Cyber Liability Is No Longer Optional for Small Businesses

Isabel Isidro

December 20, 2025

Cyber liability is no longer a concern reserved for large enterprises with sprawling data centers and global operations. Today, small and mid-sized businesses are increasingly targeted by cybercriminals, regulators, and plaintiff attorneys — often simultaneously. As AI-driven attacks grow more sophisticated and privacy laws tighten, a single breach can trigger cascading consequences that go far beyond IT cleanup. Understanding cyber risk, insurance limitations, and leadership responsibilities is no longer optional; it’s a core requirement for running a resilient business in the modern economy.

For years, cyber liability was treated as a problem reserved for large enterprises with massive data centers and global operations. That assumption no longer holds. Today, small and mid-sized businesses are increasingly the primary targets of cybercriminals, regulators, and plaintiff attorneys — often all at once.

According to Jason Bishara, a financial lines and risk specialist who works closely with founders and executives, cyber risk has quietly become one of the most serious operational and legal threats facing smaller organizations. And unlike traditional business risks, cyber incidents rarely stay contained.

“Larger companies have more resources, and they’ve been using those resources to combat cyberattacks,” Bishara explains. “Smaller companies, on the other hand, are often the low-hanging fruit. Bad actors target them because it’s easy.”

And the consequences of an attack now extend far beyond IT cleanup. A single breach can trigger regulatory investigations, customer lawsuits, business interruption, and even claims against company leadership.

Below, we break down the most important takeaways from Jason’s interview — and what small business owners need to understand right now.

Jason Bishara, Financial Lines Practice Leader and Head of the Capital Markets Group at NSI Insurance Group

Why Small and Mid-Sized Businesses Are the New Cyber Target

Large corporations invest heavily in cybersecurity, often deploying advanced AI tools to detect and neutralize threats in real time. Smaller companies usually cannot match that level of defense, making them what attackers call “low-hanging fruit.”

As Bishara puts it:

“Smaller companies are vulnerable not just to attacks, but also to shareholder allegations that they aren’t doing enough to keep data safe or protect investors.”

Cybercriminals know that many small businesses:

  • Have limited security budgets
  • Rely heavily on third-party vendors and cloud tools
  • Lack dedicated cybersecurity leadership

The result is a growing wave of attacks aimed squarely at smaller organizations. When breaches occur, the fallout doesn’t stop at operational disruption. Jason points out that shareholders and investors are increasingly alleging that companies failed to take reasonable steps to protect data, opening the door to lawsuits that go well beyond IT problems.


What Regulators Look for After a Breach

Once a breach occurs, regulators tend to focus on fundamentals — not technical jargon. Bishara says post-incident investigations almost always revolve around three questions:

  1. What steps were taken to prevent the incident?
  2. Was the company prepared to detect intrusions quickly?
  3. How did the company respond to limit damage?

While executives are not expected to be cybersecurity engineers, they are expected to provide oversight.

“Corporate leaders may not always be cyber experts themselves,” Bishara notes, “but they can still oversee these issues, allocate resources, and identify the experts who are in charge of the company’s cybersecurity.”

A lack of documentation — or worse, policies that exist only on paper — often becomes a major liability during post-incident investigations.

The Biggest Cyber Insurance Misconceptions

One of the most common misconceptions Jason encounters is the belief that cyber insurance automatically covers any breach-related loss. In reality, cyber insurance policies vary widely, and coverage is far from standardized.

“Cyber insurance isn’t standardized, so you can’t just assume you have coverage,” Bishara warns. “You need to look at your specific policy language.”

Some of the most common gaps include:

  • Social engineering and wire fraud exclusions (especially when an employee authorizes a fraudulent transfer)
  • Supply chain failures involving vendors or technology partners
  • Secondary lawsuits, such as D&O claims tied to alleged mismanagement of cyber risk

According to Bishara,

“Some policies may limit coverage if an employee authorizes a transfer because they were tricked. That’s a big issue — and AI is making it worse.”

