Cyber insurance is critical to every business risk management plan. Get the details on cyber insurance and learn about your options.
Recent statistics show that over 2,200 cyberattacks occur daily. Small businesses are prime targets because many lack strong cybersecurity defenses.
As more companies adopt multifactor authentication, cybercriminals have pivoted their attack strategies, increasing phishing, malware and brute-force/password attacks to gain access to legitimate accounts. Once in, they crawl networks for high-value data to exploit or sell. According to Microsoft’s Digital Defense Report 2024, around 7,000 password attacks per second were blocked during the year.
Stats like these highlight the need for tight cybersecurity protocols, like zero-trust architecture. Zero-trust frameworks treat every account, even legitimate ones, as a potential threat. Employee training on cybersecurity and email scams is also critical to keeping threat actors out.
Even large companies aren’t immune to data breaches. Many multinational corporations have been hacked. Here are some real-life examples:
In 2024, hackers infiltrated Change Healthcare, a subsidiary of UnitedHealth. Change Healthcare is a payment platform that handles transactions between doctors, pharmacies and health care professionals. The cyberattack was caused by a lack of multifactor authentication.
A 2025 HIPAA Journal article estimates the number of individuals whose personal data was exposed in the attack at 192.7 million. That’s over half of the U.S. population. Change Healthcare paid $22 million in Bitcoin as a ransom to unlock the data, without a guarantee that the data hadn’t been copied or sold.
In 2021, hackers hit Colonial Pipeline, the largest oil pipeline in the U.S. The attack shut down the pipeline for days, leading to fuel shortages and panic-buying throughout the Eastern U.S. The company reportedly paid nearly $5 million to the hackers to restore its operations.
In 2023, a ransomware gang exploited a flaw in a widely used enterprise file transfer service, MOVEit. At the time, the flaw was unknown to MOVEit. This is called a zero-day threat. The hackers initiated unauthorized file transfers and stole data from over 2,500 MOVEit customers. Affected customers included government, public and private organizations worldwide. According to the antimalware company Emsisoft, the MOVEit breach affected the following industries the most:
- Education (39.1%)
- Health care (20.1%)
- Finance and professional services (13.3%)
No matter your industry or size, you need cyber liability insurance. Read on to learn more about cyber risk and how to protect your business.
How are cyberattacks discovered?
You may not realize a hacker has accessed your systems until months later. According to IBM’s “Cost of a Data Breach Report 2025,” data breaches were identified in the following ways:
- By an organization’s security teams and tools (50%)
- By a benign third party or outsider (31%)
- By an attacker as part of a ransomware attack (19%)
According to IBM’s report, if the cyberattacker disclosed the breach, the cost of the hack rose to $5.08 million. That’s compared to $4.18 million for those discovered by a cybersecurity team. In any case, repairing the damage after an attack is difficult, time-consuming and expensive.
How might a cyberattack affect your business?
The consequences of a cyberattack vary depending on the severity of the attack, the time it takes to discover the breach and the data exposed.
If you suffer a ransomware attack, you will have to decide between giving a hacker thousands or millions of dollars and losing all your valuable data. And you can’t guarantee you’ll get your data back even if you pay the ransom.
Then you’ll need to hire a cybersecurity team to identify and remove malware from your system. You may even have to buy new IT equipment. You can expect days of downtime after an attack, directly impacting your sales and services. Morale could suffer as employees struggle to do their jobs while the IT system is being repaired. And the hit to your reputation can last for years.
Legally, you’ll have to notify customers, suppliers and business partners if their data was compromised. You’ll also need to pay for credit monitoring for each compromised account, which can be costly. Many people may decide not to work with you anymore because of the attack. If local journalists publish news of the attack, it could deter potential customers from doing business with you.
You’ll probably face legal action from affected individuals. And if you’re in the medical industry, you could face fines for Health Insurance Portability and Accountability Act (HIPAA) violations.
It could take years to recover from a cyberattack. Some businesses never do.
What is cyber insurance?
Regular business insurance policies don’t cover damage caused by cyberattacks. Enter cyber insurance.
Cyber insurance covers costs associated with criminal hacks and data theft. How much coverage you will get depends on the policy and the deductible you choose. Here’s what you can expect from a cyber liability insurance policy.
