# What Is Cyber Insurance? A Guide for Small Businesses | Capterra

> Understand what cyber insurance is and whether your small business needs it. Learn about different cyber insurance types, benefits, exclusions, and get advice from a cybersecurity expert.

Source: https://www.capterra.com/resources/what-is-cyber-insurance

---


# Should Your Small Business Buy Cyber Insurance? Get an Expert’s Take

By Bhavya Aggarwal


Published July 12, 2023


## All businesses face cyber risks, but not all have cyber insurance. If you're unsure whether your small business needs it, learn about cyber insurance here.

More than half (62%) of small businesses have been attacked by ransomware, according to a Capterra survey[\*](#methodology). Imagine the strain on your company’s finances and reputation if you were in those small businesses’ shoes. Cyber insurance, however, can offset the financial impact of such cyberattacks on your business. 

Ahead, we explain everything about cyber insurance—its types, exclusions, and benefits. We also share insights from James Hendler[\[1\]](#sources), a cybersecurity expert and director of the RPI-IBM Artificial Intelligence Research Collaboration, to help you determine whether your small business needs cyber insurance.

> “Any company nowadays has some sort of cyber exposure. However, measuring risk is quite complicated. Just as an individual or company has to work out risk-benefit for health insurance, theft insurance, etc., cybersecurity is the same.”
>
> James Hendler, Director of RPI-IBM Artificial Intelligence Research Collaboration

## What is cyber insurance, and who should get it?

Cyber insurance, also known as cyber liability insurance, safeguards against financial losses caused by various [types of cyberattacks](https://www.capterra.com/resources/types-of-cyber-attacks/), such as ransomware, phishing, data breaches, identity theft, and malicious use of company data. It covers costs related to legal fees, business disruption, brand reputation damage, and regulatory fines.

Cyber insurance is essential for businesses that deal with the following types of sensitive data:

-   **Customer details**, including credit card numbers, bank account details, or personal identifiers such as social security numbers.
    
-   **Healthcare details** of customers or employees, including medical histories, insurance data, or data on specific health conditions.
    
-   **Corporate intellectual property** and **proprietary business information**, such as patented technologies, trade secrets, or detailed business plans and strategies.
    

Cyber insurance is particularly vital for startups or smaller businesses with fewer resources, as the aftermath of data breaches can be devastating. However, Hendler cautions: "Purchase cyber insurance only if your business handles sensitive data and follows cybersecurity practices. But remember, not all small companies need it. Consult with a trusted advisor to evaluate your specific risk."

Note

Cyber insurance doesn’t make up for an immature security program. It won’t prevent a cyberattack or immediately reduce its impact on customer service delivery. Hence, it’s crucial to invest in a [security program](https://www.getapp.com/resources/cybersecurity-best-practices/) as well as getting cybersecurity insurance.

## Types of cyber insurance coverage

Cyber insurance coverage is mainly of two types: 

1.  **First-party coverage:** Covers losses your own business sustains after an attack.
    
2.  **Third-party coverage:** Covers losses third parties, such as customers or vendors, sustain after a cyberattack on your systems.
    

The need for each cyber coverage type varies from business to business. For instance, an IT support company might face a higher risk of third-party financial loss than a small retail shop. Let’s break down these categories further.

### First-party cyber liability insurance

This insurance is designed to protect your business from financial losses due to a cyberattack. It includes costs for restoring lost data, repairing damaged systems, credit monitoring services, and notifying affected customers.

It can also cover lost business income and extra expenses incurred while your business is recovering from the attack. First-party coverage is best described as covering your business’s financial losses due to a cyber event.

#### Types of coverage under first-party cyber insurance:

-   **Cyber/data breach coverage:** If you deal with sensitive customer data such as personally identifiable information (PII) or intellectual property (IP), consider this coverage. It offsets the business costs associated with a data breach, including expenses related to forensic investigations, notification and credit monitoring services for affected individuals, legal fees, and regulatory fines.
    
-   **Network/business interruption coverage:** Would network downtime severely disrupt your business operations and lead to significant income loss? If yes, this coverage would be a lifesaver. But remember to check whether your general business interruption policy specifically addresses cyber incidents before purchasing additional coverage.
    
-   **Cyber theft/crime coverage:** Is your business at high risk of cybercrimes such as phishing attacks, fraudulent transfers, or ransomware? This coverage offers protection against direct loss of money due to such cyber thefts. If cyber risks substantially threaten your business finances, including this coverage in your cyber insurance policy could be worth it.
    
