7 Cyber Insurance Mistakes Small Businesses Should Avoid
Small businesses rely on technology every day. Email, online banking, payment systems, accounting software, customer records, websites, cloud platforms, and mobile devices all help businesses operate more efficiently.
But they also create cyber risk.
A phishing email, ransomware attack, fraudulent payment request, data breach, or system outage can quickly become expensive. For small and medium-sized businesses in Newfoundland and Labrador, Nova Scotia, and across Atlantic Canada, the right cyber insurance can help reduce the financial pressure that follows a cyber incident.
However, cyber insurance can be misunderstood. Some businesses assume they are already covered. Others buy coverage without reviewing limits, exclusions, or security requirements.
Here are seven common cyber insurance mistakes small businesses should avoid.
Key Points About Cyber Insurance Mistakes
Before diving into the details, here are some of the most important things business owners should understand.
- Cyber insurance is not automatically included in most standard business insurance policies.
- Commercial General Liability Insurance and Commercial Property Insurance do not usually provide proper protection for cyber-related losses.
- Cyber policies can vary significantly by insurer, especially when it comes to ransomware, cyber crime, social engineering, business interruption, and third-party claims.
- Many insurers now require basic cybersecurity controls, such as multi-factor authentication, backups, and employee training.
- Small and medium-sized businesses are not too small to be targeted by cyber criminals.
- Munn Insurance helps businesses throughout Newfoundland and Labrador and Nova Scotia review cyber risks and find insurance solutions tailored to their operations.
1. Assuming General Liability Covers Cyberattacks
Commercial General Liability Insurance is an important part of most business insurance programs. It can help protect your business if you are held responsible for bodily injury or property damage to a third party.
But it is not designed to cover most cyber losses.
A data breach, ransomware attack, phishing scam, hacked email account, or fraudulent funds transfer may not be covered by a standard general liability policy. That can leave a major gap if your business relies on email, online banking, digital records, or payment systems.
Cyber insurance is designed to respond to digital risks that traditional policies often do not cover.
2. Thinking Small Businesses Are Too Small to Be Targeted
Many small business owners assume cyber criminals only target large companies. Unfortunately, that is not the case.
Small and medium-sized businesses can be attractive targets because they often have fewer internal IT resources, less formal cybersecurity training, and fewer security controls in place.
A cyber criminal does not need to know your business personally. Many attacks are automated or opportunistic. A fake invoice, suspicious link, weak password, or compromised email account can be enough to create a serious problem.
Even a small cyber incident can interrupt operations, create unexpected costs, and put pressure on cash flow.
3. Not Reviewing Ransomware and Cyber Extortion Coverage
Ransomware can bring a business to a halt. Files may be locked, systems may become unavailable, and attackers may demand payment to restore access or prevent sensitive information from being released.
Some cyber insurance policies may provide coverage for ransomware and cyber extortion-related expenses, including investigation, recovery costs, negotiation support, data restoration, business interruption, and certain payments where legally permitted and approved under the policy.
However, this coverage is not always automatic. It may have specific limits, conditions, approvals, or security requirements.
Before choosing a policy, ask your broker how ransomware coverage works and whether any sub-limits or exclusions apply.
4. Overlooking Social Engineering and Fraudulent Funds Transfer
Phishing and business email compromise are common risks for businesses of all sizes.
A cyber criminal may impersonate a supplier, customer, manager, or business partner and request payment to a new account. If an employee follows the instructions, the money may be gone before the fraud is discovered.
Some cyber policies include social engineering or fraudulent funds transfer coverage. Others may require it to be added separately. Coverage may also include verification requirements, sub-limits, or conditions.
If your business pays invoices, sends wire transfers, accepts electronic payments, or works with vendors, this coverage should be reviewed carefully.
5. Ignoring Cybersecurity Requirements
Cyber insurance is not just about buying a policy. Many insurers now expect businesses to have basic cybersecurity controls in place.
These may include:
- Multi-factor authentication
- Regular backups
- Secure backup storage
- Antivirus or endpoint protection
- Software updates and patching
- Strong password practices
- Employee cyber awareness training
- Incident response planning
If required controls are not in place, it can affect your ability to obtain coverage, renew coverage, or have a claim paid.
Your broker can help explain what insurers are asking for and what steps may help strengthen your cyber insurance application.
6. Choosing Coverage Based Only on Price
Price matters, especially for small businesses. But the cheapest cyber insurance option may not provide the protection your business needs.
Cyber policies can differ in important ways, including:
- Coverage limits
- Ransomware coverage
- Business interruption coverage
- Social engineering coverage
- Data breach response services
- Incident response support
- Exclusions
- Sub-limits
- Waiting periods
- Reporting requirements
A lower premium may come with more limitations. The goal is not simply to buy the cheapest policy. The goal is to build coverage that fits your business and helps you recover after a covered cyber incident.
7. Waiting Until After an Incident to Ask Questions
The worst time to learn how your cyber insurance works is after something has gone wrong.