With AI-powered scams becoming more convincing, these exclusions are becoming more consequential. And beyond the immediate breach costs, he emphasizes the downstream risk:

“It’s also important to consider the possibility of D&O lawsuits after a cyber incident.”

Business owners must understand exactly what their policies do — and do not — cover.


The Rise of “Mass Breach” Litigation

New state-level privacy laws are expanding consumer protections, which is generally positive. However, these laws are also creating new pathways for litigation, particularly against smaller businesses that are unaware of evolving compliance requirements.

Jason notes that many wrongful data collection lawsuits now target:

  • Websites using tracking pixels
  • Online advertising and analytics tools
  • Businesses collecting personal data without proper disclosures

Small businesses are especially exposed because many don’t realize how aggressively privacy rules now apply to everyday tools.

“Any business using pixel trackers on their website or online advertising could be at risk of violating rules for the collection and storage of personal data.”

Tools such as TikTok pixels, Twitter analytics, and LinkedIn Insight tags have all been cited in litigation. Some cyber insurance policies can help transfer this risk, but only if the coverage is structured correctly.

“Businesses should be judicious about the use of all tracking tools,” he says. “Some cyber insurance policies can help transfer this risk — but only if it’s properly covered.”

How AI Is Reshaping Cyber Risk

Artificial intelligence has dramatically altered the threat landscape. Cybercriminals are now using AI to:

  • Automate vulnerability scanning
  • Adapt malware in real time
  • Create convincing phishing messages, voice clones, and deepfake videos

“Cybercriminals are automating attacks with tools that detect vulnerabilities and malware that can adapt in real time,” Bishara says.

AI has also supercharged impersonation scams.

“They’re using generative AI, voice cloning, and even deepfake video to make scams much harder to detect.”

In some cases, attackers are manipulating a company's own AI systems, such as customer-facing chatbots and automated assistants, into disclosing data those systems can reach. Internal tools become attack vectors in their own right.

“Bad actors can exploit a company’s AI to trick it into revealing sensitive information,” he explains. “That’s creating a completely new type of cyberattack.”

This emerging category of risk is forcing insurers to reevaluate policy language, and Jason says early signs of AI-related exclusions are already appearing in other coverage lines.

“Cyber insurers may ask more questions about AI and tweak policy language,” Bishara says. “We’re already seeing early AI exclusions in other coverage lines.”


Leadership Accountability Is Increasing

Cybersecurity is no longer just an IT issue. It directly impacts financial stability, reputation, and stakeholder trust. As a result, boards and business owners are being held more accountable for cyber preparedness.

To demonstrate “reasonable preparedness,” leaders should be able to answer basic questions:

  • Are cybersecurity best practices documented and followed?
  • Are vendors and partners properly vetted?
  • Is cyber insurance in place and understood?
  • Is there a written, tested incident response plan?

Jason emphasizes that prevention matters, but response planning is just as essential, and having a written plan is not optional.

“Because cyberattacks have become so prevalent, every company should have a written cyber incident response plan that is regularly reviewed and updated.”

Cyber incidents are now common enough that every organization should assume it will eventually face one.

What Insurers Look for When Underwriting Cyber Risk

From an underwriting perspective, insurers want to see consistency and discipline. Bishara points to several common factors carriers evaluate:

  • Consistent execution of cybersecurity best practices
  • Past incidents or loss history
  • Continuous monitoring and vulnerability assessments
  • Volume and sensitivity of data handled
  • Workforce size, turnover, and remote work exposure
  • Use of emerging technologies and AI
  • Supply chain and vendor risk management

No single control guarantees coverage — but weak fundamentals can raise red flags quickly. Companies that can demonstrate discipline and consistency are viewed as better risks and often receive more favorable terms.


The First 72 Hours After a Breach Matter Most

In the immediate aftermath of a cyber incident, confusion can be as damaging as the breach itself. A well-prepared business knows exactly who is responsible for what and how decisions will be made.

