Author: Nick DiVito
Review status: Current / Reviewed Jun 30, 2026
Executive summary
Cyber insurance is useful.
It is also easy to misunderstand.
A cyber policy is a seatbelt. You should probably wear one. It can reduce damage when something goes wrong. It may help pay for lawyers, forensics, notification, recovery work, business interruption, or third-party claims depending on the policy.
But a seatbelt is not a driving plan.
It does not steer the car. It does not maintain the brakes. It does not keep your eyes on the road. It does not decide who is allowed to drive, whether the tires are bald, whether the windshield is cracked, or whether everyone in the vehicle knows what to do in bad weather.
That is the right way for small businesses to think about cyber insurance.
Keep the seatbelt. Do not pretend it is the whole safety system.
The pain starts when a business treats insurance as a substitute for basic security. The incident happens, and now the company is trying to run operations, preserve evidence, answer customers, work with a broker, notify the carrier, find the policy, understand the deductible, determine which vendors are approved, prove what controls existed, explain why the application said MFA or backups were in place, and document losses while the business is already under stress.
That is not a clean recovery plan. That is a second incident sitting on top of the first one.
The better move is boring and powerful: build the basic hygiene before the claim. Know the critical systems. Turn on MFA where it matters. Keep admin access limited. Test backups. Write down the incident contacts. Keep a short evidence file. Make the insurance application truthful. Review coverage limits, sublimits, exclusions, notice requirements, and vendor rules with the right insurance and legal professionals.
Trawvid Sec does not replace your insurance agent, broker, or attorney. That is not the lane.
The lane is helping the business become a better driver before the crash: practical controls, risk assessment, security program development, incident readiness, access control, evidence-ready documentation, and a baseline the owner can actually operate.
Insurance transfers some risk after damage starts
A cyber policy can be part of a serious risk management program.
The mistake is treating it like prevention.
Insurance usually becomes useful after the bad event has already started. An account is compromised. A vendor is down. Ransomware has disrupted operations. Customer data may be exposed. A fraudulent payment has been sent. A lawyer is needed. Forensics are needed. Customers or regulators may need answers. The business has already lost time.
That matters because small businesses often have less slack than larger organizations. A large company can have a bad week and still have backup staff, cash reserves, outside counsel, separate IT leadership, and existing incident vendors. A small business can lose the same week and feel it in payroll, invoicing, production, sales, customer service, and owner attention immediately.
The FTC's cyber insurance guidance is useful because it separates first-party and third-party coverage. First-party coverage may address the business's own costs, such as legal counsel, recovery and replacement of data, customer notification, business interruption, public relations, cyber extortion and fraud, forensic services, and certain fees, fines, or penalties. Third-party coverage generally deals with liability when someone else brings a claim against the business.
Those are real categories.
They are not the same as staying operational.
A policy might help pay for forensics. It does not already know where your logs are. It might pay for legal counsel. It does not already know which customer data was stored in which system. It might cover some lost income. It does not keep employees productive while email, file storage, payroll, or the order system is down. It might help with notification costs. It does not restore customer confidence by itself.
Insurance is financial risk transfer. Security is operational risk reduction.
A small business needs both concepts separated.
Policies are customized, and the details matter
Cyber insurance is not one product with one clean answer.
The NAIC's cybersecurity topic page notes that most commercial property and general liability policies do not cover cyber risks and that cyber insurance policies are highly customized for clients. That one sentence should slow people down.
It means a business cannot assume "we have insurance" answers the real question.
The useful questions are more specific:
- Does the policy cover data held by vendors and other third parties?
- Does it cover attacks outside the United States if that matters to the business?
- Does it include business interruption, and what has to happen before that coverage applies?
- Is there contingent business interruption coverage for a vendor outage?
- Are there sublimits for ransomware, extortion, funds transfer fraud, business interruption, or third-party outages?
- Does the insurer have a duty to defend?
- Is there a breach hotline?
- Are there approved panel vendors the business must use?
- What notice deadline applies?
- What consent is required before hiring counsel, paying forensics, restoring systems, or negotiating with a threat actor?
- What deductible or retention applies?
- What exclusions could matter?
This is where a lot of small businesses get surprised.
They hear "covered" and think "paid." Those are not the same thing.
A covered event can still involve a deductible, waiting period, sublimit, documentation burden, vendor approval issue, legal review, claim negotiation, or uncovered category of loss. It can also involve losses the policy does not really repair: owner time, staff distraction, customer doubt, delayed projects, stress, opportunity cost, and the messy work of rebuilding trust.
The practical next step is to create an insurance reality file before the incident.
That file should include the policy, broker contact, carrier claim contact, breach hotline, notice instructions, approved vendors if known, deductible, key limits and sublimits, renewal date, application answers, and a plain-English note about what the business thinks is covered. That note should be reviewed with the insurance professional who owns the policy relationship and, when needed, legal counsel.
Trawvid Sec can help connect the security reality to that file: which systems matter, what controls are actually in place, what evidence exists, and where the application or renewal discussion needs better facts.
The claim can become a control-evidence problem
A bad insurance application can become its own problem.
This is not legal advice. It is operational common sense.
Cyber insurance applications often ask about security controls because the carrier is trying to price and understand the risk. The NYDFS Cyber Insurance Risk Framework says cyber insurers should assess each insured's cyber risk using information about governance and controls, vulnerability management, access controls, encryption, endpoint monitoring, boundary defenses, incident response planning, and third-party security policies.
In plain English: the control questions are not decorative.
If the application asks whether MFA is used and the business says yes, the next question is "where?" Email only? Every admin account? Remote access? Payroll? Banking? Cloud file storage? Website administration? Accounting? Managed service provider access? Former employee accounts? Shared admin accounts?
If the application asks whether backups exist, the next question is whether they are recoverable. A backup that has never been restored is a belief, not evidence.
If the application asks about endpoint protection, logging, vulnerability management, training, or incident response, the same rule applies. The answer should match reality. If the answer is partially true, say what is partially true. If the answer is not true yet, fix it or make the limitation visible before somebody signs the application.
This is where small businesses get into trouble without intending to lie.
The owner thinks "we have MFA" because Microsoft 365 has MFA available. The IT vendor thinks "we have backups" because a backup product is installed. The office manager thinks "we have training" because someone forwarded a phishing reminder last year. The insurance application asks a binary question. Someone answers yes because yes feels close enough.
Close enough is a terrible evidence strategy.
The practical control is an insurance evidence map.
For each material application question, keep a short record:
- The exact question.
- The answer provided.
- The systems in scope.
- The control owner.
- The evidence that proves the answer.
- The known limitation.
- The date it was checked.
That does not have to be a giant compliance project. It can be a simple spreadsheet or short document. The point is to stop guessing.
If the business later has an incident, the evidence map helps leadership, the broker, counsel, forensics, and the carrier understand what was actually true at the time.
The payout may not equal the pain
The check, if it comes, may still be smaller than the damage.
Verizon's 2026 Breach Impact Study is useful because it is based on cyber insurance claim data instead of generic breach-cost theater. The dataset includes 69,683 U.S. cyber insurance claims, with 38,181 recorded losses paid out to policyholders, for incidents from January 1, 2019 through October 31, 2025.
The report also explains an important limitation: recorded claim amounts can understate economic impact when policy limits or sublimits are reached. Specific loss categories may have internal caps, such as contingent business interruption or extortion, and the dataset records the cap rather than the full loss for that category.
That is the part small businesses should sit with.
A claim record can show what the policy paid. That is not always the same thing as what the business suffered.
Verizon's SMB findings make the point sharper. For insured businesses under $25 million in revenue, the top 10 percent of cases reached about 3 percent of revenue, and the more extreme top 2.5 percent exceeded 7 percent of revenue. The SMB median impact was about $38,000, but medians can hide the events that hurt thin-margin companies most.
The business interruption data matters too. Verizon reports that business interruption had the highest median among known loss types, around $90,000, with the extreme top 2.5 percent near $5 million. In manufacturing claims, business interruption was one of the largest loss drivers, with a median loss of $232,000, and the report attributes 30 percent of all losses in that industry to it.
This does not mean every small business incident becomes a catastrophe.
It means a small business should not confuse "we have a policy" with "we can absorb the operational hit."
Insurance may help with some invoices. It does not give back the owner's week. It does not make a missed shipment disappear. It does not undo customer anxiety. It does not rebuild the invoice process. It does not tell staff which system to use when the normal one is down. It does not make a weak backup suddenly usable.
The cleaner the security baseline, the smaller the claim is likely to be and the easier the story is to tell.
The basic controls are not enterprise overhead
The right-sized security answer is not to build a giant program because insurance is complicated.
The answer is to make the first layer real.
CISA's Cross-Sector Cybersecurity Performance Goals are designed to help small and medium-sized organizations prioritize a limited number of essential actions with known risk-reduction value. NIST's Small Business Information Security: The Fundamentals is also written as a non-technical small-business reference, not an enterprise-control monument.
The first layer should be simple enough to run and concrete enough to prove:
Critical account inventory
List email, file storage, payroll, banking, accounting, domain registrar, website admin, CRM, payment processors, remote access, endpoint management, backup, and any system that holds customer, employee, financial, operational, regulated, or contract-sensitive data.
For each system, identify the owner, admin users, MFA status, recovery email, recovery phone, vendor contact, and whether logs or exports are available.
The evidence artifact is the account inventory. Without it, the business is guessing during the claim.
MFA that covers the paths that matter
Do not stop at "MFA exists."
Confirm it is enforced on primary email, administrative accounts, remote access, payroll, banking, accounting, cloud file storage, domain registrar, website admin, and any vendor portal that can access sensitive data or business operations.
The evidence artifact is an MFA export, screenshot, policy record, or admin setting review with a date and owner.
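The inventory and the MFA check above are easiest to keep honest when the inventory is a file a script can read. The following is an added example, not code from the original page or from Trawvid Sec: it takes an account inventory shaped like the one described (system, owner, admin users, MFA status, recovery contact), reports the gaps a bare "yes, we use MFA" hides, and produces the per-system answer the application actually deserves. Every system, user, date and the review date are constructed sample data for a hypothetical business.

```python
"""Account inventory gap check (added example; constructed sample data)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional

CHECK_DATE = date(2026, 6, 30)  # date of this inventory review (constructed)


@dataclass
class Account:
    user: str
    role: str                      # "admin" or "user"
    mfa_enforced: bool             # enforced by policy, not merely available
    shared: bool = False           # generic login used by several people
    active_employee: bool = True   # False means offboarding was missed
    last_login: Optional[date] = None


@dataclass
class System:
    name: str
    owner: Optional[str]
    moves_money: bool = False           # can send payments or change bank details
    holds_sensitive_data: bool = False  # customer, employee, financial, regulated
    primary_email: bool = False         # password resets for other systems land here
    recovery_contact: Optional[str] = None
    accounts: list[Account] = field(default_factory=list)


INVENTORY = [  # constructed inventory for a hypothetical business
    System("Microsoft 365 (email, files)", owner="owner", holds_sensitive_data=True,
           primary_email=True, recovery_contact="owner mobile", accounts=[
               Account("owner@example.com", "admin", mfa_enforced=True),
               Account("msp-admin@example.com", "admin", mfa_enforced=False),  # IT vendor
               Account("sales@example.com", "user", mfa_enforced=True, shared=True),
           ]),
    System("Bank portal", owner="owner", moves_money=True, holds_sensitive_data=True,
           recovery_contact="owner mobile", accounts=[
               Account("owner@example.com", "admin", mfa_enforced=True),
               Account("bookkeeper@example.com", "user", mfa_enforced=False),  # can pay bills
           ]),
    System("Domain registrar", owner=None, accounts=[
        Account("webmaster@example.com", "admin", mfa_enforced=False,
                active_employee=False, last_login=date(2025, 1, 10)),
    ]),
    System("Payroll", owner="office manager", moves_money=True, holds_sensitive_data=True,
           recovery_contact="office manager mobile", accounts=[
               Account("officemgr@example.com", "admin", mfa_enforced=True),
           ]),
]


def find_gaps(systems: list[System], today: date = CHECK_DATE,
              stale_days: int = 90) -> list[tuple[str, str]]:
    """Return (system, finding) pairs; an empty list means no gaps were found."""
    gaps: list[tuple[str, str]] = []
    for s in systems:
        critical = s.moves_money or s.holds_sensitive_data or s.primary_email
        if s.owner is None:
            gaps.append((s.name, "no named owner"))
        if critical and not s.recovery_contact:
            gaps.append((s.name, "no recovery contact on file"))
        for a in s.accounts:
            # The paths that matter: every login that can move money or read the
            # primary mailbox, and every admin login on any system.
            needs_mfa = s.moves_money or s.primary_email or a.role == "admin"
            if needs_mfa and not a.mfa_enforced:
                gaps.append((s.name, f"MFA not enforced for {a.user} ({a.role})"))
            if a.shared:
                gaps.append((s.name, f"shared login {a.user}: no individual accountability"))
            if not a.active_employee:
                gaps.append((s.name, f"former employee still has access: {a.user}"))
            if a.role == "admin" and a.last_login and (today - a.last_login).days > stale_days:
                gaps.append((s.name, f"stale admin login {a.user}, last seen {a.last_login}"))
    return gaps


def mfa_answer(systems: list[System]) -> dict[str, str]:
    """The honest per-system answer for the application: yes, partial or no."""
    answers = {}
    for s in systems:
        enforced = [a.mfa_enforced for a in s.accounts]
        answers[s.name] = "yes" if all(enforced) else "no" if not any(enforced) else "partial"
    return answers


if __name__ == "__main__":
    for system, finding in find_gaps(INVENTORY):
        print(f"{system}: {finding}")
    for system, answer in mfa_answer(INVENTORY).items():
        print(f"MFA enforced on {system}? {answer}")
```

Run against the sample inventory, the script reports seven gaps (an unprotected vendor admin on email, a shared sales login, a bookkeeper who can pay bills without MFA, and an orphaned registrar admin that belongs to a former employee) and answers "partial" for the two systems where the owner would otherwise have said "yes". The dated output is the evidence artifact; rerun it before renewal.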
Backup and restore proof
A backup strategy is not real until the business has restored something.
Pick a critical file set or system. Restore it. Record what was restored, where it came from, who did it, how long it took, and what failed.
The evidence artifact is the restore test note.
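A restore test is only evidence if it checks that what came back is what went in and writes down the result. The following is an added example, not Trawvid Sec's procedure or any backup product's code: it restores a file set from a backup copy into a scratch directory, verifies each file against the SHA-256 recorded when the backup was taken, and writes the restore note described above (what, where from, who, how long, what failed). The backup, its manifest and the files are constructed in a temporary directory so it runs offline; one file is deliberately corrupted and one deleted so the note shows how failures are recorded rather than hidden.

```python
"""Backup restore test that produces a written record (added example)."""
import hashlib
import json
import shutil
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path) -> Path:
    """Record a hash per file at backup time; the restore test compares against it."""
    manifest = {p.relative_to(backup_dir).as_posix(): sha256_file(p)
                for p in sorted(backup_dir.rglob("*")) if p.is_file()}
    manifest_path = backup_dir.parent / "backup-manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest_path


def restore_and_verify(backup_dir: Path, manifest_path: Path,
                       restore_dir: Path, operator: str) -> dict:
    """Copy every file in the manifest, verify it, and return the restore note."""
    manifest = json.loads(manifest_path.read_text())
    started = time.monotonic()
    restored, failed = [], []
    for rel, expected in manifest.items():
        src, dst = backup_dir / rel, restore_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        try:
            shutil.copy2(src, dst)
            actual = sha256_file(dst)
        except OSError as exc:            # missing file, unreadable media, full disk
            failed.append({"file": rel, "reason": type(exc).__name__})
            continue
        if actual == expected:
            restored.append(rel)
        else:
            failed.append({"file": rel, "reason": "hash mismatch"})
    return {
        "test_date": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "operator": operator,
        "source": str(backup_dir),
        "restored_to": str(restore_dir),
        "duration_seconds": round(time.monotonic() - started, 3),
        "files_restored": restored,
        "files_failed": failed,
        "result": "PASS" if not failed else "FAIL",
    }


def run_demo() -> dict:
    """Build a constructed backup, damage it, run the restore test, write the note."""
    root = Path(tempfile.mkdtemp(prefix="restore-test-"))
    backup = root / "backup"
    sample_files = {                      # constructed sample data
        "invoices/2026-06.csv": b"invoice,amount\n1001,250.00\n",
        "customers.db": b"placeholder for a database file",
        "payroll/export.xlsx": b"placeholder for a spreadsheet",
    }
    for rel, content in sample_files.items():
        (backup / rel).parent.mkdir(parents=True, exist_ok=True)
        (backup / rel).write_bytes(content)
    manifest = write_manifest(backup)
    # Simulate what a never-tested backup hides: silent corruption and a missing file.
    (backup / "customers.db").write_bytes(b"placeholder for a CORRUPTED database file")
    (backup / "payroll/export.xlsx").unlink()
    note = restore_and_verify(backup, manifest, root / "restored", operator="owner")
    (root / "restore-note.json").write_text(json.dumps(note, indent=2))  # the evidence artifact
    return note


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The point of hashing at backup time rather than at restore time is that a backup product reporting "job succeeded" says nothing about whether the bytes it wrote still match the originals. In a real run, point the functions at the backup product's export and keep the JSON note with the insurance file.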
Payment-change verification
Business email compromise is not solved by insurance paperwork.
Create a rule for vendor bank changes, ACH changes, wire instructions, payroll direct deposit changes, and unusual payment requests. Require verification through a known second channel, not a reply to the request.
The evidence artifact is a short payment-change procedure approved by leadership.
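The rule above is simple to state and easy to get wrong in the moment, because the fraudulent email usually includes a helpful "call me on this number". The following is an added example, not Trawvid Sec's procedure: it encodes the payment-change rule as a decision function that approves a bank-detail change only after confirmation over a known second channel taken from the vendor master record, by someone other than the person who received the request. The vendor master, the request and the verification attempts are constructed sample data; the business email compromise pattern is one of the cases.

```python
"""Payment-change verification gate (added example; constructed sample data)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class VendorRecord:
    """Set up at onboarding, before any change request exists."""
    name: str
    known_phone: str          # callback number confirmed at onboarding
    bank_account: str         # account currently on file


@dataclass(frozen=True)
class ChangeRequest:
    vendor: str
    new_bank_account: str
    received_by: str                          # staff member who got the email
    received_at: datetime
    contact_in_request: Optional[str] = None  # phone or email offered in the message


@dataclass(frozen=True)
class Verification:
    verified_by: str
    channel: str              # "phone_callback", "in_person", "email_reply"
    contact_used: str
    verified_at: datetime
    vendor_confirmed: bool


def evaluate(req: ChangeRequest, ver: Optional[Verification],
             master: Dict[str, VendorRecord]) -> Tuple[str, str]:
    """Return (decision, reason). Anything but APPROVE leaves the bank details unchanged."""
    vendor = master.get(req.vendor)
    if vendor is None:
        return "REJECT", "vendor not in the vendor master"
    if req.new_bank_account == vendor.bank_account:
        return "NO_CHANGE", "requested account already on file"
    if ver is None:
        return "HOLD", "no second-channel verification recorded"
    if ver.channel == "email_reply":
        return "REJECT", "replying to the request is not a second channel"
    if req.contact_in_request and ver.contact_used == req.contact_in_request:
        return "REJECT", "callback went to a contact supplied by the request itself"
    if ver.contact_used != vendor.known_phone:
        return "REJECT", "callback did not use the number in the vendor master"
    if ver.verified_by == req.received_by:
        return "REJECT", "verifier must be someone other than the request recipient"
    if ver.verified_at < req.received_at:
        return "REJECT", "verification predates the request"
    if not ver.vendor_confirmed:
        return "REJECT", "vendor did not confirm the change"
    return "APPROVE", "confirmed over a known second channel by a second person"


MASTER = {"Acme Supply": VendorRecord("Acme Supply", "+1-555-0100", "ACME-0001")}  # constructed

# Constructed BEC-style request: a new account plus a convenient "call me here" number.
REQUEST = ChangeRequest("Acme Supply", "NEW-9999", received_by="bookkeeper",
                        received_at=datetime(2026, 6, 30, 9, 0),
                        contact_in_request="+1-555-0199")


def demo_cases() -> Dict[str, Tuple[str, str]]:
    later = datetime(2026, 6, 30, 10, 0)
    return {
        "no verification": evaluate(REQUEST, None, MASTER),
        "bookkeeper replies to the email": evaluate(REQUEST, Verification(
            "bookkeeper", "email_reply", "ap@acme.example", later, True), MASTER),
        "bookkeeper calls the number in the email": evaluate(REQUEST, Verification(
            "bookkeeper", "phone_callback", "+1-555-0199", later, True), MASTER),
        "owner calls the number on file, vendor says no": evaluate(REQUEST, Verification(
            "owner", "phone_callback", "+1-555-0100", later, False), MASTER),
        "owner calls the number on file, vendor confirms": evaluate(REQUEST, Verification(
            "owner", "phone_callback", "+1-555-0100", later, True), MASTER),
    }


if __name__ == "__main__":
    for case, (decision, reason) in demo_cases().items():
        print(f"{case}: {decision} ({reason})")
```

The two checks that do the real work are the ones comparing the callback contact against the request and against the vendor master: a call that confirms the change is worthless if the attacker chose who answered. The written procedure the page asks for is this logic in plain language, plus who is allowed to be the second person.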
Incident contact path
Write down who is called first when email is compromised, ransomware appears, customer data may be exposed, money is misdirected, or a critical vendor goes down.
Include the owner, IT support, broker, carrier hotline, outside counsel if used, bank fraud contact, and law enforcement reporting path. NYDFS notes that cyber policies should include law enforcement notice requirements and that prompt notice can help victims, including in some business email compromise scenarios.
The evidence artifact is the incident contact sheet.
Insurance application evidence
Keep the application answers and the evidence behind them together.
If the business says "yes" to MFA, backups, endpoint protection, training, incident response, encryption, or vendor controls, keep the proof. If the answer is partial, document the partial scope.
The evidence artifact is the insurance control map.
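The insurance evidence map described earlier (exact question, answer, systems, owner, evidence, limitation, date checked) and the insurance control map in this section are the same record. The following is an added example, not Trawvid Sec's template: it checks a set of such rows for the ways an application drifts from reality, a "yes" with nothing behind it, a "yes" carrying a documented limitation that should have been "partial", a "partial" that never says what is missing, a control nobody owns, and evidence older than the renewal cycle. The rows and the review date are constructed sample data.

```python
"""Insurance evidence map check (added example; constructed sample data)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

CHECK_DATE = date(2026, 6, 30)   # renewal review date (constructed)


@dataclass
class EvidenceRow:
    question: str
    answer: str                        # "yes", "no" or "partial"
    systems: List[str] = field(default_factory=list)
    owner: Optional[str] = None
    evidence: Optional[str] = None     # export, screenshot, policy, restore note
    limitation: Optional[str] = None
    checked: Optional[date] = None


def check_row(row: EvidenceRow, as_of: date = CHECK_DATE,
              max_age_days: int = 365) -> List[str]:
    """Return the problems with one row; an empty list means the row is defensible."""
    issues = []
    if row.answer not in {"yes", "no", "partial"}:
        issues.append(f"answer must be yes/no/partial, not {row.answer!r}")
    if row.answer == "yes" and not row.evidence:
        issues.append("answered 'yes' with no evidence on file")
    if row.answer == "yes" and row.limitation:
        issues.append("answered 'yes' but a limitation is recorded; should be 'partial'")
    if row.answer == "partial" and not row.limitation:
        issues.append("answered 'partial' without saying what is missing")
    if not row.owner:
        issues.append("no control owner")
    if row.checked is None:
        issues.append("never checked")
    elif (as_of - row.checked).days > max_age_days:
        issues.append(f"evidence is {(as_of - row.checked).days} days old")
    return issues


def review(rows: List[EvidenceRow], as_of: date = CHECK_DATE) -> Dict[str, List[str]]:
    """Map each problematic question to its issues; clean rows are omitted."""
    findings = {}
    for row in rows:
        issues = check_row(row, as_of)
        if issues:
            findings[row.question] = issues
    return findings


SAMPLE_ROWS = [   # constructed
    EvidenceRow("Is MFA enforced for all email accounts?", "yes",
                systems=["Microsoft 365"], owner="owner",
                evidence="Conditional Access policy export, 2026-05-02",
                checked=date(2026, 5, 2)),
    EvidenceRow("Are backups tested by restoring data?", "yes",
                systems=["file server"], owner="IT vendor"),
    EvidenceRow("Is MFA enforced for remote access?", "yes",
                systems=["VPN"], owner="IT vendor", evidence="VPN config screenshot",
                limitation="two contractor accounts are exempt", checked=date(2025, 10, 1)),
    EvidenceRow("Do employees receive security awareness training?", "partial",
                evidence="phishing reminder email, 2025", checked=date(2025, 6, 1)),
]


if __name__ == "__main__":
    for question, issues in review(SAMPLE_ROWS).items():
        print(question)
        for issue in issues:
            print(f"  - {issue}")
```

Three of the four sample rows fail: the backup answer is a belief with no restore note behind it, the remote-access answer should be "partial" because of the exempted contractor accounts, and the training row has no owner and year-old evidence. Those are exactly the rows to fix or re-answer before anyone signs the application.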
What Trawvid Sec should help with before renewal
A small business does not need to wait for a claim to get value from cybersecurity advisory help.
The best time is before renewal, before a customer questionnaire, before a contract requirement, before a system migration, before the next hire, and before the incident.
A practical engagement should start with business shape, not fear:
- Which systems stop revenue if they go down?
- Which accounts can move money?
- Which systems hold customer, employee, financial, regulated, or contract-sensitive data?
- Which vendors can access important systems or data?
- Which admin accounts are shared, stale, or overprivileged?
- Which insurance application answers need evidence?
- Which controls reduce the most risk in the next 30 to 90 days?
The first outputs should be boring on purpose: account inventory, risk register, control evidence map, backup restore note, payment-change rule, incident contact sheet, and a short remediation roadmap.
That is not insurance advice. That is security program development and risk reduction.
It helps the broker and carrier relationship because the business can answer questions with better facts. It helps leadership because they can choose priorities instead of reacting to noise. It helps operations because the first fixes usually reduce everyday friction too: fewer shared accounts, cleaner offboarding, clearer ownership, better recovery paths, and less mystery when something breaks.
This is the difference between wearing a seatbelt and driving blind.
The seatbelt still matters.
But the driver needs mirrors, brakes, maintenance, rules, and enough discipline to use them before the impact.
The practical takeaway
Cyber insurance should be part of the conversation.
It should not be the plan.
A policy may help pay for pieces of a cyber incident. It may provide access to a hotline, legal counsel, forensics, recovery services, notification support, business interruption coverage, or liability coverage depending on the policy. Those are useful tools.
But the hard parts of an incident are still operational.
Can you log in? Can you recover? Can you prove what happened? Can you identify which customer data was involved? Can you keep taking orders? Can you pay employees? Can you stop a fraudulent wire? Can you tell the carrier what controls were actually in place? Can you answer a customer without sounding like the business is discovering its own environment for the first time?
That is where basic hygiene wins.
Do not overbuild. Do not pretend insurance is useless. Do not let the application become fiction. Do not wait for the claim to discover the business has no evidence.
Start with the baseline:
- Critical account inventory.
- MFA on the paths that matter.
- Admin access cleanup.
- Backup restore testing.
- Payment-change verification.
- Incident contact sheet.
- Insurance control evidence map.
- A 30, 60, and 90 day remediation plan.
That is the better-driver work.
Insurance is the seatbelt.
Build the security program so the business is less likely to need it, and more prepared if it does.
