Cyber Insurance for Small and
Mid-sized Organizations

What’s Covered … And What Isn’t

Cyber Question Mark with Shield




As cyber threats and cybercriminals continue to evolve, small to mid-sized organizations and city and county governments grapple with the challenge of staying cyber-secure. And cyber insurance is an important piece of the puzzle.

Cyber insurance has emerged as a critical shield against potential cyberattacks, offering coverage for a range of cyber incidents.

However, navigating the world of cyber insurance policies and coverages can be a frustrating process.

In this quick brief, we’ll explore the particulars of cyber insurance, explaining …

what’s covered and, perhaps more importantly, what isn’t?

We aim to empower you to make informed decisions when selecting a policy that best aligns with your organization’s unique needs and potential vulnerabilities.



The Crucial Role of Cyber Insurance

Small to midsized businesses and local government offices often need to pay more attention to their vulnerability to cyber threats. Unfortunately, this oversight can lead to dangerous and costly breaches as cyberattacks continue to rise, impacting organizations of all sizes.

In this section, we’ll explore the escalating cyber risks, the hefty price tag of cyber incidents, and the pivotal role cyber insurance plays in protecting your organization.


The Rise of Cyber Threats

Cyber Security Attacks

Cybercriminals increasingly target midsized organizations and local government offices, exploiting their limited resources and often-lax security measures.

Research suggests that 43% of cyberattacks are aimed at small businesses. Cybercriminals are also attracted to the wealth of sensitive data stored within local government systems, making them prime targets.



The Financial Fallout of Cyber Incidents

The consequences of a cyberattack can be financially crippling for SMBs and local government offices.

According to a study by the Ponemon Institute, the average data breach cost for small businesses in 2021 was $3.86 million. This hefty sum includes expenses related to incident response, business loss, and reputation damage.



The Protective Power of Cyber Insurance

In the face of these alarming statistics, cyber insurance emerges as a key component of your organization’s risk management strategy.

By providing coverage for a range of potential cyber incidents, cyber insurance can help mitigate the financial impact of an attack, securing your organization’s assets, reputation, and future.



Types of Cyber Insurance Policies: Understanding Coverage

What does cyber security not coverTo make an informed decision, it’s essential to understand the differences between primary, secondary, first-party, and third-party coverage.

This section will delve into these policy types and provide examples of incidents typically covered.


Primary vs. Secondary Coverage: The First Line of Defense

Primary cyber insurance coverage is your organization’s main safeguard against cyber risks. It’s designed to respond immediately to a covered incident, offering financial protection and support.

On the other hand, secondary coverage is intended to fill in the gaps left by the primary policy, covering additional expenses or specific scenarios not addressed by the primary policy.


First-Party vs. Third-Party Coverage: Who’s Protected?

First-party coverage focuses on your organization’s direct costs due to a cyber incident. Covered expenses include system repairs, data recovery, and business interruption costs.

Third-party coverage, meanwhile, addresses liabilities arising from claims made by external parties affected by a cyber event involving your organization. For example, this could include lawsuits, regulatory fines, or costs associated with notifying affected individuals.


What is Covered by Cyber Insurance


First-Party Coverage:

  • Data breach response and notification: Covers the costs related to investigating a breach, legal consultation, notifying affected parties, and providing credit monitoring services.
  • Cyber extortion and ransomware: Covers the costs of responding to a ransomware attack, including negotiation and payment of ransom demands and costs to restore systems and data.
  • Business interruption: Deals with the loss of income from a cyber event that disrupts normal business operations.
  • Digital asset restoration: Restores or replaces damaged, corrupted, or stolen digital assets, such as software, data, and other electronic files.
  • Crisis management and public relations: The costs of hiring a public relations firm to manage the organization’s reputation after a cyber event.


Third-Party Coverage:

  • Network security liability: This covers claims arising from unauthorized access to, or use of, a company’s computer systems, as well as the transmission of harmful malware to third parties.
  • Privacy liability: Claims resulting from the loss or disclosure of sensitive personal or corporate information, either electronically or through physical means.
  • Regulatory fines and penalties: This covers fines and penalties imposed by regulatory agencies for violating data privacy laws and regulations.
  • Media liability: Handles claims arising from copyright infringement, defamation, or invasion of privacy about digital content or online activities.
  • Errors and omissions: Deals with claims from failing to provide adequate cybersecurity measures or services and negligence in handling sensitive data.


Please note that the specific coverages can vary between policies and insurance providers. Therefore, it is essential to carefully review your policy and consult with your IT provider to ensure you have the appropriate coverage for your organization’s needs.




What is Not Covered by Cyber Insurance


cyber insurance questions


While cyber insurance provides essential protections, it’s crucial to understand that not all risks are covered.

In this section, we’ll explore common exclusions and situations where coverage is limited, emphasizing the importance of knowing your policy’s boundaries.




General Exclusions:

  • Bodily injury and property damage: Policies typically do not cover claims related to physical injuries or damage to tangible property resulting from a cyber event.
  • Contractual liabilities: Cyber insurance policies often do not cover liabilities arising from contractual agreements, such as indemnification or service level agreements.
  • Criminal acts and fraud: They generally exclude coverage for losses resulting from criminal acts or fraud committed by the policyholder or their employees.
  • War and terrorism: Losses stemming from acts of war, terrorism, or similar events are not covered by cyber insurance policies.


Specific Exclusions:

  • Unencrypted devices or systems: Cyber insurance do not cover losses from using unencrypted devices or methods, as these are considered inadequate security measures.
  • Outdated software or hardware: Policies may exclude coverage for losses arising from using outdated or unsupported software or hardware, as this can increase the risk of a cyber event.
  • Insider threats: Some policies may exclude coverage for losses caused by intentional or malicious acts committed by employees or other insiders.
  • Social engineering and phishing: While some policies may cover these types of attacks, others may exclude or offer limited coverage for losses from social engineering or phishing scams.
  • Reputational damage: Some cyber insurance policies may not cover the indirect costs of a cyber event, such as reputational damage or loss of customers.


It is crucial to thoroughly review your cyber insurance policy and consult with your provider to understand the specific exclusions that may apply to your organization.

Limited Coverage Situations: Tread Carefully

In addition to specific exclusions, some circumstances may limit your policy’s coverage.

For instance:

  • Sub-limits: Certain types of claims, like those involving regulatory fines or ransomware payments, may have lower coverage limits than the overall policy limit.
  • Waiting periods: Policies include periods before coverage is activated, particularly for business interruption claims.
  • Excess coverage: If you have multiple insurance policies, cyber insurance will provide excess coverage, meaning it comes into play after other policies have been exhausted.




In this quick guide, we’ve identified the main types of insurance. But more importantly, we’ve given you an overview of what cyber insurance covers and doesn’t.

As an experienced Managed IT Provider for over 25 years for small to midsized organizations and local governments, we are deeply involved in the security of our partners.

And cyber security has dramatically changed, making cyber insurance more necessary and valuable to protect your organization.

The future of cyber insurance is intertwined with the adoption of emerging technologies, such as AI, machine learning, and blockchain. These innovations could transform the insurance industry, providing more accurate risk assessments, enhanced policy management, and proactive threat detection.

Embracing these technologies can help organizations stay ahead of the curve and maintain a robust defense against cyber threats.


For a deeper dive into cyber insurance for your organization, check out our Ultimate Guide for Cyber Insurance.

The Ultimate Guide to Cyber Insurance

Thank you for your referral!