The $1M policy that only pays $50K
Your cyber policy can carry a $1M limit and still pay a small fraction of that on the claim you're most likely to have. The reason is a single word most owners have never had explained to them: sublimit.
What a sublimit actually is
A sublimit is a smaller cap buried inside the big headline number. The policy says $1M across the top — but for specific, common types of loss, it quietly limits the payout to a much smaller figure. Think of the $1M as the size of the tank and the sublimits as a series of taps, each of which only lets so much out for a given kind of claim.
The catch is that the losses SMEs actually suffer tend to be the ones with the lowest sublimits.
The buckets that get capped
- Social engineering / fraudulent transfer. An employee gets tricked into wiring money to a fake account. This is one of the most frequent SME losses — and it's routinely sublimited to $25,000–$50,000, or excluded entirely unless you've specifically endorsed it.
- Ransomware & cyber extortion. Some markets cap the ransomware payout well below the policy limit, and may require proof of multi-factor authentication before they'll pay at all.
- Funds transfer fraud. Treated as a separate bucket from social engineering, and it often carries its own smaller cap.
- Regulatory fines & penalties. Where insurable, frequently limited.
- Vendor / dependent business interruption. If a supplier's outage hits your income, the recovery is often sublimited or excluded.
What this looks like in real life
A 20-person Ontario firm received what looked like an urgent invoice from a known vendor. Under pressure, an employee wired $80,000 to the account in the email. The money was gone. When they turned to their cyber policy, they found the social-engineering sublimit was just $10,000 — and even that was denied, because they hadn't enabled MFA. A $1M policy, a $70,000-plus hole.
The policy wasn't "bad." It just wasn't read closely before it was needed.
The three questions to ask your broker
- "Show me every sublimit on this policy — not just the headline limit."
- "Is social engineering covered, and at what amount? What conditions trigger it?"
- "What controls (MFA, backups) do I have to maintain for ransomware to pay in full?"
Find your sublimit gaps in 2 minutes
Run your policy through the free Coverage Assessment, or have me read your actual wording and flag the buckets that would leave you exposed.
By J.R. Genua, CCIS — Certified Cyber Insurance Specialist. Adapted from the free guide Cyber Risk & Canadian SMEs.