Security

Do Small Businesses in Bardstown Need Cyber Insurance?

A few years ago, cyber insurance was something large corporations bought. Today we're seeing small businesses across Nelson County and the surrounding area getting asked about it — by their insurance agents, by clients who require it in contracts, and sometimes by their own accountants after reading about a local business getting hit with ransomware. So do you actually need it? The short answer is probably yes, but there's a lot of nuance in what you're buying and what it actually covers.

What cyber insurance actually covers

Cyber insurance policies vary widely, but a solid small-business policy typically covers:

  • Ransomware and extortion payments — If attackers encrypt your data and demand payment, your policy may cover the ransom and negotiation costs.
  • Incident response costs — The forensics work, IT consulting, and recovery labor to figure out what happened and get you back up. This is often the biggest cost after an attack.
  • Business interruption — Lost revenue during the days or weeks you're not operating normally while recovering.
  • Data breach notification — If customer or employee data was exposed, Kentucky law requires notification. Insurance covers the cost of identifying affected parties and sending notices.
  • Legal defense and liability — If a client sues you because their data was exposed through a breach of your systems.
  • Crisis communications — PR help if the breach is significant enough to affect your reputation.

What it typically does not cover: replacing hardware, losses from prior to the policy start, and increasingly, incidents caused by security controls you claimed to have in place but didn't.

What it costs for a small Kentucky business

For a small office in Bardstown — say, 5–20 employees, no special regulatory requirements — a basic cyber liability policy typically runs $800–$2,500 per year. Healthcare and legal businesses pay more due to the sensitivity of the data they handle. Businesses with strong security controls (MFA, backups, endpoint protection) often qualify for lower premiums.

Some business owner's policies (BOPs) include a thin layer of cyber coverage, but the limits are usually too low to be meaningful — often $10,000–$25,000 in a world where average small-business incident costs run $25,000–$100,000. A standalone cyber policy with $500,000–$1,000,000 in coverage is a much more realistic safety net.

The underwriting has gotten strict — and that's actually useful

Three years ago you could get cyber insurance by answering a handful of vague questions. That's changed. Insurers have been burned by large claims and have responded by requiring real security controls before they'll write a policy — or before they'll pay a claim.

Common requirements now include:

  • Multi-factor authentication on email, remote access, and admin accounts
  • Verified, tested backups stored separately from your main network
  • Endpoint detection and response (EDR) software on all devices
  • A documented incident response process
  • Regular patching of operating systems and software

If you say "yes" to these on an application and you don't actually have them, the insurer can deny your claim after an incident. That's not a hypothetical — it's happened to small businesses who answered the application questions optimistically.

The silver lining: The underwriting checklist is actually a pretty good security to-do list. If you can honestly check every box on a cyber insurance application, you're in substantially better shape than most small businesses your size. Getting insurable and getting secure are mostly the same work.

Who especially needs it

Cyber insurance is worth prioritizing if any of these apply to your business:

  • You handle sensitive client data — Medical records, legal files, financial records, employee SSNs. A breach here carries notification obligations and significant liability.
  • A client contract requires it — This is increasingly common. If you're a vendor or subcontractor to a larger business, they may require you to carry cyber liability coverage.
  • Downtime would be extremely costly — A business that can't operate for three days without serious financial damage should have the business interruption coverage.
  • You process payments — PCI DSS compliance is a separate topic, but businesses that handle card data have elevated exposure.

Who might be able to wait

A very small operation — one or two people, minimal client data, low revenue — might reasonably deprioritize cyber insurance in favor of getting the basic security controls right first. The controls (MFA, backups, endpoint protection) reduce the likelihood of an incident far more than insurance does. Insurance only helps after something goes wrong.

That said, policies are inexpensive enough at the small end that for most businesses, the question is really "which policy" rather than "whether."

How your IT setup affects your premium and coverage

This is where IT and insurance intersect directly. Insurers are increasingly asking for documentation: can you prove MFA is enforced? Can you show backup test records? Do you have endpoint protection deployed on every device?

At Etoc IT, part of what we do for managed clients is maintain exactly this kind of documentation — monthly health reports, backup monitoring logs, MFA enforcement records. When a client needs to answer an insurance application or renew a policy, we can provide the evidence the insurer is looking for. It's a detail that matters more than most people realize when a claim is on the line.

If you're in Nelson County or the surrounding area and want help making sure your IT controls actually match what your cyber insurance policy assumes, reach out. We'll review your setup and tell you straight where the gaps are.

Want to make sure your IT actually matches your insurance?

We'll review your security controls and give you a plain-English report on where things stand — no obligation.

Request a Free Security Review
E

Etoc IT
Locally owned IT support for small businesses in Bardstown, Nelson County, and surrounding Central Kentucky.