Cyber Insurance FAQ
Get clear answers about cyber insurance costs, coverage, claims, and what your business needs.
Questions about cyber insurance? Look here.
- Understanding the fundamentals
- What’s covered and what’s not
- How to purchase and qualify
- Managing your policy and filing claims
- Tailored for different businesses
- Security practices and training
Cyber insurance protects businesses from financial losses resulting from cyber incidents like data breaches, ransomware attacks, and business email compromise. It’s a specialized insurance policy with two main coverage types: first-party costs (expenses you incur directly) and third-party liabilities (claims from others affected by a cyber incident).
First-party coverage generally includes incident response costs, business interruption losses, data restoration expenses, and cyber extortion payments. Understanding what cyber insurance covers is essential when evaluating policies for your business.
Third-party coverage addresses legal defense costs, regulatory fines, and damages to affected parties. Many policies also include valuable pre-breach services like risk assessments and employee training to help prevent incidents before they occur.
Cyber insurance premiums typically range from $1,200 to $7,500 annually for small to mid-sized businesses, with a median cost around $2,000-$4,000 per year for $1 million in coverage. However, cyber insurance premiums vary significantly based on several factors including your industry, company size, revenue, the sensitivity of data you handle, and your existing cybersecurity measures.
Businesses in high-risk industries like healthcare, finance, and technology typically pay more due to the sensitive data they handle. The cost of cyber insurance also depends on your claims history, coverage limits, and deductible amounts. Companies with strong security practices (such as multi-factor authentication, endpoint detection and response (EDR), and regular employee training) often qualify for lower premiums.
Yes, absolutely. Small businesses need cyber insurance now more than ever. 60% of small businesses that experience a cyber attack go out of business within six months. Small businesses are increasingly targeted by cybercriminals because they often lack the robust security infrastructure of larger enterprises, making them easier targets.
Even a minor cyber incident can have a devastating financial impact. The average cost of a data breach is $4.45 million globally, but even smaller incidents can cost $8,000-$12,000 for businesses with fewer than 50 employees, which is enough to seriously damage or destroy a small business. Small business cyber insurance provides not just financial protection but also access to expert incident response teams that most small businesses can’t afford on their own.
Yes, cyber insurance is absolutely worth it when purchased correctly. The question “is cyber insurance BS” reflects legitimate skepticism, but the value is real when you get the right policy.
Cyberattacks are not hypothetical. They happen daily to businesses of all sizes. With 30,000 websites hacked every day and the average breach costing $4.45 million, the financial risk is very real. Cyber insurance provides not just money to pay for incidents, but access to expert resources most businesses can’t afford on their own: forensic investigators, breach coaches, legal counsel, and crisis communication specialists who can be engaged immediately when an incident occurs.
However, cyber insurance is not a replacement for good security practices. It’s the safety net when those practices fail. Businesses that treat cyber insurance as a substitute for cybersecurity, rather than a complement to it, are making a costly mistake.
Several dangerous cyber insurance myths prevent businesses from getting adequate protection or understanding what their coverage actually provides.
- Myth #1: “My general liability or business owner’s policy covers cyber incidents.” Most traditional policies explicitly exclude cyber risks.
- Myth #2: “Cyber insurance is only for large companies or tech businesses.” Businesses of all sizes and industries are targets.
- Myth #3: “If I have good cybersecurity, I don’t need insurance.” Even Fortune 500 companies with sophisticated security teams get breached.
- Myth #4: “Cyber insurance is too expensive.” The cost of insurance is typically less than 2% of the potential breach costs.
- Myth #5: “Insurance covers everything cyber-related.” All policies have exclusions and limitations. Understanding what your policy actually covers is critical.
Cyber insurance is part of a comprehensive approach to managing digital risk, not a substitute for good security practices. Understanding what cyber insurance is and how it fits into your overall risk management strategy is essential for business owners.
Effective cyber risk management follows a hierarchy: first, prevent incidents through strong security controls and employee training; second, detect threats early through monitoring and logging; third, respond quickly with tested incident response plans; and fourth, transfer residual risk through insurance.
Think of cyber insurance as the final safety net after you’ve done everything possible to prevent and detect threats. The best insurance programs include pre-breach services that help you strengthen the first three layers.
Insurance is most valuable when it’s part of a broader strategy that includes regular security assessments, continuous monitoring, incident response planning and testing, business continuity planning, and vendor risk management. Our cyber insurance 101 basics and explaining cyber insurance resources can help you understand how insurance integrates with these other risk management practices.
Yes, most comprehensive cyber insurance policies cover ransomware attacks, but the extent of coverage varies by policy. Coverage typically includes the ransom payment itself, negotiation assistance, forensic investigation costs, legal fees, notification expenses, and business interruption losses.
However, insurers won’t automatically pay every ransom demand. The decision to pay depends on multiple factors including backup availability, potential data exposure, and legal considerations. Your policy should also cover the costs of engaging a breach coach immediately after an attack, ideally with a $0 deductible for this service. Additionally, some policies may require certain security controls like multi-factor authentication and regular backups to be in place for ransomware coverage to apply.
Social engineering fraud occurs when cybercriminals manipulate employees into voluntarily transferring money or revealing sensitive information through deception rather than technical hacking. Common examples include business email compromise (BEC), where attackers impersonate executives or vendors to trick employees into making fraudulent wire transfers.
Coverage for social engineering varies significantly between policies. Some cyber insurance policies include it as standard coverage, while others offer it as an add-on with limited sublimits (often $10,000-$250,000). Review your policy carefully, as some insurers exclude social engineering losses or cover them only under specific circumstances. Many businesses need to combine cyber insurance with commercial crime insurance to achieve comprehensive protection against these increasingly common attacks, which account for 70-90% of all malicious breaches.
First-party coverage protects your own direct losses and expenses, while third-party coverage protects you against claims from others. Understanding first-party versus third-party cyber coverages is essential when evaluating cyber insurance policies.
First-party coverage includes data restoration costs, business interruption income losses, cyber extortion payments, forensic investigation fees, notification expenses, credit monitoring for affected individuals, legal consultation, and public relations costs. These are costs you incur directly as the victim of an attack.
Third-party coverage protects you against claims and lawsuits from others who were harmed by a cyber incident involving your systems. This includes legal defense costs, settlements and judgments, regulatory fines and penalties, and damages to clients or partners whose data was compromised. For example, if your systems are breached and customer data is stolen, third-party coverage would address the lawsuits from those affected customers and any regulatory penalties for non-compliance with data protection laws.
The key difference is in their primary focus. Cyber insurance versus crime insurance becomes important when considering coverage for social engineering and funds transfer fraud.
Cyber insurance primarily covers losses from security failures, data breaches, network compromises, and malware attacks. It includes incident response services, forensic investigations, notification costs, legal fees, and business interruption. Crime insurance, on the other hand, specifically covers direct theft of money or securities, whether through computer fraud, wire transfer fraud, or social engineering.
Crime policies focus solely on monetary loss, without the broader incident response and liability coverage cyber policies provide. Many businesses need both policies for comprehensive protection, as social engineering losses may have limited coverage under cyber policies but are specifically addressed by crime insurance.
Business email compromise (BEC) represents one of the most financially damaging cyber threats, with losses exceeding $2.7 billion annually in the US alone. BEC attacks involve criminals impersonating executives, vendors, or business partners to manipulate employees into making fraudulent wire transfers or revealing sensitive information.
Coverage for BEC and social engineering varies significantly between cyber and crime policies. Cyber insurance may provide limited coverage for BEC under a “computer fraud” or “social engineering” sublimit, often capped at $100,000-$250,000. These sublimits are frequently far below the actual losses from successful BEC attacks.
Crime insurance policies, particularly those with social engineering endorsements, may offer higher limits specifically for fraudulent transfer scenarios. The critical difference is that cyber policies focus on the technology compromise aspect, while crime policies focus on the fraudulent transfer of money. Many businesses need both to ensure comprehensive protection against BEC threats.
Cyber threat insurance focuses on protecting businesses from specific cyber threats and attacks that could compromise their operations, data, and reputation. This coverage addresses the evolving landscape of cyber threats including ransomware, distributed denial of service (DDoS) attacks, malware, insider threats, and advanced persistent threats (APTs).
The distinction between general cyber insurance and cyber threat insurance is often subtle, with many comprehensive cyber policies incorporating threat-specific coverage as part of their standard offering. However, understanding the specific threats your business faces helps ensure your policy adequately addresses them.
For example, businesses heavily reliant on online operations need strong DDoS coverage, while those handling sensitive intellectual property need protection against industrial espionage and data theft. The key is matching your coverage to your specific threat profile based on your industry, data types, and attack surface.
Reputational damage coverage addresses one of the most serious but hardest-to-quantify impacts of a cyber breach: the erosion of trust and brand value. While some cyber policies explicitly include reputational harm coverage, it’s more commonly found through crisis management and public relations services.
This coverage typically pays for PR professionals to help manage media inquiries, public statements, and customer communications following a breach. Some policies provide coverage for advertising and marketing expenses to rebuild brand trust after an incident.
However, reputational damage coverage often has significant limitations: it may not cover the actual loss of business or customers (which would be business income loss), has relatively low sublimits ($50,000-$250,000), and requires the reputational harm to stem from a covered cyber incident. The most valuable aspect is often immediate access to crisis communication experts who can help minimize reputational damage through skillful handling of notifications and public response.
Standalone cyber policies provide significantly better protection than endorsements. Endorsing cyber insurance onto existing policies (like a Business Owner’s Policy or Package Policy) versus purchasing a standalone cyber policy is an important decision that affects coverage quality and breadth.
While endorsements may seem convenient and cost-effective, they typically provide significantly less coverage than standalone policies. Endorsement coverage is usually limited to $50,000-$250,000 compared to $1 million or more for standalone policies, may have substantial sublimits and exclusions, often lacks access to specialized incident response resources, and provides limited or no pre-breach services. Standalone cyber policies offer much more comprehensive protection with dedicated breach response teams, higher limits, fewer exclusions, and better post-incident support.
For most businesses with any significant cyber exposure, standalone cyber insurance is the better choice. Endorsements might be appropriate only for very small businesses with minimal digital footprint and limited sensitive data. When evaluating options, compare the total cost of a potential breach against the premium difference. The gap is usually obvious.
The right amount depends on several factors: your industry, the type and volume of sensitive data you handle, your revenue, and your risk exposure. Most small to mid-sized businesses start with $1-2 million in coverage, but businesses that handle large volumes of sensitive data or have significant regulatory exposure may need $5-10 million or more.
Consider the potential costs of a breach when determining how much cyber insurance you should buy: notification expenses (often $50-100 per affected individual), legal fees, regulatory fines, forensic investigations, public relations, business interruption losses, and potential lawsuits.
For specialized industries, coverage needs vary. Hedge funds and RIAs may need higher limits due to fiduciary responsibilities, while manufacturers and distributors face different risks. Your insurance broker can help assess your specific exposure and recommend appropriate coverage limits.
Most carriers now mandate specific security controls before they’ll even quote a policy. Cyber insurance underwriting requirements have become significantly more stringent as insurers respond to increasing claim frequency and severity.
The most common required controls include multi-factor authentication (MFA) on all accounts, especially for remote access and privileged users; endpoint detection and response (EDR) software on all devices; regular data backups with tested restoration procedures; a documented incident response plan; and regular employee security awareness training. Insurers also scrutinize patch management practices, asking how quickly you deploy security updates and whether you have end-of-life systems. Companies without these baseline controls may find coverage unavailable or prohibitively expensive.
A thorough cyber insurance buyer’s guide helps you navigate the complex process of selecting the right policy. Start by understanding your organization’s specific cyber risk exposure, evaluating the types of data you collect and store, and assessing your current security controls.
The guide should cover essential policy components like first-party and third-party coverage, policy limits and sublimits, deductibles and retention amounts, and coverage triggers (claims-made vs. occurrence). It should also address critical questions to ask insurers about breach response procedures, the insurer’s incident response panel and their expertise, policy exclusions and limitations, and what happens during the renewal process. Industry-specific considerations are also important, as hedge funds, doctors, contractors, and technology startups all face unique risks requiring tailored coverage.
Getting a comprehensive cyber insurance quote requires providing detailed information about your business operations, data handling practices, and existing security controls. The quote process typically begins with a detailed application or questionnaire.
You’ll need to provide information about your business including industry and operations, annual revenue, number of employees, types of data collected and stored (PII, PHI, payment card data, etc.), and number of records. Security practices will be evaluated including MFA implementation, EDR/antivirus deployment, backup procedures and testing, employee training programs, and incident response plans.
You’ll also need to disclose claims history including any prior cyber incidents, current security assessments or penetration testing, and third-party security audits if applicable. An experienced broker who specializes in cyber insurance can obtain competitive quotes from multiple carriers, explain the coverage differences between policies, and advocate for you during underwriting.
The Coyle Group can help you navigate this process and secure appropriate coverage for your specific needs.
The best cyber insurance providers offer comprehensive coverage without excessive exclusions or sublimits that create gaps in protection. Several factors distinguish top-tier carriers from the rest.
Key characteristics include a dedicated cyber claims team with 24/7 incident response capability; a panel of experienced breach coaches, forensic investigators, and legal experts; clear, straightforward policy language without hidden exclusions; competitive premiums reflecting your actual risk profile; pre-breach risk management services included at no extra cost; financial strength ratings (A.M. Best A- or better) ensuring they can pay claims; industry-specific expertise and understanding of your unique risks; and reasonable underwriting requirements that balance security with practicality.
The provider should also have a track record of paying claims promptly and working collaboratively with policyholders during incidents. An experienced broker can help identify the carriers best suited to your specific industry and risk profile.
Cyber pre-breach services are proactive risk management tools provided by many cyber insurance policies before an incident occurs. These services help prevent breaches rather than just paying for them after they happen.
Common pre-breach services include vulnerability scanning and penetration testing to identify security weaknesses; security awareness training for employees to recognize phishing and social engineering; risk assessments evaluating your overall security posture; dark web monitoring to detect if your credentials or data are being sold; access to security advisories and threat intelligence about emerging risks; and incident response planning assistance.
These services are extremely valuable because prevention is always less expensive than recovery. Many insurers offer these at no additional cost as part of your policy because they reduce the likelihood of claims. Taking advantage of pre-breach services can also help you qualify for better premiums at renewal.
Purchase a cyber insurance tail policy when switching insurers, retiring, selling your business, or discontinuing operations. A tail policy (also called extended reporting period coverage) extends the time you have to report claims for incidents that occurred during your policy period but are discovered after the policy expires or is cancelled.
Cyber incidents often aren’t discovered immediately. The average time to detect a breach is 277 days. If you cancel your policy or switch carriers without tail coverage, you could be uninsured for breaches that occurred during your coverage period but weren’t discovered until after. Tail coverage is especially critical for businesses with “claims-made” policies (the most common type of cyber insurance), where coverage depends on when the claim is made, not when the incident occurred.
The cost typically ranges from 100-300% of your annual premium, depending on the length of the extended reporting period.
Most cyber insurance policies include a waiting period (also called a retroactive date) of 30-45 days, though it can range from 0-90 days. This waiting period excludes coverage for breaches that occurred before the policy’s inception date but weren’t discovered until after coverage began. This prevents businesses from purchasing insurance after they suspect or know about a breach.
If a breach occurred during this window but wasn’t discovered until later, it may not be covered. Some policies don’t have any waiting period for certain first-party coverages. Understand your policy’s specific waiting period provisions and retroactive dates, especially when initially purchasing cyber insurance or switching carriers. Full disclosure of any known incidents or suspicious activity during the application process is essential to avoid coverage disputes later.
Cyber insurance renewal requires active management to ensure you maintain appropriate coverage as your business evolves. It’s not a passive process. The renewal process typically begins 60-90 days before your policy expires.
Key renewal considerations include reviewing whether your coverage limits still match your current exposure, evaluating any changes to policy terms or exclusions, assessing new security controls you’ve implemented that might qualify you for better rates, disclosing any incidents or near-misses during the policy period (even if you didn’t file a claim), updating your employee count, revenue, and data volumes, and comparing your current carrier’s renewal terms against quotes from other insurers.
The cyber insurance market fluctuates significantly, with premiums and terms varying based on recent claims trends and capacity. Don’t assume your current carrier offers the best renewal terms. Shopping your renewal is often worthwhile. Also review any new underwriting requirements, as carriers frequently add requirements based on emerging threats. For example, many carriers now require EDR when they didn’t previously.
Common reasons include failure to meet underwriting requirements, known vulnerabilities, policy exclusions, late notification, and application misrepresentation. Understanding why cyber insurance might not pay out helps businesses avoid coverage gaps and claim denials.
If you represented that you had certain security controls in place (like MFA or EDR) during the application process but didn’t actually implement them, insurers may deny your claim. If you were aware of security gaps or vulnerabilities before the policy period and failed to address them, coverage may be denied.
Common exclusions include acts of war, prior known incidents, intentional acts, losses from discontinued products or services, and losses outside the coverage territory. Most policies require prompt notification of incidents, often within specific timeframes. Late reporting can jeopardize coverage. Providing inaccurate information about your security practices, data types, or claims history can void coverage.
Real cyber insurance claims examples illustrate how policies respond to actual incidents and what costs are involved.
- Example 1: A mid-sized professional services firm experiences a ransomware attack that encrypts all systems. The claim covered: $125,000 ransom payment, $85,000 in forensic investigation and remediation, $40,000 in legal fees, $180,000 in business interruption losses over two weeks, and $30,000 in public relations and client notification costs. Total claim: $460,000.
- Example 2: A healthcare provider suffers a phishing attack leading to unauthorized access to 50,000 patient records. The claim covered: $250,000 in HIPAA regulatory fines, $200,000 in notification and credit monitoring for affected patients, $150,000 in legal defense against class action lawsuit, $75,000 in forensic investigation, and $50,000 in public relations. Total claim: $725,000.
- Example 3: A business falls victim to a business email compromise where an employee wires $350,000 to fraudsters impersonating a vendor. With social engineering coverage, the policy covered $300,000 (within the sublimit). These examples demonstrate why adequate limits are essential.
Cyber insurance for hedge funds and investment firms requires specialized consideration due to unique regulatory and fiduciary risks. Hedge funds are attractive targets because they hold valuable financial data, have access to significant capital, and face stringent regulatory requirements under SEC rules.
Hedge funds need coverage that addresses wire transfer fraud and social engineering (particularly funds transfer fraud), unauthorized access to trading systems and algorithms, theft of proprietary investment strategies, regulatory fines from SEC and other regulators, and business interruption that could affect fund performance.
Many hedge funds need higher policy limits ($10 million or more) due to the potential magnitude of losses and regulatory exposure. Startup hedge funds may face higher premiums initially due to less established security infrastructure, but implementing strong controls early can help manage costs as the fund grows.
Cyber insurance for wealth managers and financial planners is essential due to their fiduciary responsibilities and the sensitive financial information they manage. These professionals face significant liability if client data is compromised or if they fall victim to social engineering schemes that result in unauthorized transfers of client funds.
Key coverage considerations include errors and omissions (E&O) exposure if poor cybersecurity leads to client losses, regulatory fines from SEC, FINRA, or state regulators, notification costs for potentially thousands of clients, and reputational harm coverage to address the trust damage that occurs after a breach.
The intersection between cyber insurance and Tech E&O is particularly important for these professionals, as claims may involve both technology failures and professional service errors. RIAs typically need $2-5 million in cyber coverage, with higher limits for larger practices or those managing high-net-worth client portfolios.
Cyber insurance for contractors addresses growing digital risks as construction companies digitize operations, accept digital payments, and manage employee and vendor information. Contractors might think cyber insurance is less critical than for technology companies, but they face significant cyber risks.
Contractors are targeted for business email compromise schemes where fraudsters impersonate suppliers or subcontractors and redirect payments to fraudulent accounts. They also face risks from ransomware attacks that can shut down project management systems, payroll processing, and bidding systems. Many general contractors store sensitive information about subcontractors, employees, and clients that could be compromised.
Additionally, construction companies face supply chain risks as they increasingly depend on cloud-based project management and communication platforms.
Cyber insurance helps address these risks with coverage tailored to the construction industry’s unique needs, typically at more affordable premium rates than technology-focused businesses due to their different risk profile.
Technology companies face elevated risk from multiple angles. Cyber insurance for tech firms involves unique considerations because they’re attractive targets due to valuable intellectual property, customer data, and often-privileged access to their clients’ systems.
Tech companies need to carefully consider the intersection between cyber insurance and technology errors and omissions (E&O) coverage. Tech E&O versus cyber insurance addresses different risks: E&O covers professional liability for errors in your services or software, while cyber covers data breaches and security failures. Many tech companies need both.
Additionally, technology startups should secure cyber insurance early, as many investors and clients now require proof of coverage before partnerships or contracts. Coverage limits for tech firms often need to be higher ($5-10 million or more) due to the potential scope of damages if a security failure affects multiple clients. The key is demonstrating strong security practices during underwriting to secure favorable terms.
Healthcare providers face critical exposure due to HIPAA requirements and the high value of protected health information (PHI). Cyber insurance for doctors and other healthcare providers is essential because healthcare records can sell for 10-50 times more than credit card numbers on the black market due to their comprehensive personal information.
Healthcare providers face mandatory notification requirements under HIPAA for breaches affecting more than 500 individuals, which can cost $50-150 per patient to properly execute. They also face substantial regulatory fines from the Office for Civil Rights (OCR), which can reach millions of dollars for HIPAA violations. Healthcare cyber insurance should specifically address HIPAA breach response requirements, OCR regulatory defense and fines, notification costs for potentially thousands of patients, and business interruption from ransomware affecting electronic health records (EHR) systems.
Medical practices should ensure their coverage includes access to HIPAA-experienced breach counsel who can guide them through the complex regulatory requirements following a breach.
Cyber breaches typically follow a predictable pattern across several stages. Understanding the anatomy of a cyber breach helps businesses recognize attacks earlier and respond more effectively.
First is the initial compromise, where attackers gain access through methods like phishing emails, exploiting unpatched vulnerabilities, or compromised credentials. Next comes the establishment phase, where attackers install malware, create backdoors, and establish persistence in your systems.
The lateral movement stage involves attackers navigating through your network to find valuable data or systems. During reconnaissance, they identify and catalog sensitive information, databases, or financial systems. The exfiltration phase involves stealing data, often over weeks or months to avoid detection.
Finally, attackers may deploy ransomware or use stolen data for extortion. Understanding these stages helps businesses implement better detection mechanisms and respond faster when incidents occur.
Phishing attacks remain the most common entry point for cyber breaches, with 70-90% of all successful cyber attacks starting with a phishing email. Prevention is essential, but having insurance coverage when protection fails is equally important.
Prevention strategies include employee security awareness training teaching staff to recognize suspicious emails, implementing email filtering and anti-phishing technology, using multi-factor authentication to prevent compromised credentials from providing access, conducting regular simulated phishing tests to identify vulnerable employees, and establishing clear protocols for verifying unusual requests, especially involving money transfers.
When prevention fails, comprehensive cyber insurance should cover losses from successful phishing attacks including malware installation, data theft, and social engineering fraud. However, some policies may have limitations or exclusions for phishing-related losses if you failed to implement basic security controls. Demonstrating that you have robust anti-phishing measures in place can help secure better coverage terms and lower premiums.
A cyber risk scorecard helps businesses and insurers objectively evaluate cybersecurity posture and identify gaps that need attention. These scorecards assess various security domains to provide an overall risk rating.
Critical metrics include:
- patch management (percentage of systems with current security updates),
- endpoint protection (EDR/antivirus coverage across devices),
- access controls (MFA implementation rates, privileged access management),
- data protection (encryption status, backup frequency and testing),
- network security (firewall configuration, network segmentation),
- employee training (completion rates, phishing simulation results),
- incident response preparedness (documented plan existence, testing frequency), and
- vulnerability management (scan frequency, remediation speed).
Insurance underwriters increasingly use standardized risk scorecards to evaluate applications and determine premiums. Businesses with strong scorecard results qualify for better rates and terms. Some insurers provide annual scorecard assessments as a pre-breach service to help policyholders track improvement over time and maintain strong security posture.
Cyber risk employee training is one of the most cost-effective security investments because employees are both the weakest link and the strongest defense. 95% of cybersecurity breaches are caused by human error, making training essential.
Effective training programs should cover best practices including recognizing phishing and social engineering attempts, creating and managing strong passwords, identifying suspicious links and attachments, proper handling of sensitive data, reporting security incidents promptly, and safe practices for remote work and personal devices.
Training shouldn’t be a one-time event but an ongoing program with quarterly or semi-annual refreshers. Many cyber insurance carriers provide free training platforms as a pre-breach service. Creating a comprehensive cyber risk instruction manual for effective employee training helps standardize your approach and demonstrates to insurers that you take security seriously, which can positively impact your premiums.
Running end-of-life (EOL) systems creates significant vulnerabilities that can affect insurance coverage. The cyber risk associated with Windows 7 end-of-life exemplifies this broader issue. When Microsoft ended support for Windows 7 in January 2020, systems running this operating system stopped receiving security updates, leaving them vulnerable to newly discovered threats.
Running EOL operating systems creates multiple problems: security vulnerabilities will never be patched, compliance frameworks like PCI-DSS prohibit EOL systems, insurance underwriters view EOL systems as unacceptable risks, and claims arising from breaches involving EOL systems may be denied due to known vulnerabilities. Most cyber insurance applications now explicitly ask about EOL software, and having EOL systems can result in coverage denial or significantly higher premiums. If you must maintain legacy systems temporarily, you should isolate them from your network, implement compensating controls, create a documented upgrade plan with timeline, and discuss with your insurer whether any coverage is possible. The best solution is always to upgrade or replace EOL systems promptly.
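To make the scorecard metrics from the risk scorecard question and the end-of-life check above concrete, here is an added Python example. It is not code from this FAQ or from any insurer's actual scorecard; it computes the FAQ's domain metrics (patch currency, EDR coverage, MFA rate, encryption status, backup-test freshness) from a constructed asset inventory and flags any host running an end-of-life operating system. The domain weights, rating thresholds, freshness windows and sample hosts are assumptions chosen for illustration; the 2020-01-14 end-of-support date for Windows 7 and Windows Server 2008 R2 is the vendor's published date, matching the January 2020 date the FAQ cites.

```python
"""Toy cyber risk scorecard over a constructed asset inventory.

Added example: not code from the FAQ or from any insurer. Weights, thresholds,
freshness windows and the sample hosts are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Asset:
    hostname: str
    os_name: str                      # e.g. "windows", "ubuntu"
    os_version: str                   # e.g. "7", "11", "22.04"
    last_patched: date                # last security update applied
    edr_installed: bool               # EDR/antivirus agent present
    mfa_enforced: bool                # MFA required for accounts that log in here
    disk_encrypted: bool              # data at rest encrypted
    last_backup_test: Optional[date]  # last successful restore test, None if never


# Vendor end-of-support dates for the EOL check. Windows 7 and Windows Server
# 2008 R2 left extended support on 2020-01-14 (the January 2020 date the FAQ
# cites). An OS not listed here is treated as still supported.
EOL_DATES = {
    ("windows", "7"): date(2020, 1, 14),
    ("windows", "server 2008 r2"): date(2020, 1, 14),
}

# Assumed domain weights (sum to 1.0) and freshness windows.
WEIGHTS = {
    "patch_management": 0.25,
    "endpoint_protection": 0.20,
    "access_controls": 0.25,
    "data_protection": 0.15,
    "backup_testing": 0.15,
}
PATCH_WINDOW = timedelta(days=30)        # patched within 30 days counts as current
BACKUP_TEST_WINDOW = timedelta(days=90)  # restore tested within 90 days counts as tested


def is_eol(asset: Asset, as_of: date) -> bool:
    """True when the asset's OS is past its vendor end-of-support date."""
    eol = EOL_DATES.get((asset.os_name.lower(), asset.os_version.lower()))
    return eol is not None and as_of >= eol


def _rate(assets: list[Asset], predicate) -> float:
    """Percentage (0-100) of assets for which predicate holds."""
    if not assets:
        return 0.0
    return 100.0 * sum(1 for a in assets if predicate(a)) / len(assets)


def scorecard(assets: list[Asset], as_of: date) -> dict:
    """Per-domain coverage rates, a weighted 0-100 score, and a rating.

    Any EOL host forces the rating to "Unacceptable", mirroring the FAQ's point
    that underwriters treat EOL systems as an unacceptable risk on their own.
    """
    metrics = {
        "patch_management": _rate(assets, lambda a: as_of - a.last_patched <= PATCH_WINDOW),
        "endpoint_protection": _rate(assets, lambda a: a.edr_installed),
        "access_controls": _rate(assets, lambda a: a.mfa_enforced),
        "data_protection": _rate(assets, lambda a: a.disk_encrypted),
        "backup_testing": _rate(
            assets,
            lambda a: a.last_backup_test is not None
            and as_of - a.last_backup_test <= BACKUP_TEST_WINDOW,
        ),
    }
    eol_hosts = sorted(a.hostname for a in assets if is_eol(a, as_of))
    score = round(sum(WEIGHTS[k] * v for k, v in metrics.items()), 1)
    if eol_hosts:
        rating = "Unacceptable (EOL systems present)"
    elif score >= 85:
        rating = "Low risk"
    elif score >= 70:
        rating = "Moderate risk"
    else:
        rating = "High risk"
    return {"metrics": metrics, "eol_systems": eol_hosts, "score": score, "rating": rating}


# Constructed sample inventory: four hosts, one of them a Windows 7 kiosk.
AS_OF = date(2024, 6, 1)
SAMPLE_INVENTORY = [
    Asset("fin-laptop-01", "windows", "11", date(2024, 5, 20), True, True, True, date(2024, 4, 1)),
    Asset("hr-desktop-02", "windows", "11", date(2024, 5, 28), True, True, True, date(2024, 5, 15)),
    Asset("shop-kiosk-03", "windows", "7", date(2020, 1, 10), False, False, False, None),
    Asset("dev-vm-04", "ubuntu", "22.04", date(2024, 3, 1), True, True, True, date(2024, 1, 15)),
]

if __name__ == "__main__":
    # Score as-is, then again with the EOL kiosk retired (the FAQ's recommended fix).
    for label, assets in (("current", SAMPLE_INVENTORY),
                          ("EOL retired", [a for a in SAMPLE_INVENTORY if not is_eol(a, AS_OF)])):
        r = scorecard(assets, AS_OF)
        print(f"{label}: score={r['score']} rating={r['rating']} eol={r['eol_systems']}")
```

Running it shows the point the FAQ makes: with the Windows 7 kiosk in the inventory the rating is "Unacceptable" no matter what the weighted score says, and retiring that one host lifts the same inventory from a 65.0 score to 86.7 and a "Low risk" rating, because it was also the host dragging down EDR, MFA, encryption and backup coverage.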
Small businesses should focus on high-impact, cost-effective measures. Small business cyber protection requires balancing comprehensive security with limited budgets and resources.
Priority protections include:
- implementing MFA on all accounts (free or low-cost and highly effective),
- deploying EDR/antivirus on all devices ($5-15 per device per month),
- conducting monthly or at least quarterly employee phishing training (many free options available),
- maintaining tested backup processes with off-site or cloud backup (critical for ransomware recovery),
- keeping all software and systems patched and updated,
- using a password manager to enforce strong, unique passwords,
- implementing email filtering to reduce phishing attempts, and
- establishing basic access controls so employees only access what they need.
These fundamental controls are also what cyber insurance underwriters require, so implementing them not only reduces your risk but also makes insurance available and affordable. Even small investments in these areas can significantly reduce your cyber risk and demonstrate to insurers that you take security seriously.
Three critical areas deserve immediate attention. Beyond insurance, implementing practical cyber security risk tips can significantly reduce your likelihood of experiencing a costly incident.
First, secure your perimeter by implementing strong email security with anti-phishing filters, requiring MFA on all remote access and cloud applications, and maintaining current firewall and network security configurations.
Second, protect your data through encryption of sensitive data at rest and in transit, regular automated backups with tested restoration procedures, and strong access controls ensuring employees only access data they need for their role.
Third, prepare your people with regular security awareness training emphasizing current threats, simulated phishing tests to identify vulnerable employees, and clear incident reporting procedures so employees know what to do if they suspect something is wrong.
These three areas (perimeter security, data protection, and people preparation) form the foundation of a strong security posture that also satisfies most cyber insurance underwriting requirements.
Still Have Questions?
Cyber insurance can feel complicated, and every business is different. If we didn’t cover something here or you want to talk through your specific situation, we’re here to help. Give us a call or send us an email; we’ll give you straight answers without the jargon.
- 95+ years of family legacy in insurance
- 40+ years of personal experience
- 95% client retention rate
- 600+ educational videos
Here’s how to take the next step
Schedule Your Insurance Confidence Assessment
In our 30-minute call, you’ll discover:
- Whether your current coverage matches your actual risks
- If you’re getting fair value for what you’re paying
- How your service experience compares to what’s possible
- What questions you should be asking but probably aren’t
Not ready for a call?
Get Free Access to Our Gated Video:
“How to Finally Feel Confident in Your Coverage.”
And discover the exact system we use to help business owners eliminate hidden coverage gaps, stop overpaying, and finally feel confident in their protection.
What Peace of Mind Looks Like
Trusted by business owners across the U.S.
The Coyle Group is 1st class! Gordon and his team are knowledgeable, responsive, and attentive to detail. Gordon is that rare breed of professional who genuinely cares for his clients and works hard to exceed their expectations. I highly recommend them.
Jeff Carton, Partner, Denlea & Carton, LLP
Gordon Coyle is an experienced, knowledgeable insurance professional with decades of experience. He and his team work with their clients to ensure that they are adequately protected in an efficient and cost-effective manner.
Michael D. Steger, President, Law Offices of Michael D. Steger, PC
I was working with another broker and having difficulty acquiring General Liability coverage. A colleague recommended The Coyle Group. They were able to get coverage bound in just a couple of business days and a policy issued in ten days, and with a solid carrier at a competitive premium. Truly impressive results, plus it was a pleasure working with them. I highly recommend the Coyle Group!
Tim McCarthy, Director of Operations, Dalmatian Company LLC
If any business is looking to work with an insurance brokerage firm that is not only excellent at what the firm does, but one that deeply values the needs of the clients, then The Coyle Group is the firm for you. Give them a call and see for yourself. I can assure that you will quickly agree.
Dahiema Grant, Accountant, DSG Advisory CPA