Cyber Insurance: Protect Your Business from Digital Threats
Cyber insurance covers the financial fallout of a cyber incident — data breaches, ransomware, business interruption, and the liability you owe to affected third parties. It combines first-party coverage (your own losses) and third-party coverage (claims made against you), because standard business policies usually exclude digital risks. It is one of the core lines a modern business needs.
What is cyber insurance?
The average cost of a data breach reached $4.88 million globally in 2024 (IBM, Cost of a Data Breach Report 2024), and because traditional policies rarely cover digital threats, cyber cover has become a core part of business risk management.
What does cyber insurance cover?
Coverage splits into two halves — your own losses and your liability to others:
| First-party (your own losses) | Third-party (claims against you) |
|---|---|
| Forensic investigation of the breach | Payments to affected customers |
| Data recovery and system restoration | Litigation and regulatory defence |
| Customer notification, call centre, credit monitoring | Settlements, damages, and judgments |
| Lost income from business interruption | Media liability (defamation, IP infringement) |
| Cyber extortion and ransomware | |
| Crisis management and PR | |
| Regulatory response costs | |
| Social engineering / BEC fraud | |
Some items — especially social engineering / business email compromise (BEC) fraud, where funds are wired on fraudulent instructions — are often a sub-limit or endorsement rather than full standard cover. Check the limit.
A comprehensive policy combines both halves, so you are covered for direct losses and any liability arising from the same incident.
What cyber insurance does not cover
| Usually not covered | Why |
|---|---|
| Poor maintenance of systems | Operational, preventable issue |
| Known vulnerabilities the insured ignored | Preventable risk |
| Fraud by owners or executives | Intentional act |
| Future lost profits beyond policy terms | Coverage limitation |
| Reputational damage with no measurable loss | Hard to quantify |
| Ransom paid to a sanctioned entity | Legally prohibited (e.g. OFAC sanctions) |
Cyber insurance vs general liability insurance
Business owners often assume general liability covers cyber events. It does not — the two respond to different risks:
| Cyber insurance | General liability |
|---|---|
| Data breaches | Physical injury claims |
| Ransomware | Property damage claims |
| Privacy liability | Third-party bodily injury |
| Network interruption | Non-cyber incidents |
Relying on general liability for a data breach is a common and costly mistake.
Common cyber risks it mitigates
- Data breaches — covers notification, credit monitoring, and PR after sensitive data is exposed.
- Ransomware — covers ransom payments (where legally permissible), data recovery, and downtime.
- Business interruption — replaces income lost while systems are down. Note this is cyber business interruption, triggered by a network security failure or covered cyber event — not the physical-damage trigger that standard commercial business interruption requires.
Example: ransomware attack on a small business
A ransomware attack encrypts a small firm's systems and halts operations. A cyber policy can cover:
- Forensic investigation to find the entry point.
- Legal advice on notification and regulatory obligations.
- Data restoration and system rebuild.
- Customer notification.
- Business interruption income during the downtime.
Any ransom payment is covered only where legally permissible — and never to a sanctioned threat actor, which can itself be unlawful.
Do small businesses need cyber insurance?
Yes — often more than large companies, because they have fewer defences:
- Small businesses are frequent, deliberate targets.
- Ransomware affects companies of all sizes.
- Holding any customer data creates liability.
- Recovery costs routinely exceed expectations.
Who needs cyber insurance?
Every business with data has some exposure, but priority rises with the sensitivity and volume of data held:
| Business type | Priority |
|---|---|
| Healthcare | Very high |
| Financial services | Very high |
| E-commerce | High |
| IT services | High |
| Professional firms | High |
| Retail | Medium–high |
| Manufacturers | Medium |
How much cyber insurance do you need?
It depends on your industry, size, the sensitivity of the data you hold, and your regulatory exposure (GDPR, CCPA, HIPAA). As general guidance:
| Business size | Typical coverage range |
|---|---|
| Small business | $250,000 – $1 million |
| Mid-sized business | $1 million – $5 million |
| Large enterprise | $10 million+ |
General market guidance only; figures vary by insurer and risk profile. Brokers' annual studies such as the Hiscox Cyber Readiness Report publish indicative SMB benchmarks.
High-risk sectors (healthcare, finance, retail) and businesses holding large volumes of personal data should size up. Estimate your worst-case breach cost and check existing policies for gaps before settling on a limit.
How to choose a cyber insurance policy
Check the policy wording for:
- A "duty to defend" — the insurer defends you in a lawsuit or regulatory investigation.
- Global coverage for incidents anywhere, not just domestically.
- A 24/7 breach hotline for immediate response.
- Clear treatment of ransomware and social-engineering fraud, including sub-limits.
- Whether it is primary over your other policies.
