Compliance
A CISSP-led walkthrough of cyber insurance for first-time SMB buyers in 2026 — what the policy covers, what the questionnaire asks, the four controls that move premiums the most, and how to pass the application without overspending.
Cyber insurance for small business is no longer a niche product. It sits on the renewal checklist next to workers' comp and the BOP, and for most SMBs it is now a contractual requirement somewhere — a bank line of credit, an enterprise customer's vendor onboarding form, or a state regulator's safeguards rule.
The market a first-time buyer is walking into is not the market that existed five years ago. Premiums are up roughly 30 to 40 percent over the last three years across most SMB segments. Carrier scrutiny on controls is at an all-time high. The questionnaire is a controls audit dressed up as paperwork. The marketing brochure rarely matches the policy form.
This article covers what a cyber policy actually covers, what the 2026 questionnaire asks, the four controls that move the premium the most, what the policy will not pay, and the operational sequence to pass underwriting without overspending on tools that do not change a single answer. Obsidian Ridge does not sell insurance. We help SMBs pass the questionnaire honestly and operate the controls behind the answers.
A standalone cyber liability policy is two contracts stitched together. First-party coverage pays your losses. Third-party coverage pays losses your customers suffer because of you.
Where most SMBs cash claims. Typical covered costs:
The third-party section is where the lawsuits and the regulators show up. Typical covered costs:
Both sections together are the base policy. Almost every meaningful loss type beyond ransomware sits in a rider.
Base cyber policies sit underneath a stack of endorsements. The riders that matter most for a first-time SMB buyer:
The two non-negotiables for most SMBs are the crime rider with explicit social-engineering language and a system-failure endorsement if business interruption coverage matters. The base policy without the crime rider will not respond to a vendor-impersonation BEC, which is the single most common SMB cyber loss in the FBI IC3 2024 Annual Report.
Knowing the exclusions is more important than knowing the coverages, because exclusions decide what you do not collect when something goes wrong.
Read the exclusion section before you read the coverage section. The shape of the exclusions tells you what the policy is actually for.
Limits have stabilized after the hard market of 2022 and 2023. Current ranges by headcount, for businesses with decent controls in place:
Most carriers will price a $1 million policy in the $1,500 to $3,500 per year range if the named controls are operational and the prior 24 months are clean.
The aggregate limit is half the conversation. Sublimits are the other half. The ransomware sublimit is often 50 percent of the aggregate, the regulatory defense sublimit may be lower than the headline number, and the crime rider sublimit is usually $25,000 to $100,000 — orders of magnitude below the aggregate. A $1 million policy with a $500,000 ransomware sublimit and a $25,000 crime sublimit is a different product than the same policy at full limits.
If you have never filled out a cyber application, the structure is the same across nearly every carrier. The order varies. The questions do not. These twelve drive the offer:
A few carriers ask additional questions on DMARC, conditional access, patching cadence, and vendor management. Those move the premium at the margins. The twelve above decide whether you get an offer at all.
If you read nothing else in this article, read this section. Underwriters score everything, but four controls do most of the work on price.
If you have all four, you are in the standard rating bucket and the application becomes a paperwork exercise. If you have none, you are either declined outright or quoted with a 50 to 100 percent surcharge over standard and a ransomware co-insurance condition that effectively halves the payout when you need it.
The most expensive surprise in 2026 SMB policies is not the premium — it is the ransomware co-insurance clause. Many carriers now apply 50 percent co-insurance to a ransomware loss if the insured cannot demonstrate, at the time of loss, that the named controls were operating. Named controls are usually MFA on all surfaces, EDR or MDR with monitoring, immutable tested backups, and a written IR plan.
A $500,000 ransomware loss on a $1 million policy with 50 percent co-insurance pays $250,000. The other $250,000 is the insured's problem. If the carrier also finds material misrepresentation on the application, the entire claim can be denied.
The clause lives in the ransomware endorsement, not the declarations page. Read it before binding. Map each named control to evidence you can produce on the day of loss — restore logs, EDR console exports, conditional access policy exports — not the day of the application.
Beyond the standard exclusion list, a handful matter most for first-time SMB buyers:
Material misrepresentation on the questionnaire is grounds for the carrier to rescind the policy after a loss. The rescission is retroactive — premiums are returned and claims are denied.
