What is cyber insurance and does a small business need it?
Cyber insurance is a policy that covers the costs a business faces after a cyber incident — data recovery, business interruption, legal and notification costs after a breach, and sometimes ransom payments and incident-response specialists:
- No longer optional for many businesses: it is a required control at the Gold tier of the SMB1001 certification standard, and larger customers increasingly ask their suppliers to hold it.
- The important caveat: insurers now expect basic controls (multi-factor authentication, backups, patching) to be in place before they pay out. The policy is priced on the assumption that you did the basics, so a claim can be reduced or refused if you attested to controls you did not actually have.
- Breach duties: if your business holds personal information, an incident may also trigger notification obligations under the OAIC’s Notifiable Data Breaches scheme, and cyber policies often help cover the cost of meeting them.
Cyber insurance is a backstop, not a substitute for the basics — and increasingly the insurer checks you did the basics before they pay.