Cyber Insurance for Small Business: The Honest Buyer's Guide for 2026
The Market Has Changed — and Most SMB Buyers Haven't Caught Up
Cyber insurance went through a brutal market correction starting in 2021. Carriers had spent the previous decade growing fast, undercutting each other on premiums, and writing policies that paid claims without questioning the underlying security posture. Then ransomware costs exploded, claims paid jumped from millions to billions per carrier per year, and the market remembered why underwriting standards exist.
Three years later, the SMB cyber insurance market looks completely different from the one most small business owners last shopped in.
Premiums are 30-100% higher than they were in 2021. Coverage limits are lower for the same dollar. Sub-limits and exclusions are more aggressive — especially around ransomware payouts, social engineering fraud, and "war exclusion" clauses. The underwriting questionnaires have ballooned from one page to twenty, with detailed questions about your specific controls. And — most importantly — carriers are auditing those questionnaires after a claim and denying coverage when the answers don't match reality.
If you bought your last cyber policy before 2023 and haven't paid close attention to the renewal, you may not actually have the coverage you think you have. This guide walks through what to actually evaluate, what to honestly answer on questionnaires, and how to negotiate from a position of preparation.
What Cyber Insurance Actually Covers (and What It Doesn't)
A typical SMB cyber policy in 2026 covers some combination of:
First-party coverage — costs you incur directly:
- Incident response — IR firm engagement, forensics, breach counsel. This is often the most valuable part of the policy. A typical IR engagement for a small business runs $50K-$300K, and your carrier already has IR firms on retainer at rates you couldn't negotiate on your own.
- Business interruption — lost revenue during downtime caused by a cyber event. Usually triggered after a 12-24 hour waiting period.
- Data restoration — costs to rebuild compromised data and systems.
- Cyber extortion — ransomware payment AND the costs around dealing with the demand. Many carriers now sub-limit this to $250K-$500K or exclude it entirely for OFAC-sanctioned threat actors.
- Customer notification — direct mail, credit monitoring, call centers required by state breach notification laws.
Third-party coverage — costs from claims against you:
- Privacy liability — class actions from customers whose data was exposed.
- Regulatory defense — defense costs for state AG or federal investigations (HIPAA, FTC, state UDAP, etc.).
- PCI fines — assessed by card brands after card-data breaches.
- Media liability — defamation, IP infringement, content claims.
What's usually NOT covered:
- Reputational damage — the long-term revenue impact of customers who didn't return.
- Acts of war or nation-state attacks — the "war exclusion" debate is real and unresolved. Some policies now have explicit cyber-war language; others rely on traditional war exclusions and let it get litigated.
- Pre-existing breaches — if a breach started before your policy began, it's not covered, even if you find it after the policy is in force.
- Voluntary parting — wire fraud where someone in your company knowingly authorized the wire (even if they were tricked). This is the "Business Email Compromise" sub-limit issue — read your specific policy language carefully.
- Failure to maintain controls — if you claimed MFA on all admin accounts and the breached account had no MFA, this is the basis for claim denial.
The 2026 Underwriting Questionnaire — What Carriers Actually Care About
Modern SMB cyber questionnaires typically run 60-100 questions. The ones underwriters weight heaviest:
-
MFA enforcement — On all admin accounts. On all email accounts. On all remote access. On all privileged service accounts. The bar is "yes, fully enforced, no exceptions" — partial implementations get marked as risk.
-
EDR deployment — Endpoint Detection and Response on every endpoint, with a managed SOC or MDR partner watching alerts. Antivirus alone is not enough.
-
Backup posture — Off-network, immutable, tested. The questionnaire will ask when you last tested a restore. "Never" is a problem.
-
Email security — DMARC at p=quarantine or p=reject. Anti-impersonation features enabled. Phishing simulation program.
-
Patch management — OS and high-risk app patches within 30 days. Documented process.
-
Privileged access — Local admin removed from end-user accounts. Dedicated admin workstations or just-in-time access for privileged work.
-
Incident response plan — Written, current, with IR firm contact info.
-
Security awareness training — Annual minimum, ideally quarterly with phishing simulations.
-
Network segmentation — Critical systems separated from general business network.
-
Vendor security — Vendor master file controls, callback verification for new beneficiaries (this is the BEC-prevention question).
Each "yes" on these reduces your premium. Each "no" either increases it, adds an exclusion, or makes some carriers refuse to quote you at all.
The Honesty Trap
Here's the thing most SMB buyers don't fully appreciate: lying or stretching on the questionnaire is the single biggest cause of claim denial.