First-party cyber coverage
First-party cyber insurance protects your business from the fallout of a cyberattack. There are several ways to customize a cyber insurance policy. For example, your policy could cover the following:
| Coverage for your business | What it includes |
| --- | --- |
| Investigation of the cyberattack | You need to know how the hacker breached your system. Did the attack come from a third-party vendor with poor cybersecurity? Or did an employee working from Starbucks use an open network that allowed cybercriminals to access your system? First-party cyber insurance will enable you to hire a computer forensics investigator or cybersecurity company to investigate the incident. It will also cover the removal of malware from your system and a risk assessment to determine the likelihood of future cyberattacks. |
| Legal assistance | Your legal obligations in the wake of a cyberattack vary depending on your geographic location. For instance, in Illinois, you have to notify the state attorney general if the breach compromised more than 500 records of Illinois citizens. And companies in the health care industry have additional reporting requirements under HIPAA. Given the legal nuances, you might find navigating your obligations after a cyberattack difficult. Thankfully, first-party coverage provides the financial resources to hire one or more lawyers for the job. |
| Credit monitoring | California, Connecticut, Delaware, Massachusetts, Pennsylvania, Rhode Island and the District of Columbia have requirements for free credit monitoring or identity theft protection to affected third parties. Even if you aren’t legally required to offer these services to customers, you should do so as a goodwill gesture. First-party cyber insurance will pay for monitoring costs, up to your policy’s limit. |
| Ransom funds | This form of insurance pays for ransoms. However, most policies have a limit on how much they will pay and others won’t pay at all. If the limit is lower than the hacker’s demands, you would need to pay the rest out of pocket. Often there are nondisclosure clauses associated with policies that pay ransoms. |
| Data recovery | Ransomware, malware, worms and other malicious code can cause the loss or corruption of important files. First-party cyber insurance will pay for an IT company to recoup the data. But policies won’t pay to improve your systems to be better protected against future attacks. Ask your agent about coverage for cybersecurity improvements. |
| Business interruption or loss of revenue | A cyberattack can disrupt your business. When your company’s systems aren’t accessible, workers can’t do their jobs and you can’t make sales. But you still have to pay salaries and overhead expenses. This type of policy provides the funds you’ll need to keep your business operational while you repair or upgrade your systems. Remember that standard business interruption insurance only kicks in when there’s a physical property loss. Even if you already have standard business interruption coverage, you’ll also need to add business interruption to your cyber policy. |
| Public relations | A data breach can wreak havoc on your reputation. All 50 states have some form of requirement to notify data breach victims, so you won’t be able to keep it under wraps. First-party cyber insurance will pay for a public relations campaign to rebuild your brand. You can also use the money to hire a reputation management firm to boost your standing with the public. |
| Government inquiry costs, fines and penalties | Since all states have data breach reporting laws, you may face a state or federal inquiry into the attack. According to IBM’s report, 32% of respondents said data breaches resulted in government fines. In such an instance, third-party cyber insurance will cover the costs of responding to the inquiry. It will also cover fines and penalties, up to a predetermined limit. |
Third-party cyber coverage
Third-party cyber insurance addresses fines and legal action brought by other individuals or organizations. It covers:
| Coverage against other parties | What it includes |
| --- | --- |
| Additional legal costs | You’ll need to hire a lawyer to defend your company in court, settle a lawsuit brought by a third party, or represent your company when dealing with government officials. Legal help can resolve matters faster and more efficiently, and this type of insurance policy will cover the costs. |
| Third-party monetary losses | Third-party cyber insurance helps if your business can’t deliver on its obligations, products or services because of a cyberattack. Clients might sue you for their monetary loss due to the incident. |
| Settlement costs and court-ordered damages | Third-party cyber insurance provides money for settlements and court-ordered damages. If you settle, you can quickly compensate affected third parties. If the case goes to trial and you’re found liable for the attack, it will cover court-ordered damages. But if the settlement or court-ordered damages exceed the policy’s limit, you’ll pay the difference out of pocket. |
Technology errors and omissions insurance
Technology errors and omissions (tech E&O) insurance is for companies offering IT-related products or services, such as software manufacturers and engineers, IT technicians, cybersecurity businesses, and website designers.
A tech E&O policy covers you if you or one of your employees makes a mistake and a client suffers a cyberattack as a result. For example, if a website you designed gets hacked, your client could sue you. It covers legal fees, court costs, settlements and judgments.
A tech E&O policy covers mistakes you make while doing your job, but doesn’t cover damage caused by cyberattacks on your network. For example, if a hacker steals data from your computer networks and uses it to breach a client’s account, your tech E&O policy wouldn’t respond. You’d look to your cyber liability insurance policy for help.
