Every small business owner has heard the pitch: “You need cyber insurance.” Your insurance broker has probably mentioned it. Maybe your accountant has. Maybe a vendor requires it in their contract.
But when you look at the premium — and the dense policy language — it’s fair to ask: do you actually need this? And if you do, how do you make sure you’re getting coverage that will actually pay out when something goes wrong?
Here’s the honest breakdown.
What cyber insurance actually covers
A cyber insurance policy generally splits into two categories: first-party coverage (costs you incur) and third-party coverage (claims others bring against you).
First-party coverage typically includes:
- Incident response costs — forensic investigation, breach coach attorneys, and crisis management consultants. These services alone can cost $50,000 to $500,000 depending on the scope of the breach.
- Business interruption — lost revenue and extra expenses while your systems are down. Ransomware attacks take the average small business offline for 7 to 21 days.
- Data restoration — costs to rebuild or recover data and systems after an attack.
- Ransom payments — reimbursement if you choose to pay a ransom (subject to OFAC sanctions compliance and carrier approval).
- Notification costs — mailing breach notifications, setting up call centers, and providing credit monitoring to affected individuals.
- Regulatory fines and penalties — coverage for fines from HIPAA, state privacy laws, PCI DSS, and other regulatory frameworks (where insurable by law).
Third-party coverage typically includes:
- Privacy liability — lawsuits from customers or employees whose data was exposed.
- Network security liability — claims arising from a security failure on your network that affects others, like passing malware to a client.
- Media liability — claims related to content you publish online (defamation, copyright infringement).
What it doesn’t cover
This is where businesses get burned. Cyber insurance has significant exclusions that you need to understand before you assume you’re protected.
- Known vulnerabilities left unpatched. If a critical vulnerability has been public for months and you didn’t patch it, your carrier may deny the claim. Policies increasingly include “minimum security standards” that must be maintained.
- Acts of war or nation-state attacks. Many policies exclude attacks attributed to nation-state actors. This exclusion has been tested in court (see the Merck/NotPetya case) and is being rewritten across the industry, but it remains a gray area.
- Fraudulent transfer of funds. Social engineering attacks — like business email compromise (BEC) where an employee wires money to a fraudulent account — are often covered under a separate “social engineering” endorsement, not the base policy. If you don’t have that endorsement, you may not be covered for one of the most common and costly attack types.
- Prior acts and pending claims. Events that occurred before your policy period or that you knew about before purchasing coverage are typically excluded.
- Failure to maintain security controls. If your application said you had MFA enabled and you didn’t, your carrier has grounds to deny coverage. Policy applications are increasingly specific about the controls they require, and misrepresentation can void your policy entirely.
How premiums are determined
Cyber insurance pricing has become significantly more sophisticated over the past few years. Carriers used to ask a handful of questions and quote a premium. Now, many carriers conduct external scans of your network, review your security questionnaire in detail, and may require evidence of specific controls before they’ll offer coverage.
Factors that affect your premium:
- Industry — Healthcare, financial services, and legal firms pay more because they hold sensitive data and face regulatory exposure.
- Revenue and employee count — larger organizations pay more because the potential exposure is greater.
- Security controls in place — MFA, endpoint detection and response (EDR), email filtering, backup practices, and security awareness training all directly impact your premium. Some are now table stakes — without MFA, many carriers won’t even offer a quote.
- Claims history — previous claims increase your premium, similar to auto insurance.
- Data types — if you store Social Security numbers, financial account data, or protected health information, your exposure (and premium) increases.
- Coverage limits and deductible — higher limits and lower deductibles mean higher premiums. A $1 million policy with a $10,000 deductible is the most common small business configuration.
For a small business with 10 to 50 employees, expect annual premiums between $1,500 and $7,500 for $1 million in coverage. Businesses in regulated industries or those without strong security controls will land at the higher end — or may face surcharges.
The real question: premiums vs. risk
The average cost of a data breach for a small business is approximately $150,000 when you factor in incident response, downtime, notification costs, and lost business. For businesses subject to HIPAA, PCI DSS, or state privacy regulations, that number climbs significantly.
Compare that to an annual premium of $3,000 to $5,000. The math isn’t complicated.
But here’s the nuance: cyber insurance is not a substitute for security. It’s a financial backstop. If your house doesn’t have smoke detectors, a fire alarm system, or fire extinguishers, homeowner’s insurance still exists — but your premiums are higher, your coverage may be limited, and the insurer may deny your claim if the fire was preventable.
Cyber insurance works the same way. It transfers financial risk. It doesn’t reduce the probability of an incident, the operational disruption, the reputational damage, or the stress of managing a crisis. Good security controls do that.
Compliance requirements are pushing the decision
For many businesses, cyber insurance is becoming less optional and more mandatory.
- FTC Safeguards Rule — requires financial institutions (including accounting firms, tax preparers, and auto dealers) to implement comprehensive security programs. Cyber insurance demonstrates risk transfer as part of that program.
- HIPAA — while not explicitly requiring cyber insurance, HHS expects covered entities to manage risk. Cyber insurance is a recognized risk management strategy.
- CMMC — defense contractors pursuing CMMC certification are increasingly expected to carry cyber insurance as part of their risk management framework.
- Client and vendor contracts — it’s increasingly common for larger companies, government agencies, and prime contractors to require cyber insurance as a condition of doing business. If you’re in a B2B relationship, check your contracts.
- State privacy laws — states like California (CCPA/CPRA), Colorado, Connecticut, and Virginia have privacy laws that create liability exposure. Cyber insurance helps manage that exposure.
How to get approved — and get a better rate
If you’re ready to purchase cyber insurance or renew your policy, here’s what carriers are looking for:
- Multi-factor authentication (MFA) on all email accounts, remote access, and privileged accounts. This is non-negotiable for most carriers.
- Endpoint detection and response (EDR) on all endpoints — traditional antivirus is no longer sufficient.
- Email filtering and anti-phishing — advanced email security that goes beyond basic spam filtering.
- Regular patching — a documented process for applying security updates within 30 days of release for critical vulnerabilities.
- Offsite, encrypted backups — tested regularly and not accessible from your primary network.
- Security awareness training — documented, recurring training for all employees.
- Incident response plan — a written plan that defines roles, contacts, and procedures for responding to a security incident.
- Privileged access management — controls around who has administrative access and how that access is managed.
Implementing these controls does double duty: it reduces your actual risk of an incident and lowers your insurance premium. Many carriers offer 10 to 25 percent discounts for organizations that can demonstrate mature security programs.
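Because a policy application that overstates your controls can void coverage (see the exclusions above), it helps to generate the evidence before you answer the questionnaire. The following is an added example, not code from the original post: it checks two of the controls carriers ask about, MFA on every email, remote-access and privileged account, and critical vulnerabilities patched within 30 days of release, against a constructed inventory (all account names, vulnerability ids and dates are hypothetical placeholders).

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

PATCH_SLA_DAYS = 30          # the 30-day patching window carriers look for
MFA_SCOPE = ("email", "remote", "admin")  # account kinds that must have MFA


@dataclass
class Account:
    user: str
    kind: str                # "email", "remote" or "admin"
    mfa_enabled: bool


@dataclass
class CriticalVuln:
    vuln_id: str
    released: date           # public release date of the fix
    patched: Optional[date]  # None means still unpatched


# Constructed sample inventory (hypothetical, not real systems or advisories).
ACCOUNTS = [
    Account("alice", "email", True),
    Account("bob", "remote", False),
    Account("svc-backup", "admin", True),
    Account("carol", "admin", False),
]
VULNS = [
    CriticalVuln("VULN-EXAMPLE-1", date(2024, 3, 1), date(2024, 3, 15)),
    CriticalVuln("VULN-EXAMPLE-2", date(2024, 4, 1), date(2024, 5, 20)),
    CriticalVuln("VULN-EXAMPLE-3", date(2024, 5, 1), None),
]
AS_OF = date(2024, 6, 15)    # the date the questionnaire is being filled in


def mfa_gaps(accounts):
    """In-scope accounts (email, remote, privileged) that lack MFA."""
    return [a.user for a in accounts if a.kind in MFA_SCOPE and not a.mfa_enabled]


def sla_breaches(vulns, as_of):
    """Criticals patched after the SLA, or still open past it: (id, days, still_open)."""
    breaches = []
    for v in vulns:
        age = ((v.patched or as_of) - v.released).days  # open vulns age until today
        if age > PATCH_SLA_DAYS:
            breaches.append((v.vuln_id, age, v.patched is None))
    return breaches


def attestation_ok(accounts, vulns, as_of):
    """True only if 'MFA everywhere' and 'criticals patched in 30 days' are both truthful."""
    return not mfa_gaps(accounts) and not sla_breaches(vulns, as_of)
```

Run on the sample data, the report lists bob and carol as MFA gaps and two vulnerabilities past the 30-day window, so the honest answer on the application would be "no" until those are fixed.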
The bottom line
If your business stores client data, processes payments, handles health information, or operates in a regulated industry, you should carry cyber insurance. It’s not a question of if something will happen — it’s a question of when, and whether you’ll have the financial resources to recover.
But don’t buy a policy and assume you’re protected. Read the exclusions. Understand what controls are required. And invest in the security fundamentals that actually prevent incidents — because the best claim is the one you never have to file.
Need help getting your security controls in place before your next renewal? Book a discovery call to discuss your security posture and identify gaps that could affect your coverage.