Cyber Insurance: What Does It Cover and Do You Need It?

By Corey Shields | January 27, 2022

Every organization that manages or handles digital data is at risk of a cyber attack, and in the past few years we've seen a massive uptick in attacks and threats. But is cybersecurity insurance worth it? Here's what you need to know.

There are many misconceptions about cyber insurance and most businesses don’t think they need it, but this couldn't be farther from the truth.

Many companies learn too late - i.e. AFTER an attack or breach - that their existing insurance policy doesn’t cover damage from ransomware, viruses, or any kind of malicious digital activity.

This can cost an unprepared organization hundreds of millions of dollars, and eventually cause them to close their doors forever.



What is Cyber Insurance?

Simply put, cyber insurance is a coverage policy for your business’s liability in the event of a data breach involving customer information.

If your organization falls victim to a cyber attack, cyber insurance will cover you in the way car insurance covers you when your vehicle is in an accident.

We’ve reached a point where we all work with data so much that we need protection from the financial devastation caused by data loss or breach.

Cyber insurance comes in many different forms of coverage, and to understand what’s best for you and your organization, you’ll need to work with an insurance agent.

Cyber insurance typically covers items such as:

  • Legal fees
  • Cost of recovering data
  • Cost of restoring the identities of affected clients
  • Cost of notifying customers of the breach/data loss

Surviving a data breach will be costly, and without cyber insurance, many small businesses will not be able to continue after an event occurs.

To put all this risk in perspective, last year alone almost 80% of businesses experienced a phishing attack, which is now the number one way hackers get into your network.

Hackers have gotten increasingly clever, and it's getting harder and harder for employees to identify phishing emails. One click on a misunderstood malicious email can unleash viruses that compromise data on your network, and can bring your company to its knees for days.

Let's take a look at exactly who is most at risk!


Who Needs Cyber Insurance?


Every business that relies on digital data. Which is everyone.

If you have client data saved anywhere on your network or cloud, you should have cyber insurance.

We often think that only very large businesses, or industries such as finance, legal and healthcare, are at risk, but EVERYONE is at risk.

But what about small to medium-sized businesses?

Over 60% of small businesses close within 6 months of a cyberattack.

For most, the financial burden of a cyber incident is just too great to recover from. This is especially disheartening when you realize that SMBs are targeted specifically because they can’t afford the protection of larger entities.

Ransomware, frequently the result of a phishing attack, is now a favorite of hackers, creating havoc for businesses, hospitals, and even city and state governments. 

One insurance firm stated recently that ransomware alone represented 40% of cyber insurance claims to date.

Of course, your goal is to minimize the possibility that you get attacked in the first place! This means your business needs to take security steps in advance to reduce your risk.

A great first step in stopping ransomware is training your employees on the dangers of, and how to identify, phishing emails.

As mentioned above, phishing is the #1 way hackers get into your network to launch ransomware attacks, so it pays to invest in employee training!


What Is Not Covered by Cyber Insurance?

In a recent study of more than 100 CFOs by FM Global, a commercial property insurer, almost half believed their insurer would cover "most" related losses from a cyber security event.

Almost a third said they expected their carrier to cover "all" related losses.

But here's a list of what is typically NOT covered:

  • Discredit of the company's brand and reputation - after a breach, customers tend to scatter to the wind
  • Increased scrutiny from the investment community
  • Decline in revenue/earnings
  • Decline in market share
  • Decline in share price

Note that while insurance might cover lost revenue during the span of the actual disruption, lost revenue related to the aftereffects is not normally covered.

Don't get us wrong - cyber insurance is still considered essential to relieve as much pain as possible.

It just doesn't relieve your organization from the necessity of implementing the most proactive cyber security protection possible in the first place.

The Cloud IS NOT a Cyber Insurance Policy

In most cases, cloud service providers will not cover your losses in the event of a cyberattack.

Our friend Tom DeOrnellas, the Director of Risk Management at Lindsey Business Group said recently, “A cloud provider is a great source of data management, and helps you do business, but your cloud provider is not an insurance policy.”




In today’s world of tech jargon and confusing general statements about “THE CLOUD” and “cloud computing,” it’s easy to see why many think that their cloud service provider would cover the cost of data loss, but this simply isn’t the case.

Rest assured, cloud providers such as Google, Amazon or Microsoft offer the most secure environment you could hope for - much better than any servers you might have on your premises.

But note that security breaches are rarely caused by poor cloud data protection - they're caused by humans.

You can read more here on tips for improving cloud security, but this still doesn't negate the need for cyber insurance!


Where is Cyber Insurance Heading in 2022?

Cyber attacks aren’t going away any time soon. In fact, cyber attacks are the fastest growing crime in the U.S. and are a very profitable business. 

Insurance professionals believe that this sector will continue to grow exponentially over the next year, and will reshape cybersecurity as we know it.

Gone are the days of installing anti-virus software and going about your business. With the popularity of mobile devices, the perimeter you need to protect has changed and goes far beyond the four walls of your office.

Further, the launch of 5G networks and the related growth of IoT means that cyber risks are likely to grow exponentially.

Security is going to get a lot more complicated in the coming years, which is why most companies, whether they have an internal IT team or not, are outsourcing their security to cyber security experts.

Insurance companies are well aware that security risks are increasing at an unprecedented rate, and that some policies only cover a small percentage of overall losses.

Cyber insurance contracts are already beginning to be re-written to explicitly define what is or is not covered in order to reduce lawsuits and disputes, so be sure to read your policy very carefully.

We highly recommend you speak to a cyber insurance specialist to help you figure out which is the best policy for your company.


Take Proactive Cyber Security Steps BEFORE You Get Hit

Cyber insurance policies don't eliminate the need for organizations to take proactive steps to secure their data.

In fact, insured customers are often required to do so or their policies will be voided.

Many companies are left high and dry by cyber insurance policies that didn't fully protect them after an attack, because they failed to implement what the insurer deemed "due diligence" beforehand.

A proper security risk assessment from a qualified third party is the best way to make sure you're doing all you can to prevent cyber attacks in the first place.

