Skip to main content

GLOSSARY · General IT

Cyber Insurance

Insurance product that covers financial losses from cyber incidents — ransomware, breach response, business interruption, regulatory fines. Underwriting requirements have tightened sharply since 2020.

Detailed definition

Cyber Insurance is the financial backstop for a category of risk that conventional general-liability and property policies don’t cover well. Ransomware ransoms, breach-notification costs, forensic-investigation fees, business-interruption losses, regulatory fines, and third-party liability after a breach are all in scope of a cyber policy. The premium tradeoff has changed dramatically — what was a cheap add-on five years ago is now a meaningful annual cost with stringent underwriting requirements attached.

What a cyber policy typically covers

  • Ransomware response — ransom negotiation and payment (where legal), decryption assistance
  • Forensic investigation — incident response firm to scope and contain the breach
  • Breach notification — required notifications to affected individuals, regulators
  • Credit monitoring — offered to affected individuals
  • Business interruption — lost revenue during operational downtime
  • Data restoration — costs to rebuild affected systems and data
  • Regulatory defense — legal costs for responding to HIPAA, state AG, FTC investigations
  • Third-party liability — claims from customers, vendors, or partners whose data was exposed

What underwriters now require to issue a policy

This is the part that has changed the most. Five years ago you could get cyber insurance with a short questionnaire. Today, expect underwriters to require evidence of:

  • MFA on every email account, administrative account, VPN, and remote access path
  • EDR deployed and managed on every endpoint
  • Documented patching cadence — what patches roll out within how many days of release
  • Email-gateway phishing defense with sandboxing
  • Backup architecture — offline or immutable copies, with documented test-restore evidence
  • Security awareness training — recurring, with phishing simulation
  • Vendor due diligence for third-party access (typically an MSP attestation that you have one and what they handle)
  • Incident response plan documented and tested

Without these in place, you either won’t get a policy, will get one with very low limits and high deductibles, or will pay premiums that make self-insuring look reasonable. The policies of a few years ago that paid out without scrutinizing controls are gone — insurers were losing money on those and changed the model.

Where Bytes Unlimited sits on cyber insurance

We design managed client environments to satisfy cyber-insurance underwriting requirements as a default posture, not as a special project. The controls overlap heavily with HIPAA and PCI DSS requirements, so the same engineering work satisfies multiple obligations.

If you’re up for renewal, the practical step is to share the underwriter’s questionnaire with us. We’ll map your current state against what they’re asking and identify gaps before you submit.

RELATED TERMS

Need help applying Cyber Insurance to your business?

We've done this kind of work across New York. First conversation is free.