More than 60% of ransomware attacks target small and mid-size businesses. The average cost of a ransomware event for an SMB now exceeds $1.4 million when you include the ransom demand, recovery costs, business interruption, and breach notification. And most standard General Liability and Commercial Property policies — the ones most California small businesses have — explicitly exclude cyber events.

The GL Exclusion Most Business Owners Don't Know About

Modern general liability policies contain specific cyber exclusions. If a ransomware attack encrypts your systems and shuts down your business for a week, your GL policy will not pay for the lost income, the recovery costs, the forensic investigation, or the ransom. Neither will your commercial property policy. These risks were written out of standard policies years ago — and standalone cyber insurance was created to fill the gap.

California's CCPA Amplifies the Exposure

The California Consumer Privacy Act (CCPA) creates a direct right for California consumers to sue businesses for data breaches of their unencrypted personal information — without proving actual harm. Statutory damages range from $100 to $750 per consumer per incident. A breach affecting 20,000 California customers produces potential statutory liability of $2M–$15M — before any actual damages are calculated.

Any business collecting California consumer data and meeting any of the CCPA thresholds ($25M revenue, 100,000+ consumer records, 50% revenue from data sales) has CCPA exposure. The California Privacy Protection Agency (CPPA) is actively enforcing.

Cyber insurance covers what your existing policies explicitly exclude: ransomware recovery, business interruption from system outages, breach notification costs, forensic investigation, and CCPA regulatory defense and penalties.

The MFA Requirement

Most cyber insurers now require multi-factor authentication (MFA) on email and remote access as a condition of coverage. This has become a near-universal underwriting requirement — and missing MFA is a disqualifier at most standard carriers. If you don't have MFA on your business email accounts, implementing it is the single most important step both for security and for cyber insurance eligibility.

What Cyber Insurance Actually Covers

  • First-party: Ransomware payments (where legally permitted), recovery and restoration costs, business interruption income, breach notification to affected customers
  • Third-party: Customer lawsuits for data exposure, CCPA regulatory defense and fines, PCI-DSS fines for payment card breaches
💡 Bollinsure TipCyber insurance premiums have increased 30–50% over the last two years due to ransomware frequency. Businesses with strong security controls — particularly MFA, offline backups, and endpoint detection — consistently receive better rates. We review your security posture before placement to match you with carriers who reward good controls.