Cyber Risk Assessment: The Small Business Scorecard

Most small business owners have a rough sense of their physical risk exposure. They know whether their building is in a flood zone, whether their equipment is aging, whether their liability limits match the size of the contracts they sign. They have that intuition because fire, theft, and liability are risks they can see.

Cyber risk is different. It is invisible until it is not. The gap between “we haven’t had a problem” and “we have a serious problem” can close in hours, and the warning signs are invisible to anyone who is not actively looking for them. That is why cyber risk assessment, a structured, scored evaluation of where your business actually stands, is not a step you skip.

This guide is a working cyber risk assessment scorecard for small businesses. It covers eight categories, tells you what to look for in each, and gives you a framework for understanding your overall exposure. It is not a technical audit. It is a business owner’s tool for identifying gaps before they become claims.

Why a Cyber Risk Assessment Matters Before You Buy or Renew Insurance

Cyber liability insurance is not one-size-fits-all. The coverage you qualify for, the premium you pay, and the conditions attached to your policy all depend on the security posture of your business at the time of application. Many small business owners complete an insurance application without having done a real cyber risk assessment, answering the questionnaire optimistically and receiving a policy that reflects what was reported rather than what actually exists.

A cyber risk assessment completed before you apply or renew does three things: it tells you where you genuinely stand, it helps you close gaps before they affect your coverage terms, and it ensures your application accurately reflects your actual security posture. When a breach occurs and the insurer reviews the claim, any discrepancy between what was reported and what actually existed can create a coverage dispute at the worst possible moment.

The 8 Categories of the Small Business Cyber Risk Assessment Scorecard

Eight categories cover the full range of controls that insurers evaluate, regulators expect, and attackers probe. Score yourself honestly in each. The categories with the lowest scores are your highest-priority remediation targets before your next renewal.

Each category contains five scored checkpoints for a total of 40 points across all eight categories. The NIST Small Business Cybersecurity Corner and the CISA Small Business Resources library provide free supporting frameworks for each category below.

1. Access Control and Authentication

MFA status on all email, remote access, and admin accounts. Only 13% of small businesses require MFA across all systems. This is the highest-weight category in most underwriting questionnaires and the highest-impact control available.

2. Employee Training and Awareness

Documented training for all employees in the last 12 months, new hire training before system access, phishing simulations conducted, and training completions logged. See the cybersecurity training program instruction manual for the full framework.

3. Endpoint Security and Device Management

Active endpoint protection on all devices, device password requirements, full-disk encryption on laptops, MDM for any BYOD device, and a procedure for reporting lost or stolen devices. See the device security training guide.

4. Data Backup and Recovery

Daily backups stored offsite or in isolated cloud storage, backup restorability tested quarterly, backup system isolated from the primary network, and documented recovery time objectives. Businesses without tested isolated backups are high-risk for ransomware sublimit exclusions.

5. Network Security

Business-grade firewall actively managed, separate networks for business versus guest devices, VPN required for remote system access, WPA2 or WPA3 wireless encryption, and default credentials changed on all network equipment.

6. Vendor and Third-Party Risk

Current list of all vendors with system or data access, SOC 2 or equivalent reviewed for sensitive-data vendors, data security requirements in vendor contracts, and a process for terminating vendor access when the relationship ends.

7. Incident Response Preparedness

A written incident response plan exists, key employees know their roles, the cyber insurer’s hotline number is accessible without needing email, and the plan has been reviewed in the last 12 months. Businesses without response plans pay significantly more for breach response at market rates.

8. Cyber Liability Insurance Coverage

Standalone cyber liability policy (not just an endorsement), limits adequate for your data volume, first-party and third-party coverage both present, ransomware sublimits adequate, BYOD devices not excluded, and timely notification requirements understood. Visit The Coyle Group’s cyber insurance hub.

How to Interpret Your Cyber Risk Assessment Score

Eight categories, five checkpoints each, forty total points. Where you fall on that scale maps to a risk profile that insurers use in underwriting and that reflects your actual breach probability. The most actionable use of your score is not the total number; it is identifying the one or two categories where you scored lowest and addressing those specifically.

Score Range    Risk Profile and Next Steps

35-40          Strong foundational controls across all eight categories. Well-positioned for favorable cyber liability terms.

25-34          Solid coverage in most areas with meaningful gaps in one or two categories. Prioritize the lowest-scoring areas before your next renewal.

15-24          Multiple material gaps. Insurers will flag these in underwriting; expect exclusions, higher premiums, or lower limits until the gaps are addressed.

Below 15       Fundamental control gaps across most categories. Cyber liability coverage may be difficult to obtain at reasonable terms until remediation is complete.
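The scoring and interpretation procedure above, as an added Python example (not a tool from this article or from The Coyle Group): it validates a completed card, totals the eight categories, maps the total to the bands in the table, and returns the lowest-scoring categories to remediate first. The band labels are shortened from the table, and the sample answers are constructed.

```python
# Eight scorecard categories, in the order the guide presents them.
CATEGORIES = (
    "Access Control and Authentication", "Employee Training and Awareness",
    "Endpoint Security and Device Management", "Data Backup and Recovery",
    "Network Security", "Vendor and Third-Party Risk",
    "Incident Response Preparedness", "Cyber Liability Insurance Coverage",
)
CHECKPOINTS_PER_CATEGORY = 5
MAX_SCORE = len(CATEGORIES) * CHECKPOINTS_PER_CATEGORY  # 40 points

# Lower bound of each band from the interpretation table, checked top-down.
BANDS = ((35, "Strong foundational controls"),
         (25, "Solid coverage with gaps in one or two categories"),
         (15, "Multiple material gaps"),
         (0, "Fundamental control gaps"))


def risk_band(total: int) -> str:
    """Map a 0-40 total to the guide's risk profile."""
    if not 0 <= total <= MAX_SCORE:
        raise ValueError(f"total must be 0..{MAX_SCORE}, got {total}")
    return next(label for floor, label in BANDS if total >= floor)


def score_card(met: dict[str, int], focus: int = 2) -> dict:
    """Score a completed card.

    met maps every category to how many of its five checkpoints are satisfied.
    Returns the total, its band and the `focus` lowest-scoring categories, which
    the guide calls the most actionable output of the exercise.
    """
    missing = [c for c in CATEGORIES if c not in met]
    unknown = [c for c in met if c not in CATEGORIES]
    if missing or unknown:
        raise ValueError(f"missing={missing} unknown={unknown}")
    for cat, n in met.items():
        if not isinstance(n, int) or not 0 <= n <= CHECKPOINTS_PER_CATEGORY:
            raise ValueError(f"{cat}: expected 0..{CHECKPOINTS_PER_CATEGORY}, got {n!r}")
    total = sum(met[c] for c in CATEGORIES)
    ranked = sorted(CATEGORIES, key=lambda c: met[c])  # stable: ties keep guide order
    return {"total": total, "max": MAX_SCORE, "band": risk_band(total),
            "priorities": ranked[:focus]}


# Constructed sample: partial MFA rollout and untested backups. Not real data.
SAMPLE = dict(zip(CATEGORIES, (2, 3, 4, 1, 4, 2, 3, 4)))

if __name__ == "__main__":
    print(score_card(SAMPLE))
```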

Frequently Asked Questions About Cyber Risk Assessment

How often should a cyber risk assessment be completed?

Annually at minimum, and immediately before any cyber liability policy application or renewal. The assessment should also be triggered by significant changes: new systems, new remote work arrangements, new vendors with data access, or any security incident. Threats evolve and underwriting requirements change. An assessment that was accurate 18 months ago may not reflect your current exposure.

Is a cyber risk assessment the same as a cybersecurity audit?

No. A cybersecurity audit is a technical review of your infrastructure, often conducted by an external security firm using automated tools and manual testing. A cyber risk assessment is a business-level evaluation of your controls, policies, and practices. Audits are more thorough and more expensive. Assessments are appropriate for small businesses evaluating their posture and insurance readiness. An audit may be warranted if your assessment reveals significant gaps or if your industry requires it.

Does a cyber risk assessment affect cyber liability insurance terms?

Yes, directly. Insurers use assessment inputs — specifically the security questionnaire that accompanies every cyber liability application — to price and structure coverage. Businesses that demonstrate MFA, documented training, tested backups, and incident response planning consistently receive better terms. The premium differential can be meaningful at the coverage limits appropriate for small businesses.

What should be fixed first if resources are limited?

Prioritize by impact per effort. MFA is high-impact and relatively easy to roll out across most common business platforms. Documented employee training requires more effort but has a high impact on both breach rate and insurance terms. Backup testing is often as simple as running a recovery test on a backup file. If resources are limited, address access control, training, and backup in that order.

Is a self-assessment scorecard enough?

A self-assessment scorecard like this one is a starting point and a useful tool for identifying obvious gaps. It is not a substitute for a professional risk review, particularly if your business handles sensitive customer data, operates in a regulated industry, or is evaluating coverage with limits above $1 million. The Coyle Group conducts no-cost cyber risk reviews for businesses evaluating their coverage needs.

Which category do small businesses most often overlook?

Vendor and third-party risk. Small business owners spend significant energy on their own controls and relatively little time evaluating the security posture of vendors, software platforms, and service providers with access to their systems and data. A payroll provider breach, a point-of-sale software vulnerability, or a compromised managed services vendor can produce a claim just as significant as a direct attack — and many small business policies have sublimits or exclusions for third-party-caused incidents.

The Bottom Line on Cyber Risk Assessment

The businesses that are blindsided by breaches are not always the ones with the worst controls. They are often the ones who never completed an honest assessment of where they actually stood. Knowing your gaps before an attacker finds them is basic risk management. Use the scorecard above, score yourself honestly, identify the lowest-scoring categories, and address them before your next renewal. If the results reveal exposures you are not sure how to interpret in terms of your insurance coverage, that is exactly the conversation The Coyle Group is built to have. Explore The Coyle Group’s cyber insurance hub, review the cybersecurity awareness training overview for employee-side controls, and browse the full Insurance By Coverage hub for related commercial coverage topics.

About the Author

This article was written by Gordon B. Coyle, CPCU, ARM, AMIM, PWCA, CEO of The Coyle Group, who has over 40 years of experience working with business owners of all sizes and industries across the US, solving their insurance challenges.