Cyber Risk Insurance: Choosing the Best Policy for Your Small to Medium-Sized Business


January 24, 2022

If it seems like all the business owners you know are getting cyber risk insurance these days, it’s because they are. Companies are buying the insurance because cyber crime is growing, and so is the damage it can do. In fact, according to the latest stats from, the United States is the most expensive country in the world to have a data breach, with the average incursion costing a company $8.64 million in 2020. Is it any wonder that the Cyber Risk Insurance market is expected to grow to $20 billion by 2025?

When disaster strikes, cyber risk insurance can help you recoup losses, pay for investigations, cover legal costs, and give you the funds you need to get your business back up and running.

What can a cyber risk insurance policy do for your business? A lot. Let’s review what’s covered.

What is Generally Covered Under a Cyber Risk Insurance Policy?

Most cyber risk insurance policies cover the fallout from a breach, helping to cover the costs directly related to the incident. Depending on the policy you choose, this coverage can include:

1. Network security damages as a direct result of a cybercrime, such as:

  • Payment of ransomware
  • Data breach notifications
  • Identity restoration and credit monitoring
  • IT forensics
  • Legal expenses
  • Data restoration
  • Public relations intercessions

2. Business Interruptions

This allows the policyholder to recover some expenses following a breach, such as fixed operational expenses and lost profits. These clauses generally cover system failures, human error, and security failures.

Some cyber risk insurance policies also cover profit losses due to reputational damages following a cyber breach.

3. Legal Liability

If a breach has kept you from fulfilling customer and client obligations, you can be held legally liable for damages. A good cyber risk insurance policy can help you mitigate these costs.

4. Breach of Privacy

Many verticals have stringent privacy rules and regulations. HIPAA is the one most people think of, with fees and fines for any violation regulators deem “negligent.” These regulations cover every employee working in the office, remotely from home, and even third-party vendors. Most cyber risk insurance policies will cover the legal costs and fees for violations resulting from a cyber breach that exposes data. They can also protect your business against class-action litigation and penalties awarded by the courts following a breach.

5. Replacement Hardware

Since many forms of malware can render hardware useless, a good cyber risk insurance policy will cover the replacement of damaged equipment following a cyber attack.

So, as you can see, cyber risk insurance covers the great majority of liability from an attack. But it doesn’t cover everything. Here’s where you’ll commonly find the loopholes in these policies.

What is Usually Not Covered

Again, reading the fine print will help you understand the limitations of your cyber risk insurance policy. Many small to medium-sized businesses were taken by surprise when their claims relating to COVID-19 security breaches were not covered. All insurance coverages are different, but you need to double-check your policy to make sure it covers:

1. BYOD and Remote Worker Claims

Be aware of exclusions on BYOD and remote workers. Some of these exclusions can be very specific, such as not covering a device that is unencrypted or refusing to cover employees who haven’t signed an acceptable use policy. In these cases, an employee’s personal device replacement costs will not be covered, even if the device was destroyed as part of a malware attack. Read the fine print and make sure your coverage includes BYOD and remote worker claims.

2. “Acts of War”

This stipulation has been slipped into some cyber risk policies to disallow payment for cyber breaches caused by state-sponsored actors and foreign hackers. Because such attacks are treated as “an act of terrorism,” you may be unpleasantly surprised to find your coverage doesn’t protect you from larger, organized groups of hackers.

3. Potential Profit Loss in the Future

Your cyber risk insurance policy may cover profit loss to a degree, but many will not cover “future” losses and may have a limited amount of time following the breach where they will reimburse you for lost profits.

4. Upgrading Technology

Unless the devices and hardware were damaged because of a cyberattack, most cyber risk insurance policies will not cover updating or upgrading equipment even if doing so increases your overall cybersecurity.

Choosing the Best Cyber Risk Insurance Policy for Your Business

Choosing the right policy, like choosing your car insurance or health insurance, will depend on your company’s size and your industry’s threat levels. When comparing coverage, look for these key points:

Deductibles and Premiums

Cyber risk insurance will have deductibles, just like any other insurance policy. The average deductible, per a study from AdvisorSmith Solutions Inc, is around $10k for $1 million in liability coverage. The annual cost of a policy averages $1500 per year for that same $1 million policy, based on location and industry.

Stand-Alone Policy vs Add-On

Your existing business insurance company may offer cyber risk insurance as an add-on to your coverage. Look at what they offer and compare the pricing and coverages to cyber risk insurers; most of the time, a stand-alone policy will provide more comprehensive coverage than add-on policies.

Accidental Actions

Since employees inadvertently cause most breaches, it’s important to choose a policy that covers unintentional employee actions such as responding to a phishing attempt, clicking infected attachments, or falling for a “spoofed” website. Make sure your policy covers “social engineering,” a blanket term that includes most of these email-related attacks.

Just like getting a car insurance discount for taking a safe-driving course, your policy may include discounts for employee cyber-security awareness training.

APTs (Advanced Persistent Threats)

APT cyber risk insurance coverage is tricky. The threat is not a single targeted incident; it is a slow process taking place over weeks, months, or even longer. Check how the cyber risk insurance carrier covers APTs and choose a policy with longer time frames to collect for damages caused by them.

Third-Party Coverage

Any policy you find will cover breaches of your own business, but what if the threat came from a third-party vendor? Your point-of-sale software, your financial institution, your MSP, and even your accountants or attorneys are all closely connected with your business. When bad actors hack third-party vendors, they are looking for the bigger prize at the end of the game: your business’s sensitive data. Your customers will still hold you responsible, even if the breach wasn’t your fault. What type of coverage does the insurance company offer for damages resulting from third-party vendor breaches?

Attack Target

Some breaches occur because hackers cast a wide net hoping to catch anyone they can, while other attacks target a company specifically. There may be hidden clauses in the policy stating that you are only covered in the event of a targeted attack and not a widespread hacking scheme.

So, now that you know some things to look out for in your policy, how do you know if you qualify?

Qualifying for a Cyber Risk Insurance Policy

Getting cyber risk insurance isn’t always as simple as making a few calls and writing a few checks. But most companies do qualify, so long as they have good cybersecurity procedures in place.

Specifically, insurers want to be assured that you have proper data handling protocols, especially if you’re handling customers’ financial data or operating in an industry like healthcare, which must adhere to HIPAA data mandates. They will also want assurances that you have a product like a SIEM (Security Information and Event Management) that can provide forensic reports in the event of a breach.

You can prepare for this by having a professional network assessment performed for your organization. This assessment will show you, and the insurance carrier, how prepared you are to meet current cybersecurity trends and threats.

Iconic IT Offers a Comprehensive Network Audit at No Cost or Obligation to You

Iconic IT, a leading MSP in the industry, is offering a 100% free, no obligation network assessment to companies looking for cybersecurity risk insurance. Your audit will give you a clear picture of your overall network and strategies, showing you any gaps and vulnerabilities you may need to patch up before applying for a cyber risk insurance policy.

Susan Gosselin is a Senior Content Writer for Integris. A career communicator and business journalist, she's written extensively on IT topics and trends for IT service providers like Iconic IT and ProCoders Ukraine, as well as business publications such as The Lane Report and many others. Connect with her on LinkedIn.
