The Wild Ride of Cyber Insurance: How Ransomware Changed Everything

Akram Chauhan

Let’s take a little trip back in time. Not too far, maybe 15 or 20 years.

Back then, if you heard the words “data breach,” you probably pictured getting a letter in the mail. Some company you bought from got hacked, and now you had a year of free credit monitoring. It was a hassle, for sure, but it felt manageable. For businesses, buying cyber insurance was mostly about managing that hassle—the cost of sending letters, dealing with regulators, and handling any lawsuits that popped up.

As Evan Fenaroli, who’s the Vice President of Management and Professional Liability at Philadelphia Insurance Companies (PHLY), explained it, the whole thing really kicked off after 2003. That’s when California passed the first law in the U.S. requiring companies to notify people about breaches. “By 2018, every other state had similar laws in place,” he says. “A lot of early buyers of cyber coverage were primarily concerned with the data privacy aspect of it.”

It made total sense. The biggest fear was losing customer data. But that was about to change in a huge, scary way.

And Then Ransomware Kicked the Door In

Fast forward to around 2019. The game completely changed.

Cybercriminals, who had been dabbling in ransomware for years, suddenly had a lightbulb moment. Why just steal data when you can hold an entire company hostage? They started targeting bigger organizations and demanding payments not in dollars, but in cryptocurrency like Bitcoin.

“Fast forward to 2019 into 2020, we started seeing a major uptick in ransomware incidents,” Fenaroli recalls. “What was unique here is that we started seeing the extortion demands increase drastically.”

Suddenly, this wasn’t about a PR headache and credit monitoring anymore. This was about your entire operation grinding to a halt. Imagine walking into your office on a Monday morning and finding that none of your computers work. Your files are locked. Your customer database is gone. And there’s a message on the screen demanding a six-figure payment to get it all back.

That’s the reality businesses started facing. The risk wasn’t just about privacy anymore; it was about pure survival. The potential costs exploded from notification fees to business interruption, data recovery, and the ransom payment itself.

The Wake-Up Call Nobody Wanted (But Everyone Needed)

As you can imagine, the insurance industry felt this shift in a big way.

The massive payouts for ransomware claims sent shockwaves through the market. Fenaroli puts it bluntly: “It led to a huge increase in payouts. It hardened the market. It made carriers cut back in capacity.”

In plain English? It got a lot harder and more expensive to get good cyber insurance. Insurers started asking many more tough questions and demanding that businesses have much stronger security measures in place before they’d even offer a policy.

But here’s the interesting part—this market-wide panic had a silver lining.

It forced everyone to finally get serious about cybersecurity. “Everybody realized that it was a problem,” Fenaroli says. “Cyber risk became a top-line agenda item at the C-suite and the board levels.”

For the first time, business leaders everywhere started to understand that a cyber attack wasn't just an IT problem. It was an existential threat that could shut down the entire company. And that realization, painful as it was, has been a good thing for everyone involved.

You’re Not in This Alone: How Good Insurers Are Stepping Up

It’s one thing for an insurer to demand you have better security. It’s another thing to actually help you get there, especially if you’re a small or medium-sized business without a dedicated cybersecurity army.

Recognizing this, companies like PHLY started offering more than just a policy. They started providing real, practical risk management tools to their clients. It’s a shift from just paying claims to actively helping prevent them.

They offer two key resources that are honestly pretty cool.

A Lawyer on Speed Dial

The first is a platform called PHLYGateway. Think of it as having a team of legal experts on call. “They can schedule calls with these attorneys to discuss any management and professional liability-related risk, including cyber risk, and receive general advice and guidance,” Fenaroli explains.

They also host webinars on everything from ransomware to financial fraud schemes—which, by the way, are getting scarily sophisticated. Criminals are getting really good at tricking employees into wiring money to the wrong accounts. PHLYGateway provides a ton of content on how to build stronger accounting controls to stop that from happening.

Your All-in-One Cyber Toolkit

The second resource is the eRisk Hub. Fenaroli says “‘Hub’ is an appropriate description because it aggregates numerous resources from several different vendors.”

It’s basically a one-stop shop for cybersecurity tools and information. It has things like breach response cost calculators, guides for creating an incident response plan, and updates on all the different data privacy laws around the world.

For a business that’s just starting to build out its security program, this is huge. “It serves as an excellent springboard and starting point when clients are trying to generate or draft policies and procedures,” Fenaroli notes. It helps you get your arms around the problem instead of feeling totally overwhelmed.

Let’s Talk Basics: The Simple Stuff Still Matters Most

When you hear about sophisticated cyber attacks, it’s easy to think the solutions must be equally complex. But often, the most effective defenses are the simplest.

Fenaroli points to one thing above all else: Multifactor Authentication (MFA). That’s when you need a second piece of information to log in, like a code sent to your phone. “Multifactor authentication is a very low-hanging fruit,” he says. “It’s usually something that’s easy to implement.” Easy, and incredibly effective at stopping hackers in their tracks.

The other game-changer? Good backups.

And not just having backups, but having them readily available and, crucially, tested. “Having access to backups that you know you’ve tested the ability to recover from can make a huge difference,” Fenaroli advises. It can be the one thing that lets you avoid paying a ransom and gets your business back online quickly.

Finding the Right Fit, Especially for Smaller Businesses

Let’s be honest, if you’re running a non-profit or a local retail shop, your needs are way different from a Fortune 500 company. PHLY has really focused on this small-to-medium enterprise (SME) space—companies with revenues up to about $250 million.

“We have a dedicated team of underwriters focused on SME business,” Fenaroli says. “We pride ourselves on being flexible in our approach. We want to make sure that we’re tailoring the contract to the policyholder’s needs.”

This is where the human touch makes a real difference. Instead of relying on automated systems to spit out a quote, they have real underwriters looking at each application. This allows them to have a conversation and truly understand the business.

A lot of smaller organizations just don’t know what they don’t know. Fenaroli sees it all the time with social service agencies that are told they need cyber insurance for a state contract. “They often believe they only need third-party liability coverage if they’re sued for negligence,” he says. But that’s a huge blind spot.

He stresses the importance of having coverage that gives you immediate access to a breach response team, forensic experts, and even negotiators who know how to deal with hackers. That’s not something you want to be figuring out on your own in the middle of a crisis.

Unsurprisingly, their biggest success comes from talking to their existing clients. “That’s frankly where we have the most success: cross-selling our existing policyholders,” he notes, particularly non-profits and human services accounts.

So, Is Now a Good Time to Get Covered?

After the chaos of 2020-2022, the market has started to calm down a bit. According to Fenaroli, we’re in a much better spot now.

“We’re in a soft market now, and there’s probably never been a better time for buyers to consider cyber insurance,” he says.

The industry has matured. Policies are more standardized, making them easier to understand and compare. While PHLY and other carriers did pull back a bit when things got crazy, Fenaroli is clear: “we are in the market to stay.”

The threats aren’t going away. If anything, they’re just going to keep evolving. Having an insurance partner who gets the risks and understands the needs of your business is more valuable than ever. It’s not just about a piece of paper; it’s about having a team in your corner when things go wrong.

As Fenaroli puts it, “There’s significant expertise built into our relationships that clients can immediately access.” And in today’s world, that expertise might just be the most valuable thing you can buy.
