What does cyber insurance cover?
In general, cybersecurity insurance includes two types of coverage: first-party and third-party coverage.
First-party coverage. This covers expenses incurred directly by your company as a result of a covered cyber peril. Some examples of first-party coverages include:
- Business interruption caused by the incident
- Forensic investigations and system repairs
- Data recovery
- Ransom payments
- Public relations expenses related to the covered incident
Third-party coverage. This covers the damages resulting from lawsuits or other litigation related to the cyber attack. Examples of this type of coverage include:
- Cost of hiring lawyers to defend yourself from lawsuits brought by clients
- Settlement fees
- Court-ordered damages
- Regulatory fines
Not all policies are the same, so read carefully before buying and ask questions of your agent or insurance company to ensure that you understand what is and isn’t covered.
What does cyber insurance not cover?
Cyber insurance policies don’t cover all cyber incidents. Among possible exclusions:
- Cyber attacks that exploited a known vulnerability
- Incidents caused by employees, either intentionally or through neglect
- Attacks by other countries
- Loss of company value or future revenue
- Cybersecurity breaches that are the result of social engineering
Why is cyber insurance important?
Both the rate of cybercrime and the cost of the resulting losses have increased over the past several years. The most recent annual report from the FBI's Internet Crime Complaint Center (IC3) showed increases over the past five years in both the number of cybercrime complaints and the losses resulting from them. The number of global complaints rose from just over 465,000 in 2019 to over 880,000 in 2023. The total losses also increased from $3.5 billion in 2019 to approximately $12.5 billion in 2023.
According to the National Association of Insurance Commissioners (NAIC), over 33,500 cyber liability claims were filed in 2023, an increase over the previous year. The NAIC also forecasts that ransomware, business email compromises and data breaches will continue to be the main drivers of claims going into 2025.
In this climate of increasing incidents and costs, having a plan to deal with a cyber attack is more important than ever. A cyber liability insurance policy can be an important part of that plan, helping to blunt some of the costs resulting from an incident.
Who needs cyber insurance?
Most small businesses – especially those that handle credit card or personal data – should consider cyber insurance.
“A cyber insurance policy makes sense for any business that collects or uses personally identifiable information,” Bentz says. “Most third-party actions after a cyber incident are styled as class or mass actions. This means that the exposure to small business can be catastrophic unless the small business has adequate insurance that can respond to and mitigate that exposure.”
What small businesses benefit the most from cyber coverage?
Munich Re’s report, “Cyber Insurance: Risks and Claims 2024,” lists the top six industries filing privacy claims, such as data breaches, in order from most to least:
- Finance
- IT
- Healthcare
- Business and professional services
- Retail
- Manufacturing
For ransomware, the industries are the same, but the order shifts with manufacturing being the most affected and finance being the least affected.
If your business operates in these six industries, you may want to investigate whether a cyber liability policy is necessary.
How does cyber liability insurance work?
Cybercrime insurance works by providing companies with financial protection in the event of cybercrimes such as data breaches, ransomware and other covered perils. This can include the costs of hiring cybersecurity experts to track down the source and extent of a breach, paying for interruptions to your business if you have to close while the situation is resolved, or paying the ransom in a ransomware attack.
Before offering you a policy, an insurance company may perform a security check on your system and make suggestions for improving your current security.
Some insurers, after you notify them of an incident, may be able to put you in contact with professionals who can help mitigate and investigate the attack. How much help your policy provides will depend on the company.
How much does cyber insurance cost?
The average cost of cybersecurity insurance is $1,740 a year, according to small business insurance broker Insureon.
However, what you pay will depend on several factors including your coverage limits, your cyber risk level, the number of employees you have, your history of insurance claims, the type of policy you purchase and the business you’re in.
Here are some sample average annual premiums by industry.
