How Much Cybersecurity Insurance Do I Actually Need?

Insurance can’t fix what you haven’t secured. Are you overpaying or under-protected?

The trick with cybersecurity—and cyber insurance—is that it’s a moving target. The threats evolve, your business changes, and what worked a year ago might not work today. It’s easy to think of cyber insurance as a safety net, but there’s a catch: it’s only a safety net if you can prove you’ve done your part.

Let’s break this down.

The Price of Novice Security

If you don’t invest in basic cybersecurity measures, you’re not just leaving yourself open to attack, you’re also going to pay more for cyber insurance. Reports from cybersecurity insurance providers show that businesses with novice controls pay 2.5x more when incidents occur.

If you don’t have common, baseline technology controls like multi-factor authentication (MFA), endpoint encryption, or a written incident response plan, you’re a higher risk.

You’ll pay more, and when a breach happens, you might not even get your payout if the insurer finds you didn’t meet the conditions outlined in the policy. It’s not just about having a policy; it’s about maintaining the security measures you promised.

Why Claims Get Denied

Here’s something people don’t talk about enough: 45% of cyber insurance claims get disputed. Insurers find reasons to deny claims when they can, and if they can show you were out of compliance with your own security questionnaire, that’s grounds for at least partial denial. If you said you had multi-factor authentication (MFA) across the board but only implemented it for some of your accounts and systems, you could lose the claim entirely.

This is where the real value of a cybersecurity program comes in. Build a defensible position with “reasonable” security measures so that if you do need to file a claim, you’ve done things by the book. That means having policy guidance, account controls, regular updates, ongoing employee training, and - critically - the ability to prove it when asked.

Know What You’re Actually Covered For

Another area businesses stumble on is understanding what their policy actually covers. It’s tempting to sign and move on, but ignorance is not bliss here: cyber insurance isn’t a catch-all. Consider:

  • Business email compromise (BEC) - Your insurer might cover the cost of the breach itself, but what if the attacker used your compromised mailbox to initiate a fraudulent wire transfer? Is that covered? Make sure your policy explicitly covers ACH and wire fraud (insurers usually sell this as “funds transfer fraud” or “social engineering” coverage, often with its own sub-limit).
    • And make sure your accounting department verifies any request to change ACH or wire destinations through an independent channel - a call-back to a number already on file, not a number or link supplied in the request - before making the change.
  • Ransomware - Some policies cover ransom payments but cap the payout. If you’re facing a $1 million ransom and your policy has a $200,000 limit, that’s a problem. Fortunately, tested backups that the attacker can’t reach (offline or immutable) take away much of the extortion leverage, and most ransom demands are negotiated down.
  • Third-party coverage - If a client or partner suffers damages due to a breach in your systems, will your policy cover their claims against you?

These details matter. Ask your insurer specific questions about limits and exclusions. It’s easy to think you’re protected until a breach happens, and suddenly you’re navigating the fine print.

It’s All About Risk

For an accessible read on cyber risk in business, see Ryan McGeehan’s The Value Of Risk Organizations. A few factors go into calculating insurance premiums:

  • Risk exposure (what your questionnaire answers say about your controls)
  • Your business (revenue and complexity)
  • Base rates (your past claim history, industry breach data)
  • The regulatory environment (regulators who can fine you for non-compliance with HIPAA, GLBA/FTC Safeguards, PCI DSS, CMMC, etc.)

You have most control over your risk exposure through a solid cybersecurity risk management program - i.e. policies, procedures, and technical controls.

What Should You Be Spending on Cyber Insurance?

When you’re figuring out how much insurance you need, these are the numbers that matter. Blanket coverage might seem like a good idea, but if you’re not sizing it to your actual exposure, you’re either overpaying or under-protected.

Here’s a rough guideline based on the above factors:

  1. Risk Exposure: Take a look at your most vulnerable points. Do you have a documented information security program? Have you had an expert evaluate your systems, applications, and controls for weaknesses?
  2. What about your financials? How much money moves through your business in a typical three-month period? Look at how quickly you could bounce back from downtime. If a breach froze your systems for a week, how much would that cost in terms of lost revenue, customer trust, and cleanup?
  3. How much does ransomware extortion typically cost similar-sized organizations? Common ACH and wire fraud amounts?
  4. What data do you maintain or process? What industry are you in? What cybersecurity regulations are you under? HIPAA Security Rule? GLBA FTC Safeguards? CMMC? Each record of sensitive data you store could cost $160+.

The good news is that things aren’t as dire as most news articles make them out to be.

“…losses from cyber incidents are significantly lower than losses from other operational risks such as improper business or market practices, disaster and other events, product flaws, theft and fraud” (Biener et al., 2015; Romanosky, 2016).

Median ransomware costs range from $40-$60k per incident, up to $200k for mid-sized businesses. Enterprise costs are in a different category entirely. Wire and payment fraud incidents have an average impact of around $80k.

And the bigger you are, the more often you get hit. If you have fewer than 50 employees, insurance reports say you can expect to be targeted 1-5 times per year; more if your industry is known to move large amounts of money in the course of business. If you have over 1,000 employees, that number jumps to 6-25 times per year. Some unlucky and unprepared companies make up to three claims per year.

Many small businesses carry million-dollar policies, which may be more coverage than they need. Growing mid-market businesses may reach $5 million in coverage or more, and in the enterprise, coverage quickly becomes custom.

Be Ready for the Questionnaire

When you’re applying for cyber insurance, you’re going to have to fill out a questionnaire. This isn’t just busy work.

The answers you give will determine whether your policy holds up when you file a claim. You’ll check a box, but you’ll want to be able to show that you’ve actually implemented the key security measures, such as:

  • MFA for email and other important systems
  • Encryption for laptops and sensitive data
  • A written incident response plan
  • Ongoing security training for employees

Be truthful. If you can’t prove you have a control in place, or can’t answer a question, you’re setting yourself up for trouble down the road. It’s not enough to check the box on the form. You need the documentation to back it up, and that documentation should reflect the state of every in-scope system, not just the ones you remembered.
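The MFA case from the claims section is the most common way a questionnaire answer comes apart: MFA was on for email, but not for the VPN or for a service account nobody thought about. Before you check the “MFA on all accounts” box, pull an account export from each in-scope system and measure coverage over active accounts. The script below is an added example and is not part of the original article or the insurer’s process; it assumes a hypothetical CSV export with the columns account, system, mfa_enabled, privileged and active (a real export from an identity provider or admin console will need its columns mapped to these), and the rows in it are constructed sample data.

```python
"""Audit MFA coverage from an identity export before answering the questionnaire.

Added example, not from the original article. The CSV format is an assumption;
the rows below are constructed sample data, not a real export.
"""
import csv
import hashlib
import io
from dataclasses import dataclass, field

# Constructed sample export, one row per (account, system). A real export
# comes from your IdP, mail platform or VPN console; map its columns to these.
SAMPLE_EXPORT = """\
account,system,mfa_enabled,privileged,active
alice@example.com,email,true,false,true
bob@example.com,email,true,true,true
carol@example.com,email,false,false,true
dave@example.com,email,false,false,false
alice@example.com,vpn,true,false,true
bob@example.com,vpn,false,true,true
svc-backup@example.com,vpn,false,true,true
alice@example.com,crm,true,false,true
carol@example.com,crm,false,false,true
"""


@dataclass
class SystemCoverage:
    system: str
    active_accounts: int = 0
    covered: int = 0
    gaps: list = field(default_factory=list)             # active accounts without MFA
    privileged_gaps: list = field(default_factory=list)  # subset that are admins / service accounts

    @property
    def percent(self) -> float:
        if self.active_accounts == 0:
            return 100.0
        return 100.0 * self.covered / self.active_accounts


def _truthy(value: str) -> bool:
    return value.strip().lower() in ("true", "yes", "1")


def parse_export(text: str) -> list:
    """Parse the CSV export into dicts with real booleans."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "account": row["account"].strip(),
            "system": row["system"].strip(),
            "mfa_enabled": _truthy(row["mfa_enabled"]),
            "privileged": _truthy(row["privileged"]),
            "active": _truthy(row["active"]),
        })
    return rows


def mfa_coverage(rows: list) -> dict:
    """Coverage per system over *active* accounts only. Disabled accounts are
    left out of the denominator; review them separately so they stay disabled."""
    by_system = {}
    for r in rows:
        if not r["active"]:
            continue
        cov = by_system.setdefault(r["system"], SystemCoverage(r["system"]))
        cov.active_accounts += 1
        if r["mfa_enabled"]:
            cov.covered += 1
        else:
            cov.gaps.append(r["account"])
            if r["privileged"]:
                cov.privileged_gaps.append(r["account"])
    return by_system


def questionnaire_answer(coverage: dict) -> str:
    """'MFA on all accounts' is only truthful when every active account on
    every in-scope system is covered. Anything else is 'partial'."""
    return "yes" if all(not c.gaps for c in coverage.values()) else "partial"


def report(export_text: str) -> str:
    """Human-readable evidence, tied to the exact export it was computed from."""
    coverage = mfa_coverage(parse_export(export_text))
    digest = hashlib.sha256(export_text.encode()).hexdigest()
    lines = [f"evidence: export sha256 {digest[:16]}..."]
    for c in sorted(coverage.values(), key=lambda c: c.system):
        lines.append(f"{c.system}: {c.covered}/{c.active_accounts} active accounts with MFA ({c.percent:.0f}%)")
        for account in c.gaps:
            flag = "  [PRIVILEGED]" if account in c.privileged_gaps else ""
            lines.append(f"  gap: {account}{flag}")
    lines.append(f"questionnaire answer for 'MFA on all accounts': {questionnaire_answer(coverage)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_EXPORT))
```

On the sample data the report shows email at 2/3, the VPN at 1/3 with both gaps privileged, and the CRM at 1/2, so the honest questionnaire answer is “partial”, not “yes”. The SHA-256 of the export ties the evidence you file to a specific snapshot, which is what you want to be able to produce when an adjuster asks. Re-run it before renewal and after any onboarding wave; the answer should only become “yes” when the gap list is empty on every in-scope system.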

The Bottom Line

Cyber insurance is valuable, but it’s not a silver bullet. The real protection comes from making smart decisions about your technology, processes, and employee education. Get the right security controls in place, understand your coverage, and be prepared to back up your claims. If you can do that, cyber insurance becomes a tool, not a crutch.
