What is cyber insurance and does your small business need it?

Cyber liability insurance, also known as cyber insurance, covers financial and legal liabilities that result from a security-compromising cyber incident, subject to the policy's limits and exclusions.

By Susan Meyer, Senior Editorial Manager (Licensed Insurance Agent, Property and Casualty), and Ross Martin, Insurance Writer (4+ years in the insurance industry)

Susan is a licensed insurance agent and has worked as a writer and editor for over 10 years across a number of industries. Ross joined The Zebra as a writer and researcher in 2019. He specializes in writing insurance content to help shoppers make informed decisions.

Cyber insurance: background

Cyber attacks on businesses are on the rise, and they are not just affecting large enterprises. About 76% of small to medium-sized businesses (SMBs) reported being attacked in the past 12 months.[1] With businesses depending on an online presence to stay relevant and conduct vital operations, it is more important than ever to protect your business from cybercrime. As a business owner, you might already be covered by small business insurance, so you may be wondering what cyber insurance is and whether you really need it.

Whether you’re a big corporation or a smaller home-based business, if your business is online, it’s susceptible to data breaches and cyberattacks. The effects can be financially devastating: one report found that SMBs lose an average of $101,000 per data breach.[2] Large corporations can usually absorb a hefty payout and some bad press, but for a small business the same event can mean closure.[3] Protect your livelihood and the longevity of your business by making sure you’re covered for major cyber events such as social engineering or malware attacks before they come your way.

For more information on cyber insurance and how to safeguard your business, keep reading or jump to the infographic below.


What is cyber liability insurance?

Cyber liability insurance, also known as cyber insurance, covers financial and legal liabilities that result from a security-compromising cyber incident, within the limits and exclusions of the policy. If sensitive customer or client information is accessed or stolen, the policy helps pay for recovering from the event and repairing the damage.

What does cyber insurance cover?

Cyber insurance exists to cover the wide range of fees and expenses that can follow an attack. A typical policy covers the following recovery costs and services:

  • Notification of individuals whose information is affected
  • Recovery and restoration of compromised data
  • Credit monitoring services
  • Computer forensics and repair of devices
  • Public relations costs to restore reputational damage
  • Civil damages from lawsuits
  • Funds lost to fraudulent transfers (check the policy wording; this coverage is often sublimited or sold as a separate endorsement)

Policies typically pay for these restorative actions when the loss was caused by common attack types such as:

  • Malware (e.g., ransomware, spyware)
  • Denial-of-service (DoS or DDoS) attacks that take systems or websites offline
  • Network or system intrusions (hacking), including stolen or guessed credentials
  • Social engineering or phishing attacks

What’s not covered by cyber insurance?

Although cyber insurance offers protection for many cybersecurity events, there are a few notable exclusions. Common exclusions include:

  • Reimbursement for future profits lost as a result of a cyber event
  • Lawsuits over security weaknesses that were known before the breach or incident occurred
  • Losses from theft of intellectual property
  • Attacks attributed to a foreign government or treated as acts of war (the exact war exclusion wording varies by insurer)
  • The cost of improving your security after an attack, beyond restoring systems to their prior state

How much does cyber insurance cost?

Policies for small businesses tend to average around $1,500 annually, but the cost of cyber insurance varies based on many factors like your policy coverage or the size of your business. Additionally, the growing prevalence of cyberattacks is projected to drive up premium costs for small, medium and large businesses alike.[5] For a breakdown of what will influence your premiums, check out the factors below.

Level of coverage and deductible

Policy terms like your coverage limits and deductible both influence the cost of your premiums. The deductible is the amount your business pays out of pocket on a claim; choosing a smaller deductible raises your premium. Larger coverage limits give you more protection but also cost more in premiums.

Security of your business

One way to save on cyber insurance is to have robust cybersecurity systems and practices in place. The stronger your defenses, the lower the premium insurers are likely to offer. Insurers increasingly ask about specific controls on the application, such as multi-factor authentication on remote access and email, offline backups and endpoint protection, so answer those questions accurately: a misstatement can jeopardize a later claim.

It’s especially important for companies that handle sensitive data to have well-defined controls for both employees and infrastructure. Hardware and software should be inventoried, monitored and kept patched. Employees should be trained to recognize security risks and should know the procedure to follow when an incident occurs.

Amount of sensitive data

Whether or not you store a lot of sensitive information like credit card numbers, Social Security numbers, health records or other highly personal information will influence the cost of your premiums. If you’re a small business that keeps limited client information, you’ll most likely pay much lower premiums than a large investment firm or private health care facility.

Business industry and size

Your industry determines the level of risk that insurers assign, and this plays a role in determining your costs. Typically there are three tiers of risk (low, medium and high), determined by the amount and sensitivity of the data your business is responsible for keeping secure.

Additionally, bigger businesses have more employees, and more employees mean more targets for social engineering attacks like phishing. From the insurer’s perspective, big businesses are a higher risk than micro businesses with fewer than 10 employees.

Annual revenue

Companies with large annual revenue are big targets for cyber criminals. This generally means that insurers will require more in premiums because of the financial risk. Smaller companies with less annual revenue benefit from lower policy premiums.



Who needs cyber insurance?

Any business that deals with information online should strongly consider obtaining cyber insurance. Businesses are responsible for keeping their clients’ or customers’ sensitive data secure, and this responsibility can become costly in the event of a breach or other cyberattack.

In 2020, a report by Kaspersky found that data breaches cost small-to-medium-sized businesses about $101,000 on average.[2] By comparison, an average of $1,500 per year for a cyber insurance policy is far more cost-effective and offers peace of mind.

How to create a cyber incident response plan

Even if your business is covered for cyber liability, it’s smart to have procedures in place for employees in case a cyberattack happens. A core practice is to have a written cyber incident response plan. The plan provides guidance for containing an incident, as well as the procedure for recovering devices and repairing damage. A good plan also strengthens your overall security posture and can help lower your insurance premiums.

To help you understand the basics of putting together a plan, read through the six stages of incident response outlined below (the same six stages used in the widely taught SANS incident handling model).

1. Prepare your business

The first stage in an incident response plan is preparation, which provides the foundation for every stage that follows. In this stage, you outline your team’s workflows for responding to an incident, including exactly who is responsible for each action needed to remedy the situation. The plan should include, but is not limited to, the following:

  • Who is responsible for determining where and when a breach or attack originated
  • Guidelines for triaging the event based on your in-house security capabilities, and which types of incident require third-party support
  • A list of vetted vendors that can provide incident response support (your insurer may require you to use its approved panel)
  • Workflows for how other teams such as legal, PR and customer service will respond
  • An established chain of command for the incident, approved by top stakeholders
  • Procedures for keeping critical credentials (domain administrator, cloud root, backup encryption keys) in a secured vault with an emergency access path, so responders can reach them even when normal accounts are locked out

2. Identify the event

With this preparation in place, if an incident occurs you have a guideline for diagnosing the problem. This typically involves specialized personnel and tooling (endpoint detection and response, centralized log collection) to document the information that identifies the origin and severity of the threat.

At this stage, the type, severity and scope of the event should be determined and recorded with timestamps, because the record may be needed for legal action or an insurance claim later. Be proactive about detection: endpoint protection, centralized logging and alerting on suspicious activity shorten the time between compromise and discovery.

3. Contain the incident

After identifying the event and the scope of the threat, you can start containing compromised devices and isolating them from the network to prevent the attack from spreading. Depending on the incident, it’s smart to have both short-term containment strategies (isolating a host, disabling a compromised account, blocking a source address) and long-term ones (rebuilding affected systems from clean images, tightening firewall rules) prepared in advance.

4. Eliminate the threat

Once the threat is contained, you and your team can work on eliminating it. This looks different depending on the attack: malware must be removed from every affected system, and ransomware-encrypted data is normally recovered from clean backups, since a working decryptor is rarely available and paying for one is a last resort with no guarantee (most policies also require you to involve the insurer before any ransom decision). Continue to gather evidence in this stage and preserve details for future analysis. It’s also good practice to patch systems, replace compromised hardware and tighten network and firewall configurations as needed.

5. Restore systems, services and processes

After the threat has been eliminated, your business needs to restore systems and return to regular work. To do this, you need clean data backups, and any affected devices should be rebuilt rather than merely cleaned. Rotate every credential that may have been exposed (user passwords, service accounts, API keys and active session tokens) so that stolen information cannot be reused. Continue to monitor your network and systems for signs that the attacker still has access.

6. Learn and adapt for the future

Once normal business is restored, it’s important to reflect on the incident and on how the response plan performed. You can accomplish this in a post-incident review (PIR) meeting involving all relevant personnel from the response. Discuss what worked well and what could be improved, record the timeline (time to detection, time to containment, time to recovery), and fold the improvements into your incident response plan going forward.
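As an added illustration of the "Identify the event" stage (this is example code written for this page, not something from the article or its sources), the script below triages constructed SSH authentication log lines, flags a source address that crosses a failure threshold, and produces an incident record with the type, severity, scope (hosts and accounts touched), first and last timestamps, and a SHA-256 digest of the evidence lines so the stored record can later be shown to be unaltered. The log format, the failure threshold and the severity labels are assumptions for the example.

```python
"""Added example (not from the article): log triage for the
'Identify the event' stage of an incident response plan."""

import hashlib
import json
import re
from collections import defaultdict

# Constructed sample log lines in sshd/syslog style (not real data).
SAMPLE_LOG = """\
Mar 14 09:01:02 web01 sshd[2201]: Failed password for admin from 203.0.113.5 port 51001 ssh2
Mar 14 09:01:04 web01 sshd[2202]: Failed password for admin from 203.0.113.5 port 51002 ssh2
Mar 14 09:01:06 web01 sshd[2203]: Failed password for root from 203.0.113.5 port 51003 ssh2
Mar 14 09:01:08 web01 sshd[2204]: Failed password for admin from 203.0.113.5 port 51004 ssh2
Mar 14 09:01:10 web01 sshd[2205]: Failed password for admin from 203.0.113.5 port 51005 ssh2
Mar 14 09:01:12 web01 sshd[2206]: Accepted password for admin from 203.0.113.5 port 51006 ssh2
Mar 14 09:05:30 web02 sshd[3100]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Mar 14 09:07:44 db01 sshd[4410]: Failed password for postgres from 203.0.113.5 port 51100 ssh2
"""

# Assumed log format: syslog timestamp, host, sshd auth result line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

FAIL_THRESHOLD = 5  # assumed: failures from one source before it is flagged


def parse(log_text):
    """Return parsed auth events in log order, skipping non-matching lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({**m.groupdict(), "raw": line})
    return events


def evidence_digest(lines):
    """SHA-256 over the evidence lines in log order. Recomputing it later
    shows the stored evidence has not been altered since triage."""
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()


def triage(log_text):
    """Group events by source address and build an incident record for
    every source that crosses the failure threshold."""
    by_ip = defaultdict(list)
    for ev in parse(log_text):
        by_ip[ev["ip"]].append(ev)

    incidents = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["result"] == "Failed"]
        if len(failures) < FAIL_THRESHOLD:
            continue
        # A success from a source that was brute-forcing means an account
        # is likely compromised: higher severity than failed attempts alone.
        successes = [e for e in evs if e["result"] == "Accepted"]
        raw_lines = [e["raw"] for e in evs]
        incidents.append({
            "type": ("credential compromise: brute force followed by "
                     "successful login" if successes else "brute-force attempt"),
            "severity": "high" if successes else "medium",
            "source_ip": ip,
            "first_seen": evs[0]["ts"],
            "last_seen": evs[-1]["ts"],
            "failure_count": len(failures),
            # Scope: every host and account the source touched.
            "hosts": sorted({e["host"] for e in evs}),
            "accounts": sorted({e["user"] for e in evs}),
            "compromised_accounts": sorted({e["user"] for e in successes}),
            "evidence_lines": raw_lines,
            "evidence_sha256": evidence_digest(raw_lines),
        })
    return incidents


def incident_record(log_text):
    """Serialize the triage result as JSON for the incident file."""
    return json.dumps(triage(log_text), indent=2)


if __name__ == "__main__":
    print(incident_record(SAMPLE_LOG))
```

On the sample data the script produces one high-severity record for 203.0.113.5: six failed logins across web01 and db01 against admin, root and postgres, followed by a successful login as admin, which is exactly the scope the containment stage needs (which hosts to isolate, which account to disable). The digest is what you would file alongside the raw log export so that an insurer or a court can verify the evidence later.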


In a world of remote work and online goods and services, cyberattacks are becoming more prevalent, and it’s important to protect your business from their financial, legal and reputational consequences. Before buying cyber insurance, take the steps that reduce your premiums: strengthen your security controls and put a response plan in place for whatever may come your way online.


Data sources: Blue Corona, Kaspersky, Keeper Security

Additional sources
  1. Keeper Security. 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses.
  2. Kaspersky. IT Security Economics 2020: Part 2.
  3. Sky News. Garmin 'paid multi-million dollar ransom to criminals using Arete IR', say sources.
  4. Okta. The 9 Worst Recent Data Breaches of 2020.
  5. Dark Reading. Ransomware losses drive up cyber security costs.