The Business Owner’s Guide to Cyber Liability Insurance

J.J. Starr

According to research by SCORE, 43 percent of cyber attacks target small businesses, and 60 percent of small businesses go out of business within six months of a successful cyber attack. That’s because cyber incidents cause serious financial damage to businesses, especially when sensitive customer information is lost or stolen. Cyber threats are present whenever businesses store data, and cybercrime is on the rise—incidents are increasing 15 percent year over year, according to Embroker, a business insurance provider. 

Unfortunately, many business owners find out too late that their current business insurance policy doesn’t cover many of the damages that result from a cyber incident. This article covers cyber liability policies in depth—what they cover, how much they cost, and how they differ from a general liability policy.  Plus, we’ll cover which businesses need cyber policies the most. 

What is cyber insurance, and what does a cyber policy cover?

Cyber liability insurance is a business insurance product that covers cyber incidents. It is often purchased as a stand-alone policy but can sometimes be included in a general liability policy. Cyber liability insurance covers exposures—incidents that would cause your business harm—that are particular to cyber risk, which can include:

  • Data breach coverage protects you when information is stolen from an internal or external storage system. Coverage may specifically include legal fees, security fixes, and identity theft protection services (e.g., credit monitoring) for affected customers. 
  • IT outages coverage protects against loss of data or proprietary code during a fire, natural disaster, or other covered event. Though physical property, such as a hard drive, is covered by a general liability policy, non-physical property, like coding and data, is not.
  • Cyber attacks and hacking coverage makes your business whole after a malware attack, phishing attack, and other types of hacking. 
  • Ransomware extortion payment coverage protects you when hackers attack your business and demand payment in return for ending the attack. Attacks come in many shapes but most commonly involve ransoming stolen data. This is sometimes called cyber extortion coverage. 
  • Third-party damages coverage protects you when a cyber incident affects a third-party (mainly customers) who may have the right to sue your business for damages. 
  • Business interruption coverage protects your business from revenue loss when your business can’t operate due to a cyber incident.

Your policy documents will outline exactly what your cyber liability policy covers both on the declarations page and elsewhere. Cyber insurance covers you up to coverage limits as set in your policy. Review your quote documents closely before you buy to ensure you have the right coverage types set at the right amount. If a policy doesn’t cover one of the perils above, you may be able to add additional coverage in the form of a rider to your cyber policy. 

Why is cyber liability insurance important?

Cyber incidents, especially data breaches, cause big problems that result in business disruptions, legal fees, and revenue loss. Recovering from a cyber incident often involves additional expenses for investigative services, public relations, and compliance with federal rules regarding data breaches. Plus, a business may need to pay a ransom fee to get its data returned. These expenses are why so many small businesses have to close their doors after a cyber attack.

According to Coveware, a ransomware as service (RaaS) business, the median cost of a ransom payment was $36,360 as of March 2022. That’s about half the median cost from the year prior. But this by no means implies that the risk for businesses is also diminishing. The downtick, instead, has been caused by market trends. RaaS, cyber insurance, and cyber security businesses have been successfully marketing to and signing mid-range small businesses, which have historically been most vulnerable to attacks. Because of this, fewer attacks have been successful. 

Though there are many things you can do to protect your small business from cyber hacking, nothing can replace strong cyber security and a cyber liability policy. Luckily, many cyber insurance products come with cyber security coaching, discounts for cyber security systems, risk management services, and other benefits to help you protect your business. 

What are the most common cyber-attacks?

Cyber attacks come in many shapes and sizes, but a few tactics tend to be most successful. Here are a few of the most common tactics used by hackers:

  • Phishing is when a hacker sends an email posing as a trusted source. The email asks for sensitive information, such as passwords, or tricks the recipient into downloading malware.  
  • Social engineering is any cyber attack that uses human interaction to exploit victims. Sending phishing emails is one form of social engineering. But this can also be done through text message, social media, and even in person. 
  • Ransomware occurs when hackers steal sensitive data, install malware, or otherwise hold a business’s systems hostage until they receive a ransom payment.
  • Web attacks include any attack on a web-based application used by a business. The two most common web-based attacks use Structured Query Language (SQL) injection and cross-site scripting (XSS).

Beyond these four tactics, hackers use many other creative avenues to get what they want.

How much does cyber liability insurance cost?

According to Insureon, the average cost of a cyber insurance policy is around $1,675 annually ($140 a month). But, nearly one-third of businesses pay less than $1,000 a year ($83 a month).

The cost of your policy will largely depend on your coverage level (how much you’re insured for) and your deductible (what you pay out of pocket in case of a claim). Other factors also impact your costs, including where your company is based, business revenues, type of business, and the number of sensitive records you need to protect. 

Most policies come with a standard $1,000 deductible, though you may be able to lower or raise the deductible depending on the company you work with. If you lower your deductible, your premiums will increase, while raising your deductible should lower the cost of your policy. This rule is generally true of all insurance policies.

