What is Cyber Insurance and is It Worth It?


There are many details in exactly how cyber insurance is defined, but at its base it works like any other type of insurance required in life and business. Cyber insurance generally covers expenses arising from a cyber attack or data breach against your organization. Which parts of the aftermath are covered depends on your type of coverage and on the contingencies and requirements written into your policy with the insurer.

Do I Need Cyber Insurance?

Constant news about cyber attacks and threats shows that no industry or sector is safe from suffering a cyber attack. Because cyber criminals target third-party vendors, MSPs, and supply chains, it doesn't matter whether you are an organization in a high-value, highly-targeted sector, a community college, or a mom-and-pop business.

That means everyone, in theory, needs cyber insurance.

Who Needs Cybersecurity Insurance?

  • Any organization or business that stores critical data online or in a database
    • If your organization collects and stores personally identifiable information (PII) such as names, addresses, phone numbers, Social Security numbers, medical information, or credit card numbers, you want to invest in one of the levels of cyber insurance, possibly both data breach insurance and cyber liability coverage.
  • Organizations or businesses with large customer or client bases
    • These organizations could face fines, depending on state laws, or lawsuits. The right type of cyber insurance could cover those costs.
  • Organizations with high revenues and digital assets
    • Financial organizations are always high-value targets of cyber crime and data breaches because of the funds and information they hold. Any highly sensitive, proprietary data is also a popular target.

Reasons You Need Cyber Insurance

Unfortunately, the costs associated with being the victim of a cyber attack don’t end with what it costs to get your network back online.

The global cost of cyber crime is projected to reach $10.5 trillion annually by 2025.

These are just some of the costs associated with a cyber attack or data breach:

  • Regulatory fines
  • Lawsuits
  • Hiring a PR firm
  • Offering credit monitoring services to victims
  • Legal services
  • Expenses of notifying victims
  • Lost income due to outage
  • Emergency software updates and remediation
  • Forensic investigation
  • Reputational damage
  • Possible cyber insurance premium increases

In a ransomware attack, you should NOT use cyber insurance to pay the ransom. 80% of organizations that paid a ransom were attacked again, and 40% never received a key to decrypt their files. Restoring from backups is cheaper and more reliable than paying a ransom, so be sure to have good backup policies and procedures in place, and test that the restores actually work. The 3-2-1 backup rule is recommended: keep three copies of your data, on two different types of media, with one copy stored off-site (and ideally offline or immutable so the ransomware cannot encrypt it too).

The unfortunate part of cyber insurance is that if you do suffer a cyber attack and have insurance, the premium will go up just as it would after a car accident. In most cases, having insurance even with an increased premium may still be cheaper than facing the financial ramifications of a cyber attack without insurance, depending on the size of the attack and type of insurance.

Cybersecurity insurance firm Coalition predicted that there would be an average of over 1,900 new Common Vulnerabilities and Exposures (CVEs) per month in 2023, up 13% from 2022. Regular updates, patching, network monitoring, and vigilance are key to keeping those vulnerabilities from being exploited on your network. Not every CVE can be caught in time, however: some vulnerabilities are only discovered because someone, unfortunately, ends up as patient zero.

Not having the right type of coverage or no coverage at all could end up costing your organization more.

What Does Cyber Insurance Cover?

When it comes to cybersecurity and cyber insurance, it's all about your budget. Getting the right type of cyber insurance for your organization matters so that you are not overpaying. It is just as important not to be underinsured for the coverage you need, so that a cyber attack does not still end up costing your organization more in the long run.

What Are the Types of Cyber Insurance?

First-Party Coverage or Data Breach Insurance

First-party cybersecurity insurance protects your company from its own expenses following a data breach or cyber attack. It covers costs directly tied to the incident as well as a range of related expenses:

  • Lost revenue
  • Incident investigation
  • Cost of notifications for affected victims
  • Anti-fraud service and credit monitoring for affected victims
  • Data destruction
  • Risk assessment for potential future cyber attacks

In some cases, first-party cyber insurance may cover the cost of extortion or a ransom payment. Paying the ransom is never recommended: it makes cyber criminals stronger, tells them you will pay if attacked again, and gives them more resources and confidence to attack similar organizations. As stated above, paying the ransom DOES NOT guarantee you will get your data back, and it makes it more likely you will be attacked again regardless of what happens to your data.

Third-Party Coverage or Liability Coverage

Liability or third-party cybersecurity insurance covers what you owe to others because of a cyber attack or data breach: damages from lawsuits and other payouts to the affected parties.

Third-party cyber insurance can cover fees for:

  • Legal fees or lawsuits
  • Settlements
  • Regulatory fines and fees

In some cases, depending on the type of insurance or insurer, cyber liability insurance can cover notification of those affected by the incident or extortion costs.

It’s important to note that some traditional insurance policies may exclude cyber risks. This is why there has been a growth in cybersecurity insurance as a separate, stand-alone type of coverage.

What is NOT Covered by Cyber Insurance?

What is and isn’t covered varies by the insuring company and how your policy is written. Here are some cases where cyber insurance may not pick up the bill in the case of a cyber attack or data breach:

  • Preventable security issues caused by human error and mishandling of systems or digital assets
  • Preexisting cyber incidents before the policy was purchased
  • Cyber incidents caused by employees or insiders
  • Infrastructure failures
  • Failure to patch known vulnerabilities
  • Cost to improve or upgrade tech
  • Hardware damage due to cyber attack

What to Look for in Cyber Insurance

As the cyber threat landscape has grown in severity and complexity, demand for cyber insurance of all types has grown sharply.

In fact, the cyber insurance market is projected to continue to see growth, from $7.8 billion in 2020 to $20.4 billion in 2025. Some insurers even suggest that the demand for cybersecurity insurance outstrips the supply.

If this trend continues, insurers will not be able to sustain coverage without a full picture of each insured organization's risk. This is why understanding risk, and cyber risk quantification in particular, matters: it helps organizations and insurers understand the risk being taken on under a cybersecurity insurance policy and helps insurers underwrite policies correctly and consistently.

To get a better understanding of cyber risk quantification and how it works, hear from our cyber experts by downloading our on-demand webinar for free - Cyber Risk Reduction and Cyber Insurance: ​Calculating Your Risk.

A recent survey showed that nearly 80% of companies have had to use their cyber insurance, and more than half have used it multiple times.

When you are shopping for cyber insurance, pay attention to the coverage limits. A typical policy sets two:

  • Per-incident limit
    • The maximum amount the insurer will pay out for any single cybersecurity incident
  • Aggregate limit
    • The maximum amount the insurer will pay out for all incidents combined during the policy period
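The two limits interact over the policy period: every payout reduces the remaining aggregate, so a later incident can be only partly covered, or not covered at all, even though it sits under the per-incident limit. The Python model below is added here as an illustration and is not part of the original post or any insurer's own tooling; the `CyberPolicy` class, the $1,000,000 per-incident and $2,000,000 aggregate limits, and the three incident costs are constructed for the example. Real policies also carry retentions (deductibles), sub-limits (ransomware coverage is a common one) and waiting periods, none of which are modelled here.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Added example, not from the original post. All figures are constructed
# for illustration; real policies also carry retentions and sub-limits.


@dataclass
class CyberPolicy:
    """Tracks insurer payouts against a per-incident and an aggregate limit."""

    per_incident_limit: int            # most the insurer pays for one incident
    aggregate_limit: int               # most the insurer pays in the whole period
    paid_to_date: int = 0              # running total of payouts so far
    history: list[tuple[int, int]] = field(default_factory=list)

    def remaining_aggregate(self) -> int:
        """Aggregate capacity left before the policy is exhausted."""
        return max(self.aggregate_limit - self.paid_to_date, 0)

    def claim(self, incurred_cost: int) -> tuple[int, int]:
        """Settle one incident.

        Returns (insurer_pays, organization_pays). The payout is capped by
        the per-incident limit and by whatever aggregate capacity remains,
        whichever is lower; the organization absorbs the rest.
        """
        if incurred_cost < 0:
            raise ValueError("incident cost cannot be negative")
        payout = min(incurred_cost, self.per_incident_limit, self.remaining_aggregate())
        self.paid_to_date += payout
        self.history.append((incurred_cost, payout))
        return payout, incurred_cost - payout


def settle_period(per_incident_limit: int, aggregate_limit: int,
                  incident_costs: list[int]) -> list[tuple[int, int]]:
    """Run a sequence of incidents through one policy period, in order."""
    policy = CyberPolicy(per_incident_limit, aggregate_limit)
    return [policy.claim(cost) for cost in incident_costs]


# Constructed scenario: $1M per incident, $2M aggregate, three incidents in one year.
SCENARIO_COSTS = [1_500_000, 800_000, 600_000]


def example_period() -> list[tuple[int, int]]:
    """Settle the constructed scenario and return (paid, retained) per incident."""
    return settle_period(1_000_000, 2_000_000, SCENARIO_COSTS)


if __name__ == "__main__":
    for n, (paid, retained) in enumerate(example_period(), start=1):
        print(f"incident {n}: insurer pays ${paid:,}, organization pays ${retained:,}")
```

In the scenario the first incident ($1.5M) is cut to $1M by the per-incident limit, the second ($800k) is paid in full, and the third ($600k) receives only the $200k of aggregate that is left, so the organization retains $400k of it. A fourth incident in the same period would be paid nothing. The practical lesson is that the aggregate limit has to be sized against how many incidents you can realistically expect in a year, not just against the worst single event.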

It’s also important to remember that cyber insurance is NOT a silver bullet.

Reasons Not to Invest in Cyber Insurance

Given that we know every organization or industry could be the victim of a cyber attack, directly or indirectly, are there reasons for you not to invest in cyber insurance?

Demand currently outweighs supply, and on the current trend premiums are expected to keep rising.

In addition, here are some other reasons why your organization may decide cybersecurity insurance isn’t the right option.

  • Organizations are being increasingly required to have higher levels of cyber protection for systems before being considered by insurance companies for a policy
  • Ransomware coverage is being scaled back
  • There are nation-state attack exclusions as well as attack attribution requirements
  • Challenges meeting policy requirements
  • Your organization may already be self-insured for cyber risks
  • Coverage and pricing are often based only on an insurer's self-assessment questionnaire rather than an assessment of your actual risk
  • Incident remediation may be cheaper than insurance premiums, which rise after attacks
  • Investments can be better spent on improving cybersecurity posture

Is Cyber Insurance Worth It?

Ultimately, you must decide as an organization if cyber insurance is the right investment in cybersecurity.

Consider the rising cost and frequency of cyber attacks, and that the average cost of a business email compromise (BEC) is $183,000, depending on the goal of the attack.

Cyber insurance is especially important for small businesses, which are less likely to have the resources to recover from a cyber attack. In most cases, a cyber attack costs more than a cybersecurity insurance policy does. If the policy and insurer you choose meet the needs of your organization, cyber insurance is worth it.

Here are some additional tips and reminders to put on your list when considering cyber insurance:

  • If you already work with a cybersecurity company, make sure it is on your insurer's list of approved vendors, so the insurer will pay for its work when you need to make a claim
  • Review your cyber insurance policy every time it is up for renewal.

For help putting together a cybersecurity plan that will help you meet the complicated requirements of cyber insurance, contact SecuLore to get started before you purchase your policy. Make sure to have us included in your list of approved cybersecurity vendors so we can assist you when you make a cyber incident claim with your insurance company.


