Cybersecurity Insurance: What It Covers, Who Needs It

Cyber insurance can protect your business in case of a hack. You may be able to add it onto a business owner’s policy.

Many, or all, of the products featured on this page are from our advertising partners who compensate us when you take certain actions on our website or click to take an action on their website. However, this does not influence our evaluations. Our opinions are our own. Here is a list of our partners and here's how we make money.

Published · 4 min read
Profile photo of Whitney Vandiver
Written by Whitney Vandiver
Writer
Profile photo of Ryan Lane
Edited by Ryan Lane
Assigning Editor
Fact Checked
Profile photo of Rosalie Murphy
Co-written by Rosalie Murphy
Lead Writer
Nerdy takeaways
  • You should have cybersecurity insurance if you handle customer data or store information about your business online.

  • Cybersecurity insurance can cover the cost of notifying your customers about a breach, legal defense and more.

  • Data breach insurance and cyber liability insurance are types of cybersecurity insurance.

  • You may be able to add some cyber coverage to your business owner’s policy.

Cybersecurity insurance protects businesses against financial losses caused by incidents like data breaches and theft, system hacking, ransomware extortion payments and more. If your small business stores sensitive information online or on a computer, you should carry at least some cyber insurance coverage. 

Some insurers offer cyber insurance as an add-on to a business owner’s policy, but you can also purchase this coverage separately. Here's what cybersecurity insurance covers and where you can buy a policy.

Looking for tools to help grow your business?

Tell us where you're at in your business journey, and we'll direct you to the experience that fits.

on NerdWallet's secure site

What are the types of cybersecurity coverage?

Cybersecurity insurance generally comes as either first-party or liability coverage; these policies protect companies in different circumstances. If you’re a technology business, you’ll want to consider adding the different, but related, technology errors and omissions coverage, as well.

First-party coverage

First-party cybersecurity insurance covers the costs of things like: 

  • Investigation of the incident.

  • Risk assessment of future cyber incidents.

  • Lost revenue due to business interruption.

  • Ransomware attack payments based on coverage limits.

  • Notifying customers about the cyber incident and providing them with anti-fraud services such as credit monitoring.

The most common first-party cybersecurity coverage is data breach insurance.

Third-party or cyber liability coverage

Cyber liability coverage can protect your business if a third party sues you for damages as a result of a cybersecurity incident.

Cyber liability coverage generally pays for:

  • Attorney and court fees associated with legal proceedings.

  • Settlements and court judgments.

  • Regulatory fines for noncompliance.

General liability insurance excludes coverage for data-breach-related liability claims, so if your business stores customer data, you’ll want to consider a separate cyber liability insurance policy. 

Technology errors and omissions

A technology errors and omissions, or E&O, policy kicks in if a cybersecurity incident occurs in a customer’s business because of an error on your part. You should consider buying this coverage if your business manufactures a technology product or provides technology services. 

For example, if a customer’s financial data is stolen from your computer, first-party or liability insurance would provide coverage. However, if you write an accounting software program that has an error in the code and the customer’s data is stolen directly from their computer as a result, you’re now in tech E&O territory.

Technology E&O pays for items similar to that of cybersecurity liability insurance, such as legal fees, court costs, and judgments or settlements but only in covered circumstances relating to products or services. 

Which businesses need cybersecurity insurance?

Almost any business — no matter its size — can be at risk for cybercrime. But cybersecurity insurance is especially important for:

  • Businesses that store important data online or on computers. If your business stores important data, such as phone numbers, credit card numbers or Social Security numbers — either online or on a computer — you are at risk of a cyberattack. You should consider data breach insurance. If you store sensitive customer data, consider cyber liability coverage, too. 

  • Businesses with large customer bases. Insurance can help cover certain regulatory fines these businesses might be subject to following a data breach. Notifying customers of data breaches is often required by state law, and first-party policies can cover this cost, which can be significant for companies with large consumer bases.

  • Businesses with high revenue or valuable digital assets. The costs associated with cyber incidents can be difficult to predict, and larger companies are likely to have more valuable data, which could come with a more expensive ransom. 

If you are unsure whether you need cybersecurity insurance, consider speaking to a business insurance agent near you to assess your risk level and potential premiums to determine if it's the right investment for your company.

What does cybersecurity insurance exclude?

Cybersecurity insurance does not pay for the following: 

  • Property damage. Cybersecurity insurance generally doesn’t pay for any property damage stemming from a data breach or cyberattack, such as hardware that was fried during the cyber incident. These sorts of claims are usually covered by commercial property insurance.

  • Intellectual property. During a cyber incident, intellectual property losses and any lost income associated with it are commonly excluded from cybersecurity insurance coverage. 

  • Crimes or self-inflicted cyber incidents. Virtually no cybersecurity policy is going to cover a business that is charged with committing a crime related to or causing a cyber incident. Commercial crime insurance generally covers theft by employees, though.

  • Costs for proactive preventive measures. Protective measures to avoid a future cyberattack, like training employees on cybersecurity and setting up a virtual private network, probably won’t be covered by a cyber insurance policy. 

