Data breaches, malware attacks and other cybercrimes are already malicious and sneaky, and experts predict cybercrime will grow increasingly prevalent through bigger breaches, more mobile attacks, greater supply chain disruption and complicated crypto crimes.[1] What’s a small business to do? Step one: follow a cyber insurance coverage checklist to ensure you’re doing everything possible to steer clear of cyberattacks.

You can review everything your business needs to stay safe from cyberattacks while building a solid cybersecurity plan for the future. Follow along through the four-step process:

  1. Assess your business’s cyber risk
  2. Determine your cyber liability insurance budget
  3. Know what to look for in a cyber liability insurance policy
  4. Create a cybersecurity risk management strategy

1. Steps to assess your business’s cyber risk

General factors that impact your cyber risk level include:

  • Data type. The more sensitive it is, the more it needs to be protected.
  • Technology dependence. How dependent you are on technology, and whether that technology is kept up to date or has become outdated. If employees can bring their own devices to work, this can increase your vulnerability.
  • Past experience. Whether or not you’ve been breached before. Many companies experience another intrusion within a year of a cyberattack.[2]

Inventory your assets

To initiate a cyberattack defense strategy for your small business, first perform an inventory to assess your cybersecurity risk. Creating an asset inventory list provides a quick way to visualize the most vulnerable elements of your business. As part of your asset identification process, note what data you collect and the security level of your data storage systems.

Identify threats

A “threat” is anything that a cyberattacker could use to steal from you, cause harm to your organization or hold your files for ransom. Your threats might differ for each asset because assets vary in location, encryption and security systems. Pinpoint the vulnerabilities and weak spots that could expose your organization to unnecessary risk.

Assess your risk-mitigation controls

Review your security controls to identify potential vulnerabilities, then reduce risk by adding technical measures such as two-factor authentication requirements, automated updates and consistent data monitoring. Reinforce these with people-focused measures, such as new security policies and employee cybersecurity training that build employee vigilance.

Here are three categories of cybersecurity controls to focus on.

  1. Preventative controls stop cyberattacks before they happen, such as installing antivirus software and building firewalls.
  2. Detective controls discover new threats or identify an attack in progress and capture valuable details about the incident, such as log monitoring and security alerts.
  3. Corrective controls, such as an incident response plan, act as countermeasures to reduce the impact of an incident.

Create a priority-based plan

Once you know the weak spots in your cyber armor, you can strengthen your defenses using risk level to prioritize action areas.

  • High risk: Deal with weaknesses in the high-risk category immediately, because these are identified business vulnerabilities with a significant chance of being exploited in a cyberattack.
  • Medium risk: Identified weaknesses in the medium-risk category can be targeted for correction after neutralizing high-risk threats.
  • Low risk: Anything in the low-risk category can probably wait while you address high- and medium-risk items. These lower-risk vulnerabilities still need to be addressed, though!

2. Determine your insurance budget

While it would be nice to cover every single asset with high-level protection, most small businesses don’t have the budget for this degree of cybersecurity. Instead, weigh your spending versus the highest level of risk you’re willing to accept. It’s not likely you will ever lower your company’s cybersecurity risk down to zero, but you don’t want to leave your business vulnerable to easily preventable threats.

Here’s how to find that balance.

Understand current threats

Once you have a framework of possibilities for risks, threats and cyberattacks on your business, you can determine your budgeting strategy. This is unique to every industry and organization, so thoroughly research your industry and understand your cyberattack vulnerabilities.

Some attacks, like ransomware, are industry-agnostic and happen to companies of all types. Ransomware attacks occur every 11 seconds, so consider this when selecting a liability plan.[3]

Determine which assets are most valuable and sensitive

Consider spending more to protect and insure your most valuable assets, and those that would be most costly if compromised. For example, if your company experiences a ransomware attack, your operations could freeze while you deal with the costly process of regaining access to your systems and files. To prioritize valuable asset protection, allocate more dollars to protecting your most critical systems and files. As a rule of thumb, if your business can’t operate without it, it’s a high-risk system and worth your investment in protection.

It’s also important to consider data sensitivity. How costly could it be for your business if particular data were leaked or breached? Consider the potential for lawsuits, the necessity for ID restoration or credit monitoring, and other costs associated with leaked sensitive information. If leaked data could cause a massive financial backlash on your organization, consider this a budgetary priority as well.

3. Select a cyber liability insurance policy

Every company faces cyber risks, no matter the size or industry. To select the best cyber liability insurance policy for your organization, gain a solid understanding of your vulnerabilities and decide how to best protect your assets. With that in mind, there are a few key features we recommend looking for in cyber insurance coverage that can ensure high-grade, reliable protection.

Network security coverage

Network security coverage is the baseline — all companies should have it, especially those at higher risk for data and privacy crimes. When you experience a data breach, malware, ransomware or data leakage, network security liability coverage can provide for legal protection, IT forensics, ransomware strategy, customer notification and post-crime follow-up care, like credit monitoring.