When an incident occurs, speed and clarity matter.

“Time is of the essence,” Bishara says. “You need clear roles and accountability. Who is responsible? What is the plan?”

Detection failures are a common issue.

“If you’re not actively monitoring intrusions, you might not even realize there’s been a breach for weeks or months.”

Common mistakes Jason sees include:

  • Delayed detection due to lack of monitoring
  • Unclear internal roles and communication
  • Waiting too long to notify the cyber insurance carrier

Insurers play a critical role in loss mitigation and compliance guidance. Jason advises notifying the carrier immediately, even while details are still emerging, and never responding to threats without professional guidance.

“Carriers know how to assess and mitigate losses. They need to be notified immediately.”

And above all:

“Never respond to a threat without getting your carrier’s advice first.”

Cyber Insurance Pricing and Insurability Today

Despite growing threats, the cyber insurance market is currently favorable for buyers.

“Cyber insurance rates are stable right now,” Bishara notes. “In fact, rates declined by about 1.5% in Q2 2025 due to increased competition.”

That doesn’t mean coverage is automatic.

“Strong cybersecurity is still the best strategy,” he says. “If you can show insurers you’re a good risk, you may receive more favorable terms.”

According to the Council of Insurance Agents & Brokers, cyber rates declined by 1.5 percent in Q2 2025, largely due to increased competition and capacity.

Businesses can improve insurability by:

  • Demonstrating strong cybersecurity controls
  • Maintaining clean loss histories
  • Accepting higher deductibles where appropriate

Working with a broker can also help.

“Policy structure matters. If you retain more risk, such as with higher deductibles, your rates will generally be lower.”

Strong risk management doesn’t just reduce incidents. It can also reduce premiums.


The Real Cost of Doing Nothing

For entrepreneurs who still view cyber liability as optional, Jason offers a sobering perspective.

“Cyberattacks are both common and costly,” he says. “Businesses of all sizes need to be prepared — and that typically involves carrying insurance.”

Beyond financial losses, there are governance implications. Failing to secure cyber insurance may expose leadership to claims that they neglected their duty to protect stakeholders.

Cyber insurance provides more than reimbursement. It offers expert guidance during high-stress situations — from ransomware demands to regulatory notifications. When a company is facing a multimillion-dollar ransom or a customer data breach, that guidance can be invaluable.

“If your files were being held for a $50 million ransom, would you know what to do?” Bishara asks. “With cyber insurance, your insurer takes the lead.”

In high-pressure moments, that expertise can make the difference between containment and catastrophe.

Final Thoughts

Cyber liability is no longer a future concern or a big-company problem. It is a present-day operational, legal, and leadership issue for businesses of all sizes.

As Jason Bishara, Financial Lines Practice Leader and Head of the Capital Markets Group at NSI Insurance Group, makes clear, preparedness is now measured by action, not intent. For small businesses, the question is no longer whether cyber risk will matter, but whether leadership is ready when it does.

Key Takeaways

  • Small businesses are now prime cyber targets. Attackers intentionally go after organizations with fewer defenses, limited monitoring, and heavy reliance on third-party vendors.
  • Cyber incidents trigger legal and regulatory fallout. A breach today can lead to regulatory investigations, consumer lawsuits, shareholder claims, and even D&O exposure.
  • Cyber insurance is not one-size-fits-all. Policy language matters, and many businesses are surprised to learn that social engineering, wire fraud, and vendor-related incidents may be excluded.
  • AI has dramatically escalated cyber risk. Generative AI, voice cloning, and adaptive malware have made phishing and impersonation attacks harder to detect and more damaging.
  • Leadership accountability is increasing. Cybersecurity is no longer just an IT issue; boards and owners are expected to demonstrate reasonable preparedness.
  • The first 72 hours after a breach are critical. Clear roles, fast detection, and immediate insurer involvement can significantly limit financial and reputational damage.
  • Doing nothing is now the riskiest option. Beyond financial loss, failure to prepare or insure against cyber risk can expose leadership to claims of negligence.

