Many businesses believe they have cyber insurance. But when asked what that policy actually covers, the answer is often less clear.
It might be bundled into a general business policy. It might be listed as a “data breach” endorsement. It might even say “cyber” somewhere in the paperwork. But that does not always mean the business is properly protected when a real cyber incident happens.
That was one of the key points discussed in a recent webinar hosted by Lisa Niekamp-Urwin, CEO and Founder of Tomorrow’s Technology Today, along with Michael Secrist from Techrug. The conversation focused on a growing concern for business owners: cyber threats are increasing, insurance requirements are changing, and many companies do not know where their true gaps are until it is too late.
“We’re Too Small” Is No Longer a Safe Assumption
One of the most common things Lisa hears when talking with businesses is, “We don’t have anything hackers would want.”
But cybercriminals are not always after your company specifically. They may be after your connections.
Your vendors. Your customers. Your donors. Your financial relationships. Your email history. Your invoice process.
A small business can become the doorway into a much larger target. Cybercriminals often look for the easiest opening, and if your systems are easier to break into than someone else’s, they may use your business as the starting point.
Think of it like a spiderweb. Your business is connected to many other people and organizations. If a cybercriminal can get into one part of that web, they may be able to move outward from there.
That is why no business is too small to be targeted.
Cyber Insurance Needs to Be Written Correctly
Another major takeaway from the webinar was that not all cyber insurance policies are created equal.
Some businesses believe they are covered because cyber was added to their general business policy. But according to Michael, those add-ons often do not provide the level of protection business owners expect.
The problem is that cyber policies can vary widely. Some may not cover cyber extortion. Others may have lower limits hidden deep in the policy. Some may include coinsurance clauses, meaning the business is responsible for paying a portion of the claim.
For example, if a cyber event creates a $1 million loss and the policy includes a 20% coinsurance clause, the business could still be responsible for $200,000.
That is a painful surprise to discover after an incident has already happened.
A properly written cyber policy should account for real-world risks like ransomware, business interruption, social engineering, wire fraud, and recovery costs. It should also be reviewed by someone who understands cyber risk, not just general insurance.
The “Soft Costs” Can Be Just as Damaging
When people think about a cyberattack, they often think about stolen data or locked computers. But the financial impact can go much further.
If your business is down for several days or weeks, how much revenue would you lose?
Could your team still operate? Could you serve customers? Could you process payments, access files, send invoices, or manage orders?
Downtime can be one of the most expensive parts of a cyber incident. A strong cyber policy may help cover lost business income, forensic investigation, negotiation with attackers, recovery efforts, and other costs associated with getting back up and running.
But again, the key phrase is: if the policy is written correctly.
The Application Matters More Than You Think
One of the most important warnings from the webinar was about cyber insurance applications.
Many businesses fill out these forms quickly, often checking “yes” to security controls they think they have in place. But if a claim happens, those answers may be investigated.
If the application says the business has multi-factor authentication on email and remote access, but it was never actually turned on, the insurance company may deny the claim.
This is called material misrepresentation. In simple terms, it means the business said one thing on the application, but the reality did not match.
That is why Lisa strongly recommends involving your IT provider when completing a cyber insurance application. Your IT team should understand what is truly in place, what has been declined, and what still needs to be addressed.
The insurance agent understands the policy. Your IT provider understands the network. Both perspectives matter.
Cyber Insurance Requirements Are There for a Reason
The security controls listed on cyber insurance applications are not random. Insurance companies ask about them because they reduce risk.
Some of the common requirements discussed in the webinar included:
- Multi-factor authentication on email and remote access
- Security awareness training
- Endpoint detection and response tools
- Email protection and encryption for sensitive information
- Device encryption
- Clear verification processes for payments and account changes
These are not just technical boxes to check. They are practical safeguards that help prevent real losses.
For example, security awareness training helps employees recognize suspicious emails, texts, invoice changes, and payment requests. Even if some phishing tests feel obvious, they train people to pause and look more carefully. That habit matters.
Cybersecurity is not only about tools. It is also about behavior.
AI Is Making Scams More Convincing
The webinar also touched on how artificial intelligence is changing cybercrime.
Lisa shared an example of a colleague whose voice was spoofed using AI. A bad actor used a realistic voicemail to request a change in payment details. It sounded authentic enough that someone could have easily believed it.
This is why businesses need stronger verification habits.
If you receive a request to change bank information, pay an invoice, send funds, or share sensitive information, do not simply reply to the email or trust the voicemail. Use a known, verified phone number to confirm the request.
That one extra step can prevent a very expensive mistake.
Technology and Insurance Need to Work Together
One of the strongest points from the webinar was that cyber protection is not just about buying insurance, and it is not just about buying technology.
The two need to work together.
Insurance helps reduce the financial impact if something goes wrong. Technology and security controls help reduce the chance of something going wrong in the first place.
A strong approach includes both.
You want your IT provider, your insurance professional, and your internal leadership team all rowing in the same direction. Everyone should understand what protections are in place, what the insurance policy requires, and what the response plan looks like if an incident happens.
A Cyber Incident Is More Than an IT Problem
Lisa ended the webinar with an important reminder: until you have gone through a cyber incident, it is hard to understand the emotional impact.
It is not just frustrating. It can feel invasive.
Someone was inside your systems. They may have seen your files, your emails, your financial information, or your customer data. Just like a home burglary, the damage is not only about what was taken. It is also about the feeling that someone was somewhere they should not have been.
That is why preparation matters.
What Business Owners Should Do Next
Cyber insurance should not be treated as a checkbox. It should be reviewed carefully, alongside your actual cybersecurity controls.
Start by asking:
- Do we know exactly what our cyber policy covers?
- Is our coverage standalone or just an endorsement on another policy?
- Do we have MFA turned on for email and remote access?
- Are we doing regular employee security training?
- Do our answers on the cyber insurance application match reality?
- Would our policy cover downtime, ransomware, wire fraud, and recovery costs?
- Have our IT provider and insurance agent reviewed this together?
The goal is not to scare business owners. The goal is to help them avoid finding out the hard way that their coverage or security controls were not enough.
Cyber threats are not slowing down, and small businesses are not being ignored. The best time to review your protection is before an incident happens.
