Cyber Insurance Guide: Coverage, Costs, and Claims
Cyber insurance transfers some of the financial risk of a cyberattack to an insurer. Policies typically cover incident response costs, legal fees, regulatory fines, business interruption, data recovery, and liability from data breaches. As cyberattacks have surged, cyber insurance has evolved from a niche product to an essential component of business risk management. The global cyber insurance market exceeded $14 billion in 2023.
What Cyber Insurance Covers
First-party coverage compensates your organization directly: incident response and forensic investigation costs, data recovery and system restoration, business interruption and lost income during downtime, ransomware payments and negotiation costs, crisis communications and PR, notification costs for affected individuals, and credit monitoring services for breach victims.
Third-party coverage covers claims against your organization by others: legal defense costs, regulatory fines and penalties (where insurable by law), settlements and judgments from lawsuits, payment card industry fines and assessments, and media liability claims.
What It Typically Does Not Cover
Typical exclusions include: pre-existing vulnerabilities that were known but not remediated; losses from unencrypted data where the policy required encryption; infrastructure failures unrelated to a cyberattack; reputational damage beyond the policy’s crisis management allocation; war and state-sponsored attacks (war exclusion clauses have been expanding post-NotPetya); and acts of intentional fraud by employees.
Cost Factors
Premiums depend on your industry, revenue, data volume, security controls, and claims history. Average premiums for small businesses range from $1,500 to $7,500 annually. Mid-market companies pay $10,000 to $100,000. Large enterprises negotiate custom policies in the hundreds of thousands to millions. Insurers increasingly require specific security controls as conditions for coverage: MFA, EDR, offline backups, email filtering, and employee training. Failure to maintain these controls can void coverage.
Making a Claim
Document the incident thoroughly from the moment it is detected. Notify your insurer within the timeframe specified in your policy (typically 24-72 hours). Use the insurer’s approved incident response vendors, as using non-approved vendors may reduce coverage. Maintain detailed records of all costs incurred during response and recovery. Cooperate with the insurer’s forensic investigation.
Choosing a Policy
Work with a broker specializing in cyber insurance who can compare policies across carriers. Key questions: What is the retroactive date (does the policy cover breaches that occurred before it started)? What are the sub-limits for specific categories (ransomware, business interruption)? Does the policy cover social engineering and business email compromise (BEC) losses? What security controls are required to maintain coverage?
For the incident response plan that insurers want to see, refer to our incident response plan guide. To understand the security controls that affect your premium, explore our small business cybersecurity guide.
The Application Process
The cyber insurance application process has become a security assessment in itself. Insurers ask detailed questions about your security controls: MFA deployment, backup architecture, endpoint protection, email filtering, employee training, and incident response planning. Answering these questions accurately is critical; misrepresenting your security posture can void coverage when you need it most.
Use the application process as a gap analysis. If you cannot truthfully answer “yes” to questions about specific controls, those gaps represent both insurance risk and security risk. Many organizations improve their security posture during the application process simply because the insurer’s questions highlight deficiencies they had not addressed.
Premium discounts are often available for organizations that demonstrate strong security controls, recent penetration testing, and completion of security awareness training programs. Ask your broker about available discounts and the specific controls that qualify.
Post-Claim Considerations
After a cyber insurance claim, expect premium increases at renewal, similar to auto insurance after a car accident. Some insurers may also add exclusions for the type of incident you experienced. Use the post-claim period to address the root cause of the incident, as demonstrating improved security posture can mitigate premium increases. Document all security improvements made after the incident for your renewal negotiation.