If MFA is on most accounts but not on the CEO's mailbox because it broke her travel routine, the honest answer is "MFA is required on all email accounts except one executive exception." That answer raises the premium. It does not void the policy. The other answer — "yes" — saves the premium and loses the claim when the executive mailbox is the one that gets popped.
Honest answers, even when they raise the premium, are the only viable strategy. The premium delta from an honest "no" is almost always smaller than the deductible on the denied claim.
First-time buyers commonly spend in the wrong places. The following sound like security but do not change a single answer on a 2026 questionnaire:
Carriers score operating controls and evidence. Not invoices, not certificates, not vendor logos.
If you are reading this with a renewal application open, or a first-application quote request from your broker, work in this order. Each step unlocks the next.
Enable MFA on Microsoft 365 or Google Workspace tenant-wide via Conditional Access or context-aware access. Add MFA on every remote-access path the IT vendor uses — VPN, RDP, RMM, jump hosts. Add MFA on every privileged account, including break-glass accounts with a documented checkout procedure. This is the cheapest move and it materially lowers premium.
A managed detection and response service with a real 24/7 SOC checks the EDR box, the 24/7 monitoring box, and the documented escalation box at the same time. Adding identity threat detection on top covers the cloud productivity controls underwriters are starting to score separately. See Managed Detection and Response and Managed ITDR.
Pick a backup product that supports immutability natively — cloud object lock or air-gap. Schedule a monthly restore of a representative dataset. Keep the log. Carriers ask for the log at claim time. A backup that exists on paper but was never restored fails this control.
A 12-page written information security plan covering administrative, technical, and physical safeguards, with a named owner and a 12-month review date. A one-page incident response plan that names who calls the carrier hotline, who declares an incident, who talks to staff, and who decides about closing operations. Keep both short enough that someone will actually read them during a crisis.
A managed security awareness training program with quarterly phishing simulations and tracked completion rates. Carriers want completion data and click rates — not a training video shelved in a learning management system nobody opens. See Managed Security Awareness Training.
Five operational moves, six to ten weeks of execution time, and roughly 80 percent of the premium-moving controls on a 2026 questionnaire are now answered yes — with evidence.
The mechanics of buying a cyber policy for the first time:
Rough current pricing for businesses with the four named controls operational and a clean 24-month history:
A quote outside these ranges is a signal to ask why. Outliers below the range usually have low sublimits, high deductibles, or a co-insurance condition buried in the ransomware endorsement. Outliers above usually reflect missing controls or undisclosed prior incidents driving up the base.
Most SMBs see premium creep at renewal even when nothing changes. The way to flatten the curve is to demonstrate control improvements year over year — added ITDR, completed tabletop, tightened conditional access, raised SAT completion rate. The way to drop the premium is to switch carriers every two to three years. Get fresh quotes from two or three markets, present the current control evidence, and let competition do the work.
Carriers also share loss intelligence. A claim paid in a prior policy period invites a specific question at the next renewal: what changed since the incident? Answers like "we are more careful now" do not pass. Answers like "we moved to a 24/7 MDR provider in March, added MFA on the line-of-business admin accounts in April, and completed a tabletop in May" do.
The other 2026 reality: non-renewal is more common than it used to be when controls have slipped or after a claim. The firm has 30 to 60 days to find replacement coverage, and the next application asks about the prior non-renewal. The fix is operational, not paperwork.
We are not an insurance broker. We do not sell policies. We help SMBs operate the controls underwriters score, produce the evidence package the application asks for, and pass renewal without overspending on tools that do not move a single answer.
Our Foundation tier ($15/agent/month) plus Protected tier ($32/user/month) covers MFA enforcement, 24/7 MDR, ITDR on the productivity tenant, and the managed SAT program — the four heaviest premium-moving controls in 2026, operated and monitored, with the evidence package as a byproduct. See pricing.
For first-time buyers or renewing buyers staring at a questionnaire, the Cyber Insurance Readiness sprint is a two-week, fixed-fee engagement ($4,500) that maps your current state against the carrier questionnaire, identifies the gaps that will most likely block underwriting, and produces a clean evidence package to submit with the application. For a deeper walk through the underwriting controls, see the companion piece on the 22-control questionnaire.
