What is cyber insurance?

What is cyber insurance?

Cyber insurance, also called cyber liability insurance or cybersecurity insurance, covers financial losses that companies have as a result of ransomware attacks, data breaches and other cyber incidents.

In the same way that car insurance pays for vehicle damage and bodily harm in the event of an accident, cyber insurance policies pay for damaged computer systems, lost revenue, legal expenses and other cyberattack costs.

Security breaches are growing more common and more costly. According to IBM’s Cost of a Data Breach report, the global average cost of a data breach (March 2024 through February 2025) was USD 4.44 million. Cyber insurance can lessen the financial impact of these breaches, making it an important part of risk management for businesses today.

Think Newsletter

Would your team catch the next zero-day in time?

Join security leaders who rely on the Think Newsletter for curated news on AI, cybersecurity, data and automation. Learn fast from expert tutorials and explainers—delivered directly to your inbox. See the IBM Privacy Statement.

Your subscription will be delivered in English. You will find an unsubscribe link in every newsletter. You can manage your subscriptions or unsubscribe here. Refer to our IBM Privacy Statement for more information.

https://www.ibm.com/us-en/privacy

Why cyber insurance matters

Any company that stores customer information or relies on technology, which includes most businesses, faces cyber risks. Security teams can take steps to mitigate cyber threats, but they cannot prevent them entirely. According to the Travelers Risk Index, 57% of business leaders think cyberattacks are inevitable.

Standard business insurance products, like general liability coverage and errors and omissions policies, typically don’t cover losses from cyber events, leaving companies vulnerable for the full cost of phishing attacks, business email compromise scams, and other cybercrimes. These attacks can have a heavy financial toll. For example, the average data breach caused by a phishing attack costs USD 4.80 million.

Cyber insurance policies arose to close this coverage gap. By covering ransom payments, malware remediation and other costs, cyber policies can help companies limit their damage, recover more quickly and raise their overall level of cyber resilience.

Security Intelligence | 3 December, episode 11

Your weekly news podcast for cybersecurity pros

Whether you're a builder, defender, business leader or simply want to stay secure in a connected world, you'll find timely updates and timeless principles in a lively, accessible format. New episodes on Wednesdays at 6am EST.
Watch the latest podcast episode

What does cyber insurance cover?

Cyber insurance coverage can vary based on what the business needs, the types of data the business stores and the business’s industry. Many cyber policies offer options for first-party and third-party coverage. First-party coverage pays for the business’s direct losses, like the costs of recovering data and restoring systems. Third-party coverage pays for damage suffered by parties outside the business, like consumers who had their data stolen.

When it comes to specific losses, many cyber policies pay for things like:

Business interruptions

If a company loses revenue because a cyberattack takes computer systems offline, cyber policies may cover some or all of those losses.
Threat response and remediation

Insurance may pay for incident response, system repairs, forensic investigations and other services needed after a cyber event.
Legal expenses

Cyber policies may help pay for litigation arising from a cyberattack, such as lawsuits filed by customers. Some insurance companies may supply legal representation for the insured company.

Data breach recovery

When hackers steal personally identifiable information (PII) or other sensitive information like credit card or social security numbers, cyber policies can help cover the costs of notifying customers and providing services like credit monitoring.
Regulatory action

Cyberattacks may lead to regulatory investigations, especially in highly regulated fields like healthcare and financial services. Cyber policies may cover the costs of complying with these audits, including any fines the company must pay.
Reputation management

A company may need to hire a public relations firm or take other steps to repair its brand following an attack. Some cyber policies will help defray these costs.
Ransom payments

Many cyber policies cover ransomware payments, but some insurance providers are ending or limiting this coverage because of the high costs of ransoms.