What doesn’t cyber insurance cover?
Cyber insurance has much to offer. Even so, it won’t cover the following:
| Events standard cyber liability won’t cover | Ways to get coverage |
| --- | --- |
| Social engineering attacks | Cyber insurance doesn’t cover damage caused by social engineering attacks, such as baiting, phishing or fraudulent emails. For example, say a hacker poses as a company executive and tricks an employee into wiring funds to a bank account. Cyber insurance wouldn’t cover the lost funds or the cost of checking IT equipment for a breach. Ask your agent about adding social engineering and commercial crime coverage. Social engineering coverage is for outsider attacks and commercial crime coverage is for insider attacks. Each insurance company is different and might have coverage limits and exclusions. |
| Property damage | If a breach damages your physical property, such as computers, routers or machinery your IT system controls, you will need to file a claim with your commercial property insurance. |
| Intellectual property theft | Hackers don’t just look for personal and financial information. They also go after intellectual property (IP). A hacker can hold your IP for ransom or sell it on the dark web. Standard cyber insurance doesn’t cover losses from IP theft, but more comprehensive policies might allow you to add coverage. Ask your agent about IP insurance. IP or copyright infringement insurance only covers you when you’re sued for infringing others’ IP, not when someone steals yours. |
| Insider threats | Like other commercial insurance policies, cyber insurance won’t cover businesses that intentionally commit crimes. However, you can purchase commercial crime or employee theft insurance to cover your systems if an employee maliciously breaches them. |
| Post-attack strengthening | First-party cyber insurance will cover an assessment of your IT system to determine the likelihood of a future attack and what you can do to prevent it. However, it won’t pay for IT cybersecurity upgrades such as new antimalware software, improved networks or employee cybersecurity training. Ask your agent about cyber betterment coverage for help with computer and network improvements after a covered incident. |
| Projected revenue loss | Cyber insurance covers lost revenue directly tied to an attack. For instance, your insurance may cover employees’ wages if they can’t work for a week after the attack. However, it won’t cover projected revenue loss. There’s no physical damage in a cyberattack, so your standard business interruption coverage won’t respond. You’ll need to add business interruption, aka non-damage business interruption, coverage to your cyber policy. |
| All geographic locations | Cyber insurance purchased in the U.S. may not cover branch offices or attacks outside the U.S. For example, if you access your system while traveling outside the country and your system is breached as a result, cyber insurance may not respond to the incident. The same holds true if you hire contractors who work with your firm but don’t live in the U.S. Ask your agent to explain your policy’s international coverage, especially if you travel internationally or work with an international team. |
Cyber liability insurance isn’t standardized. Each insurance company has its own version of coverage, exclusions, terminology and definitions. Using a seasoned agent who understands your cyber liability exposure and the coverage variations and gaps is critical to managing risk.
Who needs cyber insurance?
If your business stores or processes customers’ personal or financial information, you need cyber insurance. This is true for businesses of all sizes, including single self-employed operations. What matters is the amount of data you have or have access to, not the size of your business or how many people work for you. First-party coverage may be enough, but you should consider third-party coverage if you’re part of a complex supply chain or contract with service providers.
If you provide goods or services to other businesses, you need all forms of coverage outlined above. This is because you have access to other businesses’ online accounts, and a breach of your system also puts those accounts at risk.
Hackers place no limits on who they will target. Schools, hospitals, universities, self-employed individuals, and businesses of all sizes in all industries have been victimized.
How much does cyber insurance cost?
Several factors determine how much you’ll pay for cyber insurance. They include your:
- Business size and revenue. Large firms with high volumes of personal and financial information are prime targets for hackers. And it costs far more to repair the damage to a large IT system than it does to fix one or two computers at a small business. Big companies generally pay more for cyber insurance than small firms. Prices can range from several hundred to tens of thousands of dollars.
- Industry. Health care companies, financial institutions, educational facilities, government agencies, and energy and utility companies are highly targeted industries. These industries are high-value targets because they handle sensitive information and critical infrastructure services. They generally pay more for cyber insurance than others.
- Claims history. If your business has been breached in the past, you’ll likely pay more for cyber insurance than a company that has never been hacked.
