Cyber insurance has changed dramatically in the last three years. What used to be a rubber-stamp process is now a detailed security questionnaire, and answering it incorrectly has real consequences. Here is what you need to know before you buy a policy and before you file a claim.

What Cyber Insurance Covers

A standard cyber liability policy for small businesses typically covers first-party losses (damage to your own business) and third-party liability (claims from customers or partners whose data was affected).

First-party coverage includes: incident response costs, forensic investigation, data recovery, business interruption losses during an attack, ransomware payment (in some policies), and crisis communication costs.

Third-party coverage includes: legal defense if customers sue over a data breach, regulatory fines and penalties in some jurisdictions, and notification costs when you are legally required to tell customers their data was exposed.

What Gets Claims Denied

Cyber insurance claims are denied more frequently than people realize. The most common reasons:

Misrepresentation on the application. You answered yes to "do you have MFA on email" when you did not, or when it was enabled for some users but not enforced for all. After a breach, the insurer investigates. If they find you misrepresented your security posture on the application, they can deny the claim and potentially rescind the policy. Answer every question as your environment actually is on the day you sign, and keep the evidence (tenant settings, audit exports, screenshots) that backs each answer.

Known vulnerabilities. If you had an unpatched system with a known, public vulnerability and attackers exploited it, some policies have exclusions for "known vulnerabilities left unremediated." This is increasingly common. What counts as "known" and how long you had to remediate it is set by the policy wording, so read it and make sure your patching cadence and any documented exceptions can meet it.

War and nation-state exclusions. Attacks attributed to nation-state actors may be excluded under war clauses. This exclusion has been contested in several high-profile cases, and the exact wording of the clause matters. Read your policy carefully.

Business interruption sub-limits. Many policies have separate, lower sub-limits for business interruption losses. You may be covered for $500,000 in breach costs but only $50,000 in lost revenue during the outage.

What Insurers Now Require

The underwriting process for cyber insurance has become significantly more rigorous since 2021. Controls that were optional are now mandatory for coverage at any reasonable premium:

MFA on email and remote access. No exceptions. If you do not have MFA on Microsoft 365, Google Workspace, and any VPN or remote desktop access, you will either be denied coverage or pay substantially higher premiums.

Endpoint detection and response (EDR). Basic antivirus is no longer sufficient. Most insurers now require modern EDR software on all endpoints.

Privileged account management. Admin accounts should not be used for day-to-day work: give administrators a separate privileged account that requires MFA, and log what it does.

Tested backups. Backups should be kept offline or on immutable storage, and you should regularly restore from them rather than only write to them. If ransomware can reach your backups, you do not have effective backups in the eyes of your insurer.
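The "tested" part of that last requirement is the one most businesses skip: a backup that has never been restored is a hope, not a control. The script below is an added example, not Blackhount's tooling and not from any insurer; it backs up a constructed sample directory, restores it somewhere else, and verifies every restored file against a SHA-256 manifest taken at backup time, which is the minimum evidence you can show that a restore actually works. It does not prove the backup is offline or immutable; that is a property of where the archive is stored.

```python
"""Backup restore test (added example): archive a directory, restore it, verify hashes.

Assumptions: the backup is a tar.gz archive on local disk and the sample data is
constructed here for the demonstration. Everything runs in a temporary directory.
"""
from __future__ import annotations

import hashlib
import tarfile
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its SHA-256 digest."""
    manifest: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def create_backup(source: Path, archive: Path) -> dict[str, str]:
    """Write source into a gzip tar archive and return the manifest taken at backup time."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="data")
    return manifest


def restore_backup(archive: Path, dest: Path) -> Path:
    """Extract the archive into dest and return the root of the restored tree."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # The "data" filter rejects absolute paths and ../ traversal inside the archive.
            tar.extractall(dest, filter="data")
        except TypeError:  # older Python without the filter argument
            tar.extractall(dest)
    return dest / "data"


def verify_restore(manifest: dict[str, str], restored_root: Path) -> list[str]:
    """Return a list of problems; an empty list means the restore matches the manifest."""
    problems: list[str] = []
    restored = build_manifest(restored_root)
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"hash mismatch: {rel}")
    for rel in sorted(restored.keys() - manifest.keys()):
        problems.append(f"unexpected: {rel}")
    return problems


# Constructed sample data for the demonstration; not real customer data.
SAMPLE_FILES = {
    "db/customers.sql": b"INSERT INTO customers VALUES (1, 'alice');\n",
    "docs/policy.txt": b"cyber policy wording goes here\n",
    "config/app.ini": b"[app]\nmfa=true\n",
}


def run_restore_test(tamper: bool = False) -> list[str]:
    """Back up, restore and verify the sample tree. tamper=True simulates a bad restore."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source, archive, restore = base / "source", base / "backup.tar.gz", base / "restore"
        for rel, content in SAMPLE_FILES.items():
            (source / rel).parent.mkdir(parents=True, exist_ok=True)
            (source / rel).write_bytes(content)
        manifest = create_backup(source, archive)
        restore.mkdir()
        restored_root = restore_backup(archive, restore)
        if tamper:
            # Simulate a restore that silently came back wrong (truncated database dump).
            (restored_root / "db/customers.sql").write_bytes(b"-- truncated\n")
        return verify_restore(manifest, restored_root)


if __name__ == "__main__":
    print("clean restore problems:", run_restore_test())
    print("tampered restore problems:", run_restore_test(tamper=True))
```

Run it on a schedule against a real restore target and keep the output: a dated log of clean restore results is exactly the kind of evidence an insurer asks for when the questionnaire says "backups are tested regularly."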

The Security Assessment Connection

Several insurers now offer premium discounts for businesses that can produce a third-party security assessment report. Showing your insurer that a professional reviewed your posture and that you remediated the findings demonstrates good faith and lowers the risk they assign to you.

Blackhount's security assessment ($299) produces a written report you can provide to your insurer. Contact us and we will discuss what your specific insurer is likely to want to see.

Talk to Blackhount