- Email security and payment verification matter because the most common financial losses still start with a message that looks routine.
- Backups only count if they are tested, segmented, and usable under pressure.
- Vendor risk is now operational risk. If a critical partner fails, your customers will still hold you responsible.
- Insurance helps fund response and recovery, but it does not replace MFA, patching, approval controls, or incident ownership.
The 12 Questions
A strong self-assessment is short enough to complete honestly and specific enough to expose weak operating habits. If more than three of these answers are 'no' or 'not sure,' the business likely has meaningful cyber readiness gaps.
- Do all admin, finance, email, and remote-access accounts require enforced MFA with no exceptions?
- Are wire changes, vendor bank updates, and urgent payment requests verified out-of-band by phone or another trusted channel?
- Can you identify every outside provider that hosts, processes, or stores critical business or customer data?
- Are backups segmented from production, immutable or at least not writable with routine user and admin credentials, and restore-tested on a defined schedule?
- Do you patch internet-facing systems and perimeter devices on a clock your leadership team can describe?
- Do you know who has privileged access, and is that access removed promptly when roles change?
- Do employees receive phishing-awareness training tied to realistic payment, invoice, and login scenarios, rather than generic reminders?
- Can your business continue core operations for 24 to 72 hours if email or one major SaaS platform is unavailable?
- Do contracts with key vendors define security responsibilities, notice timing, and indemnity expectations?
- Is there a named incident leader plus backups for legal, communications, finance, and technology decisions?
- Have you documented which systems contain regulated or sensitive data and what notification duties would apply after an event?
- Does your cyber policy match your actual exposure, including social engineering, business interruption, privacy claims, and incident-response services?
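Questions 1 and 6 above (enforced MFA on in-scope accounts, and privileged access that is actually removed when people leave or change roles) are the two that most businesses answer "yes" to from memory and then fail when someone checks. The check itself is mechanical once two exports exist: an account list from the identity system and an employee roster from HR. The script below is an added example written for this page, not AZBIZINS code or any vendor's tool; the group names, field names, the 45-day stale threshold, and both datasets are constructed assumptions, so substitute the real exports from your own tenant.

```python
"""Reconcile an identity export against an HR roster to find readiness gaps.

Added example, not code from the original page. Assumptions (constructed):
 - PRIVILEGED_GROUPS maps each privileged group to the department that owns it.
 - The account export carries name, groups, mfa_enforced, enabled, last_sign_in.
 - The HR roster carries employment status and current department per person.
"""
from datetime import date, timedelta

# Assumption: privileged group -> department that should hold that access.
PRIVILEGED_GROUPS = {
    "Domain Admins": "IT",
    "Global Administrator": "IT",
    "VPN Admins": "IT",
    "Finance Approvers": "Finance",
}
# Checklist item 1: admin, finance, email and remote-access accounts all need MFA.
MFA_REQUIRED_GROUPS = set(PRIVILEGED_GROUPS) | {"Remote Access", "Mail Users"}
STALE_DAYS = 45  # assumption: privileged account unused this long is a review item


def review_access(accounts, hr_roster, today):
    """Return (severity, account, finding) tuples, highest severity first."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account is not an exposure for this review
        name = acct["name"]
        groups = set(acct["groups"])
        priv_groups = groups & set(PRIVILEGED_GROUPS)
        sev_if_priv = "high" if priv_groups else "medium"
        person = hr_roster.get(name)

        # Checklist item 6: does HR still know this person, and in which role?
        if person is None:
            findings.append(("medium", name, "enabled account with no HR record"))
        elif person["status"] == "terminated":
            findings.append((sev_if_priv, name, "enabled account for terminated employee"))
        else:
            for g in sorted(priv_groups):
                if PRIVILEGED_GROUPS[g] != person["department"]:
                    findings.append(("high", name,
                                     f"member of {g} but now in {person['department']}"))

        # Checklist item 1: MFA enforced on every in-scope account, no exceptions.
        if groups & MFA_REQUIRED_GROUPS and not acct["mfa_enforced"]:
            findings.append((sev_if_priv, name, "MFA not enforced"))

        # Privileged access nobody uses is access nobody will notice being abused.
        if priv_groups:
            last = acct["last_sign_in"]
            if last is None or (today - last).days > STALE_DAYS:
                findings.append(("medium", name,
                                 f"privileged account unused for more than {STALE_DAYS} days"))

    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1], f[2]))


def count_by_severity(findings):
    """Summarise findings as {severity: count} for the leadership one-pager."""
    counts = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


# Constructed sample data standing in for the two exports.
TODAY = date(2026, 3, 2)
ACCOUNTS = [
    {"name": "alice", "groups": ["Domain Admins", "Mail Users"], "mfa_enforced": True,
     "enabled": True, "last_sign_in": TODAY - timedelta(days=1)},
    {"name": "bob", "groups": ["Finance Approvers", "Mail Users"], "mfa_enforced": False,
     "enabled": True, "last_sign_in": TODAY - timedelta(days=3)},
    {"name": "carol", "groups": ["Mail Users"], "mfa_enforced": False,
     "enabled": True, "last_sign_in": TODAY},
    {"name": "dave", "groups": ["Domain Admins"], "mfa_enforced": True,
     "enabled": True, "last_sign_in": TODAY - timedelta(days=80)},
    {"name": "erin", "groups": ["Mail Users", "Remote Access"], "mfa_enforced": True,
     "enabled": True, "last_sign_in": TODAY - timedelta(days=2)},
    {"name": "frank", "groups": ["Finance Approvers", "Mail Users"], "mfa_enforced": True,
     "enabled": True, "last_sign_in": TODAY - timedelta(days=5)},
    {"name": "grace", "groups": ["Domain Admins"], "mfa_enforced": False,
     "enabled": False, "last_sign_in": None},
]
HR_ROSTER = {
    "alice": {"status": "active", "department": "IT"},
    "bob": {"status": "active", "department": "Finance"},
    "carol": {"status": "active", "department": "Sales"},
    "dave": {"status": "terminated", "department": "IT"},
    "frank": {"status": "active", "department": "Sales"},  # moved out of Finance
    "grace": {"status": "terminated", "department": "IT"},
    # erin: contractor never entered in HR (constructed gap)
}

if __name__ == "__main__":
    results = review_access(ACCOUNTS, HR_ROSTER, TODAY)
    for sev, name, finding in results:
        print(f"[{sev:6}] {name:6} {finding}")
    print(count_by_severity(results))
```

In the constructed data the review surfaces six items: a finance approver and a mail user without MFA, an enabled domain admin for a terminated employee (who is also stale), a former finance employee still in the approver group, and an account HR has no record of. Alice passes every check and the disabled account is ignored. The point is not the script but the habit: run it, or its equivalent, on a calendar, and treat every line it prints as a "no" on the self-assessment until it is fixed.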
What 2026 Claim Data Says About Priorities
The reason this checklist puts so much weight on email, approvals, and recovery is simple: that is where the claims are clustering. Coalition’s 2026 report shows that business email compromise and funds-transfer fraud still dominate frequency, while ransomware drives large-severity events.
- Coalition reports that 52% of funds-transfer fraud claims originated as business email compromise.
- It also found that 71% of all funds-transfer fraud claims were driven by social engineering.
- CISA’s small-business guidance continues to emphasize enforced MFA, prompt patching, and controls that are verified in practice rather than asserted in a policy memo.
The Minimum Response Standard
Cyber-ready does not mean perfect. It means the business can detect, contain, communicate, and continue. That standard is realistic for a U.S. small or mid-sized company, but only if leadership treats cyber operations as part of normal business continuity.
- Document a one-page incident escalation plan with names, phone numbers, and authority levels.
- Separate technical recovery work from payment authorization, customer communication, and legal review.
- Run at least one tabletop exercise built around a ransomware event or vendor compromise, not just a generic phishing example.
Prepared by AZBIZINS for U.S. commercial insurance buyers who need current, plain-English guidance.