Security and privacy coverage

Privacy liability coverage is crucial for companies that store large amounts of customer and employee data. Much of this information, including protected/personal health information (PHI), is considered extremely sensitive. If cybercriminals compromise the privacy or security of your data, your customers or employees could be at risk.

This type of breach also makes your small business vulnerable to litigation. Privacy coverage protects your company from the financial fallout of liabilities associated with a privacy or security breach. This includes providing for legal protection and expenses, fines or penalties that could arise from a privacy breach.

Ransomware coverage

Your business is dependent on your technology, systems and assets to function. What would happen if your network was interrupted for one hour? One day? Worse yet, one week or longer? Cybercriminals, especially those dabbling in malicious ransomware, know how vital your systems are to your business, so they hold them “hostage” for profit. Ransomware and data restoration coverage help you recover from losses or expensive repairs if this type of malware attacks your network.

Forensic and legal coverage

Forensic coverage supports an investigation when your data is compromised. It’s important to figure out how the incident happened to boost your preventative measures. With forensic coverage, a third-party forensic team completes a comprehensive discovery session.

Legal coverage will provide your company with representation to determine the scope of your legal responsibility in the event of a data breach. This coverage can also provide for legal counsel if a data breach leads to a lawsuit.

Bonus: Credit monitoring and ID repair

Credit monitoring and ID repair are considered best practices in the event of a data breach, hack or leak. As a rule, broad-spectrum cyber liability insurance policies will include all of the above, plus regulatory coverage, business interruption coverage, reputational harm coverage and social engineering coverage.

We also recommend general liability insurance as part of a complete cybersecurity strategy to ensure all your legal bases are covered.

Distinguish between first- and third-party coverage

Most cyber liability insurance policies provide comprehensive coverage, meaning they cover both first- and third-party liability.

First-party coverage

First-party coverage applies to you as the policyholder and helps pay for business damages from a cyberattack. Areas of coverage include:

  • Loss or damage to data. Helps with the cost of restoring or replacing stolen, damaged or lost data. It can also help pay for professional intellectual property recovery services.
  • Loss of income. Helps cover associated financial losses when a cyberattack leads to business closure.
  • Notification costs. If you are legally required to notify your customers, authorities and the media about your breach, first-party coverage helps pay for notification costs and credit monitoring services.
  • Reputation damage. Helps provide coverage for damage control PR and marketing experts.
  • Ransom. Helps cover extortion payments for data release.

Third-party coverage

Third-party coverage applies to lawsuits, legal claims and associated damages and settlements. Areas of coverage include:

  • Legal fees. Help cover the costs of a defense attorney should you be taken to court over cyber liability.
  • Regulatory costs. Assists with breach fines and penalties imposed by regulatory agencies.
  • Damages and settlements. Helps pay compensation to injured parties if you are found liable.

4. Creating a cybersecurity risk management strategy

Once you understand your security gaps and establish your overall cybersecurity goals for your organization, you’ll know what to look for in a cyber insurance provider that meets all your needs within your targeted budget range.

Rather than providing blanket coverage, cyber liability insurance policies often focus on specific types of attacks, so start there. It’s also important to note how the policy will go into effect. You may incorrectly assume that your policy will kick in during the immediate wake of a cyberattack, but plans commonly include exclusions, conditions and other terms or burdens of proof that must be met first.

Consider these factors when looking for a policy that will best meet the specific needs of your small business:

  • Breadth of coverage. The more your plan covers, the more it will cost. For most small businesses, it is not usually necessary to purchase the most expensive, comprehensive coverage.
  • Ability to adjust limits. Today’s adequate liability coverage may not fit if you bring in a new data-rich client tomorrow. Look for a plan that allows you to adjust coverage.
  • Effective date. It’s not uncommon to come across a breach that happened months or even years before you purchased your policy. Plans that offer retroactive coverage will compensate for this.
  • Vendor coverage. No small business is an island. Determine if and to what degree the cyber liability insurance plan covers your third-party vendors.

Cyber liability insurance that works as hard as you do

A cyber insurance coverage strategy includes analyzing your small business’s assets, threats, vulnerabilities and controls as they stand today, and then determining what should change and how. Then, you can use your checklist to take action to reduce exposures and thoroughly protect your company.

Obtaining high-quality insurance is an essential item on your list. You can customize your coverage by the job, month or year — and ramp up or down anytime.

For small business insurance that checks all your boxes, click “Get a quote” or download the Thimble mobile app to answer a few quick questions. Get a policy and your Certificate of Insurance (COI) within minutes.

References

  1. Nasdaq. Cybercrime Predictions for 2022.
  2. CrowdStrike. Cyber Front Lines Report.
  3. World Economic Forum. Ransomware attacks are on the rise.