When you have an incident, the IR firm's report is going to detail exactly what controls were in place at the time of the breach. The carrier's adjuster compares that report to your questionnaire. If you claimed MFA on all admin accounts and the breached account had no MFA, the carrier has a documented basis to deny — and they will use it.
This isn't a hypothetical. Insurance industry data from 2023-2024 shows roughly 15-30% of cyber claims are denied or paid at reduced amounts due to questionnaire discrepancies. The discrepancy is almost always small (one account without MFA, one server without EDR), but the policy language often makes that small discrepancy a coverage-negating one.
What to do instead:
- Answer accurately. "Partially" is a valid answer with a remediation plan attached.
- Document remediation. If MFA isn't fully deployed yet but you're working on it, attach a written rollout plan with target dates.
- Get the broker to help. A good broker will tell you which "no" answers to fix before submitting, and which carriers are more lenient on which controls.
- Don't sign anything you wouldn't repeat under deposition.
How to Negotiate Your Renewal
Six things that move premium more than anything else:
-
Run an external posture scan before submitting. Carriers increasingly run their own external scans of your domain during quoting. They see what attackers see. If your DMARC, TLS, and security headers look weak from the outside, you're getting marked as risky regardless of your questionnaire answers. Run the free Breach Horizon Exposure Report on your domain and fix HIGH-severity findings before submitting. Carriers can tell.
-
Document specific controls in detail. Don't just say "we have EDR." Say "CrowdStrike Falcon Go deployed on 47 of 47 endpoints, MDR alerts handled by [MSP name] with 24/7 coverage, last quarterly review on [date]." Specificity earns credibility.
-
Show training metrics. "We run quarterly phishing simulations. Click rate has dropped from 18% to 4% over the past year." Concrete numbers beat vague claims.
-
Have an IR plan and share it. Carriers prefer policyholders who already know who they'll call at 2am.
-
Bundle with other commercial coverage. Standalone cyber is the most expensive. Bundled with general liability or E&O often gets you 10-20% off.
-
Be willing to walk. Get quotes from 3-4 carriers. The cyber market has wide variance — same risk, same coverage, can quote 30%+ apart between carriers. Your broker should be running this for you.
What Coverage Should You Actually Buy?
Industry guidance for SMBs in 2026:
| Company Revenue | Recommended Limit | Typical Premium | |---|---|---| | Under $5M | $1M | $1,500-$5,000/yr | | $5M-$25M | $2-5M | $5,000-$25,000/yr | | $25M-$100M | $5-10M | $20,000-$75,000/yr | | $100M+ | $10M+ | Custom |
These ranges assume average controls and non-regulated industries. Healthcare, financial services, and legal typically pay 1.5-2x these numbers because of the data sensitivity.
A common SMB mistake: buying the cheapest policy at the lowest limit. Cyber claims have a fat-tail distribution. The median small business incident costs around $30K, but the 95th percentile is around $500K. You want enough coverage to handle the tail event, not the median one.
Quick-Reference Checklist Before Your Next Renewal
- [ ] Run the Breach Horizon Exposure Report on your primary domain — fix HIGH-severity findings before submitting
- [ ] Pull your last IR plan and confirm it's current; update with IR firm and counsel contact info
- [ ] Verify MFA enforcement on every admin account, every email account, every remote access service
- [ ] Confirm EDR is deployed on every endpoint (no exceptions for the CEO's laptop)
- [ ] Test a backup restore in the last 6 months; document the date, what worked, what didn't
- [ ] Review your DMARC status — escalate to p=quarantine or p=reject if you're still at p=none
- [ ] Get quotes from at least 3 carriers; share controls documentation with each
- [ ] Read the policy language on ransomware sub-limits, social engineering fraud, and war exclusion
- [ ] Ask your broker about claim denial rates for the carriers you're considering — if they don't know, ask a different broker
Final Word
Cyber insurance is one of the few security investments where the payoff is immediate and the math is unambiguous: even minimal coverage gets you 24/7 access to an incident response firm, which is what actually saves you during a real incident. The trick is buying coverage that will actually pay out — which means answering questionnaires honestly, documenting the gaps with remediation plans, and choosing carriers whose policy language doesn't have hidden exclusions.
If you're up for renewal in the next 90 days, the 30 minutes you spend running our free Exposure Report and reviewing your DMARC status before submitting your questionnaire will likely save you more on premium than any other half-hour you'll spend this quarter. The fix path is documented in our DMARC setup guide. Most carriers won't see the difference for 30-60 days, but the carriers that do active reconnaissance will catch the improvement on day one.
See what attackers see — before they do.
Run the free passive scan, get a prioritized fix plan, and close the gaps yourself or have us do it for you.