You probably already have general liability and property insurance. But cyber insurance is a different animal — and most business owners who buy it don't fully understand what it covers until they need it.
I want to be clear upfront: we're not insurance brokers, and nothing in this post should be taken as legal or financial advice. But after 30+ years in the IT trenches, we've sat across the table from a lot of small business owners who just went through a cyberattack — and far too many of them assumed their cyber insurance would cover them completely. It didn't.
Cyber insurance is a real and useful tool. But it's not a substitute for good security, and it's not the simple safety net most people imagine it to be. Premiums have more than doubled in the last three years. Insurers are getting pickier about who they'll cover — and under what conditions. And the list of exclusions in most policies would surprise you.
So let's walk through what you actually need to know: what it covers, what it doesn't, why it keeps getting more expensive, and how the security choices you make today directly affect your premiums.
A typical cyber insurance policy is split into two buckets: first-party coverage (costs to your own business) and third-party coverage (your liability when someone else is harmed). Most small business policies include both, though the details vary enormously by carrier and plan.
First-party coverage is the part that helps you recover when your business is directly hit. It typically includes:
Third-party coverage protects you when a breach harms your customers, vendors, or business partners:
On paper, that sounds pretty comprehensive. Here's where it gets complicated.
This is the section most people skip when they buy a policy. Don't skip it.
Prior incidents. If attackers were already inside your network before you bought the policy — which happens more often than you'd think, since attackers often sit quietly for weeks or months before striking — that event probably isn't covered.
Unencrypted data. Many policies require that sensitive data be encrypted. If your customer records weren't encrypted and get stolen, don't count on a payout.
Unpatched known vulnerabilities. If your systems had critical security patches available and you hadn't applied them, your insurer may deny the claim. This is becoming more common as insurers get more aggressive about security requirements.
No multi-factor authentication. This is a big one right now. Insurers are increasingly requiring MFA on email and remote access as a baseline condition of coverage. If you didn't have it when you got breached, you may not be covered. We've written more about why MFA is non-negotiable in 2026.
Insider threats. Fraud or theft by a current or former employee is typically excluded or requires a separate crime/fraud rider.
Reputational damage. If a breach costs you customers or damages your brand long-term, that revenue loss generally isn't covered beyond the immediate business interruption period.
Hardware replacement. If ransomware destroys your servers (rare but it happens), the physical hardware cost usually isn't covered by cyber insurance. That's a property insurance claim — and standard property insurance typically won't cover it either. It's a gap a lot of businesses fall into.
The bottom line: read your policy. If you already have one, pull it out today and look at the exclusions section. If you're shopping for one, have your broker walk you through every exclusion in plain English before you sign.
Cyber insurance premiums more than doubled between 2020 and 2023, and rates have continued climbing since. Some businesses have seen their premiums triple. Others have been dropped by their insurer entirely. What's going on?
Simple: the losses exploded. The ransomware boom of the early 2020s hit insurers hard. They paid out on claim after claim — hospitals, law firms, municipalities, manufacturers, small businesses across every industry. The math stopped working. Insurers who'd been collecting modest premiums suddenly faced catastrophic payouts.
The response has been a combination of premium hikes, tighter underwriting (more requirements before they'll cover you), higher deductibles, lower limits, and more exclusions. The easy, cheap, no-questions-asked cyber policies of 2018 are gone. What you get today depends heavily on what security controls you actually have in place.
Underwriters now routinely ask about:
Answer "no" to enough of those and you either won't get coverage or you'll pay significantly more for it. Answer "yes" and you'll get better rates and better terms.
Here's the part of this conversation that most people don't hear enough: the security investments that lower your cyber risk also lower your insurance costs. The two are directly connected, and the ROI is real.
Let's talk concrete numbers. A small business paying $5,000/year in cyber insurance premiums could potentially reduce that by 15–30% by implementing the controls underwriters are looking for. That's $750–$1,500 per year in savings — and those same controls also make it far less likely you'll have a claim in the first place.
The highest-impact controls that underwriters consistently reward:
Multi-factor authentication on everything. Email, VPN, remote desktop, cloud services. This one change eliminates the vast majority of account compromise attacks. Insurers know this, and they price for it. If you're not running MFA yet, it's the single highest-ROI security investment you can make. Full stop.
Endpoint detection and response (EDR). Not just antivirus. EDR tools watch for behavioral anomalies — they can catch ransomware in the early stages before it encrypts everything. Many insurers won't cover businesses running only traditional antivirus anymore.
Tested, offsite backups. The key word is tested. Having backups that have never been restored from is not a real backup strategy — it's a false sense of security. Insurers increasingly want to see backup procedures documented and tested quarterly. We've written a lot about this; our post on what happens when your IT coverage has gaps covers some of the backup pitfalls we see constantly.
Network segmentation. Keeping your servers, workstations, guest Wi-Fi, and any IoT devices on separate network segments limits how far an attacker can move if they get in. It's a force multiplier for everything else on this list.
Documented security policies. Written acceptable use policies, password policies, and an incident response plan. Some insurers offer premium discounts just for having these documents in place, because they signal a mature approach to security.
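The "tested" in tested backups means actually restoring and checking the result, not just confirming the job ran. As an added example (not code from the original post or its authors), here is a small Python script that creates a backup archive with a SHA-256 manifest, restores it into a scratch directory, and compares every restored file against the manifest. The sample files, the tampered manifest, and the truncated archive are constructed inline to show one healthy restore and two failure modes a quarterly restore test should catch; in practice the manifest would be stored beside the archive at the offsite location.

```python
"""Restore-test a backup archive against a SHA-256 manifest (added example)."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, archive: Path) -> dict:
    """Write a .tar.gz of `source` and return a manifest {relative path: sha256}."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_of(p)
                tar.add(p, arcname=rel)
    return manifest


def restore_test(archive: Path, manifest: dict) -> dict:
    """Extract `archive` into a scratch directory and verify it against `manifest`.

    'ok' is True only when the archive opens cleanly and every expected file
    restores with the expected hash and nothing extra appears.
    """
    report = {"ok": False, "missing": [], "mismatched": [], "unexpected": [], "error": None}
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                for member in tar.getmembers():
                    # Refuse entries that would write outside the restore directory.
                    if member.name.startswith("/") or ".." in Path(member.name).parts:
                        raise ValueError(f"unsafe path in archive: {member.name}")
                # Newer Pythons provide the 'data' extraction filter; fall back otherwise.
                kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(dest, **kwargs)
        except (tarfile.TarError, OSError, ValueError, EOFError) as exc:
            report["error"] = f"{type(exc).__name__}: {exc}"
            return report  # a backup that won't even extract has failed the test

        restored = {p.relative_to(dest).as_posix(): sha256_of(p)
                    for p in dest.rglob("*") if p.is_file()}
        for rel, digest in manifest.items():
            if rel not in restored:
                report["missing"].append(rel)
            elif restored[rel] != digest:
                report["mismatched"].append(rel)
        report["unexpected"] = sorted(set(restored) - set(manifest))
        report["ok"] = not (report["missing"] or report["mismatched"] or report["unexpected"])
    return report


def demo() -> dict:
    """Run the restore test on a constructed sample backup in three conditions."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "data"
        (src / "customers").mkdir(parents=True)
        # Constructed sample data, not real records.
        (src / "customers" / "records.csv").write_text("id,name\n1,Example Co\n")
        (src / "config.json").write_text('{"retention_days": 30}\n')

        archive = root / "backup.tar.gz"
        manifest = make_backup(src, archive)

        healthy = restore_test(archive, manifest)

        # Case 2: the manifest no longer matches the archive (file changed after hashing).
        tampered = dict(manifest)
        tampered["config.json"] = "0" * 64
        mismatch = restore_test(archive, tampered)

        # Case 3: the copy at the offsite location was truncated in transfer.
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])
        truncated = restore_test(archive, manifest)

        return {
            "healthy_ok": healthy["ok"],
            "mismatch_ok": mismatch["ok"],
            "mismatched_files": mismatch["mismatched"],
            "truncated_ok": truncated["ok"],
            "truncated_error": truncated["error"] is not None,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the script is the failure paths: a backup that will not extract, or extracts files whose hashes do not match the manifest, fails the test loudly, which is exactly the evidence an underwriter asking for "documented and tested" backups wants to see. Scheduling this against a real archive each quarter and keeping the report is the documentation.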
If you want to know where your business stands on these controls, the free Cybersecurity Essentials Guide we put together is a good place to start. It covers each of these areas in plain English without trying to sell you anything.
Probably yes — but the answer depends on your specific situation.
If any of the following are true, cyber insurance belongs in your budget:
For most businesses, that list covers you. The question isn't really whether to get cyber insurance — it's whether to get it as a standalone policy, add it as an endorsement to your existing commercial policy, or roll it into a broader package. Talk to a commercial insurance broker who specializes in this space. Not every general liability broker does.
What we'd caution against is buying the cheapest available policy without understanding what you're actually getting — and then treating it as a substitute for real security. Insurance is what you fall back on when prevention fails. It's not Plan A. The businesses that come out of a cyber incident the best are the ones that have both: security controls that reduce the likelihood of a breach, and insurance that limits the financial damage if one happens anyway.
If you want to understand what your actual security posture looks like — and what you'd need to do to satisfy an insurer's underwriting requirements — we're happy to walk through it with you. That's exactly the kind of conversation we have in a free consultation. No pitch, no obligation. Just an honest picture of where you stand and what would make the biggest difference. See our services page for more on what that looks like.