Cybersecurity is now a major priority for every business. Cyber crime is expected to cost global businesses $6 trillion by the year 2021, and the victims are not limited to major enterprises. Out of the 28 million small businesses in the US, 14 million had been victims of cyber crime by 2016. The risk is real for all companies, and the consequences run deep. In order to manage that risk, companies are increasingly relying on data breach insurance to recoup costs and provide stability. This overview will help you decide if this coverage option is right for your business.

What is data breach insurance?

This type of coverage is more commonly known as cyber liability insurance, and it may go by a slightly different label depending on the insurer. In all cases, however, this type of coverage kicks in after a company has fallen victim to a cyber incident. The types of incidents covered, types of damages paid, and types of coverage limits offered are entirely up to the insurer. But with the right data breach insurance policy, companies are protected from one of the most common and consequential types of risk they face.

What does data breach insurance cover?

There are not any policies on the market that offer "complete coverage" against all types of cyber attacks and any form of damage. Instead, companies identify the types of threats they are most vulnerable to and then seek out appropriate coverage options and limits. The details of coverage are up to the insurer, but typically they cover against some or all of the following components:


In the wake of any kind of data breach it's necessary to thoroughly investigate the causes and authoritatively identify ways to prevent the problem in the future. Investigations may be conducted by third-party firms or involve official law enforcement. Coverage is available to cover the cost of the investigation, and, in some cases, the cost of the upgrades and additions that must be made to the cybersecurity infrastructure.

Business losses

A data breach creates a number of immediate and ongoing costs. The cost of network downtimes and interrupted business workflows cuts deeply into the bottom line. Damage to the reputation of a brand makes it difficult to retain old customers and recruit new ones. Certain types of data breach insurance pay for these costs so that cyber incidents don't lead to financial catastrophes.

Privacy and notification

In many states and municipalities companies are required by law to notify anyone affected by a data breach. They may also be mandated to provide credit monitoring services or other forms of restitution. Considering that data breaches can easily affect thousands or millions of users, the response is often expensive. Specific coverage options offset some or all of that cost.

Lawsuits and extortion

Cyber crime often exposes companies to lawsuits or fines/fees from regulatory agencies. In the instance of ransomware, companies must pay to restore access to critical data and applications. These two costs are very different but potentially very significant. With data breach insurance in place the financial burden does not fall entirely on the company.

Who needs data breach insurance?

It is a mistake to think that some companies are more vulnerable to attack while others are more immune. If the recent history of cybersecurity has anything to teach us, it's that every company is vulnerable and no level of protection is complete. The techniques of cyber crime have matured, and hackers now have the incentive and the ability to target almost any organization, public or private, large or small. That being said, the following five industries were the most likely to be attacked in 2017:

  • General business
  • Medical/healthcare
  • Education
  • Banking/credit/finance
  • Government/military

Does business insurance cover cyber crime?

Many businesses learn the hard way that it does not. It's understandable to think that general liability insurance would cover some types of data breaches, but the coverage is very limited when it exists at all. A company may be protected if data is degraded because of something like a fire at the office. The same is not true when the damage is due to cyber crime. As with all types of insurance, assuming your business is protected is never a sound strategy. Understanding the gaps that exist in your current coverage levels helps to underscore just how important data breach insurance is.

Does data breach insurance make business sense?

There is no business on earth that carries every single type of insurance available. That level of protection borders on paranoia, and the ongoing costs outweigh whatever payouts the policies provide. However, the opposite strategy is just as risky. Choosing to forego coverage gambles that cyber crime will never be a problem, or will be just an inexpensive one. The question that all decision makers must ask is whether the value of protection outweighs the cost. In order to aid your calculations, consider a few statistics:

  • Cyber attacks cost U.S. enterprises $1.3 million on average in 2017.
  • 60 percent of small businesses fail within six months of a cyber attack.
  • Consumer concerns about data privacy cause delays in 65 percent of sales cycles.

Is a data breach insurance broker necessary?

One of the more frustrating things about data breach insurance is how new it is. It has existed for over a decade but has only recently become a common coverage option. As a result, there is a lot of confusion about what various policies entail. It may be tempting to seek out an insurance broker to clear up questions and confusion, but it's less of an asset than many expect.

There are now extensive resources online that empower companies to compare the terms, conditions, limits, and deductibles of various policies on their own. In the process, they avoid the middleman markup and get access to information on their own time and terms. Considering data breach insurance is essential, but considering it with the aid of a broker is not.

How to select data breach insurance

The important question is not whether or not your business needs data breach insurance. Rather, the question is which types of coverage provide sufficient levels of protection at sustainable levels of investment. That is not an easy question to answer, and it's different for every business. Further complicating things is the fact that so much is riding on the policy you choose. As you begin to survey your options, follow these steps to calibrate your coverage needs:

Assess your risk

Some companies are more vulnerable because they have a heavy dependence on technology, work with particularly valuable data, or have a history of difficulty in terms of cybersecurity. No company is free of risk, but some need insurance more than others.

Estimate your assets

In the immediate aftermath of an attack, companies must cover myriad costs. Determining how much they have available to invest and how that affects their finances over the short and long term reveals a lot about the real consequences of an attack.

Evaluate your current coverage

Understanding how much other types of insurance will or will not cover cyber incidents further illustrates how damaging an attack will be. Reach out to your current insurer if there is any uncertainty about the strict definition of coverage limits.

Compare various policy options

Finding the right policy depends on comparing quotes from multiple insurance providers for the same basic types of coverage. Comparison shopping helps decision makers find the best price available while highlighting the differences between various coverage options. Online tools like this site make it easy to compare options in depth.

Upgrade existing security

This point must be understood – data breach insurance does not protect against data breaches. It merely aids in the recovery effort. It's up to each company to put cybersecurity technologies and policies in place intended to deflect a data breach rather than just mitigate or minimize it. Data breach insurance policies often mandate that companies maintain certain baseline levels of protection.

Look for value-added services

Some insurers offer policyholders free or discounted access to cybersecurity consulting services, training resources, or legal aid. These services alone are not enough to recommend one policy over another, but they should be factored into the decision-making process.

Explore the details in depth

Minor differences in language may lead to major differences in coverage. Before committing to any particular policy, it's essential to explore every detail and analyze exactly where coverage begins and ends. The insurer should be eager and able to provide information to clear up any confusion. One particular area to focus on is whether the insurer requires claimants to work with only pre-approved vendors or allows working with any vendor.

Review the claims process

If a business is paying for coverage it should understand exactly how to access that coverage. That process should then be integrated into the cybersecurity response plan. Since data breach insurance provides resources that apply in the immediate aftermath of a breach, there cannot be any confusion or delay when making a claim.

Signing up for data breach insurance is the start of the process, not the end. Policyholders have added an important component to their cybersecurity arsenal, and they should feel much better protected as a result. But they should not feel completely protected, especially as hackers become more sophisticated and more tenacious at the same time. Adding data breach insurance is just one crucial step in an ongoing and proactive cybersecurity strategy.