Cyber Insurance for SMBs: What It Really Covers (and How to Qualify Without the Headache)
Cyber insurance has become essential for small and midsize businesses—but premiums, exclusions, and stricter questionnaires are tripping many SMBs up. Below: what’s typically covered, why applications fail, and a practical in-page checklist to raise your eligibility and lower risk.
Why cyber insurance matters for SMBs
Real costs
Forensics, recovery, legal notifications, PR, lost revenue.
Partner demands
Banks, payment processors, retailers, and hospitals increasingly require active policies
Contracts
More agreements now include cyber and data-protection clauses.
What cyber insurance usually covers (quick view)
- Incident response: forensics, containment, restoration.
- Liability: legal defense and settlements for data exposure.
- Notification & credit monitoring for affected individuals.
- Ransomware: negotiation and (depending on policy) reimbursement with limits/exclusions.
- Business interruption: lost income during downtime.
Note: Coverage and limits vary. Many policies exclude events if basic controls aren’t in place (MFA, EDR, tested backups, patching, logging, security awareness).
Why many SMBs get denied—or overpay
- Partial MFA (email only; no VPN/RDP/admin).
- Backups without isolation/air-gap or without restore tests.
- Missing or inconsistent EDR coverage.
- Weak patch management and centralized logging.
- No phishing training or simulations.
In-Page Checklist: 12 Controls That Improve Eligibility & Premiums
Use this as a quick self-assessment.
- MFA everywhere (email, VPN, RDP, SaaS, admin).
- 3-2-1 backups with one offline/air-gapped + monthly restore tests.
- EDR deployed on all endpoints with active alerting.
- Patch management (SLA ≤30 days; critical <7 days).
- Asset/software inventory that’s always current.
- Role-based access and least privilege.
- Email hardening: SPF, DKIM, DMARC.
- Centralized logging (SIEM or equivalent) with ≥90-day retention.
- Email/web filtering; block risky macros.
- Quarterly micro-trainings and phishing simulations.
- Incident response plan with contacts/escalation and forensics partner.
- Core policies: password, AUP, backup, BYOD.
If you check fewer than 9/12, book a 20-minute review to prioritize next steps.
How to handle the insurer’s questionnaire (without losing a week)
Answer with evidence
Screenshots/exports proving MFA, EDR coverage, backup success, retention, policies.
Be consistent
declarations must match what you actually enforce.
Assign owners
Per section**:** identity, endpoints, backups, networks, awareness.
Attach a 1-page posture summary
that maps to the 12 controls.
Pricing & limits: what to expect in 2025
- Premiums: driven by industry, revenue, loss history, and controls.
- Limits: common SMB ranges are $250k–$1M; ransomware may carry sub-limits.
- Retentions: higher with prior claims or weak controls.
Pitfalls that can void coverage
- Claiming “MFA everywhere” but only having it on email.
- Retaining logs for 7 days when the policy expects ≥90.
- Late notification to the insurer.
- Paying a ransom without insurer consent.
Want help reviewing your checklist and answering the insurer’s questions?
Book a 20-minute consultation with our team → book a call