Typical cyber insurance exclusions

While cyber policies can cover a lot, there are some incidents they won’t pay for. These are called exclusions. Common exclusions include:

Breaches of third parties

A company can have its data stolen or services disrupted when vendors and other partners are breached. Cyber insurance doesn’t always pay for these losses, but some insurers offer third-party breach coverage for an added cost.
Social engineering

Because social engineering attacks like phishing manipulate people into compromising cybersecurity from the inside, cyber policies don’t always cover these losses. However, social engineering coverage is often available at an additional cost.
Insider threats

Losses caused by insider threats like malicious or negligent employees are rarely covered.
State-sponsored attacks

Many cyber policies consider these attacks acts of war and will not cover them.

Cyberattacks that exploit a known vulnerability

If hackers exploit a flaw the company knew about but didn’t fix, many cyber policies will deny the claim.

Network failures not caused by cyberattacks

Most plans do not cover outages caused by misconfigurations and other internal errors.

The state of cyber insurance today

While demand for cyber insurance is high, rising cyber insurance costs are making it hard for companies—especially small businesses—to find coverage. According to Marsh McLennan, cyber insurance prices rose by 110% in the first quarter of 2022.

According to 451 Research, cyber insurance may contribute to increasing ransomware attacks. As more businesses buy cyber policies, they become more comfortable paying ransoms because insurance will cover them. Hackers, in turn, feel encouraged to keep asking for ransoms. One new strain of ransomware, HardBit, even asks victims to share the details of their cyber policies so the hackers can calculate a ransom the policy will cover.

Price turbulence is also fueled by the fact that cyber insurance is relatively new compared to other insurance products. Insurers have limited historical data on cyberattack costs, which makes it difficult to create accurate risk models and set stable prices.

As insurance companies see their losses climb, they respond by raising premiums and limiting coverage. Insurer AXA has stopped covering ransomware payments for policies issued in France. Lloyd’s of London will no longer cover state-sponsored cyberattacks, another source of major losses.

Insurers are also setting stricter network security requirements for insured companies. Some underwriters won’t even offer an insurance quote unless a company has multi-factor authentication, data encryption, zero trust or similar policies in place. Some insurance companies are taking on a more consultative role, giving policyholders and business owners access to security tools and service providers to help them improve security posture. Some experts predict that cyber insurers may become key figures in enforcing standards like the NIST Cybersecurity Framework, as companies that follow these standards will be less costly to insure.

Resources

Secure the post-quantum future: How quantum safety strengthens cyber-resilience for today and tomorrow

Advance your company’s readiness, infused by the findings of the new IBM Institute of Business Value Report on securing the post-quantum future.
IBM® X-Force® threat intelligence index 2025

Gain insights to prepare and respond to cyberattacks with greater speed and effectiveness with the IBM X-Force threat intelligence index.
IDC MarketScape: Cybersecurity Consulting Services Vendor Assessment 2025

See why IBM has been named a Major Player and gain insights for selecting the Cybersecurity Consulting Services Vendor that best fits your organization’s needs.
Cybersecurity in the era of generative AI

Learn how today’s security landscape is changing and how to navigate the challenges and tap into the resilience of generative AI.
IBM® X-Force® cloud threat landscape report 2024

Understand the latest threats and strengthen your cloud defenses with the IBM X-Force cloud threat landscape report.
What is data security?

Find out how data security helps protect digital information from unauthorized access, corruption or theft throughout its entire lifecycle.
What is a cyberattack?

A cyberattack is an intentional effort to steal, expose, alter, disable or destroy data, applications or other assets through unauthorized access.
Related solutions
Enterprise security solutions

Transform your security program with solutions from the largest enterprise security provider.

 Explore security solutions
Cybersecurity services

Transform your business and manage risk with cybersecurity consulting, cloud and managed security services.

         Explore cybersecurity services
    Artificial intelligence (AI) cybersecurity

    Improve the speed, accuracy and productivity of security teams with AI-powered cybersecurity solutions.

         Explore AI cybersecurity
    Take the next step

    Whether you need data security, endpoint management or identity and access management (IAM) solutions, our experts are ready to work with you to achieve a strong security posture. Transform your business and manage risk with a global industry leader in cybersecurity consulting, cloud and managed security services.

         Explore cybersecurity solutions Discover cybersecurity services