If you want to lower your rate even more, look for policy discounts, especially in the form of “multi-line” or “bundling” discounts. These are discounts for carrying more than one insurance policy with the same company. You can often bundle a cyber insurance policy with your general liability policy and other insurance products you use for your business, such as professional liability insurance (aka errors and omissions insurance). 

Who should carry cyber liability insurance?

Businesses that store customer information or other sensitive data online or on the computer benefit from carrying cyber insurance. This is true whether the information is stored on in-house electronic devices or with a cloud-based storage service. 

Sensitive information includes names, addresses, medical records, financial records, Social Security numbers, tax identification numbers, and payment information (e.g., credit card numbers). This is often referred to as personally identifiable information or PII. 

Which businesses are most at risk for a cyber incident? Businesses with a large customer base, high revenues, and high-value assets are most at risk, as they offer the greatest rewards to hackers. Think retail businesses, healthcare businesses, eCommerce businesses, and financial services businesses. But any business, no matter the industry, that stores a large amount of PII is potentially at risk.

How much cyber liability insurance should I carry?

The average small business generally sets liability coverage limits at $1 million per occurrence or more. Be sure to check annual limits as well, as most policies have caps both per occurrence and per policy period (called the “aggregate” limit in insurance-speak). A cyber insurance policy is typically 12 months. 

You can estimate your needs if you’re unsure whether $1 million is enough for your business. According to Insureon, the average data breach costs about $180 per customer. Multiply the average cost by your customer base to see your estimated exposure, like this: 

$180 x 5,354 customers = $963,720

Be sure to speak with an insurance agent about the level of coverage you need. And, though it takes extra time, consider speaking with agents from a few different companies while you’re at it. That way, you’ll get a range of opinions and quotes to help you decide on the right policy. 

Finally, if your business stores medical records—i.e., your records must comply with HIPAA regulations—you will likely need to carry higher limits. That’s because a data breach can cause your business to fall out of compliance with government regulations, which could result in additional fines. 

Which insurance companies offer the best cyber insurance policies?

There are many reputable insurance companies that offer cyber insurance policies. But some providers stand out for their reputation and services. We’ve identified several insurers that are often cited as top-tier within the industry:

  • Chubb is a Swiss-based insurance company that offers policies to businesses no matter their size or industry.
  • CNA provides industry-tailored policies and risk-control services to help business owners understand their risks and protect themselves.
  • The Hartford is a long-standing insurer based in Connecticut and offers cyber breach policies to small businesses. Larger businesses can purchase a cyber liability policy. 
  • Travelers offers a ton of perks as part of their CyberFirst Essentials package for small businesses, including cyber security coaching. 
  • American International Group (AIG) offers many types of prevention services along with cyber policy limits up to $100 million.
  • Blue Cross Blue Shield offers a cyber policy tailored to small businesses called the BCS Micro Cyber policy, which can be purchased in under two minutes. 

Some insurance companies specialize in specific industries, such as The Doctors Company, which specializes in cyber insurance for healthcare professionals. 

We recommend comparing insurance quotes from three to five companies before deciding on your policy. Be sure to take into account differences in coverage limits and other policy features, not just the premium cost. 

Cyber Insurance Frequently Asked Questions

What is the difference between cyber liability and cyber security?

Cyber security is meant to protect from a cyber-attack or other malicious incident and is a preventative service. Cyber insurance makes you whole after a cyber incident such as a data breach and is a remedial service. Most cyber security companies do not offer cyber insurance but may have some protections if their services fail. Most cyber insurance companies offer cyber security training and other services (often for free!) to help you secure your business. 

What is the difference between cyber liability insurance and traditional liability insurance?

Most businesses carry general liability insurance, but these policies do not necessarily protect them from cyber incidents. Traditional liability policies cover people (bodily injury), and products, services, or operations (property damage). Cyber insurance can sometimes be added to a traditional business policy as a rider.

What kinds of businesses need cyber liability insurance?

Any business that stores private information online or on an electronic device needs cyber insurance. Luckily, cyber insurance costs are relative to business needs. Small businesses, for example, may not need high coverage limits—small policies are typically around $250,000 in coverage and cost around $600 a year. 

Is cryptocurrency covered by insurance?

Cryptocurrency uses blockchain networks to track transactions. Though blockchain hacks are rare, there are other “entry points” for hackers to get in, mainly crypto bridges (which connect blockchain networks) and digital wallets (where cryptocurrency owners store their funds).

Unlike funds in a bank account, cryptocurrency is not insured by the FDIC, and people rarely recover stolen funds. In most cases, a cyber insurance policy does not cover cryptocurrency funds or transactions. You’ll need a separate rider or a cryptocurrency insurance policy for that. If your business accepts cryptocurrency, it’s a good idea to carry a crypto-specific policy.

About the author: J.J. Starr is an educator, personal finance writer, and former registered banker. She's helped dozens of small businesses set up and manage their day-to-day expenses, secure business loans, and develop financial plans.