
7 Cyber Insurance Mistakes That Will Wreck Your Small Business in 2026

Cyber claims are at record highs and insurers are denying coverage faster than ever. Here are the most common, most expensive cyber insurance mistakes small businesses are making in 2026 — and how to fix them before you need the policy.

May 8, 2026 | 8 min read | By Knox Insurance

Cyber insurance has changed more in the last two years than in the previous ten. Carriers have paid out billions in ransomware claims, tightened underwriting dramatically, and started denying claims based on application answers that customers thought were routine. According to At-Bay's 2026 InsurSec Report — which analyzed over 100,000 policy years — the average cyber claim severity hit an all-time high of $221,000 in 2025, with ransomware claims averaging $508,000.

The mistakes small businesses make with cyber coverage today aren't theoretical. They're showing up in actual claim denials and uncovered losses every week. Here are the seven we see most often, and what to do about them.

1. Assuming you're too small to be a target

The most common cyber insurance mistake doesn't involve the policy at all — it's the belief that small businesses fly under the radar of cyber criminals. They don't.

Modern ransomware attacks are largely automated. Attackers scan the internet for specific vulnerable hardware and software, then deploy attacks at scale. Your company size is usually irrelevant — what matters is whether you're running a vulnerable VPN, an unpatched firewall, or a Remote Desktop Protocol port that's exposed to the internet. A 50-person plumbing contractor and a 5,000-employee manufacturer can get hit by the exact same automated attack on the exact same day.

Small businesses saw a 40% increase in ransomware attacks year over year and a 56% increase in fund transfer fraud incidents. Manufacturing experienced ransomware frequency at 2.2 times the average. If you have employees, customers, financial accounts, or computers connected to the internet, you are a target.

2. Treating cyber as just "ransomware insurance"

Ransomware gets the headlines, but it's not actually the most common cyber claim type. Financial fraud — specifically business email compromise (BEC) — has accounted for roughly 30% of cyber claims for three years running. Email is the initial entry vector in 82% of these incidents.

Here's how a typical BEC attack works: an attacker compromises a vendor's email account, watches your invoice patterns for a few weeks, then sends a perfectly-styled email asking you to update payment routing for an upcoming wire. By the time you realize it wasn't really your vendor, the money is gone. Average loss: $285,000 in 2025, with the largest single loss recorded at $9.65 million.

A cyber policy that emphasizes ransomware coverage may carry small, or entirely excluded, sub-limits for social engineering and funds transfer fraud. Read those sub-limits carefully: many policies cap them at $25,000 to $100,000, far below typical losses. If the limits aren't adequate for your business, ask your broker to negotiate higher limits or to fill the gap with a separate crime/fidelity policy.

3. Misrepresenting your security controls on the application

This is where small businesses are losing claims most often, and the consequences are devastating.

Cyber insurance applications now read like enterprise security audits. Carriers ask detailed questions about multi-factor authentication (MFA), endpoint detection and response (EDR), backups, patching, and email security. Many applicants check "yes" based on partial implementation — for example, MFA is enabled on Office 365 but not on the company VPN, or "yes" we have backups but they haven't been tested in 18 months.

When a claim happens, carriers will examine your security configuration. If your application said you required MFA on all remote access and the breach occurred on a VPN account that didn't have it, the carrier may treat that as a material misrepresentation and void the policy retroactively. There's a documented case of a 158-year-old company that closed permanently after a ransomware attack traced to a single guessed password on an account without MFA — they had insurance, but the claim was disputed.

Before you submit a cyber application, walk through every security question with the person who actually administers your IT. Half-truths now will cost you everything later.

4. Letting a "leading EDR tool" lull you into false security

EDR (endpoint detection and response) replaced basic antivirus as the minimum standard for cyber insurance over the past few years. But here's the inconvenient truth from At-Bay's claims data: 60% of victims of the Akira ransomware crew had a leading EDR tool deployed and were breached anyway.

The reason is that sophisticated ransomware crews specifically deploy tools designed to disable EDR agents before launching their main attack. EDR is necessary but not sufficient. Without 24/7 managed detection and response (MDR) — meaning a real human security team monitoring alerts at 3 AM — the EDR may detect the threat but no one's awake to act on it.