- The retroactive date — cyber cover is usually claims-made, so the incident must occur after that date and be reported during the policy period. When switching insurers, watch for a retroactive-date gap.
- The ability to add additional insureds where business relationships require it.
Cyber insurance and compliance (GDPR, CCPA)
Data-protection laws such as GDPR and CCPA impose strict breach-notification and privacy rules, and non-compliance can mean heavy penalties. Cyber insurance supports compliance by funding breach response, legal defence, and crisis management. It may also cover regulatory fines — but only where those fines are legally insurable, and typically only fines arising from a data breach or unauthorised disclosure. Fines for other GDPR violations (such as transparency or consent failures) are usually not covered. Confirm the wording with your insurer rather than assuming fines are covered.
What does cyber insurance cost?
Premiums depend on business size, industry risk, your security posture, and claims history. You can lower the cost by demonstrating strong controls — multi-factor authentication (MFA), regular security audits, and staff training — and by bundling with other policies. Many insurers now require MFA as a condition of cover; see cyber insurance MFA requirements with Silverfort for how that plays out in practice.
How a cyber claim works
- Notify immediately — report the incident as soon as it is detected so cover engages without delay.
- Document — provide a timeline, what happened, and the impact on the business.
- Assessment — the insurer investigates the extent of the damage and estimates the cost.
- Payout — covered costs (recovery, legal, crisis, interruption) are paid up to your policy limit.
Common cyber insurance mistakes
- Assuming general liability covers cyber events.
- Buying too little coverage.
- Ignoring ransomware and sanctions exclusions.
- Not implementing MFA (often a condition of cover).
- Failing to train employees against phishing and BEC.
- Not reviewing vendor and supply-chain cyber risk.
ACORD forms for cyber insurance
The cyber-specific form is the ACORD 834 (Cyber and Privacy Coverage Section). It is submitted with an applicant section — either the ACORD 825 (Professional / Specialty Insurance Application) or the ACORD 125 (Commercial Insurance Application), which also carries a "Cyber and Privacy" line. When cyber is bundled with property or general liability, the ACORD 140 and ACORD 126 sections may also apply.
State-specific versions of the ACORD 834 exist (for example 834 MN for Minnesota and 834 MT for Montana) for those states' applications.
For the full picture, see what are ACORD insurance forms.
Frequently asked questions
Build resilience, not just cover
Cyber insurance is about more than transferring risk — paired with strong security controls, it lets your business recover quickly from an incident instead of being defined by it. Match the limits to your data and industry, and confirm exactly what the policy includes — and excludes — before you rely on it.
Next steps
See how MFA requirements affect your cover, and why insurance is core to your business.
Homeowner right to repair for insurance: questions and answers
What is the homeowner’s right to repair?
The homeowner's right to repair refers to the policyholder's option to choose their own contractors to perform repair work on their property following an insurance claim, rather than using contractors selected by the insurance company.
Why would I choose to exercise my right to repair instead of using the insurance company’s contractors?
Exercising your right to repair allows you to have more control over the quality of materials and workmanship, ensures that trusted and reputable contractors handle the repairs, and can often lead to a faster resolution as you are directly involved in managing the project.
What should be included in the request letter to the insurance company?
The request letter should include:
- Your personal and contact information.
- Details of the incident (e.g., date of the fire or flood).
- Your policy number.
- A formal request to exercise your right to repair.
- Information about the chosen contractors, including their credentials and estimates.
- An invitation for the claims adjuster to inspect the property.
How do I choose the right contractors for the repairs?
When selecting contractors, consider their experience with the specific type of damage (e.g., fire or flood), their reputation, licensing and insurance status, references from previous clients, and their ability to provide a detailed estimate and scope of work.
What if the insurance company denies my request to use my own contractors?
If the insurance company denies your request, you should ask for a detailed explanation. It may be helpful to review your policy to understand your rights and, if necessary, seek assistance from a public adjuster or legal counsel to advocate on your behalf.
Can the insurance company impose any conditions on my right to repair?
Yes, the insurance company may impose conditions such as requiring detailed estimates, using licensed and insured contractors, and ensuring that the repairs meet certain standards. It’s important to comply with these conditions to ensure your claim is processed smoothly.
What should I do if the repairs exceed the initial estimates?
Inform your insurance company as soon as you become aware of additional costs. Provide them with updated estimates and an explanation of why the additional expenses are necessary. Most policies will have a procedure for handling cost overruns, but it’s important to get prior approval from the insurer.
Can I be reimbursed for temporary living expenses while repairs are being made?
Yes, if your home is uninhabitable due to the damage, your policy may include additional living expenses (ALE) coverage, which can reimburse you for temporary housing, food, and other necessary expenses while your home is being repaired. Check your policy details and discuss this with your insurance adjuster.