Cybersecurity Insurance: What It Is, Which Businesses Need It

Even minor cyber incidents can disrupt small businesses in major ways. Cybersecurity insurance can help them recover.

Many or all of the products featured here are from our partners who compensate us. This may influence which products we write about and where and how the product appears on a page. However, this does not influence our evaluations. Our opinions are our own. Here is a list of our partners and here's how we make money.

Cybersecurity insurance protects businesses against financial losses caused by cyber incidents, including data breaches and theft, system hacking, ransomware extortion payments and denial of service. For small businesses that store sensitive information online or on a computer, this coverage could prove useful.

Among small businesses with fewer than 250 employees, the average reported cyberattack cost was about $25,600, according to a 2021 report from Hiscox, an insurance provider. That amount could be enough to shutter some small firms.

“Cybercrime is very opportunistic,” says Nathan Little, vice president of digital forensics and incident response for Tetra Defense, a cyber risk management company that assists insurers and companies in preventing and recovering from cyberattacks. “Every company, no matter what the size, is an opportunity for a cybercriminal to make some kind of money.” He adds that hackers often programmatically look for targets and attack small firms because of certain vulnerabilities, not because they're set on attacking a specific company.

As cyber incidents have become more frequent, insurers have added more types of cybersecurity policies. Here's what you need to know.

What's the best fit for your business?
Answer a few questions and we'll match you with an insurance partner who can help you secure quotes.

What are the types of cybersecurity coverage?

Cybersecurity insurance generally comes as either first-party or liability coverage; these policies protect companies in different circumstances. If you’re a technology business, you’ll want to consider adding the different but related technology errors and omissions coverage, as well.

First-party coverage

First-party coverage provides financial assistance to help an insured business with recovery costs. Depending on the type of cyber incident, a policy generally covers:

  • Investigation of the incident.

  • Risk assessment of future cyber incidents.

  • Lost revenue due to business interruption.

  • Ransomware attack payments based on coverage limits.

Policies commonly cover the cost of notifying customers about the cyber incident and providing them with anti-fraud services such as credit monitoring.

Some policies will cover additional items such as repairing systems that were damaged by the incident, but coverage will differ with individual policies. The most common first-party cybersecurity coverage is data breach insurance. » MORE: Don't speak tech? Cybersecurity for the rest of us

Liability coverage

Whether your customers are individuals or other businesses, you might be liable to cover the damages if their information is compromised through a cyberattack on your company. Cybersecurity liability coverage protects a business when a third party sues the policyholder for damages as a result of a cyber incident.

The potential for a cyber liability claim might be more likely than you think. Employees' lost cell phones can grant access to customer information, and ransomware attacks can keep you from fulfilling orders or completing projects, leaving you liable for customers’ financial losses.

Cybersecurity liability coverage protects businesses if such scenarios occur and generally pays for:

  • Attorney and court fees associated with legal proceedings.

  • Settlements and court judgments.

  • Regulatory fines for noncompliance.

Technology errors and omissions

A technology errors and omissions, or E&O, policy can protect small businesses that provide technology services when cybersecurity insurance doesn't provide coverage. Tech E&O kicks in if a business’s product or service results in a cyber incident that affects a third party directly.

The difference is a matter of whether the incident occurred in your business — like a data breach on your network — or in a customer’s business because of an error on your part. For comparison, if a customer’s financial data is stolen from your computer, first-party or liability provides coverage. However, if you write an accounting software program that has an error in the code and the customer’s data is stolen directly from their computer as a result, you’re now in tech E&O territory.

Technology E&O pays for items similar to that of cybersecurity liability insurance, such as legal fees, court costs, and judgments or settlements but only in covered circumstances relating to products or services. If your business doesn’t manufacture a technology product or provide technology services, you can probably skip this coverage altogether.

Which businesses need cybersecurity insurance?

Businesses that store important data online or on computers. If your business stores important data such as phone numbers, credit card numbers or Social Security numbers — either online or on a computer — you are at risk of a cyberattack and could benefit from cybersecurity insurance.

Businesses that store their own financial data and any personal customer data should at least consider first-party coverage. For example, a business that is the victim of a ransomware attack can lose valuable data, such as financial records, if it is unable to respond to the payment demands. With first-party coverage, the business's insurer can step in to cover part or all of the ransom, depending on the coverage limits of the policy.

