Cyber Insurance: What Underwriters Ask & How IT Policies Affect Your Premium

Cyber insurance applications today come with tough security questions. Learn how underwriters assess your IT defenses and how improving them can save you money on premiums.


Cyber threats aren’t just a big-business problem. In 2023, 41% of small businesses fell victim to a cyber attack[1] – a reminder that no company is too small to be targeted. This surge in attacks has driven many organizations to seek cyber insurance as a safety net. But getting covered isn’t as simple as buying a policy. Insurers have tightened their requirements after a wave of costly breaches, hiking premiums by 15–50% in recent years and even adding new exclusions[2]. Cyber insurance underwriters now grill applicants on their cybersecurity measures, effectively turning the application into a mini IT audit[3]. If your answers to security questions are “no,” you could face higher premiums or even denial of coverage[4].

Whether you run a small business, a healthcare clinic, or a local government office, it’s crucial to understand what underwriters look for. In this article, we’ll break down common questions insurers ask, explain how your IT security policies influence your premium, and offer tips for different industries. By the end, you’ll know how to make your organization both well-protected and insurable.

Why Underwriters Scrutinize Your Security

Cyber insurance underwriting is all about assessing risk. After paying out massive claims for ransomware and data breaches, insurers are now extremely cautious. They scrutinize organizations’ cybersecurity practices to ensure effective controls are in place[5]. In practice, that means when you apply for a policy, you’ll face detailed questions about your IT setup. Underwriters want to gauge how likely you are to suffer an incident – and how well you could contain one if it happens.

If you lack basic protections, the insurer sees a higher chance they’ll have to pay a big claim. In some cases, companies can even be deemed uninsurable until they improve their security. For example, the public sector learned this the hard way: municipalities have been hit by ransomware more than any other industry, yet many city governments still don’t have the “basic basics” like multi-factor authentication or data backups[6]. Insurers responded by refusing to cover many municipalities or charging sky-high premiums unless those basics are fixed[7]. In fact, some carriers won’t even offer any cyber policy to an organization that lacks certain controls (several insurers now flat-out decline coverage if a company isn’t using MFA)[8].

The takeaway? Underwriters ask tough questions because they have to. Your answers help them decide: Are they willing to insure you at all? If so, how much should your premium be to offset the risk? The more confident they are in your cybersecurity, the better terms you’ll get. Let’s look at which security measures they care about most.

Key Security Measures Underwriters Look For

When evaluating your application, underwriters are essentially checking for the presence of core cybersecurity controls. In fact, a 2025 industry report noted that most carriers now require proof of seven fundamental protections before offering coverage[9]. Below are those key measures and why they matter:

  • 1. Multi-Factor Authentication (MFA) Everywhere: MFA means requiring a second step (like a code or app prompt) in addition to passwords. Underwriters expect MFA on critical logins – email accounts, VPN/remote access, admin accounts, cloud services, etc. It’s one of the first questions you’ll be asked, because compromised passwords are a top breach cause. Enforcing MFA system-wide greatly reduces the chance of an attacker breaking in with stolen creds. Indeed, some insurers now refuse to even quote a policy if MFA isn’t in place company-wide[8].
  • 2. Endpoint Detection & Response (EDR): Insurers want to see that you have advanced anti-malware and monitoring on all computers and servers. EDR software watches for suspicious behavior (like ransomware encryption) and can automatically isolate infected machines. Underwriters may ask if you have EDR deployed to 100% of endpoints and if it’s actively managed 24/7[10]. This control helps catch threats that slip past traditional antivirus, minimizing damage from an intrusion.
  • 3. Secure, Off-site Backups (Immutable Backups): A strong data backup strategy is essential, especially with ransomware. Underwriters will ask if you back up your critical data regularly, and more importantly how you do it. They’re looking for off-site or cloud backups that are kept offline or immutable (locked against changes) so hackers can’t encrypt or delete them. Many cyber insurers cite the “3-2-1-1-0” rule: 3 copies of data, on 2 different media, 1 off-site, 1 immutable, and 0 errors from test restores[11]. Expect to be asked if you test your backups (e.g. doing routine restore drills). Demonstrating that you can quickly recover your data means a ransomware attack won’t be a catastrophe – which makes you a safer bet to insure.
  • 4. Prompt Patch Management: “Patch management” refers to how quickly you apply security updates to your systems and software. Underwriters often include questions like: Do you have a policy for installing critical patches within a certain timeframe? They want to hear that you don’t let known vulnerabilities linger unpatched. Many insurers look for a patching SLA (service-level agreement) – for example, applying critical updates within 1–2 weeks of release[12]. You might even be asked for proof, such as reports showing your patch compliance rate. Why do they care? Because unpatched software (e.g. an outdated VPN or server) is a common entry point for attackers. A solid patch regimen means fewer holes in your defenses.
  • 5. Security Awareness Training & Phishing Tests: Human error is a huge factor in breaches, so underwriters check whether you educate your team. They may ask if you conduct regular cybersecurity awareness training for employees and phishing email simulations. Insurers want to know you’re building a “human firewall” – teaching staff how to spot suspicious emails, use strong passwords, and follow security policies. Ideally, you should be doing periodic phishing simulation tests and tracking results (e.g. % of employees who click vs. report the fake phish). Showing that your workforce is trained and phish-savvy can positively influence an underwriter’s view of your risk. (Some applications even ask for specifics, like “Do you conduct phishing tests at least quarterly?”[13]).
  • 6. Access Controls & Least Privilege: This refers to how you manage user accounts and permissions. Underwriters commonly ask about your password policies (Are they strong? Do you enforce regular changes or use a password manager?) and about admin accounts. They want to see that you follow the principle of least privilege – meaning employees only have the access they absolutely need. For example, no shared logins and very few users with administrator rights. Any admin or privileged accounts should have MFA enforced and ideally be separate from normal user accounts[14]. Insurers also favor companies that periodically review user access and promptly remove accounts/privileges that are no longer needed. Tight access control reduces the odds that a hacker who steals one credential can “roam free” across your network.
  • 7. Vendor and Third-Party Security: Many breaches start through a vendor or IT provider, so underwriters will inquire about your third-party risk management. They might ask if you vet the security of your IT service providers, or how you control vendor remote access to your systems. A strong answer is that you require vendors to use MFA and unique accounts, never shared logins[15], and that you limit what outside partners can do in your network. It’s also good to mention if you have a vendor cybersecurity policy or checklist. Insurers are looking for assurance that a supplier’s weakness won’t become your breach. Showing that you hold partners to high security standards (contracts, certifications, etc.) can satisfy underwriters that this risk is under control.
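The seven controls above are exactly the things an underwriter's questionnaire asks you to attest to, so it helps to measure them the same way before you apply. The script below is an added illustration (not code from Pinpoint Tech or any insurer) that scores a hand-built inventory against the checks in this list: MFA on admin, vendor and remote-access accounts, EDR coverage as a fraction of endpoints, the 3-2-1-1-0 backup rule, a critical-patch SLA (14 days is assumed here; pick the window your carrier states), and click/report rates from a phishing simulation. All records in it are constructed sample data.

```python
"""Cyber insurance readiness self-check (illustrative, not any insurer's form).
Every record below is constructed sample data, not from a real environment."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Account:
    name: str
    role: str            # "admin", "user" or "vendor"
    mfa: bool
    remote_access: bool  # VPN, remote desktop or webmail login


@dataclass
class BackupCopy:
    medium: str          # "disk", "tape", "cloud-object", ...
    offsite: bool
    immutable: bool      # locked against change or deletion
    restore_test_ok: bool


@dataclass
class Patch:
    name: str            # placeholder id, not a real CVE or KB number
    severity: str
    released: date
    installed: Optional[date]


def mfa_gaps(accounts):
    """Accounts underwriters expect to have MFA (admin, vendor, remote access) that lack it."""
    return [a.name for a in accounts
            if (a.role in ("admin", "vendor") or a.remote_access) and not a.mfa]


def edr_coverage(endpoints):
    """Fraction of endpoints (name -> has EDR agent) that are covered; carriers ask for 100%."""
    if not endpoints:
        return 0.0
    return sum(1 for covered in endpoints.values() if covered) / len(endpoints)


def check_3_2_1_1_0(copies):
    """Return (passes, findings) against the 3-2-1-1-0 backup rule."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies (need 3)")
    if len({c.medium for c in copies}) < 2:
        findings.append("all copies on one medium (need 2)")
    if not any(c.offsite for c in copies):
        findings.append("no off-site copy")
    if not any(c.immutable for c in copies):
        findings.append("no immutable copy")
    if not all(c.restore_test_ok for c in copies):
        findings.append("restore test errors")
    return not findings, findings


def patch_sla(patches, sla_days=14, today=None):
    """Share of critical patches applied within sla_days, plus the ones that missed
    the window (installed late, or still missing after the deadline)."""
    today = today or date.today()
    critical = [p for p in patches if p.severity == "critical"]
    if not critical:
        return 1.0, []
    on_time, late = 0, []
    for p in critical:
        if p.installed is not None and (p.installed - p.released).days <= sla_days:
            on_time += 1
        elif p.installed is not None or (today - p.released).days > sla_days:
            late.append(p.name)
    return on_time / len(critical), late


def phishing_metrics(sent, clicked, reported):
    """Click and report rates from one simulation round."""
    return {"click_rate": clicked / sent, "report_rate": reported / sent}


# Constructed sample inventory (hypothetical names and dates).
ACCOUNTS = [
    Account("it-admin", "admin", mfa=True, remote_access=True),
    Account("owner", "user", mfa=False, remote_access=True),
    Account("msp-support", "vendor", mfa=False, remote_access=True),
    Account("front-desk", "user", mfa=False, remote_access=False),
]
ENDPOINTS = {"ws-01": True, "ws-02": True, "ws-03": True, "srv-01": False}
BACKUPS = [
    BackupCopy("disk", offsite=False, immutable=False, restore_test_ok=True),
    BackupCopy("tape", offsite=True, immutable=False, restore_test_ok=False),
    BackupCopy("cloud-object", offsite=True, immutable=True, restore_test_ok=True),
]
PATCHES = [
    Patch("PATCH-A", "critical", date(2025, 1, 10), date(2025, 1, 20)),
    Patch("PATCH-B", "critical", date(2025, 2, 1), date(2025, 2, 25)),
    Patch("PATCH-C", "critical", date(2025, 2, 20), None),
    Patch("PATCH-D", "important", date(2025, 2, 1), None),
]
AS_OF = date(2025, 3, 1)


def readiness_report():
    """Collect every check into one dict, the shape a questionnaire follows."""
    ok, findings = check_3_2_1_1_0(BACKUPS)
    rate, late = patch_sla(PATCHES, sla_days=14, today=AS_OF)
    return {
        "mfa_gaps": mfa_gaps(ACCOUNTS),
        "edr_coverage": edr_coverage(ENDPOINTS),
        "backups_pass": ok, "backup_findings": findings,
        "patch_sla_rate": rate, "patches_late": late,
        "phishing": phishing_metrics(sent=40, clicked=6, reported=20),
    }


if __name__ == "__main__":
    for key, value in readiness_report().items():
        print(f"{key}: {value}")
```

On the sample data the report flags two accounts without MFA (the owner's remote login and the MSP's vendor account), 75% EDR coverage, a failed restore test on the tape copy, and one critical patch applied after the 14-day window; those are precisely the answers that would turn a "yes" into a "no" on the application, so they are the gaps to close first.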

These seven areas cover the most frequently asked questions on cyber insurance applications. In fact, many insurers now make customers fill out a supplemental questionnaire specifically about ransomware controls, touching on all of the above (MFA, backups, EDR, etc.)[16]. The more of these boxes you can confidently check “Yes,” the better your standing. As one report summed it up: want a lower premium or any quote at all? Implement these basics[9].

How Your IT Policies Affect Your Premium

Having the right cybersecurity policies and tools not only helps you get coverage – it directly impacts how much you pay. Insurance underwriters use your security posture as a major factor in pricing your policy. Here are some ways your IT setup can make your cyber insurance premium higher or lower:

  • Stronger Security = Potential Discounts or Better Rates. Insurers want to insure low-risk clients, so many will offer more favorable terms if you demonstrate strong cyber defenses. Businesses that continuously improve their “cyber hygiene” tend to access more favorable pricing and coverage limits[17]. For example, some carriers provide premium credits for having an incident response plan, up-to-date security certifications, or for passing a security audit. One insurance expert noted that monthly premiums can be “tempered significantly” by implementing proper processes, training, and robust security infrastructure[18]. In short, the safer you make yourself, the more you save – because you’re less likely to cost the insurer money with a claim.
  • Compliance Can Be Non-Negotiable (and Beneficial). In regulated industries, underwriters often require compliance as a condition of coverage. For instance, a healthcare practice must be HIPAA compliant – if you’re not, a cyber policy may not pay out at all[19]. (When you sign a policy, you attest that you comply with applicable laws; if that turns out false, the insurer can void your claim.) The silver lining is that being in compliance can lower your premium. Meeting standards like HIPAA, PCI-DSS, NIST, or ISO 27001 signals that you have structured security in place. Since HIPAA-compliant organizations are inherently more secure, they reduce breach risk – insurers see that as “less liability,” which often means better rates[20]. Achieving a respected security certification (say ISO 27001 or a SOC 2 report) or maintaining regulatory compliance can therefore directly translate to cost savings on insurance[21].
  • Poor Security = Higher Premiums (or No Coverage). The flip side is also true: if your protections are weak, insurers will charge accordingly. A company with numerous vulnerabilities and no cybersecurity program is far more likely to file a claim, so the carrier may quote a very high premium if they’re willing to insure it at all. We’ve seen this especially in high-risk sectors. For example, many municipalities found that without basic controls in place, insurers either declined coverage or only offered policies at exorbitant rates[7]. Even outside of government, an underwriter who isn’t confident in your security might impose an added surcharge or a higher deductible to compensate for the uncertainty. Essentially, you’ll pay more for insurance to “fill the gap” of not investing in security internally.
  • Industry and Other Risk Factors. Underwriters also consider inherent risk factors that are outside your IT policy choices. Your industry is a big one – certain sectors are targeted by hackers more frequently or face larger potential losses. If you’re in a high-risk industry (say healthcare, finance, or education), you might face higher premiums than a low-profile business, all else being equal[22]. The size of your company (number of employees, revenue) can matter too; more employees can mean more points of vulnerability[23]. They’ll also look at how much sensitive data you hold – e.g. a medical clinic or an e-commerce retailer carries more risk than a hobby blog. And your claims history counts: if you’ve suffered past breaches or cyber claims, insurers may view you as a higher risk (similar to how a car insurer raises rates after accidents). All of these elements mix into the pricing formula. In short, underwriters weigh a combination of your security maturity and your inherent exposure when determining your premium[24].

Bottom line: Investing in solid IT security can pay for itself through lower insurance costs (not to mention reducing the chance of an incident in the first place!). By contrast, skimping on security will not only leave you more exposed to attacks, it will also drive up the cost of transferring that risk to an insurer.

Next, let’s look at a few specific scenarios – small businesses, healthcare practices, and local governments – to see how cyber insurance considerations can vary by context.

Cyber Insurance for Small Businesses

Small businesses often assume hackers won’t bother with them, but the data shows otherwise. Nearly half of SMBs experience cyber attacks each year[1], and these incidents can be devastating to a small company’s finances and reputation. Cyber insurance can literally save a small business from bankruptcy by covering costs like breach recovery, legal fees, customer notifications, and ransomware payments. It’s no surprise that over 50% of U.S. small businesses now carry cyber insurance in some form[25] – it’s become a mainstream best practice for SMB risk management.

For small business owners, the key is to balance cost and protection. Cyber insurance premiums for SMBs tend to be manageable – the average policy for a small business runs around $145 per month (roughly $1,740 annually) according to one analysis[26]. Your actual cost will depend on your size and industry, but also heavily on your security measures, as we’ve discussed. Many small companies worry they can’t afford enterprise-grade cybersecurity. The good news is that insurers mostly look for a handful of affordable, basic protections – the same ones we listed earlier (MFA, backups, antivirus/EDR, updates, training). Even budget-conscious businesses can implement these with a bit of planning. For example, many cloud services include MFA at no extra cost; good backup services and endpoint security software are available at small-business price points.

When applying for cyber coverage as an SMB, be prepared to answer questions like:
  • “Do you use multi-factor authentication for email and remote logins?”
  • “How often do you back up your data, and is it stored off-site?”
  • “Do you provide cybersecurity training to employees?”
  • “Do you have an IT service provider or internal IT staff managing your security?”

If your answer to many of these is “no,” an underwriter will likely view your business as a higher risk (remember, insurers see plenty of claims where an SMB got hacked due to one of these missing pieces). You might still get a policy, but the premium will be higher – or you could get a laundry list of security improvements as a contingency before the policy can take effect. On the other hand, if you can honestly say “yes, we do that” to most of these questions, you’ll impress the underwriter and potentially earn a lower rate. It may even be worth investing in a few upgrades before you apply for insurance. For example, if you don’t have MFA enabled yet, doing so now could immediately make you eligible for better pricing on a policy.

Many small businesses choose to partner with a managed IT services provider (MSP) – like Pinpoint Tech – to handle these security essentials. An MSP can implement and maintain strong cyber protections for you, effectively giving you enterprise-grade defense on an SMB budget. This not only helps prevent incidents, but also checks the boxes that insurance underwriters are looking for. It’s a proactive way to make sure your business is both secure and insurable. In short, SMBs absolutely need cyber insurance, but you’ll get the most value from it when you’ve taken steps to reduce your risk. A little effort on cyber hygiene can go a long way toward lower premiums and peace of mind.

Cyber Insurance for Healthcare Practices

Owners of medical and dental practices, clinics, and other healthcare organizations face unique cybersecurity and insurance concerns. Healthcare is considered a high-risk industry in the cyber insurance world – attackers prize patient data, and healthcare providers are often seen as soft targets. This means premiums for healthcare entities can be on the higher side compared to other businesses of similar size[22]. Additionally, healthcare breaches carry hefty regulatory consequences (fines under HIPAA, lawsuits, etc.), which insurers have to factor into their costs.

If you run a healthcare practice, compliance and security go hand-in-hand for insurance. Being HIPAA compliant isn’t just good practice – it’s effectively required by any cyber insurance policy you’ll get. Underwriters will ask if you’re HIPAA compliant and may even require proof or attestation. Remember that when you sign a cyber liability policy, you are promising that your organization follows applicable laws. If a breach happens and it turns out you weren’t actually in compliance, the insurer can deny your claim on grounds of misrepresentation[19]. (For example, if you claim all patient data is encrypted as HIPAA mandates, but it wasn’t and a breach occurs – you could be on the hook for the costs.) The first step is therefore to ensure you truly meet the HIPAA Security Rule requirements – things like encryption of electronic health records, access controls for systems, audit logs, and an up-to-date risk assessment.

The upside is that strong HIPAA compliance can reduce your premiums. Why? A clinic that has all the HIPAA-mandated security measures in place is inherently a lower risk. HIPAA requires a lot of the same controls insurers care about: encryption of data in transit and at rest, user authentication and unique IDs, audit trails, regular staff training on privacy, and incident response plans[27]. If you can demonstrate these, underwriters know you’re less likely to have a major breach. As one compliance firm put it, HIPAA-compliant organizations are “inherently more secure and therefore reduce your risk of being breached. Insurance carriers like this because you are less of a liability,” which can lead to lower premiums[20].

When applying for cyber insurance as a healthcare entity, anticipate questions such as:
  • “Do you encrypt laptops, servers, and databases that store PHI (Protected Health Information)?”
  • “Do you have an up-to-date HIPAA risk assessment and written policies in place?”
  • “Is multi-factor authentication used for EHR systems and remote access?”
  • “How do you back up patient data, and can you recover quickly without data loss?”
  • “Do you conduct regular HIPAA/security training for staff and have an incident response plan ready?”

Healthcare underwriters may also dig into specifics like whether you segment your network (to protect medical devices or billing systems), if you use secure email for PHI, and how you handle software updates on medical equipment. It can feel a bit invasive, but remember, they’re evaluating if you’ve minimized the many avenues through which a breach could occur.

For a practice owner, it’s wise to work closely with your IT and compliance partners to ensure you can confidently answer those questions. Often, clinics engage IT consultants or security firms (like Pinpoint Tech) to help implement needed safeguards – for instance, setting up encryption on all devices, instituting MFA on the EMR/EHR systems, or establishing secure offsite backups for patient records. These investments not only keep you in line with HIPAA, but they pay dividends in insurance: you’ll qualify for coverage more easily and avoid costly coverage exclusions. Plus, a breach in healthcare can be incredibly costly (IBM’s research often shows healthcare has the highest average breach cost of any industry), so the combination of good security + insurance is truly mission-critical.

In summary, cyber insurance for healthcare is all about showing you take patient data protection seriously. The underwriters’ questions will effectively double-check your HIPAA security efforts. If you can answer affirmatively and provide evidence of strong controls, you’ll not only secure a policy (with possibly friendlier premiums), but you’ll also be better prepared to prevent the breaches that the insurance is meant to cover. And that’s a healthy prognosis for your practice’s future.

Cyber Insurance for Local Governments

Local governments – including city and county administrations, law enforcement agencies, public utilities, etc. – have become prime targets for cyberattacks in recent years. Alarmingly, ransomware groups have attacked municipal governments more than any other sector, even more than healthcare or education[6]. These public entities often hold sensitive citizen data and manage critical services, making them attractive targets. Yet many smaller municipalities historically lacked the resources for robust cybersecurity; some didn’t even have basic protections like MFA, endpoint monitoring, or reliable backups in place[28].

This gap between threat level and preparedness created a crisis in the cyber insurance market for public entities. Insurers have reacted by drastically tightening their underwriting for governments. In fact, many commercial cyber insurers have pulled out of the municipal market entirely, and those that remain are much more selective[29][30]. A city with poor cyber hygiene may find no carrier willing to insure it. One panel of municipal insurance experts noted that if a city isn’t at least doing things like MFA and regular patching, it “faces the possibility of an uninsurable risk.”[31] In practice:
  • Many insurers are flat-out refusing to cover municipalities (particularly those with outdated security).
  • Some will offer coverage but at very high premiums or with reduced coverage limits[32][33].
  • Almost all require that certain “best practice” cyber controls be in place as a condition of coverage[29]. For example, if a town has not implemented MFA for all users, several insurers have made it clear: no MFA = no policy[8].

Given this environment, local government officials need to approach cyber insurance as part of a broader strategy of improving cybersecurity readiness. Underwriters will be looking for the presence of specific critical controls in the municipality’s IT environment. Based on industry guidance, some must-haves for cities now include:
  • Multi-Factor Authentication (MFA) – especially for remote access to networks, email accounts for staff/officials, and any accounts with admin privileges[34][35]. MFA is often the first thing carriers ask about.
  • Daily or Real-Time Data Backups – with offsite storage and the ability to restore quickly. Insurers expect regular backups of key systems (at least daily) and isolated “offline” backups not connected to the network[35]. They may also expect tested disaster recovery plans, given the critical nature of government services.
  • Rapid Patch Management – a formal process to apply security updates (e.g. within 30 days for critical patches) on servers, workstations, and especially on legacy systems like SCADA or utility control systems[36]. Governments often run older software, so showing a plan to address those vulnerabilities is important.
  • Email Security and Filtering – measures like advanced email filtering (to block phishing emails) and email authentication protocols (SPF/DKIM) to prevent spoofing[37][35]. Many municipal attacks start with a phishing email to a city employee.
  • Restricted Administrative Access – ensuring that IT admin accounts are secured (MFA on admin accounts, no widespread admin privileges for regular staff, etc.)[37]. Underwriters want to see a strong handle on who can access critical systems.
  • Incident Response & Continuity Plans – having an up-to-date incident response plan and business continuity plan. While insurance provides financial backup, carriers prefer clients who have a playbook to quickly respond to and recover from an incident.
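“We publish SPF and DKIM” is an easy box to tick, but a record that ends in `+all` or a DKIM selector with an empty key gives an underwriter (and a phisher) no protection at all. The checker below is an added illustration, not code from Pinpoint Tech or any insurer, that reviews SPF and DKIM TXT records offline for the mistakes that quietly defeat the email-authentication control in the list above: a permissive or missing `all` term, the deprecated `ptr` mechanism, more than the ten DNS-lookup mechanisms RFC 7208 allows, an empty DKIM public key, and the `t=y` testing flag. The record strings are constructed samples on a `.invalid` domain; in use you would pass in the TXT records looked up for your own domain.

```python
"""Offline hygiene check for SPF and DKIM DNS TXT records (added illustration).
The records at the bottom are constructed samples, not fetched from DNS."""
import re

# Mechanisms/modifiers that each cost a DNS lookup under RFC 7208's limit of 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Split an SPF record into (qualifier, name, argument) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                       # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        parts = re.split(r"[:=/]", term, maxsplit=1)
        parsed.append((qualifier, parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return parsed


def assess_spf(record):
    """Return a list of findings; an empty list means the record looks sound."""
    try:
        terms = parse_spf(record)
    except ValueError:
        return ["missing or malformed SPF record (no v=spf1)"]
    findings = []
    names = [name for _, name, _ in terms]
    all_terms = [q for q, name, _ in terms if name == "all"]
    if not all_terms and "redirect" not in names:
        findings.append("no 'all' term: unlisted senders are treated as neutral")
    elif all_terms:
        q = all_terms[-1]
        if q == "+":
            findings.append("'+all' lets any host on the internet send as this domain")
        elif q == "?":
            findings.append("'?all' is neutral: spoofed mail is not flagged")
        elif q == "~":
            findings.append("'~all' soft-fails spoofed mail; '-all' is the strict setting")
    if "ptr" in names:
        findings.append("'ptr' mechanism is deprecated and slow to evaluate")
    lookups = sum(1 for name in names if name in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the limit of 10 (permerror)")
    return findings


def assess_dkim(record):
    """Return findings for a DKIM selector TXT record (tag=value; pairs)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)   # base64 keys contain '=' padding
            tags[key.strip().lower()] = value.strip()
    findings = []
    if tags.get("v", "DKIM1").upper() != "DKIM1":
        findings.append("unexpected version tag")
    if not tags.get("p"):
        findings.append("empty public key: selector is revoked or misconfigured")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y testing flag set; receivers may ignore failures")
    return findings


# Constructed sample records (hypothetical domain, placeholder key material).
GOOD_SPF = "v=spf1 mx include:_spf.mailhost.invalid ip4:192.0.2.0/24 -all"
WEAK_SPF = "v=spf1 a mx ptr +all"
GOOD_DKIM = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A-placeholder=="
WEAK_DKIM = "v=DKIM1; k=rsa; t=y; p="

if __name__ == "__main__":
    for label, rec, fn in [("good spf", GOOD_SPF, assess_spf), ("weak spf", WEAK_SPF, assess_spf),
                           ("good dkim", GOOD_DKIM, assess_dkim), ("weak dkim", WEAK_DKIM, assess_dkim)]:
        print(label, fn(rec) or ["ok"])
```

The weak SPF sample trips three findings (pass-all, deprecated `ptr`, and nothing else) while the strict `-all` record passes clean; the weak DKIM sample is both in testing mode and keyless, which is the state many domains are left in after a mail-platform migration.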

When a local government seeks cyber coverage, they should be prepared to answer detailed questions about all the above. The process might involve filling out extensive questionnaires and even interviews with underwriters. It can be helpful to conduct a self-assessment (or third-party security assessment) beforehand to identify gaps. Many municipal leagues and risk pools now offer cyber risk audits to their members for this reason.

For city managers and IT directors, the message from insurers is clear: invest in your cybersecurity or risk going uninsured. This has prompted many municipalities to allocate new budget for IT security roles, managed security services, and upgrades to aging systems. While tight budgets are a reality, the cost of a major cyber incident (and the cost of losing insurance coverage) can far exceed the upfront investment in security improvements. Some states and associations also provide grants or resources to help local governments shore up their cyber defenses, which can in turn make insurance attainable again.

In summary, cyber insurance for local governments is now heavily contingent on demonstrating baseline cybersecurity maturity. Underwriters will ask more probing questions here than perhaps any other sector – because the stakes are so high and, historically, the controls have been so lacking. The path to affordable coverage lies in proactively strengthening your cyber foundation: get the essential controls in place, document your policies, and possibly seek out specialized public-entity cyber insurance programs or pools that understand your situation. With improved security, municipalities can once again find coverage to protect their operations and constituents, even in this challenging market.

Conclusion & Next Steps

Cyber insurance underwriters may seem like they’re putting you through an exam – and in a way, they are. But all of these questions boil down to one thing: encouraging best practices. By asking “Do you do X, Y, Z security step?” insurers are essentially pointing you toward the actions that will most reduce your risk of a cyber incident. In the end, you benefit from implementing those measures, not just through lower premiums, but through a stronger security posture that can prevent disasters in the first place.

For businesses and organizations in North Missouri and beyond, navigating cyber insurance can be a lot to tackle alone. The good news is, you don’t have to. Pinpoint Tech is here to help demystify the process and bolster your IT defenses. As a managed IT and cybersecurity provider, we work with companies to get all the recommended safeguards in place – from setting up MFA and backups to training your team and developing response plans. We can perform a cyber insurance readiness assessment to see where you stand with the controls underwriters expect, and then assist in closing any gaps.

Protecting your business is our passion, whether that’s through preventing attacks or making sure you have the right coverage if the worst happens. If you’re unsure about how your current IT policies measure up, or if you’re preparing for a cyber insurance application and want expert guidance, let’s talk. Give Pinpoint Tech a call for a friendly, no-obligation consultation. We’ll help you ensure that when the underwriters come knocking with questions, you have all the answers – and a secure, thriving business to show for it.

[Your cybersecurity is not just an IT expense; it’s a strategic investment in your company’s resilience.]

FAQs

Cyber insurance applications often include a detailed questionnaire about your IT security. Underwriters will ask if you have implemented key protections such as multi-factor authentication, off-site data backups, and endpoint security software on all systems. They’ll inquire about your patch management (how quickly you install updates), whether you conduct employee cybersecurity training and phishing simulations, and if you have an incident response plan. Essentially, they want to gauge if you have the fundamental controls to prevent or contain cyber attacks. For example, you can expect questions like, “Do you require MFA for remote access?”, “Are your backups immutable (protected from deletion)?”, or “Do you use EDR (Endpoint Detection and Response) on all computers?” – among many others[16]. Being prepared with solid “yes” answers (and evidence to back them up) will greatly improve your chances of securing a policy.

Cyber insurance premiums are calculated based on a mix of your organization’s risk profile and security posture. Key factors include: Industry (high-risk sectors like healthcare or finance may pay more), company size (more employees or revenue can mean a higher premium), and the sensitivity/volume of data you handle (e.g. storing lots of personal data = higher risk). Insurers also look at your claims history – if you’ve had prior cyber incidents or claims, that can raise your rate. Crucially, your level of cybersecurity plays a big role: companies with strong controls (firewalls, MFA, etc.) often get better rates than those with poor security, because they’re seen as less likely to have a breach. Additionally, the coverage limits and deductible you choose will affect the price. In short, underwriters weigh both inherent factors (industry, size, data) and how well you’re managing cyber risk when determining your premium[24].

The best strategy to reduce your premium is to lower your cyber risk – which you do by improving your security. Most insurers offer better rates (or at least won’t surcharge you) if you can show strong defenses. Implementing the core controls – things like MFA on all accounts, next-gen antivirus/EDR on systems, encrypted offsite backups, network firewalls, and regular employee training – will make you a more attractive (and thus less expensive) customer to insure[17][18]. It’s also wise to document your policies and even obtain security certifications or third-party audits if possible; achieving standards like ISO 27001 or maintaining HIPAA compliance can sometimes earn you discounts[21]. Another tip: ask your broker or insurer about bundling (some give multi-policy discounts if you buy cyber insurance along with, say, your general liability coverage) or savings for paying annually in full. Always shop around and get quotes from multiple carriers – some may rate your particular industry or security measures more favorably than others. Over time, continually improving your IT security and having a claim-free record are the surest ways to keep premiums manageable.

Yes, absolutely. Small businesses are just as susceptible – if not more – to cyber attacks as larger firms. In fact, almost half of small businesses experience a cyber incident in a given year[1]. And when a small company gets hit (by ransomware, data breach, wire fraud, etc.), the financial impact can be crippling because they don’t have the extensive reserves or IT teams that bigger companies do. Cyber insurance is crucial for covering those potentially ruinous costs – it can fund things like professional incident response, data recovery, notifying affected customers, legal defense, regulatory fines, and so on. Without insurance, an out-of-pocket hit from a cyberattack could easily put a small business under. It’s also worth noting that many SMBs are required by partners or customers to carry cyber insurance nowadays as part of contracts. The good news is, policies for small businesses are generally affordable (many are just a couple thousand dollars per year), and as we discussed, you can keep the price low by maintaining good security practices. Think of cyber insurance for an SMB like fire insurance – you hope to never need it, but if disaster strikes, it’s a lifeline that could save your business.

Many organizations, especially smaller ones, do not initially meet every security criterion on an insurer's questionnaire. That is not necessarily a dealbreaker; you can often negotiate terms now and improve over time. If you are lacking in certain areas (say, you have not deployed encryption, or you have no in-house IT team), the insurer may still offer coverage, but with exclusions or conditions attached. For example, they might exclude ransomware events until you verify that MFA and isolated backups are in place. Some insurers grant a grace period: they issue the policy but require you to close specific gaps within a set time frame, and the coverage depends on your doing so. Honesty is essential; never misstate a control on an application. If you claim a control you do not actually have, the insurer can void the policy for misrepresentation when you file a claim, which is exactly when you need it most[19]. It is far better to tell the underwriter, "We are not doing X today, but we plan to implement it by this date," and see whether they can work with you. They will often quote a premium on the assumption that you will remediate those areas. Then use the policy year to close the gaps, keeping records (configuration screenshots, policy documents, training logs) as evidence. Arriving at renewal with proof of the new safeguards puts you in a much stronger position to negotiate a better rate.

The cost of cyber insurance varies widely with the factors discussed above (industry, company size, security posture and coverage amount), but as a rough guide: a small business might pay anywhere from a few hundred to a few thousand dollars per year. A commonly cited figure is about $1,500 to $2,000 per year for a $1 million policy for an SMB with reasonable security, which works out to roughly $125 to $175 per month[26]. Very small businesses, such as sole proprietors, may find policies for under $1,000 a year. At the other end, a mid-sized company with higher revenue or in a higher-risk sector can expect premiums of $5,000 to $10,000 or more per year. Coverage limits matter too: a policy with a $3 million limit costs more than one with a $250,000 limit. If your business has a history of incidents or lacks basic controls, expect above-average quotes. A broker who can obtain quotes from several carriers is the best way to find a policy that fits your budget and risk profile. And while cyber insurance is not cheap, weigh the premium against the cost of a serious incident, which can easily run to tens or hundreds of thousands of dollars in losses; in that light the premium is a worthwhile investment in protecting the business.

Sources

  1. Insurance Business America – Small Biz Cyber Stats (2024): Gia Snape, Despite awareness, small businesses still highly vulnerable to cyber attacks. Reports that 41% of small businesses had a cyber attack in 2023 (up from 38% in 2022)[1], and over half now carry cyber insurance coverage[25]. (URL: insurancebusinessmag.com)
  2. Stamm Tech – Cyber Insurance Controls (2025): “Cyber Insurance in 2025: The 7 Controls Carriers Expect (and How to Get Bind-Ready in 30 Days).” Explains that due to ransomware losses, cyber insurance applications now resemble a security audit – if you answer “no” on key controls like MFA, EDR, backups, etc., quotes may be expensive or unavailable[3]. Lists seven baseline security measures most insurers require (MFA, EDR, immutable backups, patch management, phishing training, least-privilege admin, vendor access controls)[9].
  3. Arthur J. Gallagher (AJG) – Ransomware Impact on Cyber Insurance (2021): John Doernberg, “Ransomware Causes Cyber Insurers to Raise the Bar.” Describes how a surge in ransomware claims led insurers to increase premiums by 15–50% and impose stricter underwriting with more probing questions[2][38]. Emphasizes that coverage and pricing became very sensitive to the quality of security answers.
  4. Marsh – US Cyber Insurance Market Update (Q4 2024): “Underwriting scrutiny continues – cyber hygiene essential.” Notes that insurers are scrutinizing organizations’ cybersecurity practices to ensure effective controls[5]. Companies that demonstrate improved cyber hygiene can access more favorable terms and pricing[17]. Encourages businesses to maintain strong controls to enjoy greater flexibility in coverage.
  5. Compliancy Group – Cyber Insurance and HIPAA (2022): Monica McCormack, “Cybersecurity Insurance Coverage: If You’re Not Compliant, They Won’t Pay.” Explains that being HIPAA compliant is both required for healthcare cyber coverage and can lower premiums, since HIPAA security measures reduce breach risk[20]. Warns that if a healthcare organization attests to compliance but isn’t actually compliant, an insurer can deny claims (policy voided for misrepresentation)[19]. Includes expert quote that premiums can be “tempered significantly” by implementing proper processes, training, and robust security infrastructure[18].
  6. Mad Devs – Cyber Insurance Explained for SMBs (2024): Maksim Pankov, “Cyber Insurance Explained: Coverage, Benefits, and Key Considerations.” Provides an overview of factors affecting cyber insurance cost: industry, coverage type, number of employees, policy limits, and past incidents[24]. Cites an average cyber insurance cost for small businesses of ~$145 per month[26]. Advises that demonstrating strong security (e.g. obtaining ISO 27001 or SOC 2 certification) can help keep premiums low[39].
  7. VC3 (Municipal IT Blog) – Cyber Insurance for Municipalities (2022): “Municipal Leagues Say Cities Must Get Cyber Insurance and Implement Best Practices.” Highlights the cyber insurance challenges for local governments. Notes that ransomware attacks hit municipalities more than any other industry and many cities lack basic controls[6]. As a result, many insurers see cities as uninsurable: some have left the market, others only offer coverage if strict cyber best practices are in place[29]. Specific insight that some carriers won’t provide any coverage to municipalities that don’t have MFA, etc.[8]. Recommends top controls for cities (MFA, patching, daily backups, isolating backups, email filtering, etc.) to be eligible for affordable coverage[37][36].
  8. Woodruff Sawyer – Cyber Insurance Trends Survey (2025): Dan Burke, “Cyber Insurance in 2025: What to Expect.” Shares survey data from underwriters: 48% predict cyber insurance premiums will increase, though 53% expect coverage terms to expand[40]. Confirms that ransomware remains the top concern, and underwriters are slightly less pessimistic about risk increase than prior year. Emphasizes the continuing need for strong security measures and underwriting scrutiny, despite some market stabilization in pricing.

[1] [25] Despite awareness, small businesses still highly vulnerable to cyber attacks | Insurance Business America

https://www.insurancebusinessmag.com/us/news/cyber/despite-awareness-small-businesses-still-highly-vulnerable-to-cyber-attacks-474678.aspx

[2] [38] Cyber Insurance in the Fight Against Ransomware | AJG United States

https://www.ajg.com/news-and-insights/cyber-insurance-fight-against-ransomware/

[3] [4] [9] [10] [11] [12] [13] [14] [15] Cyber Insurance in 2025: The 7 Controls Carriers Expect (and How to Get Bind-Ready in 30 Days) | Stamm Tech

https://www.stammtech.com/feed/cyber-insurance-in-2025-the-7-controls-carriers-expect-and-how-to-get-bind-ready-in-30-days/

[5] [17] Q4 2024 update on the US cyber insurance market | Marsh

https://www.marsh.com/en/services/cyber-risk/insights/cyber-market-update-q4-2024.html

[6] [7] [8] [16] [28] [29] [30] [31] [32] [33] [34] [35] [36] [37] Municipal Leagues Say Cities Must Get Cyber Insurance and Implement Best Practices

https://www.vc3.com/blog/municipal-leagues-say-cities-must-get-cyber-insurance-and-implement-best-practices

[18] [19] [20] [27] Cybersecurity Insurance Coverage: If You’re Not Compliant, They Won’t Pay

https://compliancy-group.com/cybersecurity-insurance-coverage-if-youre-not-compliant-they-wont-pay/

[21] [22] [23] [24] [26] [39] Cyber Insurance Explained: What SMBs Need to Know

https://maddevs.io/blog/cyber-insurance-explained/

[40] Cyber Insurance in 2025: What to Expect | Woodruff Sawyer

https://woodruffsawyer.com/insights/cyber-looking-ahead-guide
