
How to Know If Your Small Business Is Ready for Cyber Insurance

April 13, 2026 (5 min read)

Cyber insurance used to be simple to get. You filled out a short application, answered a few basic questions, and got a policy. That changed around 2021 when insurers started paying out large claims and realized many policyholders had almost no security controls in place. Today, insurers ask detailed questions about your technical setup, and some require third-party verification. If you are applying for the first time or renewing an existing policy, here is what they are looking for.

Why insurers are asking harder questions

Ransomware claims exploded over the past several years. Insurers paid out hundreds of millions of dollars to businesses that had minimal security in place. In response, underwriters tightened requirements significantly. Many insurers now deny applications or cancel renewals if certain controls are not in place.

This is not just about getting coverage. It is about whether a claim will actually be paid. Having a policy does not help you if the insurer denies the claim because you did not meet the security requirements you agreed to when you signed up.

Controls insurers commonly require

  • Multi-factor authentication on email, remote access, and admin accounts — this is now a near-universal requirement
  • Endpoint detection and response (EDR) on all devices, not just basic antivirus
  • Offsite or cloud backups that are tested regularly and kept separate from the main network
  • A documented incident response plan and, increasingly, a business continuity plan
  • Email security controls including spam filtering and anti-phishing measures
  • Patch management — current operating systems and software with a regular update schedule
  • Privileged access controls limiting who has admin-level access to your systems
  • Security awareness training for staff on at least an annual basis

What the application process looks like now

Most applications now run to several pages and ask specific technical questions. Do you have MFA on all remote access? Do you use EDR? Are backups stored offsite? What is your patch cadence? Some insurers send a security questionnaire that takes an hour or more to complete accurately.

If you answer yes to controls you do not actually have, and then file a claim, the insurer will investigate. Misrepresentation on an application can void a policy entirely. It is worth taking the time to answer honestly and to fix gaps before you apply.

How to prepare before applying or renewing

  1. Audit what you actually have in place. Not what you think you have — what is confirmed and running on every device and account.
  2. Enable MFA on Microsoft 365, any cloud applications, and especially any remote access tools like VPNs or remote desktop.
  3. Make sure your backup is current, tested, and stored separately from your main systems. A backup that has not been tested is not a backup.
  4. Document your incident response process, even in a simple one-page format. Insurers want to see that you have thought through what happens if something goes wrong.
  5. Review the application questions with your IT provider before submitting. They should be able to confirm what controls are in place and flag anything that needs attention.

What coverage to look for

A basic cyber policy should cover first-party losses: ransomware payments, data recovery costs, business interruption, and notification expenses if client data is exposed. Third-party liability coverage protects you if a client sues because their data was compromised in a breach at your firm.

For a small business handling client data — especially financial records or personal information — both types of coverage matter. Talk to your broker about what is included in your specific policy and what the sublimits are for ransomware payments and business interruption.

We help small businesses in the Chicago area get their security controls in order before a cyber insurance application or renewal. If you want a clear picture of where you stand against what insurers currently require, a free security assessment is a good place to start.

ITM Consulting
