What Is Cyber Insurance and How Does It Impact Cybercrime?

By Alex Popa . 5 August 2024

Cybersecurity Journalist

Fact-Checked this

With cybercrime becoming more common than ever before, businesses are turning toward cyber insurance to take away some of the risks associated with conducting business online.

Cyber insurance or cybersecurity insurance provides a robust protection again online security threats and data breaches.

Here’s a summary of the benefits of cyber insurance:

They protect against cyber risks by offering timely assistance in mitigating cyberattacks
They provide network-wide security coverage against any cyber threats, including cyber terrorism
They cover financial damage occurring because of cyberattacks, including fees for investigations, legal responsibilities, credit monitoring services, and more
They provide compensation for business interruption or loss of revenue in the case of a cyberattack
They offer legal assistance in the aftermath of a cyberattack, paying for legal counsel and any lawsuits that appear because of privacy violations or data breaches
They guarantee the financial stability of a business even in the event of severe cyberattacks
They improve the reputation of a business by highlighting their dedication to protecting client data

While cyber insurance does not replace cybersecurity good practices, it brings peace of mind and mitigates much of the aftermath of a successful cyberattack.

According to Embroker, over 70% of businesses were attacked with ransomware variants.

In 2016, a business was attacked by a ransomware every 40 seconds. This has turned to 11 seconds in 2021, according to a report by Cybersecurity Ventures. It’s a 72.5% increase in ransomware occurrence.

In the first quarter of 2023, there were 831 victims of ransomware, which is a higher victim count compared to Q1 2022 (763 victims).

There’s also been a noticeable surge in the global cyber insurance market size from 2018 to 2021, as shown by Statista:

2018 – $4.7 billion market size
2021 – $9.2 billion market size
*2025 – $22.1 billion market size (prediction)

Clearly, businesses have started to realize the importance of preemptive protection!

What Does Cyber Insurance Cover?

Image of an umbrella in cyberspace

Cyber insurance comes in many forms, just like auto or home insurance. There are different policies, services, and coverage depending on which insurance you get.

Here’s a summary of what most cyber insurances will cover:

Customer notifications in the event of a data breach. In the EU, the GDPR requires all businesses to notify their customers about a data breach, while the US is a bit more complicated with different data privacy laws (HIPAA, GLBA, FISMA, etc.) These notifications are costly, and a cyber insurance will shoulder the costs
Data breach expenses. If a data breach occurs and personal data is stolen, there’s bound to be financial damage involved. The insurance will cover this, offer legal assistance, and more
Personal identity restoration. When the customers of a business lose their personal identities through a data breach, the insurance will help restore them
Ransomware demands. In the event of a ransomware demanding a fee, the cyber insurance covers the costs of such demands if the company decides to pay it
System repairs. Following a cyberattack, it’s likely that computer systems have been damaged. The insurance covers the cost of repairing these systems
Data recovery. The insurance can pay for any costs associated with recovering the data lost during a cyberattack
Cyberattack mitigation. The insurance can shoulder the costs of cyber-forensic experts that will assess the damage, mitigate the damage, and recover the lost data
Legal fees. Following a cyberattack, a company may be found guilty of violating privacy regulations and policies, incurring various legal fees. The insurance can pay these fees and offer legal assistance
Business interruption and loss of revenue. Cyberattacks often leave businesses crippled, leading to a loss of revenue and the interruption of business operations. Insurances can provide credit monitoring services and financial assistance for responding efficiently to a data breach

That’s not all, though. Cyber insurances offer coverage for a wide number of cyberattacks, including:

Data breaches
DDoS attacks
Computer fraud
Cyber extortion
Network security liabilities
Zero-day exploits
Doxing

A robust cyber insurance can make the difference between near-bankruptcy and just another easily-avoidable crisis.

Small and large-scale businesses alike will benefit significantly by acquiring a cybersecurity insurance to protect against the increasing risk of cybercrime.

No defense is ever impregnable, and this applies to cybersecurity too. Whether through social engineering, security faults, or zero-day exploits, every business will fall prey to cyberattacks at one point.

That’s the idea with cyber insurance – when you do get attacked, you’ll have a fallback protection plan to mitigate the damage inflicted by criminals.

What Isn’t Covered by Cyber Insurance?

Image of an umbrella on a circuit board

Knowing what isn’t covered by your insurance can better prepare you for unforeseen events.

Here’s what a cyber insurance doesn’t cover most of the time;

Human error: most cyber insurances won’t offer coverage in the case of attacks caused by your employees
Prior data breaches: cyber insurances don’t offer coverage for data breaches that occurred before purchasing the insurance
Poor security: if the cyberattack is caused by the business’ poor security system, the insurance will become void
Insider attacks: if one of your employees steals data from the company (insider attack), the insurance won’t cover your losses
Preexisting vulnerabilities: any data breaches caused by a previously-known vulnerability will turn the cyber insurance void, even if the data breach takes place after getting the insurance
Infrastructure damage not caused by cyberattacks: the cyber insurance will not cover any failure of infrastructure that wasn’t caused by a cyberattack, even if the damage is technological in nature

Essentially, a business has to prove that they’re acting in good faith to benefit from cyber insurance coverage.

