Cyber insurance is a hot topic because cyber attacks continue to rise steeply. Small to mid-sized business (SMB) leaders have many questions, such as:
- Is cyber insurance necessary?
- Who needs cyber insurance?
- What is cyber insurance exactly?
- What does it cover?
- How much does it cost?
Let’s get these questions answered!
What is Cybersecurity Insurance?
Cyber insurance (also known as cyber liability insurance or cyber risk insurance) is a coverage plan offered by most major insurance companies. It protects your business’s digital assets in the event of a data breach or cybersecurity threat.
An insurance provider may also offer tools and resources to prepare you for a breach and reduce your cyber risk.
Why Cyber Insurance May Be Worth it to Your SMB
Modern businesses rely on cloud technology, which makes cybersecurity threats and breaches unavoidable. Here are some key facts:
- 43% of cyberattacks target small businesses (CISA, 2021).
- The costs of cyber attacks can be far greater than cyber insurance and cybersecurity costs (Teal, 2024).
- 60% of SMBs go out of business within six months of a cyber attack (Verizon, 2022).
Cyber liability insurance can strengthen your cybersecurity plan when combined with basic cybersecurity measures (e.g., MFA, endpoint protection, updated and patched systems, etc.).
Your cybersecurity can be handled in-house or by a managed service provider, but it’s important to remember that cyber insurance should complement, not replace, your established cybersecurity best practices. It provides an additional layer of protection that can make recovery easier.
A good policy covers many expenses your SMB will incur after an incident. Small businesses can get detailed coverage plans. Plus, many insurance providers offer industry-specific coverage to ensure your regulatory needs are met.
Be sure you understand what is, and what is not, covered by any policy you are considering.
What Does Cybersecurity Insurance Cover?
A cyber insurance policy covers businesses in any industry after a cyber attack. The coverage includes costs tied to the digital attack. This may include:
- Downtime costs
- Data recovery costs
- Costs of notifying customers
- And more
Most insurance providers offer the following cyber insurance coverage:
Legal
This includes legal counsel and defense related to a breach.
Cyber Extortion
Cyber extortion is when a cybercriminal prevents access to data and/or devices, or threatens to release sensitive personal data, in return for a ransom (i.e., a ransomware attack).
This coverage includes expenses associated with a ransom charged during an attack.
Betterment
Expenses related to improving your digital assets, both hardware and software, after a breach.
Crisis Management
The cost of limiting a breach’s damage to your company’s reputation. This includes costs associated with notifying affected customers.
Forensic Investigations
Covers the costs of breach investigation to determine the source, type, and scope.
Business Disruption
Financial losses, in both income and expenses, related to the disruption of standard operations because of a breach.
Regulatory Defense Fines and Expenses
Financial coverage for regulatory or compliance fines or sanctions.
What May Not Be Covered by Cyber Insurance?
It’s important to know what is often not covered by cyber insurance so that your expectations match the policy. You can expect that many policies will not cover:
- Future profits
- The cost associated with improving cybersecurity after an attack
- Loss of value linked to the theft of intellectual property
- Loss suffered from a breach due to war, invasion, or terrorism
- Damage to the company’s reputation or brand
How Much Does Cyber Insurance Cost?
As you might expect, this is going to depend on your organization and your needs, but we’ll give you an average.
Premiums depend on:
- The strength of your cybersecurity measures
- The size of your business
- The coverage you want
- Your industry
- And more
AdvisorSmith reported the average cost of insurance in 2021 was $1,589 per year (or $132/month). However, costs have gone up. This is due to the increase in the cost of breaches, ransomware, and other cyber threats.
On average in 2024, small businesses can expect to pay around $1,740 annually, roughly $145 per month, for cyber insurance coverage.
Cyber Liability Insurance vs Data Breach Insurance
Cyber liability insurance gives you the strongest protection. This is because it offers first-party (e.g., cost to repair damaged property, lost revenue, investigation costs, etc.) and third-party coverage (e.g., legal fees and/or compliance fines related to the attack). Data breach insurance only provides first-party protection.
