Cyber Insurance Protection for Small and Medium Businesses

Cyberattacks used to feel like something that happened to big corporations: banks, hospitals, government agencies. The reality in 2026 is very different. Small and medium businesses are now among the most frequently targeted organisations, precisely because they typically have less mature security infrastructure than large enterprises while still holding valuable data and financial assets.

Cyber insurance has moved from a niche specialty product to a business essential. Here’s what it actually covers, why you need it, and how to choose the right policy.

Why Small and Medium Businesses Are High-Value Cyber Targets

Cybercriminals are rational actors. They target organisations where the effort-to-reward ratio is most favourable. Large enterprises have security teams, intrusion detection systems, incident response plans, and dedicated IT security budgets. Many SMBs have none of these, or have them only in rudimentary form. Yet SMBs still process payments, store customer data, hold employee records, and maintain business-critical systems that can be locked by ransomware.

A single ransomware attack can halt operations entirely for days or weeks. A data breach can expose customer personal and financial data, triggering regulatory notification obligations, potential fines, and liability to affected individuals. The financial consequences of a cyber incident without insurance can be catastrophic for a business without the reserves to absorb them.

What Cyber Insurance Actually Covers

First-Party Cyber Costs

First-party coverage addresses costs incurred directly by your business as a result of a cyber incident. These include forensic investigation costs to identify the breach and its scope, data recovery and system restoration expenses, business interruption losses during the period your systems are down, ransomware payment costs where legally permissible, and crisis communication expenses to manage the reputational impact of an incident.

Third-Party Cyber Liability

Third-party coverage addresses claims made against your business by customers, partners, or other parties whose data or systems were affected by an incident originating in your environment. If your customer database is breached and customer financial data is stolen, those customers may have legal claims against you. If a cyberattack that started in your system propagated to a business partner’s network, they may seek to recover their losses from you. Third-party cyber liability coverage responds to these claims and covers your legal defence costs.

Regulatory Fines and Penalties

Data protection regulations — GDPR in Europe, CCPA in California, and similar regimes globally — impose significant fines on businesses that fail to protect personal data adequately. Cyber insurance policies can cover regulatory investigation costs and, where permitted by law, regulatory fines resulting from a covered data breach. Coverage for regulatory fines varies by jurisdiction and policy, so review this provision carefully.

Notification and Credit Monitoring Costs

Most data protection regulations require businesses to notify affected individuals following a data breach. These notification obligations can be expensive. Postage, call centre setup, a dedicated information microsite, and credit monitoring services for affected individuals each carry a per-person cost, and that cost scales with every record exposed, so a breach of a customer database can run into a substantial sum. Cyber insurance covers these mandated notification costs, which would otherwise be a significant unbudgeted expense following an incident.

Ransomware — The Fastest-Growing Cyber Threat for SMBs

Ransomware attacks encrypt your business data and systems and demand payment — typically in cryptocurrency — for the decryption keys. Ransomware has become the most financially damaging category of cyber incident for small and medium businesses. Attackers have evolved sophisticated techniques for maximising pressure, including threatening to publish stolen data if ransom isn’t paid (double extortion) and disrupting backup systems before deploying encryption.

Cyber insurance can cover both the ransomware payment itself, where legally permitted (payments to sanctioned threat actors are prohibited in many jurisdictions), and the extensive costs of incident response, system restoration, and business interruption that accompany a ransomware attack. Engaging with your insurer immediately upon discovering a ransomware attack is critical: many policies require insurer involvement before any ransom payment is made, and may require that forensic and negotiation work be done by the insurer's approved vendors for the costs to be covered.

What Cyber Insurance Does NOT Cover

Cyber insurance has important exclusions that businesses need to understand. Coverage for acts of nation-state cyber warfare is commonly excluded following the adoption of specific war exclusion language across the market. Intentional or fraudulent acts by the business or its employees are excluded. Pre-existing security vulnerabilities that were known and not remediated before the policy was purchased may also affect coverage, and misstating your security controls on the application can give the insurer grounds to deny a claim or void the policy. Read your policy's exclusions carefully and discuss them with your broker.

Cyber Security Requirements — What Insurers Now Expect

The cyber insurance market has hardened significantly in recent years in response to a surge in ransomware losses. Insurers now actively underwrite cyber security controls as part of the application process. Baseline controls that are commonly required include multi-factor authentication on email, remote access, and administrative accounts; regular offline or immutable backups that are tested by restoring from them; endpoint detection and response tools; a patching and vulnerability management programme; and employee security awareness training. Expect to be asked to attest to each of these in writing.

Businesses that cannot demonstrate these baseline controls may find cyber coverage unavailable or prohibitively expensive. Conversely, businesses with strong documented security controls can secure better coverage terms and more competitive premiums. Your cyber security investment directly affects your insurability.

How to Choose the Right Cyber Insurance Policy

Compare policies on the breadth of covered incidents, the specific costs covered within each category, the coverage limits and sublimits for individual cost categories such as ransomware payments, the retentions and deductibles that apply, and the quality of the insurer's incident response team. Many cyber insurers provide access to a 24-hour breach response hotline and a panel of forensic investigators, legal advisors, and crisis communications specialists. In the acute phase of an incident, this response support is as valuable as the financial coverage.

Work with a broker who specialises in technology and cyber insurance risks. The market is complex, policy wordings vary significantly, and the right coverage for a manufacturing business is very different from the right coverage for a professional services firm or an e-commerce retailer. Specialist advice here is genuinely worth the investment.