About Jason Bishara:

Jason Bishara is a financial lines and risk specialist who advises small and mid-sized businesses on navigating today’s rapidly evolving liability landscape. As Financial Lines Practice Leader and Head of the Capital Markets Group at NSI Insurance Group, Jason works closely with founders, executives, and operators to help them understand and manage exposures ranging from cyber liability and data breaches to D&O and management risk.


Frequently Asked Questions (FAQ) on Cyber Liability

Why are small businesses more vulnerable to cyberattacks than large companies?

Small businesses typically have fewer cybersecurity resources, limited monitoring capabilities, and smaller IT teams. While large organizations invest heavily in advanced detection tools and AI-driven defenses, many smaller companies rely on basic protections and third-party platforms. Cybercriminals understand this imbalance and intentionally target small and mid-sized businesses because attacks are easier, faster, and less likely to be detected early. In addition, smaller companies often underestimate their risk, making them less prepared to respond when an incident occurs.

Does cyber insurance automatically cover all types of cyber incidents?

No. Cyber insurance policies vary widely, and coverage is not standardized across insurers. Many policies contain exclusions or limitations related to social engineering, wire fraud, vendor failures, and certain data privacy violations. For example, if an employee authorizes a fraudulent wire transfer after being tricked, coverage may be limited or denied. Businesses must carefully review policy language to understand what is covered, what is excluded, and whether additional endorsements are needed to address their specific risks.

How is artificial intelligence changing cyber threats for businesses?

AI has significantly increased both the scale and sophistication of cyberattacks. Cybercriminals now use AI to automate vulnerability scanning, adapt malware in real time, and create highly convincing phishing messages using voice cloning and deepfake technology. These tools make attacks harder to detect and easier to execute. AI can also be used to manipulate internal systems, including chatbots and automated workflows, to extract sensitive information. As a result, insurers are reassessing cyber risk and, in some cases, introducing AI-related exclusions or tighter underwriting standards.

What should a small business do in the first 72 hours after a cyber breach?

The first 72 hours are critical. A well-prepared business should already have a written incident response plan that defines roles, responsibilities, and communication protocols. Immediate steps include identifying and containing the breach, preserving evidence, and notifying the cyber insurance carrier as soon as possible. Delays in detection or insurer notification can increase losses and complicate compliance obligations. Businesses should avoid responding to threats, such as ransom demands, without professional guidance from their insurer and legal advisors.

Is cyber liability really a leadership and governance issue?

Yes. Cyber risk is now viewed as an enterprise-wide issue that affects financial stability, reputation, and stakeholder trust. Regulators, investors, and plaintiffs increasingly expect business leaders to demonstrate reasonable preparedness, including proper oversight, documented policies, vendor vetting, and insurance coverage. Failure to address cyber risk can expose owners and executives to claims that they neglected their duty to protect the organization and its stakeholders. Cybersecurity is no longer just a technical concern — it’s a core leadership responsibility.

Isabel Isidro
Isabel Isidro is the Co-founder of PowerHomeBiz.com, one of the longest-running online resources dedicated to helping aspiring entrepreneurs start and grow home-based and small businesses. She is also the Co-Founder and CEO of Ysari Digital, a digital marketing agency specializing in SEO, content strategy, and performance marketing for small and mid-sized businesses. With over two decades of experience in online business development, Isabel has launched and managed multiple successful websites, including Women Home Business, Starting Up Tips and Learning from Big Boys. Passionate about empowering others to succeed in business, Isabel combines real-world experience with a deep understanding of digital marketing, monetization strategies, and lean startup principles. A mom of three boys, avid vintage postcard collector, and frustrated scrapbooker, she brings creativity and entrepreneurial hustle to everything she does. Connect with her on Twitter or explore her work at PowerHomeBiz.com.
