What does cyber insurance cover?

Cyber insurance can offer vital financial protection against a growing number of online threats. Here’s a detailed look at what cyber insurance covers and how it could protect your business.

While even the best cyber insurance cover can’t stop an attack on your business, it could help you recover and get your business back on track.

Cyber insurance helps you deal with the consequences after a data breach or cyber-attack. This can include things like:

  • Revenue loss
  • Legal fees
  • Reputational damage
  • Loss of staff

However, the cover you can get will depend on the type of policy you choose and what extras you decide to add.

What types of attacks are covered?

As there are many kinds of potential cyber-attack (and more are being invented), cyber insurance needs to cover a broad range of eventualities.

Some of the most common threats that cyber insurance can guard against include:

  • Malware attacks: Where cyber criminals install malicious software and use it to gain access to your data or carry out unauthorised actions on your system.
  • Phishing scams: Which apply to various methods criminals use to extract sensitive information from their victims, most commonly passwords, credit card or banking information and crucial identity information.
  • Ransomware attacks: Where hackers gain access to a company network and then lock users out until they are paid a ransom; or they will threaten to make any sensitive information on the company network public – at a potentially devastating cost to the company in question.
  • Email fraud: Where fraudsters intercept a company’s email server and send emails, either internally or externally to extort information or funds.
  • Denial of service (DoS) attacks: Where attackers flood your network with false requests to take down your system and crash your website. A distributed denial-of-service attack (DDoS attack) is where the attack comes from multiple locations making it incredibly hard to stop.

All these types of threats will be covered by a comprehensive cyber insurance policy.

Types of cyber insurance cover

There are two main types of cover:

  • First party protection: which is included with all cyber insurance policies
  • Third party protection: which you usually have to pay extra for

What does first party protection cover?

It covers the immediate effects of a cyber-attack and is your frontline damage control policy.

First party cyber cover will protect you against loss or damage to data. For example, if your database is wiped and you lose all your customer information, any costs associated with recovering or rebuilding should be covered.

Loss of income is also covered for business down time – provided the loss is caused as a direct result of cyber-attack. First party cover will also help with notification or communication costs incurred by a cyber-attack.

What does third party protection cover?

This type of cover protects your company against the indirect consequences of a cyber-attack. This can include:

  • Public relations management: If, for example, customer information is compromised, or if any loss occurs on the part of the customer as a result of your business being attacked
  • Legal costs: If a customer takes legal action because their information was compromised, third party insurance will also cover your legal costs
  • Regulatory regulations: If an attack means you have breached regulatory obligations, it can provide cover against regulatory violations (within certain parameters).

If you’d like to include third party cover, you’ll usually have to pay extra because it offers more comprehensive protection than first party cover alone.

What cyber insurance won’t cover

Every policy has its limits, and while insurance can cover you for some of the consequences of cyber-attack, no policy can cover them all. Common exclusions include:

  • Intellectual property: most policies won’t extend to the loss of intellectual property. This is partly because it can be very difficult to calculate the financial impact when assessing a claim.
  • Brand impact: again, it can be difficult to assess the ongoing damage to a brand’s reputation from a specific cyber breach.

It’s also important to remember your claim could be declined if your security measures were insufficient, or if you didn’t take preventative measures.

If negligence on your part is involved in any way, you won’t be covered.

Always check the policy wording before you choose your cyber insurance cover because this will list all the exclusions.

Is cyber insurance worth it?

Unfortunately, cyber-attacks against businesses large or small are now a regular occurrence making cyber insurance a necessity for many companies.

Customer data and system passwords have been stolen from household names like Facebook, WhatsApp and Carphone Warehouse over the last few years.

Small businesses aren’t safe either. According to CPO magazine, half of all cyber-attacks are targeted at small businesses, with the assumption that cyber security won’t be as tough as with larger competitors.

Some recent examples of major attacks include:

  • 2019 Phishing attack on DLA Piper: Global law firm DLA Piper was hit by phishers who convinced their clients that they represented the organisation. This happened despite staff training, and warnings about what constitutes suspicious communication to clients. Victims were convinced by the scammers to pay funds over to fraudulent accounts.
  • 2017 NotPetya ransomware: Several large corporate companies were attacked in 2017 by “NotPetya” ransomware from Russia, which was aimed at extorting exorbitant amounts of Bitcoin from its global victims.
  • 2018 Dixons Carphone data breach: Hackers attempted to access 5.9 million customer credit card records and 1.2 million personal records.
  • 2019 Wikipedia DDoS attack: Wikipedia was taken down by a large DDoS attack in Germany in September 2019, with access being unavailable in some areas for several days.

Cyber-attacks also affect a broad range of industries, with healthcare, retail, finance, insurance and PR all in the top five most targeted sectors in 2019.

If your business relies on the internet to trade, handles sensitive data or works directly with customers, you should seriously consider taking out cyber insurance.

What other measures can you take?

Cyber insurance can help your business deal with the cost of an attack, but it’s important to ensure your digital security measures are up to date as well.

Preventing an attack is always better than repairing the damage afterwards.

Being prepared will also strengthen your insurance claim and your understanding of what happened and why an attack occurred. To get started, consider:

  • Antivirus software: This is key to protecting your company against attack. The right antivirus programme will pick up a cyber threat before it even gets to you.
  • Staff training: All staff should be trained regularly in staying safe, and all vendors should be vetted. Many cyber insurance providers offer support with this for free if you take out a policy.
  • Server security: You should make sure all email and web servers are secure with strong firewalls, and that plans are in place should an attack occur. If you’re unsure how to do this, it might be worth speaking to a cyber security specialist to help.

For more tips, read our Cyber security and data breach prevention guide.

Cyber Insurance Cover FAQs

Yes, most cyber insurance policies can help pay for this, but the amount they pay out may vary and there may be conditions and exclusions.

It depends on the insurer, but most cyber insurance policies will pay the cost of locating and removing a virus from your computer system.

You can check the policy terms of a cyber insurance policy for a full list of exclusions, some of the most common are:

  • Confiscation of your equipment by a government or public authority
  • Damage caused by external network failure
  • Intentional sabotage by company directors

If your business uses, stores, or sends electronic data then cyber insurance is worth considering. If you process personally identifiable information (PII), for example customer details, then it is even more of a necessity.

No, it is not a legal requirement in the same way as employer’s liability insurance is for businesses that employ staff.

However, it could prove to offer invaluable financial protection should your business suffer a data breach or be the victim of a cyber-attack.

Written by Martin Lane, Head of Content
Martin is an experienced writer in the financial services sector previously serving as Managing Editor at money.co.uk with regular guest slots on BBC Radio 4 and featured in the national press.