5-Step Cyber Insurance Shopping Guide
1. BEFORE YOU SHOP: Find Out Whether Your Current Business Owners Policy Covers Cyber Losses
If you have standard business insurance coverages such as General Liability, Professional Liability, and Errors and Omissions, ask your insurance carrier whether these cover losses related to data breaches or other cyber threats.
Some coverages may be very limited. For example, losses from fraudulent wire transfers may only be covered if your employee followed certain security protocols when making the transfer. Or the coverage may apply only to officers and executives.
According to InsuranceBee’s Cyber Survey of SMB owners:
- 83% don’t have enough money set aside to recover from a cyber attack or data breach.
- Of the 17% that have set aside money, few have considered the reputational or legal costs of a cyber attack.
2. WHEN YOU DECIDE TO SHOP: Get Expert Assistance
Cyber insurance — especially for smaller businesses — has improved greatly, but it’s still relatively new. The coverages and terminology aren’t standardized yet, so don’t wade into this muddy water without a life preserver.
Look for a business insurance broker and/or an attorney who has specific experience with this type of coverage.
3. WHILE YOU SHOP: Look Beyond Coverage Names — Get Details
A broker or attorney can help you sort through the various coverages available. But let’s give you a head start. In general, cyber insurance coverages fall into two buckets: first-party and third-party.
The Federal Trade Commission has a useful breakdown of the coverages you should look for in those two categories:
First-party cyber coverage protects your data, including employee and customer information. This coverage typically includes your business’s costs related to:
- Legal counsel to determine your notification and regulatory obligations
- Recovery and replacement of lost or stolen data
- Customer notification and call center services
- Lost income due to business interruption
- Crisis management and public relations
- Cyber extortion and fraud
- Forensic services to investigate the breach
- Fees, fines, and penalties related to the cyber incident
Third-party cyber coverage generally protects you from liability if a third party brings claims against you. This coverage typically includes:
- Payments to consumers affected by the breach
- Claims and settlement expenses relating to disputes or lawsuits
- Losses related to defamation and copyright or trademark infringement
- Costs for litigation and responding to regulatory inquiries
- Other settlements, damages, and judgments
- Accounting costs
Cyber insurance coverages and package names differ from carrier to carrier, more so than for more established products like auto and home insurance. That’s why you need to ask specifically about whether the policy you’re considering addresses the items above.
Also, for each coverage, check the restrictions and dollar limits, and the policy’s exclusions.
4. WHEN YOU’RE APPLYING FOR A POLICY: Fill Out the Application Very Carefully
When you fill out a cyber insurance application, you’ll probably be asked about certain data protections and policies you currently have in place. That information will be verified should you suffer a loss, and if your answers prove incorrect, your policy may be void.
This would be especially catastrophic if your firm is targeted by a class action lawsuit, which is becoming more of a possibility.
If you work with an IT services provider, you may need to bring them in on the process. We’ve helped Teal clients answer insurance application questions about their cybersecurity measures and IT infrastructure.
5. AFTER YOU HAVE CYBER INSURANCE: Notify Your Insurer Immediately if You Detect a Data Breach (Even if You’re Not Sure)
One of the more difficult, costly and time-consuming results of a data breach is complying with regulations regarding who must be notified, how, and when. Some insurance carriers have specialists or teams that help walk firms through these obligations, step by step.
"Even if data may have been exposed because of an internal mistake, notify your insurer right away."
- Reid Johnston
The sooner the insurance company knows there may be a problem, the faster and more efficiently they can help you fix the problem and clean up after it.
So, Who Needs Cyber Insurance?
So, who needs cyber insurance? Short answer, cyber insurance may not be right for everyone (or their wallet). However, even if your business has an excellent cybersecurity program — let’s call that Plan A — you can’t eliminate risks from hacking, fraud, or mistakes that can expose you to enormous costs.
That’s why you probably need a Plan B: cyber insurance.
It’s an excellent option that can give you extra protection in a fast-growing and increasingly volatile digital landscape.
There’s definitely a time when you shouldn’t be worried about cyber insurance at all…
And that’s if your SMB does not have a cybersecurity foundation yet. Our cybersecurity experts agree that you should implement our first 10 defense-in-depth measures before going shopping for any cyber insurance.
On the other hand, if you already have robust cybersecurity measures in place, cyber insurance may be the risk-management strategy you’re looking for.