Insurers tighten the screws, small firms pay the price
Insurers are increasingly cutting the amount they will pay for ransomware and demanding immediate, costly security upgrades from applicants, leaving many small businesses exposed to gaps they cannot afford to close. Over the last 18 months, carriers have added explicit ransomware sublimits to policies, required proof of multi-factor authentication and enterprise endpoint detection, and begun running external scans of applicants' internet-facing systems before binding coverage. Underwriting now treats cyber insurance less as a payout promise and more as a compliance checklist.
Limits, sublimits and the cost of being small
Where once a single policy limit might have covered most first-party losses, insurers now commonly carve out separate ransomware limits that can be far smaller than the overall policy. That can leave a business with a policy limit of $1,000,000 but a ransomware sublimit of $250,000 for extortion payments and related expenses, effectively forcing it to self-insure the remainder or pay higher premiums for more coverage. Legal disputes over how sublimits apply have already reached federal court, a sign that these contract changes have teeth. Smaller companies are the most vulnerable because they tend to lack the cash to top up limits or the staff to satisfy underwriting checks.
A shifting claims landscape
The market shift is not happening in a vacuum. Ransomware economics have moved quickly: extortion demands and payment patterns swung sharply through 2024 and 2025, producing both spikes in average payments and periods when fewer victims chose to pay. Insurers point to rising claim severity on some accounts and to aggregate concentrations of risk that threaten reinsurance capacity, which helps explain the tougher terms at renewal. The result for many small businesses is higher cost or reduced protection at a time when attacks remain a daily risk.
Brokers, MSPs and the real-world squeeze
Brokers and managed service providers are adapting by packaging security services and by steering clients toward group programs and layered controls, but those solutions carry recurring fees many small firms did not budget for. Multi-factor authentication, reliable offline backups, and endpoint detection and response (EDR) deployments are repeatedly cited as the minimum now required to get competitive terms. For businesses operating on thin margins, meeting those requirements can be the difference between affordable coverage and no coverage at all.
Bottom line
The cyber insurance market is forcing a reckoning: coverage no longer replaces basic security hygiene; it rewards it. For small businesses, that means investing in controls now or facing smaller payouts, bigger deductibles, and difficult recovery choices if a breach occurs. The window to act is closing, and the price of delay is getting higher.