What Is Cyber Insurance?

Cyber insurance pays to help your small business recover from a data breach or cyberattack. Many people are aware that a cyberattack can be costly, but many fail to understand just how damaging one can be to a small business. When a company's IT systems are compromised, business can be interrupted or forced to halt.

A public relations firm may need to be hired to assist with managing the damage to reputation. New employees may need to be hired to take calls from concerned customers. Government fines might be levied against the business. The law might require a forensic investigation. This is to assess the extent of the damage. The cost of these scenarios can be astronomical and can even sometimes force a business to close. A breach of cybersecurity has harmful and expensive repercussions. Cyber insurance protects your business from some of them.

What does it cover?

Most cyber insurance policies are split into two types of coverage: first-party liability and third-party liability. To put it simply, first-party coverage protects your business from losses that could occur as a direct result of the breach itself. Third-party coverage protects you from the "domino effects" of the event. In particular, it covers lawsuits from other businesses that might be filed as a result of a data breach.

The following are some common examples of first-party coverage options for cyber insurance policies.

  • Business interruption: Protects against money lost from having to halt regular operations. This could mean after organization data is compromised, a website is broken, e-commerce functionality is lost, etc.
  • Data loss and restoration/e-theft: Provides coverage to protect against damages from stolen data and/or software. Data loss and restoration also pays for recovery of data when possible. This sometimes includes unauthorized fund transfers that occur in an attack.
  • Damaged or lost equipment: Pays for replacement or repair of computers. This includes hardware, assets, or other technological equipment that could be stolen or harmed by cyber criminals.
  • Loss of communication: Covers losses when a hack leaves a business unable to correspond with internal colleagues or clients. Loss of communication sometimes covers the loss of email data.
  • Forensic investigation: Pays fees associated with figuring out whether a breach happened or not, how much damage occurred, and how to stop it.
  • Extortion: This coverage protects a business from cyber criminals who may demand a ransom for information or threaten to disclose sensitive data unless they are paid. It pays for information to be released back to its proper owner. Extortion coverage sometimes pays for a criminal to stop damaging or stealing a business's files.

The following are some examples of third-party coverage options commonly seen in cyber insurance policies.

  • Litigation coverage: Customers or other third parties may sue a business after their information is compromised in a cyberattack. Litigation coverage pays expenses associated with court fees, lawsuits, settlements, or judgments.
  • Transmission of malicious content/transmission of damage: This covers you if a customer's or partner company's data or technology is damaged by a malware program. It would also cover damage from a virus that is introduced.
  • Crisis management: Crisis management coverage pays for you to hire a public relations firm. This would be to manage customers and your business's reputation in the event of a data loss.
  • Media liability: Pays your expenses in managing copyright or trademark infringement as a result of a hack.
  • Notification costs/privacy notification: This is similar to crisis management coverage. It pays the costs of letting customers know their information may have been compromised.
  • Credit monitoring: Pays for costs associated with offering credit monitoring services to clients whose personally identifiable information may have fallen into the wrong hands.
  • Regulatory coverage: Regulatory coverage pays to complete a forensic investigation. It also pays to comply with other governmental inquiries after a cybersecurity breach. This may also cover fines and penalties owed by your business after a data security loss.
  • Privacy liability: This covers your business against the repercussions of losing a client's proprietary or personal information.
  • Defamation or slander: This provides coverage against reputational harm caused by a data breach.

Does my liability or third-party coverage cover cyberattacks?

Most business insurance policies will pay for the cost of physical damage to hardware or other assets that may be harmed in a cyberattack. But it is unlikely that your business's liability or third-party coverage will cover the costs associated with other losses from a data breach. You should read your business insurance policy to confirm what type of coverage you have. Most business owners should be prepared to purchase a separate cyber insurance policy.

Most of the financial burden that follows a data breach comes from several sources. These include government fines, system downtime, and reputational damage. Other sources are data recovery and other expenses, which may include external vendors such as forensics investigators, public relations firms, and lawyers. Your policy must explicitly state that those expenses will be covered in a cyberattack. Otherwise, your business is unlikely to receive a claims settlement from your insurance to cover the costs described above. Many companies providing cyber insurance are able to customize coverage. This extends coverage to what is not included in your standard business insurance policy.

What happens if I am not covered?

Let's say your current insurance does not provide the cyber insurance coverage your business needs. In that case, you will need to buy a separate policy elsewhere. We recommend contacting several insurance providers. You should gather at least two or three quotes to compare prices, coverage limits, and special features.