Before a claim happens, business owners should understand:
- Who to contact after a cyber incident
- What steps to take immediately
- What documentation may be required
- Whether the policy includes breach response support
- How ransomware and fraud claims are handled
- What exclusions or conditions apply
- How quickly an incident must be reported
A short conversation with your broker can help you understand what to do if your systems are compromised, your email is hacked, money is redirected, or sensitive information is exposed.

Frequently Asked Questions About Cyber Insurance Mistakes
- What does cyber insurance cover?
Cyber insurance may cover costs related to data breaches, ransomware, cyber extortion, business interruption, forensic investigation, data recovery, customer notification, legal defence, privacy claims, regulatory investigations, and certain cyber crime losses, depending on the policy. - What is the difference between first-party and third-party cyber insurance?
First-party cyber insurance helps protect your own business from direct costs after a cyber incident, such as breach response, data recovery, cyber extortion, and lost income. Third-party cyber insurance helps protect your business if someone else makes a claim against you after a privacy breach, network security failure, or other covered cyber event. - Does Commercial General Liability Insurance cover cyberattacks?
Usually not. Commercial General Liability Insurance is designed mainly for bodily injury and property damage claims involving third parties. It does not typically provide the specialized protection needed for cyberattacks, ransomware, data breaches, online fraud, or digital system losses. - Does my business insurance already include cyber coverage?
Not always. Some business insurance packages may include limited cyber coverage, but it may not be enough to properly respond to a data breach, ransomware attack, cyber fraud, or system outage. It is important to review your policy with a broker so you understand what is included, what is excluded, and whether additional cyber coverage is recommended. - Does my Errors and Omissions policy cover cyber risks?
Usually not. Errors and Omissions Insurance, including Technology Errors and Omissions Insurance, is generally designed to respond to claims involving professional services, advice, technology services, or technology products. It may not properly cover losses involving data breaches, ransomware, privacy incidents, cybercrime, or the exposure of private third-party information. Some businesses may need both E&O coverage and cyber insurance. - Do small businesses really need cyber insurance?
Yes. Small and medium-sized businesses often rely on digital systems but may have fewer resources to prevent, detect, or respond to cyber incidents. Cyber insurance can provide important financial protection and access to specialized response support. - Is cyber insurance only for businesses that sell online?
No. Any business that uses email, online banking, customer records, accounting software, cloud platforms, payment systems, websites, or digital files can face cyber risk. You do not need to sell products online to be exposed to phishing, ransomware, fraudulent payment requests, data breaches, or system interruptions. - Are businesses in Newfoundland and Labrador, Nova Scotia, and Atlantic Canada exposed to cyber risks?
Yes. Cyber risk is not limited to large companies or businesses in major cities. Small and medium-sized businesses throughout Newfoundland and Labrador, Nova Scotia, and Atlantic Canada rely on email, online banking, payment systems, customer records, cloud software, websites, and other digital tools every day. That means they can be exposed to risks such as phishing emails, ransomware, fraudulent funds transfers, data breaches, system outages, and privacy-related claims. Even a small cyber incident can interrupt operations, create unexpected costs, and put pressure on cash flow. Cyber insurance can help businesses in Atlantic Canada respond to and recover from these types of events with financial protection and access to specialized support. - Is cyber insurance legally required?
Cyber insurance is not always required by law, but some contracts, clients, vendors, lenders, professional associations, or business partners may require proof of cyber coverage. Even when it is not required, it can be an important part of a business insurance program. - Does cyber insurance cover ransomware?
Many cyber insurance policies may provide coverage for ransomware-related expenses, including investigation, recovery costs, cyber extortion response, business interruption, and certain payments where legally permitted and approved under the policy. Coverage varies, so it is important to review policy wording and conditions. - Does cyber insurance cover phishing or fraudulent funds transfers?
Some cyber policies may provide coverage for phishing, social engineering, or fraudulent funds transfer losses. This coverage often has specific conditions, sub-limits, and verification requirements, so it should be reviewed carefully with your broker. - Does cyber insurance cover mistakes made by employees?
It may, depending on the policy. Many cyber incidents begin with an employee clicking a fraudulent link, downloading a harmful attachment, using a compromised password, or responding to a fake payment request. Cyber insurance may help respond to certain covered incidents involving employee error, but coverage depends on the policy wording, security requirements, and the type of loss. - Does cyber insurance cover outages involving cloud providers or third-party technology vendors?
Some policies may include coverage for dependent system interruptions, which can help if your business is disrupted because of a covered cyber event involving a third-party technology provider. This coverage is not always automatic, so it should be reviewed carefully with your broker. - What are the most common types of cyberattacks businesses face?
Common cyberattacks include phishing emails, ransomware, malware, business email compromise, fraudulent funds transfers, and distributed denial of service attacks, often called DDoS attacks. Phishing is especially common and may involve fake emails, links, invoices, or login pages designed to trick employees into sharing information, downloading malware, or sending money to the wrong place. - How would I know if my business has been cyber attacked?
