Frequently Asked Questions
Straight answers for small business owners and nonprofit leaders. No jargon. No scare tactics. Just what you need to make a smart decision.
Do we really need cybersecurity help if we are small?
Yes. Most real-world incidents hit smaller organizations because attackers know there is less oversight and fewer guardrails. The bigger issue is expectations. Cyber insurance carriers, vendors, and sometimes regulators now expect even small organizations to show basic security practices and documentation.
How is this different from what our IT provider does?
Your IT provider focuses on keeping systems running. Our job is to help leadership understand risk, document decisions, and make sure what is in place matches what you are telling insurers, vendors, boards, or regulators. We work alongside IT, not instead of them.
We have cyber insurance. Isn’t that enough?
Cyber insurance is important, but it is not a substitute for basic controls. Policies are written with assumptions. If what was documented on the application does not match reality, claims can be delayed, reduced, or denied. Good security and good documentation make insurance far more useful when you actually need it.
How does cyber insurance really work?
Cyber insurance is designed to help cover certain costs after an incident, like investigation, legal support, notification, and recovery. It does not prevent an incident. Most policies also include requirements you are expected to maintain. The practical goal is to align your real-world controls with what your policy expects and what you documented in your application.
What kinds of cybersecurity insurance are there?
Most organizations run into a mix of cyber-related coverages. The names vary by carrier, but these are common:
- Cyber liability covers many breach and ransomware response costs.
- Privacy and network security focuses on unauthorized access and privacy-related claims.
- Crime coverage with cyber endorsements often applies to email fraud, wire fraud, and payroll diversion. Many organizations assume a cyber policy covers this when it does not.
- Technology errors and omissions is usually meant for organizations that provide IT or technology services to others. It is not meant for internal incidents.
- Business interruption may help cover downtime losses, but waiting periods and exclusions can surprise leadership.
Why do cyber insurance claims get denied?
The most common reasons are not technical “gotchas.” Claims are often denied or reduced because required controls were missing, answers on the application overstated reality, or known risks were left unaddressed. The organizations that get paid are usually the ones that can show they did what they said they were doing.
What does the first conversation usually involve?
It is not a sales pitch. We listen, ask a few focused questions, and help you get clarity on where risk may exist and what “good” looks like for your size and industry. If there is a fit, we outline next steps in plain language and you decide what to do.
Are you going to recommend a lot of new technology?
No. Most of our work is about clarity, priorities, documentation, and governance. Technology may be part of the solution, but it is rarely the first step and it is never the only step.
Do you work with nonprofits and healthcare organizations?
Yes. We routinely work with nonprofits and physician practices that have limited internal resources but increasing expectations around privacy, security, and insurance requirements. Our approach is practical and scaled, not enterprise-heavy.