You wouldn't run your business without general liability insurance. You wouldn't operate a fleet without auto coverage. But a surprising number of CEOs are running their companies without cyber insurance, or worse, with a policy they've never read and don't understand.
Cyber insurance is no longer optional for any business that stores customer data, processes payments, or relies on digital systems to operate. But the market is changing fast. Premiums are rising. Requirements are tightening. And the fine print can leave you exposed at exactly the moment you need coverage most.
This guide will give you a clear understanding of what cyber insurance covers, where the gaps are, what insurers now demand before they'll underwrite your policy, and how to prepare your business for renewal.
Key insight: Cyber insurance is not a substitute for cybersecurity. It is a financial safety net that complements your security program. Insurers are increasingly requiring proof of strong security controls before they will offer coverage, and they will deny claims if you misrepresented your security posture on the application.
Understanding Coverage Types
Cyber insurance policies generally cover two broad categories of loss. Understanding the distinction is critical for knowing what you're actually protected against.
1. First-Party Coverage
Covers your direct losses from a cyber incident:
- Business interruption: Lost revenue during downtime caused by a cyber event
- Data recovery: Costs to restore or recreate lost or corrupted data
- Ransomware payments: Extortion demands (though coverage varies significantly)
- Forensic investigation: Hiring experts to determine the cause and scope of the breach
- Notification costs: Expenses for notifying affected customers and regulators
- Crisis management: Public relations and communication services
2. Third-Party Coverage
Covers claims made against you by others:
- Legal defense: Attorney fees and court costs from lawsuits
- Regulatory fines: Penalties from data protection authorities (where insurable)
- Settlement costs: Payments to resolve claims from affected parties
- Media liability: Claims arising from data published on your digital platforms
- PCI DSS fines: Penalties for payment card data breaches
- Customer credit monitoring: Services provided to affected individuals
How Much Coverage Do You Need?
There is no one-size-fits-all answer, but here are the factors that should drive your decision:
- Volume of sensitive data you handle: More records means higher potential notification and legal costs
- Revenue dependency on digital systems: If a week of downtime would be catastrophic, you need robust business interruption coverage
- Regulatory environment: Industries like healthcare, finance, and retail face higher fines and stricter notification requirements
- Contractual obligations: Your clients or partners may require minimum coverage levels
Data point: The average cyber insurance claim for small businesses is between $120,000 and $350,000, but ransomware events can easily exceed $1 million when you factor in downtime, recovery, and legal costs. (NetDiligence Cyber Claims Study, 2023)
What's Typically Not Covered
This is where most CEOs get an unpleasant surprise. Cyber insurance policies contain significant exclusions, and they vary widely between carriers. Here are the most common gaps:
Prior known incidents
If you knew about a vulnerability or breach before the policy took effect and didn't disclose it, your claim will almost certainly be denied. This includes ongoing security issues you were aware of but hadn't remediated.
War and nation-state attacks
Most policies exclude acts of war, and insurers are increasingly applying this exclusion to nation-state cyberattacks. This is a growing area of dispute: some policies now specify "cyber war" exclusions that could apply to attacks attributed to foreign governments.
Infrastructure failures
Outages caused by your cloud provider, internet service provider, or power company may not be covered unless you have specific endorsements. A widespread AWS or Azure outage that takes your business offline might not trigger your policy.
Failure to maintain security controls
If your application states that you have MFA enabled and you don't, your claim can be denied. Insurers are getting aggressive about verifying that the controls you attested to are actually in place.
Reputational damage
While crisis management PR costs are often covered, the long-term revenue loss from damaged brand reputation is typically not. If customers leave because they lost trust in your company, that revenue decline is on you.
Future improvements
Policies cover the cost of responding to an incident, not the cost of improving your security afterward. The new firewall, EDR platform, or security hire you need post-breach comes out of your own budget.
What Insurers Now Require
The days of filling out a brief questionnaire and getting a policy are over. Insurers have been burned by massive claim volumes, and they are now demanding proof of specific security controls before they will offer coverage. If you can't demonstrate these controls, you'll face higher premiums, reduced coverage, or outright denial.
Table Stakes (Required by Most Carriers)
- Multi-factor authentication on email, VPN, and administrative access
- Endpoint detection and response (EDR) deployed on all endpoints
- Regular backups stored offline or in immutable cloud storage
- Email security with phishing filtering and DMARC configuration
- Patch management with timely application of critical updates
- Security awareness training for all employees
Increasingly Expected (Differentiate Your Application)
- Incident response plan that's been tested within the past year
- Privileged access management for administrative accounts
- Network segmentation to contain lateral movement
- Vulnerability scanning on a regular cadence
- Vendor risk management program for third-party access
- Encryption for data at rest and in transit
Data point: Cyber insurance premiums have increased by an average of 50% over the past three years, with some industries seeing increases above 100%. Carriers that once accepted self-attestation now require external scans or third-party assessments. (Marsh Global Insurance Market Index, 2024)
How to Prepare for Your Renewal
Whether your policy renews in three months or twelve, here is what you should do now to position your business for the best possible terms.
90 Days Before Renewal
- Review your current policy. Read the exclusions. Understand your deductible, coverage limits, and sublimits. Know what's covered and what isn't before you need to file a claim.
- Inventory your controls. Can you truthfully attest to having MFA, EDR, backups, and training in place? If not, prioritize closing the gaps before your application is due.
- Document your security posture. Compile evidence of your controls: training records, backup test results, vulnerability scan reports, incident response plan documentation. Carriers give better terms to companies that can demonstrate their maturity.
- Assess your risk profile. Has anything changed since your last renewal? New services, more customer data, additional regulatory requirements, or significant growth may require adjusted coverage levels.
- Get multiple quotes. Don't automatically renew with your current carrier. The cyber insurance market is competitive, and different carriers have different appetites for different risk profiles. Work with a broker who specializes in cyber coverage.
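The "Table Stakes" list above names DMARC configuration as a required email control, and the "Inventory your controls" step asks whether you can truthfully attest to it. The following added example (not from this guide or any carrier's questionnaire) parses a DMARC TXT record and reports whether it is actually enforcing, so the attestation is backed by evidence rather than assumption. The sample records are constructed; the domain and report address are placeholders.

```python
# Attestation check for the DMARC control: parse a record and decide whether
# it enforces (quarantine/reject on 100% of mail) or merely monitors.
VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into a tag dict; raise ValueError if malformed."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # RFC 7489 requires v=DMARC1 as the first tag and a valid p= policy.
    if tags.get("v") != "DMARC1" or next(iter(tags)) != "v":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("record must declare p=none, quarantine, or reject")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        raise ValueError("pct= must be an integer from 0 to 100")
    return tags


def assess_dmarc(record: str) -> dict:
    """Return {'enforcing': bool, 'policy': str|None, 'findings': [..]} for the record."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return {"enforcing": False, "policy": None, "findings": [str(exc)]}
    findings = []
    policy, pct, sp = tags["p"], int(tags.get("pct", "100")), tags.get("sp")
    if policy == "none":
        findings.append("p=none only monitors; failing mail is neither quarantined nor rejected")
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if sp == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unenforced")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports (your evidence trail) are not collected")
    enforcing = policy in ("quarantine", "reject") and pct == 100 and sp != "none"
    return {"enforcing": enforcing, "policy": policy, "findings": findings}


if __name__ == "__main__":
    # Constructed sample records (placeholder domain); only the first can be attested as enforced.
    for rec in ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=quarantine; pct=10"):
        print(rec, "->", assess_dmarc(rec))
```

A p=none record looks like "DMARC configured" on a questionnaire but does not block spoofed mail, which is exactly the kind of gap a post-breach forensic review will surface.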
The Application: Accuracy Matters
Never misrepresent your security posture on an insurance application.
This cannot be stressed enough. If your application states that MFA is enforced on all remote access and your IT team confirms that three accounts are exempted, your claim can be denied. Insurers conduct post-breach forensics, and misrepresentations on applications are a leading reason for claim denials. Be accurate, even if it means higher premiums.
What Small Businesses Actually Need
Enterprise cyber insurance policies can be complex and expensive. As an SMB, you need coverage that addresses your actual risk profile without paying for protections you don't need.
For most small businesses, the essentials are:
- Business interruption coverage with a realistic assessment of your daily revenue at risk
- Data breach response costs including forensics, notification, and credit monitoring
- Ransomware and extortion coverage (verify this is explicitly included and understand any sublimits)
- Legal defense and regulatory coverage appropriate to your industry and jurisdictions
- Social engineering coverage for business email compromise and fraudulent funds transfers
You may not need:
- Media liability coverage (unless you publish significant digital content)
- Technology errors and omissions (unless you provide tech services to clients)
- Intellectual property coverage (unless IP theft is a primary risk in your industry)
Work with a broker who understands your business, not one who sells the same package to every client. The difference between a well-fitted policy and a generic one can be hundreds of thousands of dollars when you file a claim.
Real-World Example: The Claim That Was Denied
In 2022, Travelers Insurance sued to void the cyber policy of International Control Services (ICS), an electronics manufacturer, after a ransomware attack. ICS had certified on its insurance application that it enforced multi-factor authentication on all administrative access. Post-breach forensics revealed that MFA was not enabled on at least one server, the entry point for the attack.
Travelers argued it would never have issued the policy had it known MFA was incomplete. The case was settled with Travelers voiding the policy, leaving ICS responsible for its own losses.
The lesson: Your insurance application is a binding document. Every attestation about your security controls must be accurate and verifiable. If you're unsure whether a control is fully deployed, say so. A slightly higher premium is infinitely preferable to a denied claim.
Key Takeaways
- Understand first-party vs. third-party coverage: Know what your policy covers for your direct losses and what it covers for claims against you
- Read the exclusions carefully: War exclusions, infrastructure failures, and prior known incidents are common gaps that can leave you exposed
- Insurers now require strong controls: MFA, EDR, backups, and training are table stakes for getting coverage at reasonable rates
- Never misrepresent your security posture: Application accuracy is the difference between a paid claim and a denied one
- Prepare for renewal early: Start documenting your controls and shopping for quotes 90 days before your policy expires
- Right-size your coverage: Work with a specialized broker to match coverage to your actual risk profile
Cyber insurance is one component of a comprehensive risk management strategy. For a broader framework covering insurance, incident response, and security governance, see Cybersecurity for CEOs.