Cyber Security Insurance – Is It Worth It?

We’ve all seen or heard about it – the dreaded cyber-attack – and it is happening all too frequently these days. In today’s digital world businesses are relying on the online space more heavily and collecting more sensitive data than ever before. Hackers are becoming more sophisticated by the day.

This leaves small and medium sized businesses struggling to manage the budgetary pressures that go hand-in-hand with paying for top-notch cyber protection. Many business leaders are unaware of the volume of sensitive data that their business maintains and is required to protect. As a result, these businesses are falling behind in their cyber defense efforts and becoming easy targets for cyber criminals.

More than half of small businesses that experience a cyber-attack will close within a year. Some estimates show that small US business owners spend between $1-2 million on business restoration efforts and “getting back to normal” after an attack.

It is no surprise then, that the cyber insurance market is a rapidly growing industry. According to researchers from Swiss Re Institute, after a whopping $945 billion in estimated global cyber related losses for 2020, insurance premiums reached $10 billion globally in 2021. With a surge in cyber security incidents, the risks of not having insurance are quickly escalating. However, many businesses find that the cost of cyber insurance and the threshold requirements for insurability are increasingly difficult to meet.

So, what exactly does cyber insurance coverage mean and how does a business get it?

Like most insurance, it is designed to protect businesses from liabilities and monetary loss, but it also requires a more immediate response than other types of insurance. When a business experiences a cyber-attack, waiting for days or weeks to get help is out of the question. Any delays would likely increase the level of damage caused.

There are two types of cyber coverage any business should secure.

First party coverage – This covers out of pocket expenses that your organization incurs because of a cyber security event. For example, a bad actor gets into your system, disables your software and equipment, and demands a ransom payment. The costs associated with business interruption, getting systems up and running again, ransom payment, and breach notification all fall within first party coverage.

Third party coverage – This covers any liabilities from outside of the business, where a person or entity could potentially raise a lawsuit. For example, payments to consumers harmed by a data breach, litigation expenses, regulatory penalties, and costs associated with responding to government investigations.

Businesses should also look for the most comprehensive policies they can afford that will cover most or all of the following:

· Data breaches of personal data

· Cyber-attacks on data held by vendors and third parties

· Cyber-attacks on its network

· Cyber-attacks that occur anywhere in the world

· System failure

· Business interruption/losses

· Data retrieval and system restoration

· Cyber extortion/ransomware

· Social engineering attacks (e.g., phishing attacks)

As far as how to get it – that is sometimes a challenge.

The cyber insurance market is evolving and in recent years has become more astute about measuring risk and denying coverage if the risk is too high. Insurance companies expect to see that businesses are compliant with state and federal data privacy and security regulations and keep tight security controls. Some insurance companies require vulnerability scanning or risk assessment prior to offering coverage.

There are several things that businesses can do that may improve their options for cyber coverage:

· Implement multifactor authentication

· Tighten controls on remote access to your systems/data

· Maintain stringent backup and patch policies and practices

· Mitigate possibilities of insider threats

· Decrease the volume of sensitive data that is maintained

· Create a company culture of cybersecurity awareness

· Provide regular cybersecurity training to employees, contractors, agents, and business partners who access your systems

Most of these steps are good business decisions whether or not a business seeks cyber security insurance. It should go without saying that cyber security insurance can pay off big when a business falls victim to a cyber-attack. For those that are still unsure, these 5 key benefits sum it all up pretty concisely:

1. Protection of business reputation: When businesses prioritize cyber security, they show a commitment to protecting their customers’ data. This commitment is increasingly valuable to consumers.

2. Financial protection: One way to reduce the risk of financial harm and costly litigation expenses that could result in a business shuttering its doors is to maintain adequate levels of cyber insurance.

3. Protection from business interruption losses: The aftermath of a cyber-attack is costly, but business interruption coverage means you can keep the business afloat and pay the bills even when operations are not at normal levels.

4. Regulatory and breach notification support: Insurance providers can help navigate complex regulations of insurance requirements and breach notification rules.

5. Data recovery and forensic investigation: Insurers may support business owners after an attack by identifying issues and helping with a forensic investigation.

Clearly, cyber security insurance is an extremely important means of protection for businesses everywhere. It is vital that you take the time to assess your risks, consider ways to reduce risk, research policy options and providers, and strike the right balance between need and affordability.

Most importantly, do not continue to put this on the back burner. This extra layer of protection could be a lifesaver for your business.


Every effort is made to provide accurate, complete, and current information in Milestone Law Group’s blog. However, Milestone cannot guarantee that there will be no errors. In addition, note that articles are current as of the date of original publication and therefore may no longer reflect the current state of the law.

The information in our blog is shared for informational purposes, not to provide specific legal advice. Receipt of this material does not establish an attorney-client relationship. The blog should not be used as a substitute for competent legal advice from a licensed professional attorney. Please contact us if you have any questions.