This could mean having a good cybersecurity system, actively trying to prevent cyberattacks, and implementing employee cyber-awareness.

Tips for Choosing an Adequate Cyber Insurance Policy

Image of cyberspace

Cybersecurity insurances differ based on their coverage, pricing, and the scale of the protection offered.

This last aspect is dependent on the insured entity’s organization size, annual revenue, industry, and extent/type of coverage required.

Depending on these factors, cyber insurance premiums can range from $500 to $5,000 per year.

Here are a few tips you should consider when choosing a cyber insurance:

Submit to a security audit or offer documentation after assessing your business with an approved assessment tool. Insurance companies will need to see that your business meets their requirements
Find out what costs you will shoulder in the case of a data breach and what the insurance covers
Find out if the insurance covers cyber extortion and ransomware costs
Learn if the insurance offers legal assistance, privacy liability coverage, and litigation in the case of a breach of confidential personal data
Understand the cybersecurity risks that your business is facing so that you can select a specialized cyber insurance coverage
Consider your risk tolerance and understand what you need and don’t need from your cyber insurance
Look at how much it costs per month in premiums and deductibles

It’s important to know that not all cyber insurances are a fit for your business. Pay attention to how they’ll assess your cybersecurity risks.

Questionnaires are extremely inefficient because often, the person answering the questions doesn’t have enough knowledge to comment on complex cybersecurity topics.

Instead, the insurance company should have an expert perform on-site analytics and gather telemetry data to understand how your organization operates online. They should consider your current cybersecurity systems and account for possible data leaks or vulnerabilities.

Impact of Cyber Insurance on Cybercrime

Image of a shield in cyberspace

In this section, I’ll show you two sets of data from Statista:

Share of global ransomware incidents in 2021 where the costs were covered by cyber insurance, by industry
Share of global ransomware incidents in 2019-2021 where the costs were covered by cyber insurance, by type of payout

These stats will reveal the significance of implementing a cyber insurance on your business, and how it can help you mitigate cyber threats.

1. Global Ransomware Incidents Paid by Cyber Insurance in 2021, by Industry

Industry	Insurance Paid Out	Insurance Paid Clean-up Costs	Insurance Paid the Ransom	Insurance Paid the other Costs
Average	98%	77%	40%	27%
Higher Education	100%	87%	36%	20%
Distribution and Transport	100%	83%	45%	29%
Business and Professional Services	99%	78%	40%	23%
Media, Leisure, Entertainment	99%	82%	40%	27%
Central/Federal Government	99%	74%	46%	29%
Lower Education	99%	58%	53%	27%
Construction and Property	98%	78%	36%	23%
Retail	98%	82%	35%	29%
Healthcare	97%	81%	47%	26%
IT, Technology, and Telecoms	97%	76%	37%	28%
Manufacturing and Production	97%	75%	30%	34%
Energy, Oil/Gas, and Utilities	96%	77%	44%	23%

The clean-up costs consist of expenses necessary to restore functionality and operations to the organization.

The “other costs” refer to the cost of downtime, lost opportunities, and other expenses suffered because of a cyberattack.

As you can see, in most industries, insurance companies paid over 72% of organizations the clean-up costs required to get back up and running.

Less than half of the organizations across most industries (except Lower Education) got their ransoms paid out by the insurance company.

And less than 30% of organizations across all industries got “other costs” paid out by the insurance company.

2. Global Ransomware Incidents Paid by Cyber Insurance in 2021, By Type of Payout

Year	Insurance Paid Out	Insurance Paid Clean-up Costs	Insurance Paid the Ransom
2019	95%	67.5%	44%
2021	98%	77%	40%

This survey was conducted in September 2022 and had 5,600 respondents from 31 countries participate.

There’s a noticeable increase in payments made by the insurance company, including clean-up costs from 2019 to 2021.

However, there was a decrease of 4% in the number of cases that insurance companies paid the ransoms to clients.

Judging by this statistic, it seems that insurance companies recognize the negative impact of paying ransoms to criminals.

It’s true that paying the ransom only emboldens criminals to keep launching attacks because they make a profit out of it.

Who Should Get a Cyber Insurance?

Image of a lock on a circuit board

The first question asked by many entrepreneurs is “Do I need a cyber insurance?”, and it’s one that deserves a detailed answer.

First of all, all companies and businesses have a legal responsibility to safeguard their customers’ personal data.

This information is often sensitive, like Social Security Numbers, credit card information, names, addresses, health data, and so on.

The question is “what are the lengths you should go to in order to protect that data?”, and the answer is “anything and everything”.

Neither your client nor the law care about how you protect the data as long as it stays protected. If there is a data breach, it means you haven’t done enough to protect it.

This is where cyber insurance comes to your help. It assumes that your business will be attacked by cybercriminals and you will end up using customer data, which will incur hefty legal fees, operational recovery expenses, and so on.

