Buying your first cyber insurance policy is one of those tasks that feels straightforward until you're actually doing it. The application asks about things like 'network security liability,' 'dependent business interruption,' and 'sublimits for social engineering.' The policy document is 40 pages. Your enterprise customer just wants a COI by end of week.
This checklist is built for that moment. It covers what to look for in a policy, the underwriting questions you'll get asked, how to think about limits by company stage, and what documentation to pull together before you apply. Work through each section in order and you'll be able to evaluate a policy intelligently and get through underwriting without surprises.
Coverage Checklist: What to Look for in a Cyber Policy
Cyber policies are divided into two halves: first-party coverage (your own losses) and third-party coverage (claims made against you by others). A complete policy for a startup should include meaningful coverage in both. Here's what to check for in each category.
First-Party Coverage Items
- Breach response costs: Covers forensic investigation, breach counsel, PR support, and customer notification. This is the first cost center after any incident and often the largest. Confirm there's no sublimit that would cap it below $250,000 for a seed-stage company.
- Business interruption (BI): Replaces lost revenue and covers extra expenses when your systems are taken offline by a covered cyber event. Check the waiting period: most policies impose an 8-72 hour waiting period (a time-based retention, separate from the dollar deductible) before BI coverage begins. Shorter waiting periods are better but cost more. Also confirm the period of restoration (how many consecutive days of downtime are covered).
- Dependent business interruption: If a key vendor or cloud provider suffers an outage due to a security event, this extends BI coverage to your resulting downtime. Often an endorsement—ask specifically whether it's included. Critical if your product is entirely cloud-hosted.
- Ransomware and cyber extortion: Covers the ransom payment itself (subject to sanctions screening; a carrier will not reimburse a payment to an OFAC-sanctioned party), professional ransomware negotiator fees, and system recovery costs after the incident. Confirm the sublimit matches your risk exposure: some policies cap ransomware at $250,000 within a $1M policy.
- Data restoration: Pays for recovering, recreating, or restoring data that's corrupted or destroyed. Look for whether proprietary source code is included—some policies exclude it. Check the sublimit if you have large or complex databases.
- Funds transfer fraud / social engineering: Covers losses from phishing-driven wire transfers or fraudulent payment instructions. This is often a separate endorsement with its own sublimit (typically $100,000-$250,000). If your finance team handles wire transfers, this is worth having. Read the trigger carefully—some require the impersonated party to be a specific individual.
- Notification and credit monitoring costs: The cost of notifying affected individuals and providing credit monitoring is sometimes broken out as its own line item. For consumer-facing startups with large user bases, this can be the single largest cost category—$10-$30 per affected person quickly adds up to six figures.
Third-Party Coverage Items
- Network security liability: Covers claims by third parties (customers, partners, vendors) that a security failure in your systems caused them harm. This is the core third-party coverage your enterprise customers are asking for in their MSA. Confirm the limit matches your contract requirements.
- Privacy liability: Covers claims arising from unauthorized disclosure of personal information, failure to properly handle data, or violation of privacy laws. Distinct from network security liability—privacy claims can arise even without a technical breach (e.g., a misconfigured sharing permission that exposes data).
- Regulatory defense costs: Pays for legal defense costs when regulators—state AGs, FTC, HHS—investigate your company after a breach. Often included within the overall limit rather than as a separate sublimit. Confirm coverage applies to state-level actions, not just federal.
- Regulatory fines and penalties: Some policies cover fines assessed by US regulators, typically only "where insurable by applicable law." GDPR fines are frequently excluded by US policies, and in some jurisdictions they cannot be insured at all. If you process EU resident data, ask specifically whether EU regulatory actions are covered. Don't assume: this varies significantly by carrier.
- PCI DSS fines and assessment costs: If you're in PCI scope (you process, store, or transmit cardholder data), look for specific coverage of card brand fines and PCI forensic assessor costs after a breach. Not all policies include this—ask explicitly.
- Media liability: Covers claims arising from content you publish online—defamation, copyright infringement, invasion of privacy. Often included as part of the cyber policy. Useful for marketing-heavy startups or anyone with a significant content program.
Underwriting Questions You'll Get Asked
The underwriting application for a startup cyber policy is shorter than most people expect—typically 15-30 questions. The categories are consistent across carriers. Here's what you'll be asked and why it matters.
About Your Business
- Annual revenue (current and projected): Revenue is the primary pricing driver. Pre-revenue companies typically qualify for minimum premiums. Provide your ARR if you're SaaS, or your trailing 12-month revenue if you're transactional.
- Industry and business description: Underwriters classify risk by sector. B2B SaaS is priced more favorably than consumer apps, healthcare software, or financial services platforms. Be accurate—industry misrepresentation can void coverage.
- Employee count: Headcount is a proxy for attack surface. More employees means more phishing targets and more endpoints to secure. Include full-time employees, part-time, and contractors who have access to your systems.
- Prior incidents and claims: Have you had any data breaches, ransomware events, or regulatory inquiries in the last 3-5 years? Disclose honestly. Undisclosed prior incidents are one of the most common grounds for claim denial. A prior incident doesn't necessarily mean you'll be declined—it means the carrier will ask follow-up questions about what you changed afterward.
About Your Data
- Types of personal data you store or process: PII (names, emails, addresses), PHI (health information), PCI (payment card data), government IDs, financial account data. Each category carries different regulatory exposure and affects pricing.
- Approximate number of records: Breach notification costs scale with record count. 1,000 records and 1,000,000 records are priced very differently. Have a reasonable estimate—you don't need an exact count but a ballpark matters.
- Whether you store third-party data: If your product processes customer data on their behalf (a CRM, a data platform, a payments processor), you hold third-party data that increases your liability exposure. Underwriters distinguish between storing your own operational data and processing data on behalf of others.
- Cloud provider and infrastructure setup: AWS, GCP, Azure? Multi-cloud or single provider? Underwriters want to understand your dependency concentration. This is also relevant for dependent business interruption coverage.
About Your Security Controls
- Multi-factor authentication (MFA): The most important question on any cyber application. Is MFA enforced for all employees? For email? For remote access? For admin accounts? Partial MFA enforcement (e.g., email only, not VPN) is noted and affects pricing. Full enforcement is the gold standard.
- Endpoint Detection and Response (EDR): Do you have EDR (CrowdStrike, SentinelOne, Defender for Endpoint) deployed on company-managed devices? EDR signals faster detection capability and limits breach blast radius.
- Backup frequency and offsite storage: How often do you run backups? Are they stored separately from production systems (offsite or in a separate cloud account)? Are backups tested for restoration? Carriers specifically ask about immutable backups because ransomware attackers routinely target backup systems.
- Incident response plan: Do you have a documented IR plan? Even a basic 2-page document that names roles and response steps qualifies. Some carriers ask for a copy.
- Security awareness training: Do all employees receive annual security training? Do you run phishing simulations? Documented training programs reduce social engineering risk and are noted favorably.
- Patch management: How quickly do you apply critical patches to operating systems and software? A documented patching cadence (e.g., critical patches within 30 days) is preferred over no documented process.
- Privileged access management: Are admin credentials managed separately from standard user accounts? Do you practice least-privilege access? Underwriters are specifically concerned about over-privileged accounts that attackers can use to move laterally.
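The backup question above is really three questions (frequency, separation from production, and proven restoration), and the last one is the easiest to answer with evidence rather than assertion. The following is an added example, not code from the original article or from any carrier: a minimal restore drill in Python that backs up a directory together with a SHA-256 manifest, restores it into a scratch location, and verifies every file against the manifest, producing a timestamped record you can keep as your most recent restore test. The "production" files it backs up are constructed inside a temporary directory.

```python
"""Backup restore drill (example code added to this article, not from the
original page or any vendor). Back up a directory with a SHA-256 manifest,
restore it somewhere that is not production, and verify every file. The
returned dict is the evidence record for 'when did you last test a restore'."""
import hashlib
import io
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(root: Path) -> dict:
    """Relative path -> sha256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(src: Path, archive: Path) -> dict:
    """Write a tar.gz of src (as 'data/') plus an embedded manifest.json."""
    manifest = make_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname="data")
        blob = json.dumps(manifest, sort_keys=True).encode()
        info = tarfile.TarInfo("manifest.json")
        info.size = len(blob)
        tar.addfile(info, io.BytesIO(blob))
    return manifest


def restore(archive: Path, dest: Path) -> None:
    """Extract into dest. The 'data' filter (Python 3.12+ and backports) refuses
    absolute paths and '..' traversal, so a corrupted or hostile archive cannot
    write outside dest; older interpreters fall back to plain extraction."""
    with tarfile.open(archive, "r:gz") as tar:
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **kwargs)


def verify_restore(dest: Path) -> dict:
    """Compare restored files with the manifest. Missing, extra and altered
    files are all failures; a restore that cannot fail is not a test."""
    expected = json.loads((dest / "manifest.json").read_text())
    actual = make_manifest(dest / "data")
    report = {
        "tested_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "files_expected": len(expected),
        "files_restored": len(actual),
        "missing": sorted(set(expected) - set(actual)),
        "unexpected": sorted(set(actual) - set(expected)),
        "mismatched": sorted(p for p in expected
                             if p in actual and actual[p] != expected[p]),
    }
    report["ok"] = not (report["missing"] or report["unexpected"] or report["mismatched"])
    return report


def build_sample_data(src: Path) -> None:
    """Constructed stand-in for production data; not real records."""
    (src / "db").mkdir(parents=True)
    (src / "db" / "customers.csv").write_text("id,email\n1,a@example.com\n2,b@example.com\n")
    (src / "db" / "orders.csv").write_text("id,amount\n1,99.00\n")
    (src / "config.yaml").write_text("retention_days: 30\n")


def run_drill(tamper: bool = False) -> dict:
    """Full drill in a scratch directory. tamper=True alters one restored file
    before verification to prove the check catches silent corruption."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, dest, archive = root / "prod", root / "restore", root / "backup.tar.gz"
        build_sample_data(src)
        backup(src, archive)
        restore(archive, dest)
        if tamper:
            (dest / "data" / "db" / "orders.csv").write_text("id,amount\n1,0.01\n")
        return verify_restore(dest)


if __name__ == "__main__":
    print(json.dumps(run_drill(), indent=2))
```

Run it on a schedule against a real backup and keep the JSON output alongside your backup policy; the timestamp and the ok flag are what "backups tested for restoration" means in practice. Restoring into a scratch location rather than production is deliberate: a restore test that overwrites live data is itself an incident.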
Limits Guidance by Company Stage and ARR
Coverage limits define the maximum your insurer will pay per occurrence and in aggregate over the policy period. Choosing the right limit requires balancing your contractual requirements, your actual risk exposure, and your budget. Here's a practical framework by stage:
- Pre-revenue / Seed (no meaningful ARR): $1M limit is the standard starting point. Satisfies early investor diligence requests and most first-round enterprise MSA requirements. Monthly cost typically $50-$120 for a low-data-volume software company. If you're collecting any consumer PII, don't delay—breach notification costs don't scale with your ARR.
- Early revenue / Series A ($1M-$5M ARR): $1M-$2M limit is typical. If your first enterprise customer requires $2M, buy $2M—the incremental cost is usually modest and the contract requirement is the constraint, not theoretical risk modeling. Companies in this range pay roughly $100-$350/month depending on data profile and controls.
- Growth stage / Series B-C ($5M-$20M ARR): $2M-$5M limit is common at this stage. You likely have multiple enterprise customers with varying MSA requirements. The weighted average requirement across your book of business is a reasonable floor. Companies processing sensitive data (financial, health) or holding large consumer datasets should trend toward $5M. Monthly cost typically $300-$900.
- Later stage ($20M+ ARR): $5M-$10M+ limits are appropriate. At this scale, a breach involving your full customer base can generate notification and legal costs that exceed $5M before any third-party claims are filed. Companies in regulated industries, with government contracts, or serving large enterprises should consider excess or umbrella layers above their primary cyber limit. Work with an advisor at this stage.
A note on deductibles: most startup cyber policies offer $1,000-$10,000 retentions. A $2,500 deductible is a reasonable default for seed-stage companies. Higher retentions lower your premium but mean you absorb more of each claim. Don't set a retention higher than what you could write a check for without disrupting operations—a $25,000 deductible sounds appealing as a premium lever until you're trying to fund a forensic investigation from your operating account at 2am.
Pre-Underwriting Packet: What to Prepare Before You Apply
You can get a cyber insurance quote in minutes—but having a few documents on hand before you start makes the process smoother and can result in better pricing. Underwriters reward companies that can demonstrate their security posture, not just assert it. Here's what to gather:
Security Stack Documentation
- MFA configuration screenshots or policy documentation: A screenshot of your identity provider (Okta, Google Workspace, Microsoft Entra) showing MFA enforcement settings takes 2 minutes to pull and directly supports favorable pricing.
- EDR deployment summary: A report or screenshot from your EDR platform showing deployment coverage across endpoints. If you're at 90%+ coverage, document it.
- Backup policy and test records: A brief description of your backup cadence, where backups are stored, and when you last tested restoration. Even a Notion doc or internal runbook page qualifies.
- Vulnerability scanning results: Recent results from a vulnerability scanner (Qualys, Tenable, or even a basic Amazon Inspector report) demonstrate active security hygiene.
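Two of the items above, MFA enforcement and EDR coverage, can be turned into measured figures rather than screenshots. The script below is an added example (not code from the original article, from Latent Insurance, or from any identity or EDR vendor): it reads an identity-provider user export, a managed-device inventory, and the list of hosts reporting to the EDR console, then computes the MFA enforcement rate over active accounts, the admin accounts without MFA, and EDR coverage over managed devices, treating agents that have stopped checking in as uncovered. All three CSV layouts and their column names are assumptions standing in for whatever your own consoles export; the rows are constructed sample data.

```python
"""MFA-enforcement and EDR-coverage evidence from exports (example code added
to this article; the CSV schemas are assumed, not any vendor's real format).
Adjust the column names to match your IdP, MDM and EDR exports."""
import csv
import io
import json

# Constructed sample IdP user export. Column names are assumptions.
IDP_EXPORT = """\
email,status,is_admin,mfa_enrolled,mfa_enforced
alice@example.com,active,true,true,true
bob@example.com,active,false,true,true
carol@example.com,active,false,false,false
dave@example.com,active,true,true,false
erin@example.com,suspended,false,false,false
svc-deploy@example.com,active,false,false,false
"""

# Constructed sample device inventory (from MDM/asset list) and the hosts
# currently reporting to the EDR console, with days since last check-in.
DEVICE_INVENTORY = """\
hostname,owner,managed
alice-mbp,alice@example.com,true
bob-mbp,bob@example.com,true
carol-x1,carol@example.com,true
dave-mbp,dave@example.com,true
byod-phone,bob@example.com,false
"""
EDR_AGENTS = """\
hostname,last_seen_days
alice-mbp,0
bob-mbp,1
dave-mbp,12
"""

STALE_AGENT_DAYS = 7  # an agent silent for a week is not protecting anything


def _truthy(value: str) -> bool:
    return value.strip().lower() in {"true", "yes", "1", "enforced", "on"}


def mfa_report(idp_csv: str) -> dict:
    """Enforcement rate over active accounts, plus the exceptions an underwriter
    (and an attacker) cares about most: admins and accounts with no MFA."""
    rows = [r for r in csv.DictReader(io.StringIO(idp_csv)) if r["status"] == "active"]
    enforced = [r["email"] for r in rows if _truthy(r["mfa_enforced"])]
    not_enforced = [r["email"] for r in rows if not _truthy(r["mfa_enforced"])]
    admins_without = [r["email"] for r in rows
                      if _truthy(r["is_admin"]) and not _truthy(r["mfa_enforced"])]
    return {
        "active_accounts": len(rows),
        "mfa_enforced": len(enforced),
        "enforcement_pct": round(100 * len(enforced) / len(rows), 1) if rows else 0.0,
        "not_enforced": not_enforced,
        "admins_without_mfa": admins_without,
        "fully_enforced": not not_enforced,
    }


def edr_report(inventory_csv: str, agents_csv: str, stale_days: int = STALE_AGENT_DAYS) -> dict:
    """Coverage = managed devices with a healthy agent / all managed devices.
    Unmanaged (BYOD) devices are excluded from the denominator but listed, so
    the answer is honest about what is out of scope."""
    devices = list(csv.DictReader(io.StringIO(inventory_csv)))
    managed = [d["hostname"] for d in devices if _truthy(d["managed"])]
    unmanaged = [d["hostname"] for d in devices if not _truthy(d["managed"])]
    agents = {a["hostname"]: int(a["last_seen_days"])
              for a in csv.DictReader(io.StringIO(agents_csv))}
    healthy = [h for h in managed if h in agents and agents[h] <= stale_days]
    stale = [h for h in managed if h in agents and agents[h] > stale_days]
    missing = [h for h in managed if h not in agents]
    return {
        "managed_devices": len(managed),
        "covered": len(healthy),
        "coverage_pct": round(100 * len(healthy) / len(managed), 1) if managed else 0.0,
        "stale_agents": stale,
        "no_agent": missing,
        "unmanaged_out_of_scope": unmanaged,
    }


if __name__ == "__main__":
    print(json.dumps({"mfa": mfa_report(IDP_EXPORT),
                      "edr": edr_report(DEVICE_INVENTORY, EDR_AGENTS)}, indent=2))
```

The exception lists are the part worth reading before you submit: an admin without MFA, a service account with no second factor, or a laptop whose agent stopped checking in two weeks ago is exactly what an underwriter will ask about and what an attacker will find first. Suspended accounts are dropped from the MFA denominator and unmanaged devices from the EDR denominator, but both are reported rather than silently ignored, which keeps the percentage defensible if the carrier asks how it was calculated.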
Data Inventory
- Record of data types you process: A simple spreadsheet listing what categories of personal data you hold (PII, PHI, PCI, etc.), where it lives (which systems and cloud accounts), how long you retain it, and roughly how many records are involved.
- Subprocessor / vendor list: A list of third-party vendors who have access to your data or systems (your data subprocessors). This is required for SOC 2 and GDPR compliance anyway—if you have it, bring it to underwriting.
- Data flow diagram (if available): A high-level diagram showing how data enters, moves through, and exits your systems. Not always required for small startups, but useful for more complex data architectures.
Governance Documents
- Written Information Security Policy (WISP): A documented security policy covering access management, data handling, incident response, and acceptable use. Required for SOC 2 and many enterprise vendor agreements. If you have one, bring it. If you don't, a short policy document covering the basics is better than nothing.
- Incident response plan: Your documented IR plan naming response roles, escalation paths, and the key steps from detection to recovery. Some carriers ask for a copy. A two-page runbook is sufficient at the seed stage.
- SOC 2 status and most recent report: SOC 2 is an attestation report issued by an independent auditor, not a certification. If you have completed a Type I or Type II audit, have the report available. This is the single most effective document for obtaining favorable pricing: it signals that your controls have been independently verified rather than self-reported.
- Prior claims history: Documentation of any prior cyber incidents, including what happened, when, how it was resolved, and what controls were implemented afterward. Disclose prior incidents proactively—carriers check loss history databases and undisclosed incidents are grounds for coverage denial.
Get Your Quote from Latent Insurance in Under 5 Minutes
You've done the work. You know what coverage to look for, what questions to expect, what limits make sense for your stage, and what documents to have ready. The next step takes less than 5 minutes: get a quote from Latent Insurance, see your coverage options immediately, and have a certificate of insurance ready for your customer before the end of the day. No broker phone tag. No waiting on a response. Just coverage that matches where your startup actually is.