The Claim That Wasn't Covered
A startup founder shared this story: ransomware hit, they paid the ransom, filed a claim—and the insurer denied it. Why? Their policy excluded ransomware payments. They assumed "cyber insurance" meant "covered for cyber stuff." It doesn't work that way.
Cyber insurance is increasingly essential—and increasingly complex. Premiums have doubled in recent years. Insurers are adding exclusions. Application questionnaires look like SOC 2 audits. Getting the right coverage at the right price requires understanding what you're actually buying.
This guide explains cyber insurance for startup and SMB leaders: what it covers, what it doesn't, and how to buy it intelligently.
What Cyber Insurance Actually Covers
Cyber insurance typically includes two main categories: first-party coverage (your losses) and third-party coverage (claims against you).
First-Party Coverage
Third-Party Coverage
Cyber insurance is not "breach insurance." It's a collection of specific coverages, each with its own limits, deductibles, and exclusions. Read the actual policy language—"cyber insurance" means different things on different policies.
Common Exclusions (What's NOT Covered)
These exclusions catch many companies by surprise:
- Known Vulnerabilities — Breaches from unpatched vulnerabilities you knew about.
- Failure to Maintain Security — If the controls you represented on the application weren't actually in place or weren't kept in place.
- Acts of War/Nation-State — Attacks attributed to foreign governments (NotPetya claims were denied).
- Prior Acts — Breaches that occurred before the policy period.
- Contractual Liability — Some SLA penalties or contractual damages.
- Bodily Injury/Property Damage — Physical harm (need general liability for that).
- Criminal Fines — Many jurisdictions don't allow insuring criminal penalties.
The "war exclusion" is becoming a major issue. Insurers are denying claims for attacks attributed to Russia, China, or North Korea. Some policies now have explicit "cyber war" exclusions. Ask specifically how your policy handles nation-state attacks.
How Much Coverage Do You Need?
Factors That Determine Coverage Amount
- Data Volume — More records = higher breach costs (notification, credit monitoring)
- Data Sensitivity — Health/financial data has higher per-record costs
- Revenue — Business interruption coverage should match potential lost revenue
- Industry — Some industries face higher regulatory fines and litigation
- Customer Contracts — Many enterprise contracts require minimum coverage amounts
Coverage Benchmarks by Company Size
Average breach cost is ~$165 per record (IBM). If you have 50,000 customer records, that's $8.25M potential exposure—before legal fees, regulatory fines, or business interruption. Size coverage to actual exposure, not arbitrary numbers.
The Application Process
What Insurers Ask About
Cyber insurance applications have become detailed security assessments. Expect questions about:
Technical Controls:
- MFA on email and remote access
- Endpoint detection and response (EDR)
- Email security (filtering, DMARC)
- Backup and recovery procedures
- Patch management practices
- Network segmentation
Operational Controls:
- Security awareness training
- Incident response plan
- Vendor management program
- Access control policies
- Previous breaches or claims
- Compliance certifications
Controls That Affect Pricing
These controls have the biggest impact on whether you get coverage and at what price:
- MFA Everywhere — #1 factor. No MFA on email/VPN = no coverage or massive premium.
- EDR/XDR — Endpoint detection is increasingly required, not optional.
- Backup Testing — Untested backups don't count. Prove you can recover.
- Email Security — Phishing is the top attack vector. DMARC and filtering matter.
- Privileged Access Management — How you control admin access affects rates.
MFA on email and remote access is now table stakes. Many insurers won't quote without it. If you don't have MFA deployed, implement it before shopping for insurance—you'll save significant premium and may not get coverage otherwise.
Shopping for Cyber Insurance
Working with Brokers
- Use a Specialist — Cyber insurance is complex. General brokers may miss nuances.
- Get Multiple Quotes — Prices vary significantly between carriers.
- Compare Coverage, Not Just Price — Cheaper policies often have more exclusions.
- Ask About Claims — How does this carrier handle claims? What's their reputation?
Key Questions to Ask
- Is ransomware/extortion covered? With what sublimit?
- How is "war" or nation-state attack defined?
- What's the waiting period for business interruption?
- Are regulatory fines covered (where legal)?
- Do I have to use pre-approved vendors for incident response?
- How does the claims process work?
- What could void my coverage?
Common Cyber Insurance Mistakes
Mistake 1: Assuming "Cyber Insurance" Covers Everything
Read the policy. Understand what's covered and what's excluded. Many companies discover exclusions only when filing a claim—which is too late.
Mistake 2: Lying on the Application
Application misrepresentation can void your policy entirely. If you say you have MFA everywhere but you don't, the insurer can deny claims. Be accurate—gaps are better disclosed than discovered.
Mistake 3: Not Updating Coverage
Your coverage should grow with your business. If you had $1M coverage at $2M revenue and now you're at $20M revenue, you're probably underinsured.
Mistake 4: Ignoring Policy Requirements
Many policies require specific actions after a breach: notify the insurer within X hours, use approved vendors, get approval before paying ransom. Missing these steps can reduce or eliminate coverage.
When You Need Cyber Insurance
Definitely Get Coverage If:
- You handle customer PII or sensitive data
- Enterprise customers require it
- You process payments
- A breach would threaten business survival
- You're in a regulated industry
Consider Carefully If:
- Very early stage with minimal data
- Budget is extremely tight
- You have strong security controls already
- You can self-insure smaller incidents
- Premium exceeds likely incident cost
Quick Start: Your First Week
Day 1-2: Assess Your Baseline
Do you have MFA on email and remote access? EDR deployed? Tested backups? These basics affect insurability and pricing.
Day 3: Calculate Exposure
How many records? What type of data? What's your potential breach cost? This determines coverage amount needed.
Day 4-5: Talk to Brokers
Contact 2-3 cyber insurance specialists. Get quotes. Compare coverage terms, not just price.
Day 6-7: Review and Decide
Read policy language for key coverages and exclusions. Understand what's actually covered before you buy.
Next Steps
Cyber insurance is risk transfer—but it's not risk elimination. The best insurance strategy combines good coverage with strong security controls that reduce the likelihood of needing to file a claim.
Start with your controls. MFA, EDR, and tested backups will get you better coverage at better rates—and reduce your actual risk, which is the point.
Building your security program? vCISO Lite helps you implement the controls insurers want to see, track your security posture, and provide documentation that simplifies insurance applications and renewals.