
Stop Treating Cybersecurity Insurance as Your Security Strategy

Strategia-X · Mar 17, 2026 · 11 min read · 1,556 words

The Dangerous Comfort of a Policy Number

Your insurance broker sold you a cyber liability policy. Maybe $1 million in coverage, maybe $5 million. You added it to the portfolio alongside your general liability, your property insurance, and your D&O coverage. You filed the certificate of insurance. You felt responsible. You felt protected.

You shouldn't have. At least, not as protected as you think.

Cyber insurance is a valuable component of a comprehensive risk management strategy. But it is not a security strategy. And the number of SMB leaders who treat their insurance policy as a substitute for actual cybersecurity controls is alarming — because when the breach happens, they discover that the policy they've been paying for covers far less than they assumed, takes far longer to pay out than they need, and does nothing to prevent the operational and reputational damage that actually kills businesses.

What Your Policy Actually Covers (and What It Doesn't)

Most business leaders have never read their cyber insurance policy beyond the coverage summary. The details matter — and the exclusions are where the surprises live:

Common Exclusions

  • Known vulnerabilities: If you were breached through a vulnerability that had a patch available and you didn't apply it, many policies exclude the claim. The insurer's position: you knew the risk and didn't mitigate it. That's negligence, not an insurable event.
  • Social engineering losses: Many standard policies exclude losses from business email compromise, wire fraud, and social engineering attacks. These require a separate "social engineering" rider that costs extra — and most SMBs don't have it. The $200,000 wire transfer fraud that devastated Meridian Supply? Excluded under a standard cyber policy.
  • Nation-state attacks: Many policies include a "war exclusion" or "hostile act exclusion" that excludes attacks attributed to nation-state actors. Given that major ransomware groups have ties to state actors, this exclusion is broader than most policyholders realize. In 2022, Lloyd's of London issued a directive requiring all cyber policies to explicitly exclude state-backed attacks.
  • Failure to maintain minimum security controls: Your policy likely has a security questionnaire you filled out during underwriting. If you stated that you have MFA enabled, endpoint detection deployed, and backups maintained — and you don't — the claim can be denied for material misrepresentation. Insurance companies audit claims aggressively. They will check.
  • Regulatory fines and penalties: Many policies cover the cost of breach response but exclude regulatory fines imposed by GDPR, CCPA, HIPAA, or other frameworks. The response costs might be $200,000. The regulatory fine could be $2 million. Your policy covers the small number.

Claims Denial Reality

A report by Sophos found that while 83% of mid-sized organizations have cyber insurance, only 64% of those who filed claims received the full payout. The rest received partial payouts, had claims denied, or experienced delays that forced them to fund recovery out of pocket during the most critical period. The insurance industry's incentive is to collect premiums and minimize payouts. Your incentive is the opposite. These incentives don't align when you need them most.

What Insurance Can't Cover

Even when the policy pays out exactly as expected, there are losses that no insurance policy can compensate:

Reputational Damage

Your insurance will pay for a PR firm. It won't rebuild the trust that took 20 years to earn and 24 hours to destroy. Customers who learn their data was compromised don't check whether your insurance covered the breach response. They check whether they can trust you with their data again. Many decide they can't. A study by the Ponemon Institute found that 31% of customers discontinue their relationship with a breached company. No insurance payout compensates for that lost lifetime value.

Operational Disruption

Your policy may cover "business interruption" — but the coverage typically has waiting periods (24-72 hours before it kicks in), caps on daily payouts, and maximum coverage periods. A ransomware attack that takes your systems offline for two weeks doesn't cost what the insurance formula says it costs. It costs the deals that fell through while you were offline. The customers who switched to a competitor. The employees who spent weeks in manual-process hell and started updating their resumes. The compound effects of operational disruption are incalculable and uninsurable.

Employee and Leadership Distraction

A significant breach consumes the leadership team for weeks or months. The CEO is managing crisis communications. The CFO is managing cash flow. The CTO is managing remediation. Nobody is managing the business. The opportunity cost of pulling your entire leadership team off of growth activities for 60-90 days doesn't appear on any insurance claim form. But it's often the most expensive consequence of all.

What Insurance Companies Actually Want You to Have

Here's a useful framing: if your insurance company requires certain security controls before they'll underwrite your policy, those controls are the minimum you should have regardless of insurance. The insurer isn't being generous with advice. They're defining the baseline below which the risk is unacceptable — even to a company that profits from accepting risk.

Most cyber insurance applications now require:

  • Multi-Factor Authentication (MFA) on email, VPN, and administrative accounts
  • Endpoint Detection and Response (EDR) on all devices
  • Regular patching cadence with critical patches applied within 30 days
  • Offline or immutable backups that survive a ransomware encryption
  • Email filtering with anti-phishing capabilities
  • Security awareness training for all employees
  • Incident response plan documented and tested
  • Privileged access management with least-privilege principles

If you have all of these controls, you have a solid security baseline. If you don't, you're probably paying higher premiums for coverage that might be denied when you need it. The controls cost less than the premium increase. Implement them, and you get better security and lower insurance costs.

The Right Relationship With Cyber Insurance

Insurance has a role. It's just not the role most people assign it. Here's the correct framing:

Layer 1: Prevention — Invest in the security controls that stop breaches from happening. This is your primary defense. MFA, EDR, patching, email security, access management, training. Most attacks are stopped here.

Layer 2: Detection and Response — Invest in monitoring and incident response capabilities that catch breaches quickly and limit damage. The difference between a $50,000 incident and a $5 million incident is usually detection speed.

Layer 3: Insurance — For the residual risk that survives Layers 1 and 2, insurance provides financial cushioning. It helps with breach response costs, legal fees, notification expenses, and business interruption losses. It's the safety net under the safety net. Valuable. But never the first line of defense.

The Bottom Line

Your cyber insurance policy is not protecting you the way you think it is. The exclusions are wider than you expect. The claims process is slower than you need. And the losses that actually kill businesses — reputation, trust, operational momentum, leadership distraction — aren't on any claim form.

Stop treating insurance as your security strategy and start treating it as your residual risk transfer. Build the controls first. Invest in prevention and detection. Then — and only then — does insurance make sense as the financial backstop for what slips through. The companies that survive breaches aren't the ones with the biggest policies. They're the ones that built the defenses that made the breach survivable in the first place. Insurance pays the bills. Security keeps the business alive.

-Rocky

#CyberInsurance #Cybersecurity #RiskManagement #ITStrategy #SMBSecurity #BreachResponse #InsurancePolicy #SecurityControls #BusinessContinuity #EngineeringDreams