Conducting a regular risk analysis will help you understand what types of coverage you need. It will reveal what cyber risks exist in your particular industry and circumstances. It will also find the gaps in your IT systems. Most experts recommend performing a risk analysis annually. You should correct as many problems as possible internally. Make a plan for how your organization will respond should a cyberattack be discovered. The analysis will alert you to where the weak points lie in your current framework. An initial risk analysis will also inform you of what coverage features you need. It will help guide your purchase of insurance.

Does my outsourced IT team cover this?

In our research, we have not been able to find an IT vendor that assumes liability for cyberattacks. Providers of external IT should carry their own (substantial) cyber insurance to protect themselves against the risk of compromising your business's data. But, you cannot expect them to manage the fallout if a breach of your organization's system occurs. For most IT teams, this type of work is simply outside the scope of their contract.

If you work with an outsourced IT vendor, it is important to realize that doing so may increase your organization's risk of a cyberattack. This does not mean that you should seek to bring your IT work in-house. Doing so is impractical in most cases. Besides, an internal employee is just as likely as an external one to make mistakes. However, small businesses need to make smart decisions to limit the amount of access outsourced teams may have to company data. Limiting the administrative controls of your external IT provider or dividing administrative permissions between several system users is often a good way to decrease risk in this area. Regardless of how you choose to mitigate the risk of your outsourced IT team, make sure you are not relying on them to manage a cyberattack if one occurs.

What are specific small business cyberattack concerns?

Many small business owners know that they are not fully prepared to deal with the consequences of a cyberattack. But, they feel too paralyzed to protect themselves and end up simply hoping for the best. Doing so can be very dangerous. There are several reasons cybersecurity is of particular concern to small businesses.

  1. Many small businesses have somewhat lax rules surrounding the use of their equipment or lack the resources to adequately protect it. For example, many small business employees take their work laptops home with them. If company information is accessed on a non-encrypted network while the computer is out of the office, the business's intellectual property and sensitive data could easily fall into the wrong hands.

  2. Most small businesses lack the resources to deal with a data breach, and they frequently underestimate the cost of such an event. A 2017 Cost of a Data Breach Study published by the Ponemon Institute concluded that the average cost per compromised record in a data breach was $141. Also, the average cost of a data breach in 2017 was $3.62 million. Do not cite a lack of resources as an excuse for failing to purchase cyber insurance. The cost of an attack is likely to be devastating, but insurance is quite affordable for most businesses.

  3. Small businesses are less likely to have checks and balances separating employees' tasks. When people think of cybercrime, they usually picture a tech-savvy nerd sitting in a dark room with binary code flashing across his screen. The truth is that cybersecurity attacks are very frequently the result of internal employees either purposefully stealing information or accidentally publishing it. Employees of small businesses frequently have cross-functional jobs and access to large amounts of company data.

  4. Many business owners assume that their company is too small to be of interest to hackers because of their small market share. Nothing could be further from the truth. Cybercriminals know that small businesses usually lack sophisticated IT systems. That makes them easy targets. Think about it in terms of a bank robbery. It is easier to rob a local community bank than it is to rob a huge bank in Manhattan.

  5. Small businesses frequently underestimate the likelihood of a cyberattack. Most businesses either have been victims of a cybersecurity breach or eventually will be. A study published by the Federation of Small Businesses reported that although 93% of small businesses have cybersecurity measures in place, 66% of them have been victims of cybercrime. The same report also stated that on average, a small business is a victim of four cybercrimes every two years.


Cyber insurance protects businesses against devastating financial, reputational, and property loss in the case of a cybersecurity attack. In recent years, the world has seen an increase in cyberattacks and data losses, causing many business owners to feel a sense of unease and powerlessness to stop their business from being the next victim.

Although every business is likely to experience a negative cybersecurity event eventually, cyber insurance provides a safety net to ensure that businesses are able to recover. Most business liability and third-party insurance policies do not include coverage for cyberattacks. Plus, business owners cannot expect their outsourced IT teams to manage such an event if it occurs. Business managers should read their existing insurance policies carefully to understand their gaps in coverage. They must also conduct regular risk analyses to identify vulnerabilities in their systems. Once vulnerabilities have been pinpointed, the business should endeavor to reduce as many weaknesses as possible. It should also make a "worst-case scenario" plan to follow in the event of an attack. This process should be iterative and repeated at least once a year.

Cybersecurity poses particular concerns to small businesses for a variety of reasons. Small business owners frequently underestimate both the cost and the likelihood of a cyberattack. They also traditionally lack the resources to manage sophisticated IT systems. Also, they have less restrictive employee and equipment policies than larger firms. Finally, small businesses are often easy targets for cyber criminals and may be particularly vulnerable to attacks.

Cyber insurance is becoming increasingly commonplace. The market for it is likely to grow as technology advances. With cyberattacks on the rise and unlikely to disappear any time soon, businesses in all industries would be smart to protect themselves with cyber insurance.