Your firm carries professional liability insurance because a single malpractice claim could threaten the business. Cybersecurity insurance serves the same purpose for a different category of risk — and that risk is no longer theoretical.

The average data breach now costs $4.44 million globally and $10.22 million in the United States (IBM Cost of a Data Breach Report 2025). For a 20-person CPA practice, law firm, or financial advisory, even a fraction of that figure is devastating. Cybersecurity insurance exists to transfer a portion of that risk to a carrier — but only if your firm qualifies.

And qualifying has become significantly harder.

According to Marsh McLennan’s 2024 report, 41% of cyber insurance applications are denied on their first submission. The top two reasons: missing multi-factor authentication and inadequate endpoint protection (MoneyGeek). Carriers are no longer rubber-stamping policies. They are auditing your security controls before offering coverage, and they are denying claims when the controls you attested to were not actually in place.

This guide explains what cybersecurity insurance covers, what carriers require from your firm, and how to position yourself for approval at competitive premiums. It is a preview of our complete Cybersecurity Insurance Guide, which includes application preparation checklists, carrier comparison frameworks, and documentation templates.

What Cybersecurity Insurance Actually Covers

Cybersecurity insurance policies generally cover two categories of expenses: first-party costs (your direct losses) and third-party costs (claims made against you by others).

First-Party Coverage

These are the costs your firm incurs directly as a result of a cyber incident:

  • Incident response and forensic investigation. Identifying the breach, determining its scope, and understanding how it occurred. Forensic investigations alone routinely cost $50,000 to $250,000.
  • Data recovery and system restoration. Rebuilding compromised systems, restoring data from backups, and returning to normal operations.
  • Ransomware payments. Some policies cover ransom payments, though this coverage is increasingly restricted and may require pre-approval from the carrier.
  • Business interruption. Revenue lost while your systems are down. For professional services firms with high hourly billing rates, this can accumulate rapidly.
  • Notification costs. Federal and state laws require you to notify affected individuals after a breach. Notification includes letters, credit monitoring services, and call center support.
  • Crisis management and public relations. Protecting your firm’s reputation with clients and the public after an incident.
  • Regulatory defense costs. Legal fees associated with defending against regulatory investigations by the FTC, state attorneys general, or industry regulators.

Third-Party Coverage

These address claims made against your firm by others affected by the breach:

  • Client lawsuits. Clients whose data was exposed may bring negligence or breach-of-contract claims against your firm.
  • Regulatory fines and penalties. Coverage for fines imposed by regulators, where insurable by law.
  • Payment card industry (PCI) assessments. If your firm processes credit card payments and experiences a breach, you may face PCI fines and assessments.
  • Media liability. Coverage for claims arising from the breach’s disclosure.

What Is Typically Excluded

Understanding exclusions is as important as understanding coverage. Common exclusions include:

  • Known vulnerabilities left unpatched. If your systems had a known, available patch that you failed to apply before the breach, the carrier may deny the claim.
  • Acts of war or nation-state attacks. Some policies exclude attacks attributed to state-sponsored actors, though this exclusion is narrowing under pressure from policyholders.
  • Failure to maintain attested controls. If you told the carrier you had MFA deployed and you did not, the claim may be denied. Coalition’s 2024 data shows 82% of denied claims involved organizations without MFA (SecureAIT).
  • Social engineering losses (in some policies). Business email compromise and wire transfer fraud may require a separate rider or endorsement.
  • Prior known incidents. Events that occurred before the policy inception date, or that you knew about before applying, are excluded.

For a deeper look at why your firm needs coverage, read Cyber Insurance for Small Business: Why You Need It and How to Get Covered.

What Carriers Require in 2026: The Security Controls Checklist

Cyber insurance carriers have moved from trust-based underwriting to evidence-based underwriting. Your application is no longer a formality. It is a security audit. Carriers want to see specific technical controls in place before they will offer coverage, and they verify these controls at renewal.

Here are the controls that carriers now consider table stakes for professional services firms.

Multi-Factor Authentication (MFA)

Status: Mandatory for virtually all policies.

Carriers expect MFA to be enforced for:

  • Remote access to firm systems (VPN, remote desktop)
  • All email accounts (especially Microsoft 365 and Google Workspace)
  • Privileged and administrative accounts
  • Cloud-based applications that contain client data
  • Any system accessible from outside your office network

MFA is the single most impactful control you can implement. It blocks the vast majority of credential-based attacks, which remain the leading cause of breaches in professional services. Implementation typically takes one to two weeks and costs $3 to $6 per user per month.

If your firm does not have MFA deployed today, this is where you start. Nothing else on this list matters if you fail here, because the carrier will not get past this question on the application.

Endpoint Detection and Response (EDR)

Status: Required by most carriers. Traditional antivirus is no longer accepted.

EDR goes beyond traditional antivirus by actively monitoring endpoint behavior, detecting suspicious activity, and responding automatically to potential threats. While antivirus relies on matching known malware signatures, EDR identifies anomalous behavior patterns that indicate a compromise — even from previously unknown threats.

Carriers want to see EDR deployed on every endpoint in your environment: desktops, laptops, and servers. They will ask for the specific product name and confirm it is actively monitored, not just installed.

EDR deployment typically takes two to four weeks and costs $5 to $15 per device per month (MIS Solutions).

Encrypted and Tested Backups

Status: Required, with specific expectations about testing and isolation.

Carriers want to see:

  • Regular automated backups of all critical data and systems
  • Encryption of backup data both at rest and in transit
  • Offline or air-gapped copies that ransomware cannot reach through your network
  • Regular restoration testing to verify that backups actually work when you need them
  • Defined recovery time objectives (RTOs) that you can meet

A backup that has never been tested is not a backup. It is an assumption. Carriers know this, and they will ask when you last performed a restoration test.

Incident Response Plan (IRP)

Status: Required, and carriers may ask for the document.

Your incident response plan should define:

  • Who is responsible for managing a breach (internal and external contacts)
  • How incidents are detected, classified, and escalated
  • Containment procedures to limit damage during an active breach
  • Communication protocols for notifying clients, regulators, and law enforcement
  • Recovery steps and post-incident review procedures
  • Contact information for your cyber insurance carrier and breach coach

The IRP should be reviewed and tested at least annually. A tabletop exercise — where your team walks through a simulated breach scenario — demonstrates that the plan is not just a document but a practiced procedure.

Security Awareness Training

Status: Expected by most carriers, and increasingly verified.

Phishing remains the most common attack vector for professional services firms. Carriers want evidence that your staff receives regular security awareness training, not a one-time onboarding module.

Effective training programs include:

  • Monthly or quarterly training modules
  • Simulated phishing campaigns to test staff response
  • Documented completion rates and test results
  • Role-specific training for staff who handle sensitive financial data

Patch Management

Status: Expected. Carriers may ask about your patching cadence.

Unpatched software is one of the most common entry points for attackers. Carriers want to see a documented patch management process that includes:

  • Regular scanning for missing patches across all systems
  • Critical patches applied within 48 hours of release
  • Non-critical patches applied within 30 days
  • Documentation of patching activities and exceptions

Email Security

Status: Increasingly scrutinized, especially for professional services.

Business email compromise (BEC) is one of the most expensive attack types for professional services firms. A single fraudulent wire transfer instruction can cost hundreds of thousands of dollars. Carriers want to see:

  • Advanced email filtering and anti-phishing tools
  • DMARC, DKIM, and SPF records properly configured
  • External email warning banners
  • Verification procedures for wire transfer requests
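As an added example (not part of this article or the One82 guide), the check below evaluates SPF and DMARC TXT records against what a carrier means by "properly configured": a terminal -all or ~all in SPF, and a DMARC policy of quarantine or reject applied to 100% of mail with an aggregate-report address. It runs on constructed sample records for made-up domains rather than live DNS, and it does not cover DKIM, whose selector names cannot be discovered from DNS alone.

```python
# Constructed sample DNS TXT records for made-up domains (not live lookups),
# keyed by domain, then by name: "@" for the apex record, "_dmarc" for DMARC.
SAMPLE_TXT = {
    "weak.example": {
        "@": ["v=spf1 include:_spf.example.net ?all"],
        "_dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    },
    "strong.example": {
        "@": ["v=spf1 include:_spf.example.net -all"],
        "_dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; pct=100"],
    },
    "nodmarc.example": {
        "@": ["v=spf1 +all"],
        "_dmarc": [],
    },
}

def parse_dmarc(record):
    """Split a DMARC record such as 'v=DMARC1; p=reject; rua=...' into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_domain(domain, txt=SAMPLE_TXT):
    """Return a list of findings; an empty list means SPF and DMARC are enforced."""
    findings = []
    records = txt.get(domain, {})
    spf = [r for r in records.get("@", []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append("spf: expected exactly one v=spf1 record")
    else:
        terms = spf[0].lower().split()
        # A bare "all", "+all" or "?all" authorises any sender to use the domain.
        if any(t in ("all", "+all", "?all") for t in terms):
            findings.append("spf: permissive 'all' mechanism lets anyone send as the domain")
        elif not any(t in ("-all", "~all") for t in terms):
            findings.append("spf: no terminal -all/~all mechanism")
    dmarc = [r for r in records.get("_dmarc", []) if r.upper().startswith("V=DMARC1")]
    if len(dmarc) != 1:
        findings.append("dmarc: no v=DMARC1 record at _dmarc." + domain)
        return findings
    tags = parse_dmarc(dmarc[0])
    policy = tags.get("p")
    if policy not in ("quarantine", "reject"):
        findings.append("dmarc: p=%s does not enforce (need quarantine or reject)" % policy)
    if "rua" not in tags:
        findings.append("dmarc: no rua= address, so aggregate reports are never collected")
    pct = tags.get("pct", "100")  # DMARC default is 100 when pct is absent
    if not pct.isdigit() or int(pct) < 100:
        findings.append("dmarc: pct=%s applies the policy to only part of the mail flow" % pct)
    return findings
```

Swapping `SAMPLE_TXT` for the output of real TXT lookups (for example from a DNS library) turns this into the pre-application check a firm can run on its own domain and keep as dated evidence.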

How to Reduce Your Cyber Insurance Premiums

Premiums vary widely based on your firm’s size, industry, revenue, claims history, and — most importantly — your demonstrable security posture. Firms that invest in cybersecurity controls are consistently rewarded with lower premiums and better coverage terms.

Here are the strategies that make the greatest difference:

1. Implement All Required Controls Before Applying

This seems obvious, but many firms submit applications hoping to address gaps after approval. That approach results in denial or inflated premiums. Complete your MFA deployment, EDR installation, backup configuration, and incident response plan before you apply.

2. Document Everything

Carriers reward firms that can demonstrate their controls, not just describe them. Maintain written policies, training records, patch logs, backup test results, and access review documentation. When the application asks whether you have a control in place, you should be able to point to dated evidence.

For guidance on building this documentation, read our article on CPA Cyber Insurance Documentation.

3. Work with a Specialized Broker

A broker who specializes in cyber insurance for professional services firms understands which carriers offer the best terms for your industry. They can also help you frame your application to highlight your strengths rather than expose gaps.

4. Reduce Your Attack Surface

Every internet-facing system, unmanaged device, and unnecessary admin account is a potential entry point. Before applying:

  • Audit and close unused remote access points
  • Remove administrative privileges from standard user accounts
  • Decommission legacy systems that are no longer supported
  • Implement network segmentation to isolate sensitive data

5. Choose Higher Deductibles Strategically

Higher deductibles reduce premiums. For firms with strong security controls and a low risk profile, a higher deductible may be the right tradeoff — but only if you can absorb the deductible amount in the event of an incident.

6. Bundle with Other Policies

Some carriers offer discounts when you bundle cybersecurity insurance with professional liability, general liability, or other business coverage. Ask your broker about package options.

Application Tips: Getting Approved on the First Submission

The application process is where many firms stumble. Here is how to approach it:

Be accurate. Do not overstate your security posture on the application. If you attest to controls you do not actually have in place, you risk claim denial when you need coverage most. Carriers verify controls, and misrepresentation can void your policy entirely.

Prepare before you apply. Gather documentation of your security controls, including product names, deployment dates, and configuration details. Have your IT provider prepare a summary of your security environment.

Know your data. The application will ask what types of data you store, how many records you hold, and where that data resides. Have this information ready.

Disclose prior incidents honestly. If your firm has experienced a security incident in the past, disclose it. Carriers will discover it during underwriting if you do not, and non-disclosure is grounds for policy rescission.

Engage your IT provider. Your managed IT provider should be prepared to support the application process, provide technical documentation, and answer underwriter questions directly if needed.

How Much Coverage Does Your Firm Need?

Coverage limits for professional services firms typically range from $1 million to $5 million, depending on firm size, data volume, and risk profile. Small businesses generally need $1 million to $2 million in coverage (MoneyGeek).

Factors that influence the right coverage level:

  • Number of client records you hold. More records mean higher notification costs and greater exposure.
  • Revenue. Business interruption coverage should align with the revenue you could lose during extended downtime.
  • Regulatory environment. Firms subject to the FTC Safeguards Rule, SEC requirements, or state-specific regulations face higher regulatory defense costs.
  • Client expectations. Institutional clients, LPs, and enterprise counterparties may require you to carry minimum coverage limits as a condition of the relationship.

Bay Area firms in San Jose, Palo Alto, Mountain View, and San Francisco often face higher premiums due to the concentration of high-value targets in the region, but firms with documented security programs can offset this.

Get the Complete Guide

This preview covers what cyber insurance covers, what carriers require, and how to position your firm for approval. The complete Cybersecurity Insurance Guide goes further with:

  • A pre-application security assessment checklist to verify you meet carrier requirements before submitting
  • A carrier comparison framework for evaluating policies side by side
  • Documentation templates for the security controls carriers verify most frequently
  • A renewal preparation timeline so you are never scrambling before your policy expires
  • Sample incident response plan that meets carrier expectations
  • A premium reduction roadmap with prioritized actions ranked by impact on your premiums

Download the Complete Cybersecurity Insurance Guide — it is free, and it will help you secure the coverage your firm needs at a premium you can afford.

If your firm is preparing for a cyber insurance application or renewal and needs to close security gaps, One82 has helped professional services firms across the Bay Area for over 26 years. We can assess your current security posture, implement the controls carriers require, and prepare the documentation you need. Schedule a 15-minute discovery call to get started.

Frequently Asked Questions

How much does cybersecurity insurance cost for a small professional services firm?

Premiums depend on your firm’s size, industry, revenue, claims history, and security posture. For professional services firms with 10 to 50 employees, annual premiums typically range from $2,000 to $15,000 for $1 million to $2 million in coverage. Firms with strong, documented security controls consistently receive lower premiums than firms with gaps.

What is the most common reason cyber insurance applications get denied?

Missing multi-factor authentication and inadequate endpoint protection are the top two reasons. According to Marsh McLennan, 41% of applications are denied on the first submission. Implementing MFA and EDR before applying significantly improves your chances of approval and reduces your quoted premium.

Can our cyber insurance claim be denied after we have a policy?

Yes. If you attested to having specific security controls on your application and those controls were not actually in place at the time of the incident, the carrier can deny your claim. This is why accuracy on the application is critical. Do not claim you have MFA if it is only partially deployed. Do not claim you have EDR if you are still running traditional antivirus.

What is the difference between cybersecurity insurance and professional liability insurance?

Professional liability (also called errors and omissions or E&O) covers claims arising from professional mistakes, negligence, or failure to deliver services. Cybersecurity insurance covers losses from cyber incidents — data breaches, ransomware, business email compromise, and system outages. A data breach at your firm could trigger both types of claims: a client might sue under professional liability for failing to protect their data, while the breach response costs are covered by cyber insurance.

Does cybersecurity insurance cover ransomware payments?

Many policies include ransomware coverage, but it is increasingly restricted. Some carriers require pre-approval before any payment is made, some cap the ransomware payment at a percentage of the policy limit, and some exclude ransomware payments entirely. Review this coverage carefully with your broker. Regardless of coverage, having strong backups that allow you to recover without paying a ransom is always the better position.

How often do carriers audit our security controls?

Carriers typically verify controls at application, at renewal, and sometimes mid-term. Some carriers now use automated scanning tools to continuously monitor policyholders’ external security posture. If a carrier discovers that your security has degraded since application — for example, if your MFA is disabled or your systems are running unpatched software — they may issue a remediation notice or adjust your coverage terms at renewal.

Should we work with our IT provider on the cyber insurance application?

Absolutely. Your managed IT provider should be an active participant in the application process. They can provide accurate technical details about your security controls, help you identify and close gaps before submission, prepare documentation the carrier may request, and answer technical questions from underwriters. Firms that involve their IT provider in the process have significantly higher first-submission approval rates.