Here’s a list of businesses that will benefit from cyber insurance:

Startups and Tech Companies – These companies are heavily digitized and deal with a lot of sensitive customer data that they store on their digital infrastructure. Hence, they’re exceptionally vulnerable to cyberattacks, which lead to severe financial and reputational damages
Financial Institutions – Companies like banks and insurance companies deal with highly-sensitive data, financial transactions, and so on. Cybercriminals prioritize these types of companies with ransomware attacks, identity theft attacks, and unauthorized transactions
Professional Service Companies – Companies like law firms, dentistry businesses, accounting firms, all deal with sensitive user data and/or intellectual property. Cyberattacks will often try to steal this data, causing a data breach that will cost these companies a lot of money
Healthcare Providers – Health data is classified as sensitive data, and it’s very attractive to cybercriminals. Health records and personal information are valuable commodities on the Dark Web, so hospitals, private clinics, and healthcare providers should expect more cyberattacks than usual
Small and Medium-Sized Businesses – It’s a mistake to believe that small-scale businesses are less targeted by cybercriminals. It’s quite the opposite, in fact. Small businesses don’t have as many financial or operational resources to allocate to cybersecurity, so they’re more vulnerable to attacks

Already, we can see that the Financial, Health, and Legal industries are included in this list. It’s not a coincidence that these industries are the most targeted by cybercriminals due to the high-value data stored on their servers.

Is Cyber Insurance Worth It?

Image of a man holding an umbrella in an office overlooking the cyberspace

In our analysis, cyber insurance is more than worth the costs of the monthly (or yearly) premiums paid. Just like how a home or auto insurance are also worth their costs in the long-term.

The reason for this is the impossibility of implementing impenetrable cybersecurity protection. There’s no airtight security system that can’t be broken.

Even the CIA has data leaks. Just look at the “Vault 7” debacle, which has been called “one of the most brazen and damaging acts of espionage in American history” by prosecutors.

If you’re a financial institution and you don’t have cyber insurance, here’s what could happen:

You get hacked and lose sensitive user data, resulting in unauthorized transactions and fraud
You get sued by several customers and lose the court trial
You’ll have to pay legal fees and reimburse your customers for the stolen funds
You may be penalized by the Data Privacy laws in your country and you’ll end up paying a fine

All of this can cripple your business, leading to unexpected substantial losses, damaging your reputation, and impacting your financial stability and operational status.

Having cyber insurance can provide significant financial protection, acting as a safety net in case of a data breach.

When disaster strikes and your company is overwhelmed with fees and expenses, the insurance company will be there to support you.

It’s even more important to consider cyber insurance with the emergence of cybercrime-as-a-service!

Sources

Embroker – 2023 Must-Know Cyber Attacks Statistics and Trends
Cyberint – Ransomware Trends Q3 2023 Report
Statista – Global Cyber Insurance Market Size in 2018 and 2020, with Forecast for 2025
Fortinet – What Is Cyber Insurance? Policies, Services, and Coverage
Privacy Affairs – GDPR Fines Tracker & Statistics
Privacy Affairs – Cybersecurity Deep Dive: Everything About DDoS Attacks
PrivacyAffairs – The Art of Cyber Deception: Social Engineering in Cybersecurity
ProWriters – What Does Cyber Insurance Not Cover?
TechTarget – Cyber Insurance
Statista – Share of Ransomware Incidents Where Cyber Insurance Covered the Losses Worldwide in 2021, by Industry
Statista – Share of Ransomware Incidents Where Cyber Insurance Covered the Losses Worldwide in 2019 and 2021, by Type of Payout
Embroker – Cyber Liability Insurance
Forbes – Former CIA Staffer Convicted for Massive Data Breach to WikiLeaks
Justive.Gov – Statement of U.S. Attorney Damian Willians on the Espionage Conviction of Ex-CIA Programmer Joshua Adam Schulte
Privacy Affairs – Cybersecurity Deep Dive: What Is Cybercrime-as-a-Service?

Technology Analyst & Data Privacy Journalist Alex is an avid proponent of informational security and data privacy. Given how easily online information disseminates and how cybercriminals are always stepping up their game, self-security becomes a necessity. Alex has direct experience with many tools of the trade like 1Password, YubiKey, Ledger, VPNs, and he has an evergreen interest in emerging security technologies. Which is to say he’s geeking out on them a lot. You’ll often find him reading up on cybersecurity stats or the latest ransomware attacks, staying up-to-date with the evolution of informational security and infiltration tactics. Alex is also an experienced journalist, which makes him great at putting tech-savvy and complex topics into easy-to-understand guides and reports.

Cookie	Duration	Description
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	1 year	The GDPR Cookie Consent plugin sets the cookie to store whether or not the user has consented to use cookies. It does not store any personal data.
wpEmojiSettingsSupports	session	WordPress sets this cookie when a user interacts with emojis on a WordPress site. It helps determine if the user's browser can display emojis properly.

Cookie	Duration	Description
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gat_UA-*	1 minute	Google Analytics sets this cookie for user behaviour tracking.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
_omappvp	1 year 1 month 4 days	The _omappvp cookie is set to distinguish new and returning users and is used in conjunction with _omappvs cookie.
_omappvs	20 minutes	The _omappvs cookie, used in conjunction with the _omappvp cookies, is used to determine if the visitor has visited the website before, or if it is a new visitor.