If you store more significant personal information about your customers, you will want to look into liability coverage, also called third-party coverage. Unlike first-party coverage, cyber liability policies cover legal fees and judgments in cases where people sue your business for damages caused by a cyberattack. Certain types of information such as credit card numbers or Social Security numbers can have a more significant impact on customers if their data is stolen from your company because they can be used in identity theft.

If an affected customer decides to sue because of the fallout from the data breach, you’ll need liability coverage to cover the legal fees and expenses. Small businesses that work with other companies’ data should also consider liability coverage as a viable option.

Businesses with large customer bases. For businesses with a large number of customers, cybersecurity insurance could be especially worth getting. Policies can help cover certain regulatory fines these businesses might be subject to following a data breach. Notifying customers of data breaches is often required by state law, and first-party policies can cover this cost, which can be significant for companies with large consumer bases.

Businesses with high revenue and valuable assets. For mature small businesses with high revenue and valuable assets, cybersecurity insurance can greatly reduce financial risk. The costs associated with cyber incidents can be difficult to predict, and larger companies are likely to have more valuable data, which could come with a more expensive ransom. By contrast, smaller businesses with low revenue might find it difficult to financially justify the cost of cybersecurity premiums if they believe the cost of responding to a data breach will be less than a year's worth of premiums.

If you are unsure how you feel about the value of cybersecurity insurance, consider speaking to an insurance agent to assess your risk level and potential premiums to determine if it's the right investment for your company.

What does cybersecurity insurance exclude?

Property damage. Cybersecurity insurance usually only covers monetary damages, so generally it doesn’t pay for any property damage stemming from a data breach or cyberattack, such as hardware that was fried during the cyber incident. These sorts of claims are typically considered part of commercial property insurance.

Intellectual property. During a cyber incident, intellectual property losses and any lost income associated with it are commonly excluded from cybersecurity insurance coverage. To get this coverage, a business will need intellectual property insurance.

Crimes or self-inflicted cyber incidents. Virtually no cybersecurity policy is going to cover a business that is charged with committing a crime related to or causing a cyber incident.

The cost of taking certain protective measures. Protective measures to avoid a future cyberattack are also not traditionally covered by a cybersecurity policy. This includes training employees on cybersecurity and setting up a virtual private network. However, insurers are starting to recognize the benefit of these steps and so coverage will vary with individual providers.

How do I get cybersecurity insurance?

Cybersecurity insurance can be purchased through most reputable business insurance providers and stands as its own policy. It is not considered part of more traditional business insurances like general liability or business owner’s policies, though some insurers might provide related cybersecurity endorsements that will let small businesses add it as part of a package.

Technology E&O can often be bundled with cybersecurity policies so that a small tech business is covered when it needs it.

How much cybersecurity coverage do I need?

Most small businesses carry around $1 million in cybersecurity coverage limits, which generally protects them against most cyber incidents. Businesses have different risks and needs, though, so an insurance agent can help you determine what level of coverage is right for your business.

The worst-case scenario of a cybercrime is losing a business altogether, says Little. Without sufficient coverage, many businesses might not be able to bounce back after a cyber incident. While the premiums on these policies can be significant, it's generally cheaper to pay to recover information or unlock ransomed data than to rebuild a business from scratch.

What's the best fit for your business?
Answer a few questions and we'll match you with an insurance partner who can help you secure quotes.
Frequently asked questions

Cybersecurity and insurance experts recommend that all businesses that store any form of digital data consider having coverage, even if they have low limits. Consider talking with a cybersecurity insurance agent to learn more about coverage so you can evaluate which risks you are willing to tolerate when it comes to cybersecurity.

Not necessarily. There are many good insurance brokers that are experienced with cybersecurity, Little says. If you work with an insurance provider who understands cybersecurity needs, they can likely help you choose a good policy with appropriate coverage limits.

An insurance agent should be able to answer your questions about potential risks to your business, what coverage is available, how that coverage helps you in certain situations and how much you’re likely to pay in premiums. If you are unsure after speaking with an agent, consider reaching out to another insurance company to compare information.

No, tech E&O insurance is only relevant if you design or manufacture technology-related products or provide technology services. It will be relevant for companies like those writing software code, providing IT services to other companies or designing apps.