Every small business owner has heard the pitch: “You need cyber insurance.” Your insurance broker has probably mentioned it. Maybe your accountant has. Maybe a vendor requires it in their contract.
But when you look at the cost, questionnaires, and dense policy language, it’s fair to ask: do you actually need this? And if you do, how do you prepare without assuming the policy will solve every operational problem?
Here’s the honest breakdown.
What cyber insurance actually covers
A cyber insurance policy generally splits into two categories: first-party coverage (costs you incur) and third-party coverage (claims others bring against you).
First-party coverage typically includes:
- Incident response costs — forensic investigation, breach coach attorneys, and crisis management consultants. These services alone can cost $50,000 to $500,000 depending on the scope of the breach.
- Business interruption — lost revenue and extra expenses while your systems are down. Ransomware attacks take the average small business offline for 7 to 21 days.
- Data restoration — costs to rebuild or recover data and systems after an attack.
- Ransom payments — reimbursement if you choose to pay a ransom (subject to OFAC sanctions compliance and carrier approval).
- Notification costs — mailing breach notifications, setting up call centers, and providing credit monitoring to affected individuals.
- Regulatory fines and penalties — coverage for fines from privacy laws, payment-card obligations, and other regulatory frameworks where they apply and are insurable by law.
Third-party coverage typically includes:
- Privacy liability — lawsuits from customers or employees whose data was exposed.
- Network security liability — claims arising from a security failure on your network that affects others, like passing malware to a client.
- Media liability — claims related to content you publish online (defamation, copyright infringement).
What it doesn’t cover
This is where businesses get burned. Cyber insurance has significant exclusions that you need to understand before you assume you’re protected.
- Known vulnerabilities left unpatched. If a critical vulnerability has been public for months and you did not patch it, your carrier may challenge the claim. Policies increasingly include “minimum security standards” that must be maintained.
- Acts of war or nation-state attacks. Many policies exclude attacks attributed to nation-state actors. This exclusion has been tested in court (see the Merck/NotPetya case) and is being rewritten across the industry, but it remains a gray area.
- Fraudulent transfer of funds. Social engineering attacks — like business email compromise (BEC) where an employee wires money to a fraudulent account — are often covered under a separate “social engineering” endorsement, not the base policy. If you don’t have that endorsement, you may not be covered for one of the most common and costly attack types.
- Prior acts and pending claims. Events that occurred before your policy period or that you knew about before purchasing coverage are typically excluded.
- Failure to maintain security controls. If your application said you had MFA enabled and you did not, your carrier may challenge coverage. Policy applications are increasingly specific about required controls, and misrepresentation can create serious coverage problems.
How carriers evaluate pricing and readiness
Cyber insurance underwriting has become more evidence-driven over the past few years. Carriers used to ask a handful of questions. Now, many carriers conduct external scans, review security questionnaires in detail, and may ask for proof of specific controls before quoting or renewing coverage.
Factors that commonly affect underwriting questions and pricing:
- Industry and data sensitivity — organizations that hold more sensitive data or have higher downtime risk usually pay more.
- Revenue and employee count — larger organizations pay more because the potential exposure is greater.
- Security controls in place — MFA, managed endpoint protection, email filtering, backup practices, and security-awareness training are common questionnaire topics. Some are now table stakes — without MFA, many carriers may not quote or renew.
- Claims history — previous claims can change underwriting scrutiny and pricing, similar to other insurance lines.
- Data types — if you store Social Security numbers, financial account data, or protected health information, your exposure and evidence burden usually increase.
- Coverage limits and deductible — higher limits and lower deductibles generally change pricing and review expectations.
For a small business with 10 to 50 employees, pricing varies widely by industry, revenue, controls, claims history, and data exposure. Treat any online benchmark as a starting point for broker conversations, not a promise.
The real question: insurance vs. operational risk
Incident response, downtime, notification costs, lost business, and recovery work can become expensive quickly. If privacy, payment-card, contractual, or customer-notification obligations apply, the burden can climb significantly.
The decision is not just “policy cost versus incident cost.” The better question is whether you can keep the business operating, prove you maintained required controls, and recover cleanly after an incident.
But here’s the nuance: cyber insurance is not a substitute for security. It’s a financial backstop. If your house has no smoke detectors, fire alarm system, or fire extinguishers, you may still be able to buy homeowner’s insurance, but after a fire the insurer will look at whether you maintained those controls, and a preventable fire is a harder claim to defend.
Cyber insurance works the same way. It transfers financial risk. It doesn’t reduce the probability of an incident, the operational disruption, the reputational damage, or the stress of managing a crisis. Good security controls do that.
Business expectations are pushing the decision
For many businesses, cyber insurance is becoming less optional and more expected.
- Client and vendor contracts — it’s increasingly common for larger companies and business partners to require cyber insurance as a condition of doing business. If you’re in a B2B relationship, check your contracts.
- Banks and lenders — financing, merchant services, and other business relationships may ask how you manage cyber risk.
- Insurance underwriting — carriers increasingly expect proof that basic controls are in place before they quote, renew, or adjust terms.
- State privacy laws — states like California (CCPA/CPRA), Colorado, Connecticut, and Virginia have privacy laws that create liability exposure. Cyber insurance helps manage that exposure.
How to prepare for underwriting and renewal conversations
If you’re ready to purchase cyber insurance or renew your policy, these are the control areas carriers commonly ask about:
- Multi-factor authentication (MFA) on all email accounts, remote access, and privileged accounts. This is non-negotiable for most carriers.
- Managed endpoint protection on company devices, with status reporting and alert handling — traditional antivirus alone is usually not enough.
- Email filtering and phishing protection that goes beyond basic spam filtering.
- Regular patching — a documented process for applying security updates within 30 days of release for critical vulnerabilities.
- Offsite, encrypted backups — tested regularly and not accessible from your primary network.
- Security awareness training — documented, recurring training for all employees.
- Incident response plan — a written plan that defines roles, contacts, and procedures for responding to a security incident.
- Administrative access controls — clarity on who has admin access, how exceptions are approved, and how that access is reviewed.
Implementing these controls does double duty: it reduces your actual risk of an incident and gives you stronger evidence for underwriting, renewal, and claim-support conversations. Some carriers may offer better terms when controls are mature and documented, but the defensible goal is readiness and proof — not assuming a promised outcome.
The bottom line
If your business stores client data, processes payments, depends on email, or cannot operate without its systems, you should seriously evaluate cyber insurance. It’s not a question of if something will happen — it’s a question of when, and whether you’ll have the financial resources to recover.
But don’t buy a policy and assume you’re protected. Read the exclusions. Understand what controls are required. And invest in the security fundamentals that actually prevent incidents — because the best claim is the one you never have to file.
Need help preparing a practical evidence packet before your next renewal? Book a discovery call to review your security baseline, identify gaps, and prioritize the next 90 days of security work.