Cybersecurity Insurance in 2026 — What It Covers and What It Doesn’t

By Tyrone E. Wilson | Cover6 Solutions

Cyber insurance has become a standard recommendation for small businesses — and for good reason. But the gap between what business owners expect their policy to cover and what it actually pays out has caused enormous frustration and financial pain after incidents. Understanding the real landscape of cyber insurance in 2026 — what’s covered, what’s excluded, and what insurers now require before they’ll underwrite you — is essential for making informed decisions about coverage and risk management.

What Cyber Insurance Actually Covers

Most cyber insurance policies cover two broad categories: first-party losses (costs your organization incurs directly) and third-party liability (claims made against you by others).

First-party coverage typically includes:
  • Forensic investigation costs to determine how a breach occurred
  • Breach notification expenses, including credit monitoring for affected individuals
  • Crisis communications and public relations costs
  • Business interruption losses during system downtime (subject to waiting periods and sub-limits)
  • Cyber extortion payments and ransom negotiation services
  • Data restoration costs

Third-party liability coverage typically includes:
  • Defense costs and settlements for lawsuits alleging that your security failure caused harm to others
  • Regulatory defense costs
  • Privacy liability claims

The scope of coverage varies significantly by carrier and policy, and the distinction between first-party and third-party coverage matters enormously when it comes to limit adequacy.

The Exclusions That Surprise Business Owners

The exclusions in cyber insurance policies are where the real surprises live.
  • Social engineering and fraudulent funds transfer — where an employee is tricked into wiring money to an attacker — are excluded from many base policies and require a specific endorsement.
  • War and nation-state exclusions have become more prominent since Lloyd’s of London issued guidance in 2022 requiring nation-state attack exclusions; if your incident is attributed to a state-sponsored actor, coverage may be denied.
  • System failures and infrastructure outages not caused by a malicious actor are typically excluded.
  • Unencrypted data: if your policy requires encryption and you store sensitive data in plaintext, a breach of that data may fall outside coverage.
  • Bodily injury and property damage resulting from a cyber incident are excluded from cyber policies and must be addressed by general liability coverage.
  • Perhaps most critically, known vulnerabilities or incidents that began before the policy inception date are excluded, meaning you can’t buy coverage after discovering you’ve been breached.

Why Cyber Insurance Premiums Tripled

Between 2020 and 2022, cyber insurance premiums increased by 200–300% as carriers absorbed losses from the ransomware surge of that era. Colonial Pipeline, Kaseya, and dozens of high-profile ransomware incidents made insurers recalibrate their models. The market has stabilized somewhat since 2023, but premiums remain significantly elevated compared to pre-pandemic levels. Insurers responded to the claims surge by raising premiums, reducing limits, increasing deductibles and co-insurance requirements, and dramatically tightening underwriting standards. Organizations that could formerly get coverage with minimal security controls now face detailed security questionnaires, attestation requirements, and in some cases third-party security assessments before coverage is bound. The result is that cyber insurance has effectively become a forcing function for basic security hygiene — which, from a systemic risk perspective, is arguably a positive development.

What Insurers Require Before They’ll Cover You

  • Multi-factor authentication: Now considered a baseline requirement. Policies without MFA on email and remote access are often declined or rated at significantly higher premiums.
  • Endpoint detection and response (EDR): Many carriers now require EDR rather than traditional antivirus for coverage of ransomware incidents.
  • Privileged access management: Controls on administrative accounts, including MFA for all admin access and separation of privileged from standard user accounts.
  • Immutable or segregated backups: Backups that cannot be encrypted by ransomware — either offline, immutable cloud backups, or air-gapped systems.
  • Patch management program: Evidence that critical patches are applied within a defined window, particularly for internet-facing systems.
  • Incident response plan: A documented IR plan and, increasingly, evidence of testing through tabletop exercises.

Is Cyber Insurance Worth It for Small Businesses?

For most small businesses, yes — cyber insurance is worth carrying, but it should be the last line of defense, not the first. The mistake is treating insurance as a substitute for security controls rather than a complement to them. A business with strong security controls will pay lower premiums, face fewer incidents, and have a much more straightforward claims experience when something does happen. A business that relies on insurance to bail it out without investing in controls will find premiums unaffordable, coverage terms restrictive, and claims disputed. The right approach is to implement the baseline security controls that both reduce your incident probability and qualify you for better coverage, then purchase a policy with limits appropriate to your revenue and data risk profile, and review coverage annually as your environment and risk profile evolve.

Need Help Securing Your Organization?

Cover6 Solutions provides vCISO services, compliance consulting, and cybersecurity assessments for small businesses and defense contractors.

