Cyber Insurance: The Thing You Probably Need but Definitely Don't Understand

Cyber insurance isn't optional anymore — and most policies have requirements your IT setup probably doesn't meet. Here's what underwriters actually look for and how to not get denied.

Cyber insurance used to be a nice-to-have. Now it's basically mandatory — and it's getting harder to qualify for. Insurers have been paying out massive claims and they've gotten a lot pickier about who they'll cover and under what conditions.

If you don't have cyber insurance yet, you need it. If you do have it, you might not actually be covered when it matters. Here's what you need to know.

Why You Need It

The average cost of a data breach for a small business is over $150,000. That includes forensics, legal fees, customer notification, system restoration, and lost business. For most small businesses, that's an existential number. Cyber insurance is the difference between a really bad month and closing your doors.

What Insurers Require (and Your IT Company Should Be Helping With)

MFA everywhere. This is non-negotiable for virtually every insurer now. If you don't have multi-factor authentication on email, VPN, and admin accounts, you probably won't get approved.

Endpoint detection and response. Basic antivirus isn't enough anymore. Insurers want to see EDR, which actively monitors for suspicious behavior rather than just scanning for known viruses.

Regular backups with offsite storage. They want to know that if you get hit with ransomware, you can restore without paying the ransom. That means tested backups stored somewhere the attackers can't reach.

Security awareness training. Documented, regular training for all employees. Insurers know that humans are the weakest link, and they want to see that you're addressing it.

Incident response plan. A documented plan for what happens when you get breached. Who do you call? How do you contain it? Who notifies customers?

The Catch

Here's what most people don't realize: if you claim you have all of these things on your application and you actually don't, the insurer can deny your claim. It's not enough to check the boxes — you have to actually have the controls in place. We've seen businesses get denied on claims because their 'MFA' was only on one system instead of all of them.

How We Help

When our clients apply for cyber insurance, we fill out the technical portion of the application with them. We know exactly what's in place because we manage it. No guessing, no stretching the truth. That's the advantage of having an MSP that's actually doing the work.