To walk through your specific situation with a CISSP-led team before applying, book a briefing. The assessment tool gives you a faster posture snapshot against the controls underwriters care about, if you want a read before committing to anything.
Cyber insurance is not a substitute for controls. It is a backstop for the residual risk that remains after the controls are doing their job. First-time buyers who treat the policy as the plan tend to learn the expensive way that the controls warranty in the fine print is doing more work than the declarations page. The fix is operational, and it is cheaper than the renewal surcharge on a claim year.
Start with MFA, MDR, a tested backup, and an honest answer to twelve questions. The rest of the application gets easier from there.
Last updated
May 16, 2026. We refresh this content as the threat landscape and tools evolve.
FAQ
If you hold customer data, send wires, accept card payments, or rely on email and a handful of cloud apps to operate, the answer is yes. General liability and errors-and-omissions policies do not respond to forensics, ransomware, breach notification, regulatory defense, or wire fraud. The premium for a $1 million policy at a 10-person business is typically smaller than the deductible on a single uninsured incident, and many enterprise customers and banks now require a current cyber certificate of insurance as a contractual condition.
Two buckets. First-party covers your losses — forensic investigation, legal counsel, breach notification, credit monitoring, business interruption, ransom payment where legal, and data restoration. Third-party covers losses you cause others — regulatory defense and fines, PCI penalties, customer lawsuits, and network security liability. Add-on riders typically cover social engineering and wire fraud, reputation harm, hardware bricking, and outage events that are not the result of an attack.
Rough current ranges by headcount. One to ten employees: $250,000 to $1 million aggregate. Eleven to fifty employees: $1 million to $3 million. Fifty-one to two hundred fifty employees: $3 million to $10 million. A $1 million policy at a business with decent controls usually prices between $1,500 and $3,500 per year. Sublimits — especially the ransomware sublimit — often matter more than the headline aggregate.
Yes. There is no third-party audit requirement. What carriers require is an honest answer to roughly twelve underwriting questions on a self-attestation. The answers must hold up if the policy is ever invoked, so the practical effort is to make sure the controls you attest to are actually in place. That is operational work, not an audit.
If your controls are already in place, completing the questionnaire and binding coverage typically takes two to four weeks end to end. If you have gaps to close — adding MFA, deploying MDR, documenting backups — plan four to eight weeks to remediate before applying, then another two to four weeks to quote and bind. Applying with gaps usually results in a non-quote or a heavily surcharged offer.
Non-quote is increasingly common when MFA, EDR, or tested backups are missing. The fix is not shopping harder. It is closing the control gaps that triggered the decline, then re-quoting in 30 to 60 days with documentation in hand. Many carriers will reconsider on the same fiscal year once the named controls are operational and evidenced.
Base premium is driven by revenue, employee count, industry, sensitive-record count, and prior incident history. From that base, named controls — MFA on email and remote access, EDR or MDR, immutable tested backups, identity threat detection on the productivity tenant — adjust the premium by a combined 50 to 80 percent. Regulated verticals like healthcare, financial services, and legal carry a 30 to 100 percent base loading on top.
Most business owner's policies (BOPs) include a small cyber endorsement, typically $25,000 to $100,000, which is rarely enough to cover a real incident. Forensics and legal alone often exceed $50,000 in the first week. Treat the BOP endorsement as a floor, and add a standalone cyber liability policy with limits sized to your exposure.
Sometimes, and with conditions. Payment must be legal under OFAC sanctions rules, the carrier almost always requires pre-approval through its incident response panel, and many 2026 policies apply 50 percent co-insurance to the ransom and related sublimits if the insured cannot demonstrate that named controls — MFA, EDR or MDR, immutable backups, and a documented incident response plan — were operating at the time of loss.
Related reading
What cyber insurance for CPA and tax firms actually covers in 2026, the underwriting questionnaire controls that move premiums, and how to pass the application without overspending.
Read articleThe 22 cyber-insurance underwriting controls that move premiums in 2026 — what each one asks, why carriers care, and how to answer without overcommitting your stack.
Read articleWhat IRS Publication 4557, IRS Publication 5708, the FTC Safeguards Rule, AICPA SSTS Section 1.3, and the state breach laws actually require of CPA firms in 2026 — the technical safeguards, the documented program, and where most firms get it wrong.
Read article