Warning signs can include unusual login activity, locked files, missing or changed data, slow systems, strange pop-ups, suspicious emails sent from your account, unexpected password resets, customers receiving emails you did not send, or money being redirected to an unfamiliar account. Sometimes the first sign is a ransom message or being told by a customer, supplier, bank, or IT provider that something looks wrong. If you suspect a cyber incident, act quickly. Contact your IT provider, avoid deleting anything that could be needed for an investigation, and notify your insurance broker or insurer as soon as possible. Many cyber insurance policies include access to specialists who can help guide the response. - What should I do if my business has a cyber incident?
If your business experiences a cyber incident, act quickly. Disconnect affected systems if needed, avoid deleting evidence, notify your IT provider, contact your insurance broker or insurer, and follow the incident reporting instructions in your policy. Many cyber insurance policies include access to breach response specialists who can help guide the next steps. - What are some basic cyber safety practices my business should follow?
Basic cyber safety practices include using multi-factor authentication, backing up important data, keeping software updated, training employees to recognize phishing emails, using strong passwords, limiting access to sensitive information, securing company devices, and using firewall or endpoint protection. These steps can help reduce risk and may also be required or encouraged by cyber insurers. - What security measures do insurers require for cyber insurance?
Insurers may require or strongly encourage controls such as multi-factor authentication, secure backups, software updates, endpoint protection, employee cybersecurity training, strong password practices, and incident response procedures. Requirements vary by insurer and business type. - What does cyber insurance not cover?
Cyber insurance policies vary, but common exclusions may include known incidents that occurred before the policy started, intentional wrongdoing, failure to maintain required security controls, war or certain state-sponsored attacks, bodily injury, physical property damage, and upgrades beyond restoring systems to their prior condition. - What information do I need to get a cyber insurance quote?
You may need to provide details about your business operations, annual revenue, industry, number of employees, type of data collected, technology systems used, cybersecurity controls, previous cyber incidents, and desired coverage limits. - What cyber coverage should my business consider?
Many businesses should review coverage for data breach response, ransomware and cyber extortion, business interruption, cyber crime, fraudulent funds transfer, privacy liability, network security liability, regulatory defence, and data recovery. - Should I review cyber insurance every year?
Yes. Your cyber risk can change as your business grows, adds employees, uses new software, accepts online payments, stores more customer information, or signs new contracts. Reviewing cyber insurance each year can help ensure your coverage still reflects the way your business operates. - How much does cyber insurance cost?
Costs vary based on business size, industry, revenue, data exposure, cybersecurity controls, coverage limits, optional coverages, and claims history. The best way to find out your cost is to get a personalized quote. - How can I get a quote for Cyber Insurance?
Getting a quote is quick and straightforward. You can visit Munn Insurance online at www.munninsurance.com/business and complete a short quote request form in just a few minutes. Once submitted, a member of our commercial insurance team will review your information and follow up with tailored options for your business. If you would rather speak with someone directly, you can also call Munn Insurance Monday to Friday, 8:30 a.m. to 4:30 p.m. at 1-855-726-8627 to speak with a commercial insurance advisor. - Why use a broker like Munn Insurance for cyber insurance?
Cyber insurance can feel complicated because coverage wording, exclusions, sub-limits, security requirements, and claims processes vary by insurer. At Munn Insurance, our commercial team can help explain your options in plain language, identify possible gaps, compare coverage, and build a cyber insurance solution around the way your business actually operates. Beyond finding competitive pricing, we also help with the full insurance process. From reviewing coverage options to supporting you through claims, we act as a long-term insurance partner for your business.
The Bottom Line
Cyber insurance can be an important part of protecting a small or medium-sized business, but the details matter.
Assuming you are covered, overlooking ransomware or fraud protection, ignoring security requirements, or choosing coverage based only on price can create gaps when your business needs help most.
At Munn Insurance, we help businesses across Newfoundland and Labrador and Nova Scotia review their cyber risks, compare coverage options, and build insurance solutions that fit the way they operate.
Getting started is simple.
Visit Munn Insurance online and go to the business insurance page at www.munninsurance.com/business and complete our online quote request form.
Prefer to speak with someone directly?
Call Munn Insurance Monday through Friday from 8:30 a.m. to 4:30 p.m. at 1-855-726-8627 and speak with one of our commercial insurance specialists.
Related News
Recent News
7 Cyber Insurance Mistakes Small Businesses Should Avoid
Small businesses rely on technology every day. Email, online banking, payment systems, accounting software, customer records, websites, cloud platforms, and mobile devices all help businesses operate more efficiently. But they also create cyber risk. A [...]
How to Get the Best Cyber Coverage for Your Business
Cyberattacks have increased significantly in recent years, and businesses of all sizes are paying closer attention to how they would respond if something happened. It could be as simple as coming into work one morning, [...]
Talking to a Broker About Cyber Insurance Makes Sense and Could Save Big Dollars Too.
Cyber insurance can feel complicated, but asking questions about it does not have to be. Many business owners are unsure whether they need cyber coverage, what it includes, how much it costs, or whether their [...]









