Sequentur Blog


Cyber Insurance for Small Business: What It Covers and What It Does Not


Cyber insurance has gone from a niche product to a near-necessity for small businesses in the span of a few years. The shift happened because breaches got more expensive, more frequent, and more disruptive, and business owners realized that a general liability policy typically excludes cyber losses. But cyber insurance is not a simple product. Policies vary widely in what they cover, what they exclude, and what they require from you before they will pay a claim. Understanding those details before you need to file a claim is the difference between a policy that saves your business and one that gives you a false sense of security.

What Cyber Insurance Typically Covers

Most cyber insurance policies are split into two categories: first-party coverage and third-party coverage. First-party coverage pays for your own losses. Third-party coverage pays for claims made against you by others.

First-Party Coverage

Incident response costs. When a breach occurs, you need forensic investigators to determine what happened, how the attacker got in, and what data was compromised. You need legal counsel to navigate notification requirements and regulatory exposure. You may need a public relations firm to manage communication with customers and media. First-party coverage typically pays for all of these, and many policies provide access to a pre-approved panel of vendors so you do not have to find them in the middle of a crisis.

Breach notification costs. Every US state has a breach notification law that requires notifying affected individuals when their personal data is compromised, and many also require notice to the state attorney general or other regulators. The notification process includes identifying affected individuals, drafting compliant notification letters, mailing them, and often providing credit monitoring services. For a breach affecting thousands of individuals, these costs add up quickly. Most policies cover notification expenses and credit monitoring.

Business interruption. If a cyberattack takes your systems offline and your business cannot operate, you lose revenue for every hour of downtime. Ransomware recovery can take weeks for businesses without tested backups. Business interruption coverage reimburses lost income and extra expenses incurred during the recovery period. This is often one of the most valuable components of a cyber policy for small businesses, where even a few days of downtime can have a serious financial impact.

Data recovery and restoration. If ransomware encrypts your files or an attacker destroys data, you need to rebuild. Coverage typically includes the cost of restoring data from backups, rebuilding systems, and in some cases paying for temporary systems or workarounds while recovery is in progress.

Ransom payments. Many policies cover ransomware payments, though this is increasingly contentious. Some insurers are reducing or eliminating ransom coverage, adding sublimits, or requiring pre-approval before any payment is made. If ransom coverage matters to you, read the policy language carefully and ask your broker specifically how the insurer handles ransomware claims. Keep in mind that even with coverage, paying a ransom is a complex decision with legal and operational implications beyond what insurance covers: paying a group on a US Treasury (OFAC) sanctions list can itself be a violation, and payment guarantees neither a working decryptor nor the deletion of stolen data.

Cyber extortion. Beyond ransomware, some attackers threaten to release stolen data, launch DDoS attacks, or publicly embarrass the business unless a payment is made. Extortion coverage addresses these scenarios, though the specifics vary by policy.

Third-Party Coverage

Regulatory fines and penalties. If a breach triggers regulatory action under HIPAA or state privacy laws, or contractual penalties under PCI DSS (which are imposed by the card brands through your acquiring bank rather than by a regulator), the resulting fines and penalties may be covered. This varies significantly by policy and jurisdiction. Some fines are legally uninsurable in certain states, so check with your broker about what applies in your situation. Healthcare practices should also note that AI-related HIPAA breaches (staff pasting PHI into consumer AI tools without a BAA) are a growing source of OCR enforcement – the AI and HIPAA article covers the specific BAA and documentation work insurers and OCR look for.

Legal defense costs. If affected individuals, business partners, or regulators bring legal action against your business following a breach, the policy covers your legal defense costs and, in many cases, any settlements or judgments.

Liability for data loss. If your breach exposes customer data and those customers suffer financial harm, third-party coverage pays for claims brought against you. This includes credit card data, health records, Social Security numbers, and other sensitive personal information.

What Cyber Insurance Does Not Cover

The exclusions in a cyber insurance policy matter as much as the coverage. These are the scenarios where business owners most commonly discover that their policy does not help.

Pre-existing vulnerabilities and known issues. If your insurer discovers that you knew about a vulnerability and did not patch it, or that you misrepresented your security posture on the application, the claim can be denied. This is not theoretical. Insurers have denied claims when they found that the business was not actually using the security controls they claimed on their application. If you said you have MFA enabled on all accounts and you do not, that is grounds for denial.

Acts of war and nation-state attacks. Most policies include a war exclusion that was written for physical conflict. Insurers have increasingly tried to apply that exclusion to cyberattacks attributed to nation-state actors. The Merck v. Ace American Insurance litigation, in which Merck’s insurers invoked the war exclusion against roughly $1.4 billion in NotPetya losses, brought the issue into sharp focus; the New Jersey courts sided with Merck because the exclusion as written did not clearly reach a cyberattack, and the parties settled in 2024 before the state supreme court ruled. That case involved Merck’s property policies rather than a standalone cyber policy, and insurers have since rewritten their war exclusion language specifically for cyber incidents: Lloyd’s, for example, has required standalone cyber policies in its market to carry a state-backed cyberattack exclusion since 2023. Read your policy’s war exclusion carefully and ask your broker how it applies to state-sponsored cyberattacks and who decides attribution.

Unencrypted data on lost devices. If a laptop containing unencrypted customer data is stolen and you did not have disk encryption enabled, the resulting breach may not be covered. Policies typically require reasonable security measures, and failing to encrypt portable devices is considered a basic failing. Most state notification laws also exempt encrypted data when the key was not compromised, so full-disk encryption often turns a lost laptop from a reportable breach into a non-event.

Social engineering losses with caveats. Business Email Compromise (BEC) and social engineering fraud, where an employee is tricked into wiring money to an attacker, are often covered, if at all, under a separate social engineering endorsement or a crime policy rather than the base cyber policy. If your policy does not include this endorsement, BEC losses may not be covered at all. Given that BEC is one of the most common and financially damaging attack types for small businesses, this is worth verifying explicitly.

Voluntary shutdowns. If you proactively take systems offline as a precaution rather than because they were directly impacted by an attack, some policies will not cover the resulting business interruption. The distinction between a system being forced offline by an attack and being taken offline voluntarily during investigation can matter for claims purposes.

Improvements and upgrades. Cyber insurance pays to restore you to your pre-breach state. It does not pay for security improvements you should have had before the breach. If the breach revealed that you needed network segmentation, better backup systems, or EDR on every endpoint, those upgrades come out of your own budget.

How Insurers Are Tightening Requirements

The cyber insurance market has changed dramatically in the last few years. Premiums have increased, coverage limits have tightened, and insurers are asking far more detailed questions about your security posture before they will issue or renew a policy.

Five years ago, a cyber insurance application was a short questionnaire. Today, it is a detailed security assessment. Insurers now commonly require evidence of specific controls before they will offer coverage:

Multi-factor authentication on all remote access, email, and admin accounts is now a baseline requirement for almost every insurer. If you do not have MFA enabled, many insurers will decline to quote entirely. This is not negotiable. MFA is table stakes, though as we have covered, MFA alone is not enough to protect your environment: SMS codes and simple push approvals can be defeated by adversary-in-the-middle phishing kits and push fatigue, and questionnaires increasingly ask which MFA method is in use, not just whether it is turned on.

Endpoint Detection and Response (EDR) on all endpoints is increasingly required, particularly for businesses over 25 employees or those in higher-risk industries. Insurers have recognized that traditional antivirus does not provide adequate protection against modern threats, and they want to see behavioral detection and response capability on every device.

Regular, tested backups with offline or immutable copies (copies that cannot be altered or deleted until their retention period expires, such as object-locked cloud storage) are required to demonstrate that you can recover from ransomware without paying. Insurers want to know your backup frequency, retention period, whether backups are stored offsite or offline, and whether you have actually tested a restore. A hybrid backup approach with cloud and on-premises copies typically satisfies insurer requirements because it provides both the offsite isolation and the tested recovery capability they look for. Microsoft 365’s built-in retention does not satisfy this requirement. Insurers expect independent backup with point-in-time recovery capability.

Email security beyond basic spam filtering, including anti-phishing protection and DMARC implementation. DMARC only does anything once SPF and DKIM are configured for every legitimate sending service and the policy is moved from p=none, which merely reports, to quarantine or reject; a p=none record satisfies the letter of the question but not its intent. Insurers know that phishing is the most common entry point and they want to see that you have technical controls in place to reduce that risk.

Patch management processes that demonstrate you are applying security updates on a regular schedule, usually as part of a broader endpoint management program. Unpatched vulnerabilities are one of the most common root causes of breaches, and insurers are paying attention.

Security awareness training for employees, with documentation showing regular training sessions and phishing simulations. Many insurers also want to see a written cybersecurity policy that covers acceptable use, incident response, and data handling – and for remote-heavy businesses, a dedicated remote work IT policy as well. AI-specific questions are also appearing on renewal questionnaires now; insurers want to see an AI acceptable use policy with an approved-tools list, a data classification rule, and a review cadence, especially for businesses handling regulated data. The AI security risks every small business should know about article covers the threat-side picture insurers are increasingly underwriting against (voice cloning fraud, AI-generated phishing, deepfake-enabled BEC), with the practical controls insurers expect to see.
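The DMARC requirement above is the one item on the list an underwriter can verify by simply looking at your DNS, so it helps to know what "implemented" means to them. The following is an added example, not code from the original post or from Sequentur: a small Python checker that parses DMARC TXT records and grades them the way a questionnaire reviewer would, treating p=none as monitoring only and anything short of full enforcement as a gap. The domain names and records are constructed for illustration; to check a real domain, feed it the TXT record published at _dmarc.<your-domain>.

```python
"""Grade DMARC records against what "DMARC implemented" means on an insurer questionnaire.
Added example; the sample domains and records below are constructed, not real DNS data."""

ENFORCING = ("quarantine", "reject")

# Constructed sample records covering the states a reviewer actually sees.
SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.example",
    "enforced.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                        "rua=mailto:dmarc@enforced.example; ruf=mailto:dmarc@enforced.example",
    "broken.example": "v=DMARC1 p=reject",  # missing ';' separator: receivers ignore it
    "missing.example": None,                 # no _dmarc TXT record published at all
}


def parse_dmarc(record):
    """Split a DMARC record into a tag -> value dict.

    Returns None when the record is unusable: RFC 7489 requires the record to start
    with v=DMARC1 and to carry a p= tag, and receivers discard records that do not.
    """
    if not record:
        return None
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].lower().replace(" ", "") != "v=dmarc1":
        return None
    tags = {}
    for part in parts:
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags if "p" in tags else None


def assess_dmarc(domain, record):
    """Return (status, findings) for one domain.

    status is one of: missing, invalid, monitoring, partial, enforced.
    """
    findings = []
    if record is None:
        return "missing", ["no DMARC record: receivers have no policy to apply, spoofed mail is delivered"]
    tags = parse_dmarc(record)
    if tags is None:
        return "invalid", ["record is not a valid DMARC1 record, so receivers ignore it (same as none)"]
    policy = tags["p"].lower()
    if policy not in ("none",) + ENFORCING:
        return "invalid", [f"unknown policy p={tags['p']}"]
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = -1
    if not 0 <= pct <= 100:
        # This script's own choice: flag a malformed pct and grade as if it were 100.
        findings.append(f"pct={tags.get('pct')} is not a valid percentage")
        pct = 100
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p when absent
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected, so failures go unseen")
    if policy == "none":
        findings.append("p=none is monitoring only: spoofed mail is still delivered")
        return "monitoring", findings
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail is subject to {policy}")
    if sub_policy not in ENFORCING:
        findings.append(f"sp={sub_policy}: subdomains are not enforced, so anything.{domain} can still be spoofed")
    status = "enforced" if pct == 100 and sub_policy in ENFORCING else "partial"
    return status, findings


def assess_all(records):
    """Map each domain to its status; handy for a fleet of domains."""
    return {domain: assess_dmarc(domain, rec)[0] for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        status, findings = assess_dmarc(domain, rec)
        print(f"{domain}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

Only "enforced" would honestly support a yes answer on the application; "monitoring" and "partial" are the states most businesses are in after a vendor sets up DMARC and nobody follows through, and the findings list is the to-do list for getting to reject.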

The trend is clear: insurers are no longer willing to cover businesses that are not doing the basics. The application process has effectively become a security audit, and the answers you provide are binding. Misrepresenting your security posture on an insurance application is not just risky, it can void your coverage entirely when you need it most.

How a Managed Security Provider Helps You Qualify

Meeting insurer requirements is easier when you have a managed security provider handling your security stack. An MSP that provides managed security typically deploys and manages MFA, EDR, email security, backup management, patch management, and security awareness training as part of their service. That means the controls insurers require are already in place and documented.

Documentation matters because insurers do not just take your word for it. They want evidence. A managed provider can supply deployment reports showing EDR coverage across all endpoints, MFA enrollment status for all accounts, backup test results showing successful completions and verified restores, and patch compliance reports. This documentation simplifies the application process and strengthens your position during renewal negotiations.
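Because the answers on the application are binding, the safe approach is to derive them from exports rather than from memory. Below is an added example (not Sequentur's tooling and not from the original post) of what that reconciliation looks like in Python: an asset inventory is compared with an EDR console export, an identity-provider MFA export and a backup restore-test log, and the questionnaire answers fall out of the comparison together with the gap list to fix before signing. All four datasets are constructed samples, and the column names are assumptions to be adapted to whatever your RMM, EDR, IdP and backup product actually export.

```python
"""Derive insurer questionnaire answers from exported evidence instead of assumptions.
Added example: every dataset is a constructed sample and the column names are assumptions."""
import csv
import io
from datetime import date, timedelta

# Constructed asset inventory; only in_scope=yes devices count toward "all endpoints".
ASSET_INVENTORY = """hostname,in_scope
WS-001,yes
WS-002,yes
WS-003,yes
SRV-FILE01,yes
SRV-LEGACY,yes
PRINTER-01,no
"""

# Constructed EDR console export. SRV-LEGACY is deliberately absent: no agent installed.
EDR_EXPORT = """hostname,agent_status,last_seen
WS-001,healthy,2024-05-01
WS-002,healthy,2024-05-01
WS-003,isolated,2024-05-01
SRV-FILE01,healthy,2024-04-02
"""

# Constructed identity-provider MFA export; "breakglass" is the typical forgotten account.
MFA_EXPORT = """user,enabled,method
alice,true,authenticator_app
bob,true,sms
carol,false,
it-admin,true,fido2
breakglass,false,
"""

# Constructed restore-test log from the backup product.
RESTORE_TESTS = """job,tested_on,result
file-server-nightly,2024-04-20,success
m365-mailboxes,2024-01-15,success
"""

WEAK_MFA_METHODS = {"sms", "voice"}  # phishable or SIM-swappable factors


def load(text):
    """Parse an embedded CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def edr_coverage(inventory, edr, as_of, stale_days=14):
    """An in-scope endpoint is covered only if an agent exists and checked in recently."""
    agents = {row["hostname"]: row for row in edr}
    covered, gaps = [], []
    for asset in inventory:
        if asset["in_scope"] != "yes":
            continue
        agent = agents.get(asset["hostname"])
        if agent is None:
            gaps.append((asset["hostname"], "no EDR agent"))
        elif date.fromisoformat(agent["last_seen"]) < as_of - timedelta(days=stale_days):
            gaps.append((asset["hostname"], f"agent stale, last seen {agent['last_seen']}"))
        else:
            covered.append(asset["hostname"])
    return covered, gaps


def mfa_gaps(mfa):
    """Return (accounts without MFA, accounts enrolled with a weak factor)."""
    missing, weak = [], []
    for row in mfa:
        if row["enabled"].lower() != "true":
            missing.append(row["user"])
        elif row["method"] in WEAK_MFA_METHODS:
            weak.append(row["user"])
    return missing, weak


def overdue_restore_tests(tests, as_of, max_age_days=90):
    """A job counts as tested only if its last successful restore is within max_age_days."""
    overdue = []
    for test in tests:
        age = (as_of - date.fromisoformat(test["tested_on"])).days
        if test["result"] != "success" or age > max_age_days:
            overdue.append((test["job"], age))
    return overdue


def questionnaire_answers(as_of=date(2024, 5, 1)):
    """Return the yes/no answers plus the evidence behind each one."""
    covered, edr_gaps = edr_coverage(load(ASSET_INVENTORY), load(EDR_EXPORT), as_of)
    missing_mfa, weak_mfa = mfa_gaps(load(MFA_EXPORT))
    overdue = overdue_restore_tests(load(RESTORE_TESTS), as_of)
    in_scope = len(covered) + len(edr_gaps)
    return {
        "edr_on_all_endpoints": not edr_gaps,
        "edr_coverage_pct": round(100 * len(covered) / in_scope) if in_scope else 0,
        "edr_gaps": edr_gaps,
        "mfa_on_all_accounts": not missing_mfa,
        "mfa_gaps": missing_mfa,
        "mfa_weak_method_users": weak_mfa,
        "restore_tested_last_90_days": not overdue,
        "restore_overdue": overdue,
    }


if __name__ == "__main__":
    for question, answer in questionnaire_answers().items():
        print(f"{question}: {answer}")
```

On the sample data every headline answer comes out "no": one server has no agent, one agent has not checked in for weeks, two accounts have no MFA, and the mailbox backup has not been restore-tested in over three months. That is exactly the kind of discrepancy that an adjuster finds after a claim; finding it yourself before renewal is the point of the exercise.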

Some insurers offer premium discounts for businesses that use a managed security provider, recognizing that professionally managed security reduces claim likelihood. The discount does not always offset the full cost of managed security, but it reduces the net expense and gives you a tangible financial benefit beyond the security itself.

There is also a practical advantage during a claim. If a breach occurs and your managed provider has been maintaining detailed logs, monitoring records, and incident response documentation, the claims process moves faster and the insurer has clear evidence that you were meeting your obligations under the policy. Gaps in documentation during a claim are where disputes and denials happen.

How to Evaluate a Cyber Insurance Policy

When shopping for cyber insurance, do not focus only on the premium. Here are the questions that matter:

What are the coverage limits and sublimits? A policy with a $1 million aggregate limit may have a $100,000 sublimit on ransomware payments or a $250,000 sublimit on business interruption. Make sure the sublimits are adequate for your actual risk exposure, not just the scenarios you hope will not happen.

What is the retention (deductible)? Cyber policy retentions typically range from $1,000 to $25,000 for small businesses. A higher retention lowers your premium but means you pay more out of pocket before coverage kicks in. Make sure you can actually afford the retention in a breach scenario.

What is the waiting period for business interruption? Most policies have a waiting period, typically 8 to 24 hours, before business interruption coverage begins. If your systems are down for 12 hours and your waiting period is 12 hours, you get nothing for that downtime.

Does the policy cover social engineering and BEC? If it does, what is the sublimit? BEC losses can be six figures in a single incident. A $25,000 social engineering sublimit is inadequate for that risk.

What are the notification requirements? Most policies require you to notify the insurer within a specific window after discovering a breach, often 24 to 72 hours. Missing that window can jeopardize your coverage. Know the requirement and make sure your incident response plan includes insurer notification as an early step.

Who chooses the incident response vendors? Some policies require you to use the insurer’s panel of approved vendors for forensics, legal, and notification. Others allow you to choose your own. Using panel vendors is often faster and covered without question, but you should know the requirement in advance.

The cost of a breach without insurance is significant enough that going without coverage is a gamble most small businesses cannot afford. But the policy itself is only as valuable as your understanding of what it does and does not cover.

Sequentur helps small and mid-sized businesses implement the security controls that insurers require, from MFA and EDR to backup management and employee training. If you are applying for cyber insurance or preparing for a renewal and want to make sure your security posture meets current requirements, reach out through our contact page to discuss your setup.