For most small businesses, true 24/7 MDR is too expensive. The pragmatic answer: combine EDR with a managed IT provider that has after-hours alert escalation, and make sure your incident response plan accounts for the gap. Don't assume a security product alone is protection.

5. Underestimating business interruption coverage

When a ransomware attack hits, the ransom payment is rarely the biggest cost. Business interruption — the revenue you lose while systems are down and the cost of operating manually — usually dwarfs everything else.

Claims involving business interruption averaged $510,000 in severity, compared with $168,000 for ransomware claims without it. One in three ransomware claims now triggers business interruption coverage.

Two common mistakes here:

  1. The waiting period is too long. Many cyber policies have an 8 to 12 hour "waiting period" before business interruption coverage kicks in. If your operations recover in 6 hours, you get nothing — but you've still lost a half-day of revenue. Ask your broker about reducing this to 4-6 hours.
  2. The indemnity period is too short. Some cyber policies cap business interruption recovery at 60 to 90 days. Severe ransomware events routinely take 4-6 months to fully recover from, especially in manufacturing or healthcare. If your operations would take longer than 90 days to fully restore, that gap is uncovered loss.

6. Buying a policy from a generalist agent who doesn't understand cyber

Cyber insurance is genuinely complicated. Coverage forms vary enormously between carriers, and small differences in policy wording can mean the difference between a six-figure recovery and an uncovered loss.

Common pitfalls when buying from someone who doesn't specialize:

  • War exclusions — most cyber policies exclude losses from "acts of war" or "state-sponsored attacks." After a high-profile court case in 2022, this exclusion was rewritten in carrier forms and now applies more broadly. Some interpretations could exclude any breach attributed to a foreign threat actor, which is most of them. Check whether the policy uses the modern Lloyd's exclusion language and what carve-backs exist.
  • Definition of "computer system" — does it include your phone system? Cloud applications you don't own? Vendor systems you depend on? Narrow definitions can exclude significant categories of loss.
  • Notice provisions — some policies require notification within 24-72 hours of "discovery." If you delay reporting because you're trying to investigate internally, you can void the policy without realizing it.
  • Vendor and contingent business interruption — if your loss is caused by your cloud provider going down (not by an attack on you directly), is that covered? Many policies don't cover this, but it's a real risk.

If your current cyber policy was bound in five minutes through an online portal, there's a good chance you don't actually understand what it covers.

7. Skipping cyber coverage entirely

The most expensive mistake of all. Many small business owners look at cyber insurance premiums — which can run $1,500 to $7,500+ per year for typical small businesses — and decide to self-insure or skip it altogether.

The math doesn't work. The average cyber claim now exceeds $221,000, and that's the average. A single severe incident can easily reach $1M to $5M in total cost when you add up ransom, recovery, legal fees, breach notification, regulatory fines, and lost business. Class action lawsuits now follow 6% of ransomware incidents and 4% of data breaches.

Cyber insurance also includes incident response services that small businesses can't realistically build internally — 24/7 breach hotlines, pre-negotiated rates with forensic firms, breach coaches who manage notifications, and PR support. The "service" component of a cyber policy is often more valuable than the indemnity component for a small business that's never dealt with a breach before.

What to do next

If you've read this and recognized your business in any of these mistakes, here's the practical action list:

  1. Pull out your current cyber policy (if you have one) and check the social engineering sub-limit, the business interruption waiting period, and the indemnity period.
  2. Walk through your last cyber application with whoever actually manages your IT. Are all the answers still accurate? Have you added new VPN access, new cloud apps, new vendors that weren't disclosed?
  3. Confirm MFA is actually on everything — VPN, email, cloud admin accounts, remote desktop. Not just on Office 365.
  4. Test your backups. When was the last time someone restored a file or system from backup to verify the backup actually works?
  5. If you don't have cyber coverage at all, get quotes from at least two carriers. Premiums vary significantly between insurers, and so do coverage forms.

Cyber insurance is one of the areas where having an independent broker pays off — we shop across multiple carriers, evaluate the policy language, and help you negotiate sub-limits and coverage extensions to fit your actual risk profile.

If you'd like a no-obligation review of your current cyber policy, or you're shopping for new coverage, give us a call or request a cyber insurance quote. We'll walk through your specific situation and put real numbers and policy options in front of you so you can make an informed decision.
