Cyber insurance questions to ask.
Not all cyber insurance actually covers a cyber event. Here are the questions to ask your broker before you need the policy.
Cyber insurance is more common now than ever — and more confusing than ever. The word "cyber" covers wildly different kinds of events, and your policy might not cover the one that actually happens to you. Asking the right questions before a breach is the difference between a policy that pays and a policy that argues.
Why this matters
Policies have evolved faster than most brokers can keep up with. Some policies have ransomware sub-limits that are a fraction of the headline number. Some exclude "social engineering" entirely, which is how most small business claims start. Some require specific controls (MFA, EDR) that, if missing, let the insurer deny coverage outright.
The questions to put to your broker
- What's the sub-limit on ransomware? (Could be 10% of the policy limit — verify.)
- Is social engineering / fraudulent instruction covered? (This is BEC and wire fraud.)
- What controls are required to keep the policy valid — MFA, EDR, backups?
- Is business interruption covered? For how many hours/days?
- Are breach counsel and an IR retainer included, or do you have to find your own?
- What's the claim process — who do I call at 2 AM?
- Is there coverage for regulator fines, notification costs, and credit monitoring?
What "covered" often doesn't mean
“A small accounting firm had $1M in cyber coverage but a $50K sub-limit on ransomware.”
Red flag: Ransom plus downtime was over $200K. The insurer paid $50K. The firm was on the hook for the rest.
“A small firm's policy required MFA on all accounts. A compromised account without MFA became the breach vector.”
Red flag: Insurer denied the claim — the required control hadn't been enforced. Everything paid out of pocket.
We coordinate with your broker.
We help clients align their security controls with policy requirements. If you want a second set of eyes on your renewal, ask us.
1. Read your current cyber policy — specifically the exclusions and sub-limits.
2. Ask your broker the seven questions listed above in writing.
3. Confirm your controls (MFA, EDR, backups) match what the policy requires.
4. Save the claim process and emergency numbers in your incident response plan.
5. Review coverage annually at renewal — threats change and so do policies.
Want help securing your business?
Schedule a quick security review with our team. 15 minutes, no sales pressure — walk away knowing exactly where your gaps are.