
The 7 Cyber Claims That Catch Small Businesses Off Guard

Data breaches get the headlines, but social engineering fraud, vendor outages, and rogue employees are the claims that actually bankrupt small businesses. Here are 7 scenarios most owners never see coming.


1. The CEO Wire Transfer That Wasn't

The scenario: Your controller receives an email from the CEO at 4:47 PM on a Friday. 'I need you to wire $67,000 to this account for a deal we're closing Monday. It's confidential — don't discuss with anyone until the announcement.' The email looks perfect: right name, right signature, right tone. She wires the money. The email was spoofed.

Why it catches businesses off guard: There was no hack. No malware. No system breach. An employee voluntarily transferred money based on a convincing impersonation. Your general liability policy doesn't cover it. Your crime policy may have a $50,000–$100,000 deductible. Your base cyber policy — without a social engineering endorsement — doesn't cover it either.

The fix: A cyber policy with a social engineering fraud endorsement covers the full loss. Business email compromise (BEC) caused $2.9 billion in reported losses in 2023 alone. This isn't a rare scenario — it's the most common cyber claim by frequency.

2. The Vendor Breach You Didn't Cause

The scenario: Your company uses a third-party payroll processor. That processor gets breached, exposing Social Security numbers and bank account details for all 85 of your employees. Your employees sue you — not the vendor. The state attorney general opens an investigation into your data handling practices.

Why it catches businesses off guard: You didn't cause the breach. Your systems weren't compromised. But you're the one who collected the data and chose the vendor. In the eyes of your employees and regulators, you're responsible for protecting their information regardless of who you outsourced it to.

The fix: Third-party cyber liability covers the lawsuits and regulatory defense. Contingent business interruption covers the operational disruption while you migrate to a new vendor. Some policies also cover the cost of forensic investigation to confirm your own systems weren't also compromised.

3. The Ransomware That Was Also a Data Breach

The scenario: You arrive Monday morning to find every computer locked with a ransom demand. Your IT provider restores from backups within 48 hours — you think the crisis is over. Three weeks later, your customer data appears on a dark web marketplace. The attackers exfiltrated your data before encrypting it.

Why it catches businesses off guard: Most businesses treat ransomware as a system availability problem. Pay the ransom or restore from backup, and you're done. But modern ransomware gangs practice 'double extortion' — they steal your data first, then encrypt it. Even if you never pay the ransom, you still have a data breach that triggers notification requirements in all 50 states.

The fix: A comprehensive cyber policy covers both the ransomware event (first-party: system restoration, business interruption, ransom negotiation) and the data breach (third-party: notification, credit monitoring, regulatory defense, lawsuits). Policies that treat these as separate sublimits can leave gaps — make sure your policy covers the full lifecycle of a combined event.

4. The Cloud Outage That Shut You Down

The scenario: Your entire business runs on a cloud platform — CRM, email, file storage, project management. That platform suffers a 4-day outage. You can't access customer records, process orders, or communicate with clients. Revenue stops. Your team sits idle. The cloud provider's SLA offers you a credit equal to one month of your subscription fee: $299.

Why it catches businesses off guard: Your traditional business interruption policy covers physical events — fire, flood, equipment breakdown. It doesn't cover a software outage at a third-party provider. And the cloud provider's liability is capped at your subscription fee, not your actual losses.

The fix: Contingent business interruption coverage within a cyber policy covers lost income and extra expenses when your outsourced technology providers experience an outage. This is increasingly critical as businesses move operations to cloud platforms where they have zero control over uptime.

5. The Rogue Employee Who Downloaded Everything

The scenario: A sales manager gives two weeks' notice. During those two weeks, she downloads your entire customer database — 10,000 contacts with purchase history, pricing, and contract terms — to a personal USB drive. She takes it to your competitor. You discover it when your clients start getting calls from her new employer.

Why it catches businesses off guard: This isn't a 'hack' in the traditional sense. An authorized user accessed data they were permitted to access — they just took it with them. Your general liability doesn't cover it. Your employment practices liability covers the wrongful act, but not the data breach response.

The fix: Cyber liability covers the forensic investigation to determine exactly what was taken, notification to affected customers if personal information was involved, and legal costs to pursue the former employee and the competitor. Some policies also cover the reputational damage and customer retention costs.

6. The POS Breach at Your Retail Location

The scenario: Your point-of-sale system is compromised by malware that skims credit card numbers for three months before detection. 12,000 card numbers are stolen. Visa and Mastercard issue fines and card reissuance assessments totaling $180,000. Three class-action lawsuits are filed by affected cardholders.

Why it catches businesses off guard: PCI-DSS fines and card brand assessments are not covered by general liability. They're contractual penalties imposed by the payment card networks, and they can be devastating — $5,000 to $100,000 per month of non-compliance, plus $3–$10 per compromised card for reissuance costs. Many businesses don't realize these costs exist until they receive the bill.

The fix: A cyber policy with PCI assessment coverage handles the fines, card reissuance costs, forensic investigation (required by the card brands), and legal defense for the lawsuits. If you process credit cards at a physical location, this coverage is non-negotiable.

7. The Phishing Email That Opened the Door to Everything

The scenario: An employee clicks a link in a phishing email and enters their Microsoft 365 credentials. The attacker now has access to the employee's email, OneDrive, SharePoint, and Teams. They sit quietly for weeks, reading emails, harvesting data, and learning your business processes. Then they strike — sending fraudulent invoices to your clients, redirecting payments, and exfiltrating sensitive files.

Why it catches businesses off guard: The initial compromise was a single click. But the damage cascades across multiple systems, multiple weeks, and multiple victims. The forensic investigation alone — determining what the attacker accessed, what they stole, and who needs to be notified — can cost $30,000–$75,000. Add notification, credit monitoring, regulatory defense, and business interruption, and you're looking at a six-figure claim from a single phishing email.

The fix: A comprehensive cyber policy covers the entire chain: forensic investigation, system remediation, breach notification, credit monitoring, regulatory defense, business interruption, and — with the right endorsements — any funds that were fraudulently transferred. Incidents like this are behind the statistic that 82% of breaches involve a human element, and they are why employee security training (often included free with cyber policies) is the single most cost-effective risk reduction measure.

The Common Thread

Every one of these scenarios has something in common: the business owner didn't see it coming. They assumed their existing insurance covered it, or they assumed it wouldn't happen to them, or they didn't know the exposure existed.

Cyber insurance isn't just for tech companies and hospitals. It's for any business that uses email, stores data, processes payments, or depends on technology to operate. That's every business.

The good news: a well-structured cyber policy with the right endorsements covers all seven of these scenarios. The bad news: most off-the-shelf policies don't include the crime endorsements (scenarios 1 and 7), contingent business interruption (scenario 4), or PCI assessment coverage (scenario 6) unless you specifically ask for them.

That's why working with an agent who understands cyber — not just one who sells it — matters.


Think your business might be exposed to one of these scenarios? Text risk|x — we'll review your current coverage and identify the gaps. Two business hours, no obligation.
