Buying cyber insurance doesn’t have to be confusing. This step-by-step guide walks you through the entire process, from understanding what you need to signing your policy.

What you’ll learn:

• ✅ How to determine the right coverage amount
• ✅ What to look for (and avoid) in a policy
• ✅ How to get the best price
• ✅ Red flags that indicate a bad policy
• ✅ Step-by-step application process

Quick Start: Compare Quotes Now

If you’re ready to get quotes right away:

Step 1: Determine If You Need Cyber Insurance

Who Needs Cyber Insurance?

You definitely need cyber insurance if:

• You store customer data (names, emails, payment info)
• You process credit card payments
• You’re subject to HIPAA, PCI-DSS, or GDPR
• You rely on technology for daily operations
• Your clients require it contractually

You might not need it if:

• You have zero digital operations
• You don’t store any customer data
• You have no online presence whatsoever

Reality check: 60% of small businesses that suffer a cyber attack close within 6 months. The average data breach costs $4.45 million (IBM, 2023). Even “small” incidents cost $50,000+ when you factor in legal, notification, and recovery costs.

Quick Self-Assessment

Answer these questions:

1. Do you collect customer email addresses? → You need coverage
2. Do you accept credit cards? → You need coverage
3. Do you use email for business? → You need coverage (email compromise is the #1 attack vector)
4. Do you have employees? → You need coverage (employee errors cause 88% of breaches)

If you answered “yes” to any of these, cyber insurance should be part of your risk management strategy.

Step 2: Understand What Cyber Insurance Covers

First-Party Coverage (Your Costs)

Third-Party Coverage (Lawsuits & Claims)

What’s NOT Covered

Most policies exclude:

• 🚫 Prior known incidents (pre-existing breaches)
• 🚫 Intentional acts by owners/executives
• 🚫 War and terrorism (nation-state attacks often excluded)
• 🚫 Infrastructure failures (power grid, internet backbone)
• 🚫 Physical damage from cyber attacks
• 🚫 Failure to maintain security (policy conditions)

Step 3: Determine Your Coverage Amount

The Formula

A good starting point:

Minimum coverage = Annual revenue × 0.03 to 0.05

Industry Adjustments

Some industries need higher limits:

• Healthcare: +50% (HIPAA exposure)
• Financial services: +50% (regulatory exposure)
• E-commerce: +25% (payment data)
• Professional services: +25% (client data)
• Government contractors: As required by contract

Sublimit Warning

Watch out for sublimits - caps on specific coverage types. A $1M policy might have:

• $100K sublimit for ransomware (way too low!)
• $50K sublimit for business interruption
• $250K sublimit for regulatory fines

Always check sublimits match your risk profile.

Step 4: Gather Your Application Information

Before requesting quotes, compile this information:

Business Basics

• Legal business name and DBA
• Industry/NAICS code
• Years in business
• Annual revenue
• Number of employees
• Physical locations

Technology Profile

• Number of endpoints (computers, mobile devices)
• Cloud services used (Microsoft 365, Google Workspace, AWS)
• Types of data stored (PII, PHI, financial, payment)
• Number of records containing sensitive data
• Website and e-commerce presence

Security Controls

• Multi-factor authentication (MFA) status
• Endpoint detection and response (EDR) software
• Backup frequency and testing schedule
• Security awareness training program
• Patch management process
• Incident response plan

History

• Previous cyber incidents (past 5 years)
• Current or past cyber insurance
• Any regulatory investigations

Step 5: Get Multiple Quotes

Recommended Providers

How Many Quotes?

Get at least 3 quotes. Pricing varies by 40%+ between carriers for identical coverage.

What to Compare

Don’t just compare price. Create a comparison spreadsheet with:

Step 6: Review the Policy Carefully

Red Flags to Watch For

🚩 Extremely low sublimits - Ransomware sublimit under $250K is insufficient 🚩 Long waiting periods - More than 12 hours for business interruption 🚩 Narrow definitions - “Computer system” that excludes cloud services 🚩 Excessive exclusions - Social engineering excluded entirely 🚩 No retroactive coverage - Won’t cover undiscovered past breaches 🚩 Coinsurance clauses - You pay percentage of every claim

Green Flags to Look For

✅ Full ransomware coverage with adequate sublimits ✅ Broad social engineering coverage including wire fraud ✅ Business interruption with short waiting period ✅ Regulatory coverage including HIPAA/GDPR ✅ Choice of vendors (not locked to insurer’s panel) ✅ Prior acts coverage with reasonable retroactive date

Questions to Ask Your Carrier

1. “What triggers the waiting period for business interruption?”
2. “Are cloud service outages covered?”
3. “What security controls must I maintain during the policy period?”
4. “Can I choose my own incident response vendor?”
5. “How does the claims process work at 2 AM on Saturday?”

Step 7: Reduce Your Premium

Proven Ways to Save

Don’t Skip These (Even to Save Money)

Never sacrifice these coverages for a lower premium:

• Ransomware coverage
• Business interruption
• Social engineering/wire fraud
• Regulatory defense
• Legal defense costs

Step 8: Complete the Application

Application Tips

1. Be honest. Misrepresentation can void your policy.
2. Be consistent. Use the same answers across all applications.
3. Be thorough. Empty fields can delay approval.
4. Document everything. Save copies of your application.

Common Application Questions

About your security:

• Do you use MFA for email access?
• Do you have endpoint protection on all devices?
• How often do you back up critical data?
• When was your last backup test?
• Do you have an incident response plan?

About your data:

• What types of PII do you collect?
• How many records do you maintain?
• Do you process payment card data?
• Where is data stored? (on-premise, cloud, both)

About your history:

• Have you experienced a cyber incident?
• Have you been named in a lawsuit related to data?
• Have you ever been denied cyber coverage?

Step 9: Bind the Policy

Before You Sign

✅ Verify all business information is correct ✅ Confirm coverage limits and sublimits ✅ Review all exclusions ✅ Understand your security obligations ✅ Know your claims reporting requirements ✅ Save the policy document securely

After You’re Covered

1. Share emergency contacts with key staff
2. Document your 24/7 claims hotline
3. Review security requirements you must maintain
4. Calendar your renewal date (60 days before)
5. Update your incident response plan with insurance info

Next Steps

Ready to Get Covered?

Want to Prepare First?

Have Questions?

Check our comprehensive FAQ or read our detailed guides:

• Understanding Cyber Insurance Coverage
• Ransomware and Cyber Insurance
• Social Engineering Coverage Guide

Last updated: January 2025. This guide is for informational purposes only and does not constitute insurance advice. Consult with a licensed insurance professional for guidance specific to your situation.