-   **Property cyber insurance:** Do you rely heavily on physical assets such as industrial control systems or IoT devices that could be targeted in a cyberattack? If so, consider property cyber insurance. It protects against physical damage resulting from cyberattacks.
    

### Third-party cyber liability insurance

This insurance is designed to protect your business from claims made by third parties, such as customers or vendors, who have suffered financial losses due to a cyberattack on your systems. It covers the costs of lawsuits filed by third parties, including legal fees, settlements, and judgments.

#### Types of coverage under third-party cyber insurance:

-   **General/product liability coverage** protects against claims made by third parties for bodily injury or property damage caused by your business operations or products, such as a medical product’s failure resulting from a cyberattack. It might be worth investigating whether your current insurance policy covers cyber incidents, and if not, adding this coverage would be a wise step.
    
-   **Media liability coverage** protects against third-party claims alleging damage from the content published on your website or other online platforms. It covers defamation, copyright infringement, and privacy invasion claims.
    

Consider the case of Mother Jones[\[2\]](#sources), a magazine that Idaho businessman Frank VanderSloot sued for defamation. The lawsuit cost the magazine more than $3 million over three years. Importantly, its media liability insurance covered about 75% of this cost. Without the coverage, Mother Jones would have had to bear the full brunt of the cost, which could have been financially devastating.

## Benefits of cyber insurance for your small business

Your cybersecurity insurance policy offers so much more than you might know.

### Coverage for non-IT costs

Cyber insurance covers not only recovery costs from incidents such as ransomware or system damage but also non-IT-related expenses that might arise after a cyberattack. These include managing reputational damage through the services of PR firms or breach coaches and paying legal fees related to lawsuits.

However, having insurance alone is not enough. It’s also crucial to have a [robust cybersecurity framework](https://www.capterra.com/resources/small-business-cyber-security/) complemented by regular employee security awareness training. A sound strategy is to [prevent as many incidents as possible](https://www.capterra.com/resources/how-to-prevent-cyber-attack/) and let the insurance handle the unexpected ones.

That said, Hendler advises, “There are ongoing court cases to decide if losses from cyber incidents should be covered by business or theft insurance instead of cyber insurance. So, for small businesses, the extra cost of cyber insurance might not always be worth it.”

_Employee security awareness training in Hoxhunt ([Source](https://www.capterra.com/p/233248/Hoxhunt/))_

### Instant access to industry experts

Response time is critical to getting your business back up and running after a cyberattack. Many business owners have no idea how to manage a breach, let alone all the associated regulatory issues. 

One of the qualitative benefits of cybersecurity insurance is immediate access to a team of experts. These professionals, employed or contracted by the cyber insurance company, offer expert advice during incidents. Their services extend beyond incident response and forensic services to legal, public relations, and law enforcement contacts. Additionally, having a cyber claims advocate immediately accessible helps implement proactive measures to fortify your digital infrastructure.

On the other hand, Hendler points out, “Instant access to experts is usually more affordable for larger companies. Small businesses should check if these services are included in their coverage or if they come at an additional cost that could surprise them later.”

### Hands-on assistance with planning, response, and recovery

Cyber insurers offer hands-on assistance in planning for, responding to, and recovering from cyberattacks via proper cybersecurity tools and protocols. These resources can complement your existing team or, in cases where they don’t exist in-house, significantly enhance your ability to respond and recover.

It’s important to regularly engage with your insurer to ensure you’re fully benefiting from their resources and expertise. Preparation is key, and having a well-crafted [incident response plan](https://www.capterra.com/resources/cybersecurity-incident-response-plan/) can make all the difference during a cyber incident. Additionally, investing in [cybersecurity software](https://www.capterra.com/cybersecurity-software/) can help you stay ahead of attacks with real-time monitoring.

In contrast, Hendler offers a word of caution: "This is crucial, but one needs to be careful because some third-party companies can provide these services easily, at affordable pricing, while advising on how much insurance you need. If you use an insurance company to answer these questions, remember they are incentivized to see you buy more costly plans."

## Note the exclusions in your cyber insurance policy

It’s essential to understand that there might be a gap between what you expect from a cyber insurance policy and what the insurer covers. Not all incidents are included, and certain types of losses, such as regulatory fines, funds transfers, and IP thefts, might not be covered under all policies.