Industry | Annual rate |
---|---|
Building design | $1,002 |
Construction | $1,130 |
Healthcare professionals | $952 |
IT/technology | $1,775 |
Media and advertising | $1,295 |
Professional services | $1,480 |
Retail | $683 |
Source: Insureon
How to decide if cyber insurance is worth it
Each business, of course, will have to decide for itself whether the cost of a cyber liability policy is worth it.
Some questions you can ask yourself:
- Can my business afford to pay for all the potential expenses related to a cyber incident? If there was an incident, would your business be able to cover expenses such as the recovery of lost data or the services of a firm to track down and repair any system or network issues?
- Does my business store customer or vendor information? Does your company keep data related to its vendors or customers? This could be financial information or contact or identifying information.
- Do my current insurance policies cover business interruption caused by a cyber attack? A policy, such as a business interruption policy or a business owners policy (BOP), that includes business interruption coverage will typically only cover perils such as theft or fire.
- What are the chances of my company experiencing a loss? While any business with an online presence can be a victim of cybercrime, some industries, such as financial services or healthcare, may be more at risk than others.
How much cyber liability insurance do I need?
Here are some questions to ask yourself when determining how much cyber insurance you need:
- How large is my business? Larger businesses will typically require more coverage than smaller ones.
- Does my business store any personally identifiable information (PII)? This could include names, dates of birth, payment information and Social Security numbers. If you store PII, you may be liable if the information is stolen.
- Does my business store any health information? Health information may be covered by HIPAA and result in higher fines than other types of information if it is compromised or breached.
- What is the cost of hiring a lawyer or forensic experts in my area? Hiring outside specialists can often be expensive.
When determining how much coverage you should carry, ensure you have enough to adequately pay for any services you need, whether legal or technical, after a cyber attack.
“One of the biggest mistakes that we see companies make when they purchase cyber insurance is failing to make sure that they can hire the law firm and forensic providers that they want,” Bentz says. “When a carrier sets the defense rates too low, insureds find that they either cannot hire the law firms or forensic providers that they want to use, or that they have to pay a significant amount of the defense costs themselves.”
Bentz tells the story of a company that was the target of a consumer class action lawsuit after a data breach. Unfortunately, in that case, the company’s policy provided limited funds for legal defense – $209 per hour. This proved to be too low for many reputable law firms and Holland & Knight had to decline to represent the company – although they did offer the insured the option to pay the difference between its rates and what the insurance company would cover. The company declined the law firm’s offer.
The story serves as an example of how important it is to get the right coverage – and the right amount of coverage.
“Some insurance companies use artificially low rates … to try to control costs and provide lower premiums to their insureds,” Bentz says. “Insureds like the lower premiums until they have a claim and realize the true cost of those lower premiums.”
A licensed agent or broker can help you determine the right amount of coverage for your business.
Which insurers offer cyber liability insurance?
Many companies offering business insurance offer a cyber liability insurance option, either as an add-on for a business owner policy, a separate policy or both. Below is a list of just a few insurers that offer cyber insurance policies:
- AIG
- Chubb
- The Hartford
- Liberty Mutual
- Nationwide
Limitations of cyber liability insurance
While cyber liability insurance covers a lot of things, ranging from paying for credit monitoring for clients and customers to covering losses resulting from business interruptions, it doesn’t cover everything.
As discussed above, it typically doesn’t cover incidents that an insurance company determines to have resulted from negligence or employee misconduct.
It also won’t cover all types of cyber attacks. For example, many policies won’t cover data breaches that result from social engineering.
Cyber liability policies also are limited by the amount of coverage you have in your policy as well as any deductibles.
Cyber insurance: FAQs
How is cyber insurance different from general liability insurance?
Commercial general liability policies typically exclude cyber perils. They are more likely to cover bodily injury, property damage, slander and false advertising.
Does cyber insurance cover ransomware attacks?
Typically yes. Many cyber liability insurance policies provide coverage for ransomware attacks.
Will my cyber insurance premiums increase after a claim?
Not necessarily. While some companies will increase premiums after a claim, a bump in rates may depend on several factors such as the claim you just filed, your claims history, and your insurance company.