Is cyber insurance worth it for a small business?
What cyber insurance actually covers, what it costs, the exclusions that bite at claim time, and how to decide whether your SME needs it or should self-insure.
Cyber insurance is worth it for most SMEs, but not for the reason people buy it, and not before you have done the cheap stuff first.
People buy it imagining a payout. The actual value, the part that earns its premium nine times out of ten, is the incident response that comes with it. When you have a breach at 11pm, the policy gives you a phone number that connects you to forensics, breach counsel, a negotiator and a PR firm who do this every week. A 30-person company has none of those on speed dial and would spend the first critical 48 hours just figuring out who to call. That panel access is frequently more valuable than the indemnity.
What you are actually buying
A cyber policy generally has two halves. First-party covers your own losses: incident response, forensics, business interruption, data restoration, cyber extortion, sometimes the ransom itself. Third-party covers your liability to others: claims from customers whose data leaked, regulatory defense, fines where they are legally insurable.
For most SMEs the first-party side does the heavy lifting, because the dominant costs of an incident (recovery, downtime, response) are your own costs, not lawsuits from others. The third-party side matters more the more sensitive the data you hold and the more litigious your jurisdiction. A US firm holding health data weights third-party far higher than a European manufacturer.
The price, and the new gatekeeping
Premiums for a small business are usually in the low thousands a year for a modest limit, scaling with revenue, sector risk and the limit you choose. That is the easy part to find out.
The harder reality since the ransomware loss-ratio blowup of 2020 to 2021: insurers got strict. The application is now a controls questionnaire. MFA everywhere, especially on remote access and email. Tested offline or immutable backups. EDR. An incident-response plan. Patch and access management. Miss enough of these and you either cannot get cover, or you get a thin policy with ransomware sub-limited to near uselessness.
This is actually a feature. The underwriting process drags reluctant businesses into doing the controls they should have done anyway, because now there is a renewal date and a discount attached. I have watched companies finally roll out MFA company-wide not because security asked nicely for two years but because the insurer made it a condition of cover.
The exclusions that bite at claim time
This is where the cynicism is earned. Policies pay out far more reliably than the internet folklore suggests, but the denials that do happen cluster around predictable causes, and they are worth knowing before you need to file.
The big one is misrepresentation. You attested on the application that you had MFA on all remote access. The breach came through an exposed VPN with no MFA. The insurer can argue you misrepresented your posture and deny the claim, and they will. Whoever fills in that form needs to actually know the environment, not optimistically tick boxes to get a lower premium. That optimism is uninsured.
Then the standard carve-outs: known and unpatched vulnerabilities (you knew, you did not fix, you are on the hook), prior known incidents, war and state-sponsored attack exclusions (which got a lot of attention after NotPetya litigation and are still genuinely contested), and failure to maintain the controls you claimed. Read the conditions, not just the limits. The limit tells you the best case. The conditions tell you whether you will ever see it.
So, worth it or not
Run the expected-loss math first. Work out your annual exposure across ransomware, breach, downtime, fraud and regulatory, then knock it down with the controls that pay for themselves: MFA, backups, EDR, an IR plan. These reduce your risk and your premium at the same time, so they come first regardless.
Whatever exposure is left after that is the tail: the low-probability, high-cost event you cannot economically engineer away. That residual is exactly what insurance is for. For most SMEs the residual is large enough, and the response panel valuable enough, that a policy is worth it. For a micro business with very little sensitive data and minimal revenue at risk, it can be marginal, and self-insuring the small stuff while you build controls is a defensible call.
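The expected-loss exercise above, worked through as an added example (not part of the original article): a small model that prices each scenario before and after the basic controls, then shows what a hypothetical policy with a retention and a ransomware sub-limit would actually hand back, and which single event you still carry. All figures are constructed placeholders for a hypothetical 30-person firm; the policy terms (limit, retention, premium, sub-limit) are assumptions, not quotes from any insurer.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Scenario:
    name: str
    annual_probability: float         # chance of at least one event per year, before controls
    cost: float                       # all-in cost if it happens (response, downtime, restoration)
    control_reduction: float          # fraction of that probability the basic controls remove
    covered: bool = True              # does the policy respond to this loss type at all?
    sublimit: Optional[float] = None  # e.g. a ransomware sub-limit; None means the full limit applies

def residual_probability(s: Scenario, with_controls: bool) -> float:
    return s.annual_probability * ((1 - s.control_reduction) if with_controls else 1.0)

def expected_loss(scenarios, with_controls: bool) -> float:
    """Annualised expected loss (sum of probability x cost), with or without the basic controls."""
    return sum(residual_probability(s, with_controls) * s.cost for s in scenarios)

def insurer_payout(s: Scenario, limit: float, retention: float) -> float:
    """What the policy pays for one occurrence: cost above the retention, capped at the lower of limit and sub-limit."""
    if not s.covered:
        return 0.0
    cap = limit if s.sublimit is None else min(limit, s.sublimit)
    return min(max(s.cost - retention, 0.0), cap)

def evaluate_policy(scenarios, limit: float, retention: float, premium: float) -> dict:
    """Compare the premium with the expected recovery, and name the largest single-event loss left uninsured."""
    recovery = sum(residual_probability(s, True) * insurer_payout(s, limit, retention) for s in scenarios)
    worst = max(scenarios, key=lambda s: s.cost - insurer_payout(s, limit, retention))
    return {
        "expected_loss_no_controls": expected_loss(scenarios, False),
        "expected_loss_with_controls": expected_loss(scenarios, True),
        "expected_recovery": recovery,
        "premium": premium,
        "largest_uninsured_event": (worst.name, worst.cost - insurer_payout(worst, limit, retention)),
    }

# Constructed figures for a hypothetical 30-person firm; replace every number with your own estimates.
SCENARIOS = [
    Scenario("ransomware", 0.08, 250_000, 0.60, sublimit=100_000),
    Scenario("data breach", 0.05, 120_000, 0.40),
    Scenario("outage / downtime", 0.10, 40_000, 0.50),
    Scenario("invoice fraud (BEC)", 0.06, 30_000, 0.50),
    Scenario("regulatory fine", 0.02, 80_000, 0.30, covered=False),  # assumed uninsurable in this jurisdiction
]

if __name__ == "__main__":
    # Assumed policy terms: 500k limit, 10k retention, 4k premium, ransomware sub-limited to 100k.
    for key, value in evaluate_policy(SCENARIOS, limit=500_000, retention=10_000, premium=4_000).items():
        print(f"{key}: {value}")
```

With these placeholder inputs the controls roughly halve the expected loss, and the ransomware sub-limit leaves a six-figure event on your own balance sheet even with the policy in force, which is the kind of condition the article says to read before the limit.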
What is not defensible is buying a policy instead of doing the controls. The insurer will not let you anyway, and even if they did, a payout does not give you your customers, your week, or your reputation back.
Estimate your exposure first so you know what you are actually transferring, and check the methodology for the numbers behind it. Buy insurance for the tail you cannot fix, not as a substitute for the basics you can.