Take the NotPetya ransomware attack of 2017 as an example.[\[3\]](#sources) Companies such as Merck and Mondelez International suffered substantial losses from this incident. However, their insurance claims of $1.3 billion and $100 million, respectively, were denied by their insurers, who invoked the “war and terrorism” exclusion clause, a provision in their insurance policies that excludes coverage for damages caused by acts of war or terrorism.

### Common exclusions in cyber insurance policies:

-   **Acts of terrorism or war:** Damages from violent acts by groups to create fear or political change are not covered.
    
-   **Bankruptcy:** Losses related to a company’s insolvency or financial collapse are not covered.
    
-   **Contractual liability:** Any liabilities or damages resulting from contracts with third parties are not included.
    
-   **Criminal activity:** Damages arising from illegal actions (performed by the policyholder or their employees) are not covered.
    
-   **Employment-related damages:** Any damages arising from employment disputes, such as discrimination or wrongful termination, are not included.
    
-   **Losses due to natural elements or pollutants:** Damages from natural disasters, pollution, or other environmental factors are not covered.
    

Exclusions often depend on specific factors such as your business type, your security measures, and your business’s geographical location. The final exclusions are also specific to each carrier and need to be addressed by an individual agent. In addition, some policies may include coverage but only on a sublimited basis, not up to the full policy limits.

Key takeaway

Understanding your policy’s exclusions and potential limitations is crucial. Working with a cyber insurance professional experienced in cyber liability and various policy forms can help you customize the policy to suit your business needs while keeping you aware of the potential coverage limitations.

## Parting advice for small businesses considering cyber insurance

Balancing your business growth with solid cybersecurity is essential. Hence, you must consider safeguarding your venture with good cyber insurance. However, Hendler suggests starting with an unbiased security assessment from a third party not affiliated with an insurer. "You get a clear picture of your security status. It’s not always about insurance; sometimes, system upgrades are more cost-effective and efficient."

Hendler adds that improving your systems, training your staff, and maintaining cyber hygiene ([encryption](https://www.capterra.com/encryption-software/), [backups](https://www.capterra.com/backup-software/), and dual [authentication](https://www.capterra.com/multi-factor-authentication-software/)) can sometimes outweigh insurance. Seek a trusted source to make this assessment.

If you still want to invest in cyber insurance, he suggests these tips:

Additional resources to enhance your small business’s cybersecurity

-   [Zero Trust Improves Cybersecurity: According to 99% of Companies That Adopt It](https://www.capterra.com/resources/zero-trust/)
    
-   [5 Ways To Improve Your Small-Business Cybersecurity](https://www.capterra.com/resources/experts-tips-for-improving-your-small-business-cybersecurity/)
    
-   [3 Steps To Follow After a Data Breach](https://www.capterra.com/resources/what-should-a-company-do-after-a-data-breach/)
    
-   [Why To Use Artificial Intelligence in Your Cybersecurity Strategy](https://www.capterra.com/resources/artificial-intelligence-in-cybersecurity/)
    

* * *

**Survey methodologies**

\*Capterra’s 2022 Ransomware Impacts Survey was conducted in May 2022 among 300 U.S. business leaders who have experienced a ransomware attack to determine the wider impacts of ransomware attacks (i.e., repercussions beyond the ransom payment). All respondents were part of the response team or were made fully aware of the company's response.

Capterra’s 2022 Data Security Survey was conducted in August 2022 among 1,006 respondents who reported full-time employment to gauge cybersecurity at U.S. businesses and understand the use of various data protection controls. 289 respondents identified as their company's IT security manager.

Sources

1.  [James Hendler](https://www.linkedin.com/in/jameshendler/), LinkedIn
    
2.  [Why Media Liability Insurance Is Crucial](https://inn.org/news/why-media-liability-insurance-is-crucial-new-inn-case-study/), Institute for Nonprofit News
    
3.  [How the NotPetya Attack Is Reshaping Cyber Insurance](https://www.brookings.edu/articles/how-the-notpetya-attack-is-reshaping-cyber-insurance/), Brookings
    

* * *


## About the Author

### [Bhavya Aggarwal](https://www.capterra.com/resources/author/bhavya-aggarwal/)

Bhavya Aggarwal is a Technical Content Writer at Capterra, covering Information Technology, Cybersecurity, and Emerging Technologies, with a focus on improving IT for small to midsize businesses. He has more than five years of experience in persuasive and fact-based content creation, and his work has been featured in branded publications such as Gartner, Sprinklr, YourStory, etc. Bhavya has a bachelor’s degree in commerce with a strong background in mass communication and digital marketing. He...