How do I get cybersecurity insurance?

You can purchase cybersecurity insurance through most business insurance providers

Many business insurance companies offer cybersecurity or data breach insurance as an add-on to their business owner’s policies, though this may not be enough coverage for businesses with more complex needs. 

To get a sense of how much cybersecurity insurance is likely to cost for your business, get multiple business insurance quotes. You can do this in a few minutes from online business insurance companies or work with a business insurance agent, who can help you compare quotes and find the best coverage at the best price. 

Best cybersecurity insurance options

Consider the following business insurance companies for your cyber insurance coverage. 

Chubb: Best overall cyber insurance for small businesses

5.0

NerdWallet rating 

Chubb’s Cyber ERM (Enterprise Risk Management) policy can help protect your business finances in the face of lots of different costs. It covers ransom payments, data recovery, customer notification and legal defense costs, if any — and can also pay out to help make up for the income your business loses while it recovers. You may be able to purchase a policy online. Read NerdWallet’s review of Chubb small-business insurance

The Hartford: Best for adding coverage to a business owner’s policy 

5.0

NerdWallet rating 

If your business needs more than just cyber protection, The Hartford allows you to tack data breach insurance onto a business owner’s policy or general liability insurance policy. Its cyber coverage can help cover the costs of notifying your customers of the hack, investigating what happened and defending your business in court, if necessary. Read NerdWallet’s review of The Hartford business insurance.

Travelers: Best for cyber liability coverage

5.0

NerdWallet rating 

Travelers offers a wide range of cyber insurance coverages, including cyber liability insurance tailored to a variety of fields and technology errors and omissions insurance. Smaller businesses may want to consider the company’s CyberFirst Essentials product, which covers data breach investigations, notifications to customers and legal defense and settlement costs. You’ll have to work with an agent to get a quote. Read NerdWallet’s review of Travelers business insurance.

Three Insurance: Best for comprehensive insurance coverage

This product is not rated by NerdWallet.

Three is an insurance policy from Berkshire Hathaway that purports to offer all the coverage business owners need, including lots of types of liability coverage, commercial auto insurance and more. It also provides cyber liability and data breach protection. This policy may be a good choice for business owners who don’t want to manage multiple policies — though it’s only available in 23 states as of this writing. Read NerdWallet’s review of Three business insurance.

How much cybersecurity coverage do I need?

Most small businesses carry around $1 million in cybersecurity coverage limits. Businesses have different risks and needs, though, so an insurance agent can help you determine what level of coverage is right for your business.

The premiums on these policies can be significant; the median cost of a policy is $140 per month ($1,675 annually), according to insurance marketplace Insureon. But that may be cheaper to pay than to rebuild a business from scratch. 

Among small businesses with fewer than 250 employees, the average reported cyberattack cost was about $25,600, according to a 2021 report from Hiscox, an insurance provider. That amount could be enough to shutter some small firms.

Frequently asked questions

Cyber insurance can pay out to cover ransom payments, investigation of the attack, lost revenue while your business recovers, providing credit monitoring services for customers and more. Cyber liability coverage specifically pays for your legal defense in case of a third-party lawsuit.

Cyber threats don’t apply only to large companies — the FTC says they’re a problem for companies of all sizes — but this coverage has gotten increasingly expensive as the cost of cyberattacks increases. You may be able to add some cybersecurity insurance coverage onto a business owner’s policy, which may be more affordable than buying a policy outright.

Cybersecurity and insurance experts recommend that all businesses that store any form of digital data consider having coverage, even if they have low limits. Consider talking with a cybersecurity insurance agent if you’re on the fence — they can help you learn more about coverage and decide what level of risk you’re comfortable with.

No, tech E&O insurance is only relevant if you design or manufacture technology-related products or provide technology services. It will be relevant for companies like those writing software code, providing IT services to other companies or designing apps.

Methodology

Business insurance ratings methodology

NerdWallet’s business insurance ratings reward companies that offer small-business owners reliability and ease of use. Ratings are based on weighted averages of scores in several categories, including financial strength, customer complaint data, shopping experience and customer service. Learn more about how we rate small-business insurance companies.

These ratings are a guide, but insurance policy details and prices can vary widely from business to business and provider to provider. We encourage you to shop around and compare several insurance quotes.

NerdWallet does not receive compensation for any reviews. Read our editorial guidelines.

Insurer complaints methodology

NerdWallet examined complaints received by state insurance regulators and reported to the National Association of Insurance Commissioners in 2018-2021.

To assess how insurers compare to one another, the NAIC calculates a complaint index each year for each subsidiary, measuring its share of total complaints relative to its size, or share of total premiums in the industry. To evaluate a company’s complaint history, NerdWallet calculated a similar index for each insurer, weighted by market shares of each subsidiary, over the three-year period.

Our star ratings consider ratios for both general liability insurance and commercial property insurance. When an insurer sells policies that are underwritten by several different insurance companies, we consider the NAIC complaint ratios of all the underwriters.

MORE LIKE THISSmall Business