What is cyber insurance?

Cyber insurance, also called cyber liability insurance or cybersecurity insurance, covers the financial losses that companies incur as a result of ransomware attacks, data breaches and other cyber incidents.

In the same way that car insurance pays for vehicle damage and bodily harm in the event of an accident, cyber insurance policies pay for damaged computer systems, lost revenue, legal expenses and other cyberattack costs.

Security breaches are growing more common and more costly. According to IBM’s Cost of a Data Breach report, 83% of organizations have had more than one data breach, and the average breach costs USD 4.35 million. Cyber insurance can lessen the financial impact of these breaches, making it an important part of risk management for businesses today.

Why cyber insurance matters

Any company that stores customer information or relies on technology, which includes most businesses, faces cyber risks. Security teams can take steps to mitigate cyber threats, but they cannot prevent them entirely. According to the Travelers Risk Index, 57% of business leaders think cyberattacks are inevitable.

Standard business insurance products, like general liability coverage and errors and omissions policies, typically don’t cover losses from cyber events, leaving companies liable for the full cost of ransomware attacks, business email compromise scams and other cybercrimes. These attacks can take a heavy financial toll. For example, the average ransomware attack costs USD 4.54 million, not including ransom payments.

Cyber insurance policies arose to close this coverage gap. By covering ransom payments, malware remediation and other costs, cyber policies can help companies limit their damage, recover more quickly and raise their overall level of cyber resilience.

What does cyber insurance cover?

Cyber insurance coverage can vary based on what the business needs, the types of data the business stores and the business’s industry. Many cyber policies offer options for first-party and third-party coverage. First-party coverage pays for the business’s direct losses, like the costs of recovering data and restoring systems. Third-party coverage pays for damage suffered by parties outside the business, like consumers who had their data stolen.

When it comes to specific losses, many cyber policies pay for things like:

Business interruptions

If a company loses revenue because a cyberattack takes computer systems offline, cyber policies may cover some or all of those losses.

Threat response and remediation

Insurance may pay for incident response, system repairs, forensic investigations and other services needed after a cyber event.

Legal expenses

Cyber policies may help pay for litigation arising from a cyberattack, such as lawsuits filed by customers. Some insurance companies may supply legal representation for the insured company.

Data breach recovery

When hackers steal personally identifiable information (PII) or other sensitive information like credit card or social security numbers, cyber policies can help cover the costs of notifying customers and providing services like credit monitoring.

Regulatory action

Cyberattacks may lead to regulatory investigations, especially in highly regulated fields like healthcare and financial services. Cyber policies may cover the costs of complying with these audits, including any fines the company must pay.

Reputation management

A company may need to hire a public relations firm or take other steps to repair its brand following an attack. Some cyber policies will help defray these costs.

Ransom payments

Many cyber policies cover ransomware payments, but some insurance providers are ending or limiting this coverage because of the high costs of ransoms.

Typical cyber insurance exclusions

While cyber policies can cover a lot, there are some incidents they won’t pay for. These are called exclusions. Common exclusions include:

Breaches of third parties

A company can have its data stolen or services disrupted when vendors and other partners are breached. Cyber insurance doesn’t always pay for these losses, but some insurers offer third-party breach coverage for an added cost.

Social engineering

Because social engineering attacks like phishing manipulate people into compromising cybersecurity from the inside, cyber policies don’t always cover these losses. However, social engineering coverage is often available at an additional cost.

Insider threats

Losses caused by insider threats like malicious or negligent employees are rarely covered.

State-sponsored attacks

Many cyber policies consider these attacks acts of war and will not cover them.

Cyberattacks that exploit a known vulnerability

If hackers exploit a flaw the company knew about but didn’t fix, many cyber policies will deny the claim.

Network failures not caused by cyberattacks

Most plans do not cover outages caused by misconfigurations and other internal errors.

The state of cyber insurance today

While demand for cyber insurance is high, rising cyber insurance costs are making it hard for companies—especially small businesses—to find coverage. According to Marsh McLennan, cyber insurance prices rose by 110% in the first quarter of 2022.

According to 451 Research, cyber insurance may contribute to increasing ransomware attacks. As more businesses buy cyber policies, they become more comfortable paying ransoms because insurance will cover them. Hackers, in turn, feel encouraged to keep asking for ransoms. One new strain of ransomware, HardBit, even asks victims to share the details of their cyber policies so the hackers can calculate a ransom the policy will cover.

Price turbulence is also fueled by the fact that cyber insurance is relatively new compared to other insurance products. Insurers have limited historical data on cyberattack costs, which makes it difficult to create accurate risk models and set stable prices.

As insurance companies see their losses climb, they respond by raising premiums and limiting coverage. Insurer AXA has stopped covering ransomware payments for policies issued in France. Lloyd’s of London will no longer cover state-sponsored cyberattacks, another source of major losses.

Insurers are also setting stricter network security requirements for insured companies. Some underwriters won’t even offer an insurance quote unless a company has multi-factor authentication, data encryption, zero trust or similar policies in place. Some insurance companies are taking on a more consultative role, giving policyholders and business owners access to security tools and service providers to help them improve security posture. Some experts predict that cyber insurers may become key figures in enforcing standards like the NIST Cybersecurity Framework, as companies that follow these standards will be less costly to insure.