- Cybersecurity protocols. There are measures you can take to decrease your likelihood of an attack. These include:
  - Hiring an IT firm to manage your cybersecurity
  - Providing employees with ongoing cybersecurity training
  - Updating your software regularly
  - Limiting access to your database to employees who need it for their jobs
  - Creating company policies governing password selection and storage
  - Creating a cyber incident response plan
- Regulatory landscape. Regulatory requirements vary by industry and geographic location. The more requirements you have, the more you’ll pay for cyber insurance.
How do you pick the right cyber insurance policy for your business?
Have an expert audit your IT systems before you start researching cyber insurance providers. An audit will show vulnerabilities you need to address and help you determine which forms of coverage would benefit your organization. For example, if ransomware attacks are commonplace in your industry, choose a policy with a high ransom payment limit.
Once you know what you need, start looking for a company to work with. A good company will have experience meeting the needs of firms in your industry. For example, cyber insurance policies tailored to health care institutions won’t always meet the needs of businesses in the financial or B2B market.
You’ll also want to consider the size of your business. Some cyber insurance providers specialize in large corporations or small to midsize businesses. Choosing an insurance agency familiar with the laws of your state is wise, especially if your state has many regulatory requirements for cyberattack reporting.
Evaluating cyber coverage and customer service
When considering an insurance carrier, check its track record to ensure it offers efficient services, 24/7 support and fast compensation for claims. Some insurance companies offer cyber training, network audits and consultations to review your exposures. You can find this information online or ask other businesses for recommendations.
Another factor to consider is whether the insurance policy is underwritten by an “admitted” or “nonadmitted” carrier. Admitted insurance carriers are vetted, overseen and financially backed by the states they sell policies in. If an admitted carrier goes bankrupt, the state will pay out on the remaining policies. On the other hand, nonadmitted carriers haven’t been vetted and approved by the state. If they go bankrupt, the state will not back their remaining policies.
Also make sure you can get help immediately after a cyberattack. This will avoid delays in meeting regulatory requirements, informing customers of the breach and assessing the damage. Generally, it’s best to pick a company that has been in business for a long time. Such firms are more stable and reliable than new companies that may not have the financial resources to cover a costly attack.
Finally, carefully review any policy you’re considering to see what it does and doesn’t cover. If you don’t understand something, ask for information and get the answer in writing. If you’re allowed to set a deductible, choose one that you can afford. Remember, your policy isn’t just one more expense to cover. It’s a financial lifeline that will keep you afloat if your business is breached.
Balancing cost with coverage
You’ll also need to consider cost when selecting a cyber insurance policy. If you find the cost of a good insurance policy is higher than you expected, talk with different insurers about ways to lower your premiums.
For example, you could raise the deductible and take on a larger out-of-pocket expense. In other cases, you could lower costs by implementing strong cybersecurity guidelines, training employees or outsourcing your cybersecurity to an IT company.
It’s best to have these cybersecurity controls in place before you apply for a policy. Be ready to show proof. If you have employee cybersecurity training, keep records and provide them as part of your application. The same goes for your written incident response plan. If you run an internet-based company in a state with many regulatory guidelines, consider moving to another state with fewer regulations.
Never compromise your coverage to save a bit of money each month. You don’t want to deal with the aftermath of an attack without the resources you need to recover.
Cyber insurance can save your business
Cyber insurance doesn’t replace sound cybersecurity tools or policies. However, it can provide the financial resources you need to deal with the aftermath of an attack. It can help you recover faster than would otherwise be possible. According to IBM’s report, 65% of businesses that suffered a cyberattack said they had not fully recovered, even after they contained the breach. And of those that recovered, 76% took over 100 days to get there. Only 2% reported a recovery in less than 50 days.
In today’s world, cyber insurance is essential for any company that works with, stores or processes third-party personal data.
Don’t know where to start? Call your insurance agent!
Cyberattacks are common, and no business is immune. Having adequate cyber insurance can mean the difference between recovering quickly and being forced to shut your doors. Call your agent for help with your application. They’ll match you with an insurance company that fits your operational exposures.
Call us for more information
We’re ready to assist you in the case of a disaster. Reach out to our Business Insurance team.
This content is for informational purposes only and not for the purpose of providing professional, financial, medical or legal advice. You should contact your licensed professional to obtain advice with respect to any particular issue or problem. Please refer to your policy contract for any specific information or questions on applicability of coverage.
Please note that coverage cannot be bound or a claim reported without written acknowledgment from a OneGroup Representative.
Written content in blog post: Copyright © 2025 Applied Systems, Inc. All rights reserved.