What is Cyber Insurance and do I need it?

November 19, 2021
John Bruggeman
Consulting CISO

Many companies these days either have cyber insurance or are thinking about purchasing it. It’s a smart choice given recent ransomware attacks and the risk to a company locked out of its critical business systems or important business files for hours, days, or weeks. If the risk of ransomware isn’t already on the CEO’s and CIO’s minds, a business e-mail compromise (BEC) or funds transfer fraud attack may have popped up on the risk register in the quarterly Board meeting.

But what is cyber insurance and does your company need it?  I will tackle these questions and others in a series of blog posts to help you make an informed decision.

What is cyber insurance?

What you get with cyber insurance—or more technically, Cyber-Liability Insurance—is a policy that helps mitigate the fallout or impact of a cyber attack, ransomware incident, or other technology event covered in the policy. Cyber insurance can help transfer the risk of a ransomware attack, BEC, or fund transfer fraud from your bottom line to the insurance company.


Do you need cyber insurance?  

The answer to that question is: It depends.

The minimum questions you want to ask yourself are:

  • Do you have PII (Personally Identifiable Information) that has to be protected?
  • Do you have a website that takes orders and stores credit card data?
  • Do you have PHI (Protected Health Information) that you need to protect? 
  • Do you have intellectual property that needs to be protected?
  • Do you have other protected or sensitive data that needs to be protected (FERPA, CUI, ITAR, EAR, etc.)?
  • Does your company use automation to produce or ship your products?

If you answered yes to any of those questions, then you probably need it.


What do you get with cyber insurance?

It depends on the policy, of course, but policies generally provide the following coverage:

  • Cost to recover data or systems—and sometimes losses incurred by your business—from a cybersecurity event, like ransomware or a DDoS attack.
  • Cost to perform forensics if required by you or your legal team.
  • Payment of the ransom for encrypted data or lost funds in transfer fraud.
  • Costs of legal defense if needed after the event.
  • Cost to make customers whole if needed.

Some policies can also assist in these ways:

  • Help create your incident response plan.
  • Provide online training material for your employees to improve cybersecurity awareness and defense.
  • Provide a team that will help if you are hit with a ransomware attack.

What does cyber insurance cost?

The cost varies by insurance provider and by the coverage you choose, and a number of variables affect the premium.

If you are a small company with a limited number of customers and limited exposure, cyber insurance could be very affordable. If you are a medium-size company with hundreds or thousands of customers and more exposure, you could be looking at several thousand to tens of thousands of dollars per year.

In my next blog post I’ll talk about what you need to have on hand to prepare for answering the questions that the insurance companies will ask.
