Small Business Cyber Insurance Checklist: Before You Buy

Essential checklist for evaluating cyber insurance options. Know what questions to ask, what coverage you need, and how to avoid common coverage gaps.


⚡ Quick Answer

The essential checklist before a small business buys cyber insurance: a coverage limit of at least $1M, both first-party and third-party coverage, a check of the ransomware, business interruption and social engineering sub-limits, and MFA, backups and an incident response plan already in place. As of 2026, the average cost of cyber insurance for a small business is $1,000 to $7,000 per year.

📌 Key Takeaways

  • Minimum coverage limits: at least $1M for companies with revenue under $5M, $2M to $5M for revenue of $5M to $25M, and $5M to $10M above that (see the table under Coverage Amount Guidelines)
  • Required coverage items: data breach response, ransomware, business interruption, social engineering fraud and regulatory response costs should all be included
  • Security requirements: insurers now typically require MFA, regular tested backups, intrusion detection and employee security training before they will write a policy
  • Exclusions to check: war/terrorism, known vulnerabilities left unpatched, intentional acts and pre-existing incidents are excluded from coverage
  • Cost budget: $1,000 to $7,000 per year, roughly $50 to $150 per employee

TL;DR

Buying cyber insurance without understanding your needs can leave you with inadequate coverage or unnecessary costs. This checklist helps you evaluate your risks, understand coverage options, and ask the right questions before purchasing a policy.

Before You Start Shopping

Know Your Risk Profile

Data Inventory

  • What sensitive data do you collect? (PII, PHI, payment cards)
  • How many customer records do you store?
  • Where is data stored? (Cloud, on-premises, third-party)
  • How long do you retain data?

Technology Assessment

  • What systems process sensitive data?
  • Do you use cloud services? Which ones?
  • Do employees access systems remotely?
  • What security controls are in place?

Third-Party Exposure

  • Which vendors have access to your data?
  • Do you have business associate agreements (HIPAA) or equivalent data processing agreements with them?
  • What happens if a vendor is breached?

Document Current Security

Insurers will ask about:

  • Multi-factor authentication
  • Data encryption (at rest and in transit)
  • Backup procedures and testing
  • Security awareness training
  • Incident response plan
  • Vulnerability management
  • Email security controls

Coverage Types to Evaluate

First-Party Coverage

Breach Response Costs

  • Forensic investigation costs
  • Legal counsel fees
  • Notification costs (mail, email, call center)
  • Credit monitoring services
  • Public relations expenses

Business Interruption

  • Waiting period before coverage applies
  • How lost income is calculated
  • Coverage duration limits
  • Extra expense coverage

Cyber Extortion

  • Ransom payment coverage
  • Negotiation services
  • Forensic investigation of attack
  • System restoration costs

Digital Asset Restoration

  • Data recovery costs
  • System restoration
  • Security improvements made after the incident (often limited or excluded as "betterment"; check the policy wording)

Third-Party Coverage

Liability Claims

  • Customer lawsuits
  • Class action defense
  • Settlement coverage
  • Attorney fees

Regulatory Actions

  • Investigation defense costs
  • Regulatory fines and penalties (where insurable under applicable law)
  • Compliance monitoring costs

Contractual Liability

  • Vendor contractual obligations
  • Customer contractual requirements
  • PCI DSS obligations

Questions to Ask Your Broker

Coverage Scope

  1. What specific incidents are covered?
  2. What is explicitly excluded?
  3. Are there sub-limits for specific coverage types?
  4. Does the policy cover social engineering fraud?
  5. Is ransomware covered separately, and what’s the limit?

Policy Terms

  1. What’s the policy period and renewal process?
  2. What’s the deductible/retention?
  3. Are there coinsurance requirements?
  4. What security requirements must we maintain?
  5. What happens if we don’t meet security requirements?

Claims Process

  1. What’s the claim notification timeline?
  2. Do we need pre-approval for vendors?
  3. What documentation is required for a claim?
  4. How long does claim resolution typically take?
  5. What’s the claims history for this policy?

Limits and Pricing

  1. Is the limit per-incident or aggregate?
  2. What would increase our premium at renewal?
  3. Are there any retroactive dates?
  4. Is there coverage for prior acts?
  5. How does pricing compare to similar policies?

Red Flags to Watch For

Coverage Gaps

Broad Exclusions

Avoid policies with:

  • Vague “failure to maintain security” exclusions
  • Broad war/nation-state exclusions
  • Exclusions for unpatched systems without reasonable timeframes
  • Exclusions for acts of employees (insider threats should be covered)

Sub-Limits

Watch for:

  • Low ransomware sub-limits (under $250K)
  • Social engineering caps under $100K
  • Regulatory investigation limits that won’t cover defense
  • Business interruption limits that don’t match potential loss

Policy Structure Issues

Claims-Made vs. Occurrence

  • Claims-made: covers claims first made against you (and reported to the insurer) during the policy period, regardless of when the incident occurred, subject to the retroactive date
  • Occurrence: covers incidents that occurred during the policy period, even if the claim is made later
  • Most cyber policies are written on a claims-made basis; know which form you are buying and what it means for reporting deadlines and for switching carriers

Retroactive Dates

  • Incidents that occurred before the retroactive date are not covered, even if the claim arrives during the policy period
  • If you are switching carriers, ask for prior-acts coverage (or a retroactive date that matches your old policy) so there is no gap

Coverage Amount Guidelines

By Business Size

Annual Revenue      Records Stored       Recommended Limit
Under $1M           Under 10,000         $500K - $1M
$1M - $5M           10,000 - 50,000      $1M - $2M
$5M - $25M          50,000 - 500,000     $2M - $5M
$25M - $100M        500,000+             $5M - $10M

By Industry Risk

Increase limits for:

  • Healthcare (2x base recommendation)
  • Financial services (2x base)
  • Legal services (1.5x)
  • Technology companies (1.5x)

Pre-Purchase Checklist

Information to Gather

  • Annual revenue and employee count
  • Number of sensitive records
  • List of systems and data locations
  • Current security controls documentation
  • Third-party vendor list
  • Previous claims or incidents
  • Industry compliance requirements

Documents to Request

  • Full policy language (not just summary)
  • Policy exclusions list
  • Definitions section
  • Claims reporting procedures
  • Security requirement addendum
  • Premium calculation breakdown

Comparing Quotes

Apples-to-Apples Comparison

Create a comparison matrix:

  • Total premium
  • Deductible/retention
  • Limits (per-incident and aggregate)
  • Sub-limits by coverage type
  • Key exclusions
  • Security requirements
  • Claims process differences
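The comparison matrix above is easiest to keep honest if the checklist's own thresholds are applied mechanically to every quote. The script below is an added example, not code from the original page or from any insurer: it encodes the "By Business Size" table, the "By Industry Risk" multipliers and the sub-limit red flags from this checklist, then ranks constructed sample quotes by coverage gaps before premium. The dollar thresholds come from the page; the rule that the higher of the revenue tier and the record-count tier wins, the exclusion phrases matched, and the three sample quotes are assumptions made for this example.

```python
"""Quote comparison helper for the cyber insurance checklist.

Added example, not code from the original page. Thresholds come from the
checklist; tie-break rules and the sample quotes are constructed for
illustration.
"""
import re
from dataclasses import dataclass, field

# (max_revenue, max_records, low_limit, high_limit) in dollars, from the
# "By Business Size" table. A value belongs to the first tier it is under.
LIMIT_TIERS = [
    (1_000_000,   10_000,       500_000,   1_000_000),
    (5_000_000,   50_000,       1_000_000, 2_000_000),
    (25_000_000,  500_000,      2_000_000, 5_000_000),
    (100_000_000, float("inf"), 5_000_000, 10_000_000),
]

# "By Industry Risk" multipliers applied to the base range; others use 1.0.
INDUSTRY_MULTIPLIER = {"healthcare": 2.0, "financial": 2.0,
                       "legal": 1.5, "technology": 1.5}

# Sub-limit floors from "Red Flags to Watch For".
MIN_RANSOMWARE_SUBLIMIT = 250_000
MIN_SOCIAL_ENGINEERING_SUBLIMIT = 100_000

# Exclusion wording the checklist says to avoid (assumed patterns; word
# boundaries keep "war" from matching "software" or "hardware").
RISKY_EXCLUSION_PATTERNS = (r"failure to maintain", r"\bwar\b", r"nation[- ]state")


def _tier(value, column):
    """Index of the first tier whose upper bound the value is under;
    anything above the largest tier is clamped to the last one."""
    for i, tier in enumerate(LIMIT_TIERS):
        if value < tier[column]:
            return i
    return len(LIMIT_TIERS) - 1


def recommended_limit(revenue, records, industry="other"):
    """Return (low, high) recommended aggregate limit in dollars.
    Assumption: if revenue and record count land in different tiers,
    the higher tier applies (the page does not say which wins)."""
    tier = LIMIT_TIERS[max(_tier(revenue, 0), _tier(records, 1))]
    mult = INDUSTRY_MULTIPLIER.get(industry.lower(), 1.0)
    return int(tier[2] * mult), int(tier[3] * mult)


@dataclass
class Quote:
    carrier: str
    premium: int
    retention: int
    aggregate_limit: int
    ransomware_sublimit: int
    social_engineering_sublimit: int
    exclusions: list = field(default_factory=list)


def red_flags(q, recommended_low):
    """List the checklist red flags a quote trips (empty list = none)."""
    flags = []
    if q.aggregate_limit < recommended_low:
        flags.append(f"aggregate limit ${q.aggregate_limit:,} is below "
                     f"recommended minimum ${recommended_low:,}")
    if q.ransomware_sublimit < MIN_RANSOMWARE_SUBLIMIT:
        flags.append(f"ransomware sub-limit ${q.ransomware_sublimit:,} "
                     f"under ${MIN_RANSOMWARE_SUBLIMIT:,}")
    if q.social_engineering_sublimit < MIN_SOCIAL_ENGINEERING_SUBLIMIT:
        flags.append(f"social engineering cap ${q.social_engineering_sublimit:,} "
                     f"under ${MIN_SOCIAL_ENGINEERING_SUBLIMIT:,}")
    for text in q.exclusions:
        if any(re.search(p, text, re.IGNORECASE) for p in RISKY_EXCLUSION_PATTERNS):
            flags.append(f"broad exclusion: {text!r}")
    return flags


def compare_quotes(quotes, revenue, records, industry="other"):
    """Rank quotes with the fewest red flags first, then by premium, so a
    cheap policy with gaps never outranks an adequate one on price alone."""
    low, _high = recommended_limit(revenue, records, industry)
    rows = [{"carrier": q.carrier, "premium": q.premium,
             "retention": q.retention, "flags": red_flags(q, low)}
            for q in quotes]
    rows.sort(key=lambda r: (len(r["flags"]), r["premium"]))
    return rows


# Constructed sample: a $3M-revenue healthcare practice holding 40,000 records.
# Base tier is $1M-$2M; the healthcare multiplier lifts it to $2M-$4M.
SAMPLE_QUOTES = [
    Quote("Carrier A", 2_900, 10_000, 1_000_000, 100_000, 250_000),
    Quote("Carrier B", 5_400, 25_000, 3_000_000, 1_000_000, 250_000,
          ["Intentional acts of the insured"]),
    Quote("Carrier C", 4_100, 10_000, 2_000_000, 500_000, 50_000,
          ["Failure to maintain security as represented in the application"]),
]

if __name__ == "__main__":
    for row in compare_quotes(SAMPLE_QUOTES, 3_000_000, 40_000, "healthcare"):
        print(row["carrier"], f"${row['premium']:,}", row["flags"] or "no red flags")
```

With the sample data the cheapest quote (Carrier A) ranks last despite its premium, because its $1M aggregate is below the $2M healthcare-adjusted floor and its ransomware sub-limit is under $250K; Carrier B ranks first with no flags even though it costs the most. Swap in the real figures from the full policy language, not the summary sheet, and extend the exclusion patterns to whatever wording your broker's quotes actually use.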

Beyond Price

Consider:

  • Carrier financial strength (AM Best rating)
  • Claims handling reputation
  • Policyholder service quality
  • Risk management resources included
  • Broker expertise and support

Working with Your Broker

What to Tell Them

  • Complete and accurate security information
  • Honest assessment of security gaps
  • Business growth plans
  • Compliance requirements
  • Budget constraints

What to Ask Them to Do

  • Get quotes from multiple carriers
  • Explain coverage differences clearly
  • Identify gaps between quotes
  • Recommend coverage improvements
  • Help with application accuracy

Next Steps

Use our cyber insurance calculator to estimate appropriate coverage levels for your business. Then use this checklist to evaluate your options and ensure you’re getting the right coverage.

Frequently Asked Questions (FAQ)

Q1: Do small businesses need cyber insurance too?

Yes. 43% of all cyberattacks target small and medium-sized businesses, and 60% of small businesses close within six months of an incident.

Q2: What is the minimum set of documents to prepare?

Financial statements for the last three years, an overview of your IT infrastructure, a self-assessment of your security controls, and your incident history (if any).

Q3: Can I buy a policy online right away?

Companies with revenue under $5M can buy online from some insurers. Above that, you will need to go through a broker.

Q4: How do I decide the coverage limit?

Base it on the number of personal records you hold, annual revenue, regulatory requirements and IT budget. A limit equal to 2% to 5% of revenue is a starting point.

Q5: What is the difference between cyber insurance and technology errors and omissions (E&O) insurance?

E&O covers customer losses caused by errors in the services you deliver; cyber insurance covers security incidents such as data breaches and ransomware. You may need both.

Q6: What should I watch for at renewal?

Check for reductions in coverage (especially the ransomware sub-limit), the rate of premium increase, and any new exclusion clauses.
