the requirements for getting cyber insurance at a reasonable premium are also good security practice. Meeting them protects the business whether or not an incident occurs.

Before You Buy

If you’re evaluating cyber insurance:

Read the policy carefully, particularly the exclusions section. Cheap policies often carry exclusions that make them largely useless in a real incident.

Understand the claims process. Some policies require you to use the insurer’s approved incident response providers. If you already have a trusted IT partner, check whether their involvement would be covered.

Answer the security questionnaire accurately. Misrepresenting your security controls on the application is grounds for claim denial. If you don’t have MFA, don’t claim you do.

Consider the limit relative to your risk. The average cost of a breach for an SMB exceeds $3 million. A policy with a $100,000 limit provides limited protection in a serious incident.

Match the policy to your business. A law firm with confidential client data has different risk exposure than a restaurant. The coverage that makes sense varies by business type, data held, and regulatory environment.

W3IT helps businesses understand and meet the technical security requirements that cyber insurers increasingly mandate. If you’re preparing to apply for coverage — or renewing an existing policy — a security review gives you an accurate picture of your current posture and what needs to change.

Book a free security check →