
Cyber Insurance: What It Covers, Costs, and Who Needs It

October 1, 2020 | May 16th, 2022 | Business Insurance

Cybercrime is on the rise. Cyber theft is the fastest growing crime in the United States. It is estimated that by next year, 2021, cybercrime will likely cost $6 trillion annually! 

“Not my company!” you might be thinking. “I run a small business. I’m sure we’ll be fine.” 

You may want to consider these facts:

It only takes one click!!

Whether you are a large business or a small business, you are at risk for a cyber-attack. 

Now the question is: Is your business protected?

Cyber liability insurance is one of the fastest-growing and most rapidly changing areas within insurance. Part of my job as a commercial insurance agent is to help my clients understand what their cyber risks are and how they can be protected in the case of a cyber-attack.

In this article, I explain: 

  • Cyber risks – Types of cybercrimes that impact businesses
  • Cyber-attack costs – The costs a business might have to pay in damages because of a cyber attack
  • Cyber-security insurance – What businesses need this coverage
  • Cyber coverages – The coverages and costs associated with cyber insurance

#1 Cyber risks – 7 most common types of cybercrime

Cyber liability insurance is coverage sold by insurance companies to protect you from the financial impacts of criminal cyber activity if your company is the victim of cybercrime.

The number and types of cybercrimes continue to grow with the increased use of the internet by the public. While the following list is not exhaustive, it covers the most common attacks that cybercriminals make against businesses.

1. Malware 

Cybercriminals use this type of cyber-attack to access financial data, medical records, personal emails, passwords, etc. They use this information for their financial gain.

2. Viruses and worms

Viruses and worms can require extra IT help in finding the source of the virus or worm and also in recovering any lost information. Viruses and worms can also ruin hardware and software, forcing you to replace damaged equipment.

3. Trojan horses

As a business, you may have to recover data, replace hardware and software, or hire a cyber forensic team after a Trojan horse attack.

4. Spyware 

In terms of your business, spyware can help cyber criminals access your employees’ login information and then access any data you hold on your server.

5. Ransomware

This type of program encrypts your files and then demands a ransom to return the encrypted data to you. 

6. Phishing 

A phishing attack sends out a fake email on your behalf asking the recipient to give sensitive information or even money. You can be held responsible for your customers’ losses when this happens.

7. Hacking 

If your company gets hacked, you are responsible for any sensitive personal data you maintain on your customers. This is an enormous liability for businesses!

#2 Cyber-attack costs – What businesses pay after a cybercrime

If your company does not have a cyber insurance policy, you are self-insuring your business against any cyber-attacks. What I mean by this is that if you do not have a policy in place, your business will have to pay all the costs of a cyber-attack out of your business’s revenue.


If your business is attacked by a cybercriminal, you are responsible for the damages to others that are harmed because of the cyber-attack. 

For instance, if your client loses a computer due to a cyber-attack that occurs through your business, you are responsible for the replacement of their loss.

If your company is hacked and a cyber thief impersonates your company, you may be responsible for any damages this causes. If a hacker accesses your customers’ email information and impersonates your company by sending out emails or fake invoices, you can be held responsible for any damage done to your client. 

If a hacker sends your customer a fake invoice and your customer pays the invoice to what turns out to be some criminal in his mother’s basement halfway around the globe, you can be held responsible for repaying your client.

Bottom line: If a cyber-attack on your business causes damage to others, you are on the hook to pay those damages.

Fees and fines

The federal government has enacted laws requiring that companies have baseline levels of cybersecurity. These laws deal with how a company manages medical, personal, and financial information. This includes information as innocuous as Name, Phone Number, Date of Birth or Address.

If your company has a breach with these types of information, your company will be subject to government fines and fees.

Health Insurance Portability and Accountability Act (HIPAA) of 1996 

When HIPAA was enacted, standards for how medical information is to be stored, accessed, and shared were included in this act. 

If medical information is breached, your company may face additional fines ranging from $50-$50,000 per record. While there is a cap at $1.5 million per year, a medical information breach could have large financial consequences for your company. 

Beyond financial penalties, individuals can also be subjected to jail time when medical breaches occur.

Gramm-Leach-Bliley Act (GLBA) of 1999

GLBA impacts businesses that deal with personal and financial information. This law states how personal and financial information is to be stored and who may have access to that information.

If this law is violated, your business may face a $100,000 fine for each violation of this law. Also, any officers or directors of your organization could face a $10,000 fine each for every violation with the possibility of a prison sentence of up to 5 years.

Homeland Security Act of 2002

As part of the Homeland Security Act of 2002, standards similar to both HIPAA and GLBA were enacted for companies that deal with government information. At first glance, this may seem like it would only apply to government institutions. 

If, however, your company is a contractor or supplier for government agencies, your company is impacted by the Homeland Security Act. Most often, companies that have a breach of government information are subjected to a loss of government funding.

Forensic costs

If your company is hacked and information is breached, you will need to hire a cyber forensics company to determine what happened, how it happened, who was involved, and when it occurred. 

Depending on the size and type of your business, paying for a cyber forensics investigation could cost your company anywhere from $10,000 to $100,000 or more. 

Legal fees

In the event of a cyber breach, your company could face litigation. When this happens, your company will need to pay for legal fees and any court fees. Often court settlements need to be paid as well. All of these legal fees add up and can cost a business tens of thousands of dollars. 

Notifying individuals affected by a breach

After a cyber-attack, a company is responsible for notifying any individual whose information has been impacted by the cyber-attack. This means that your business would need to inform your clients of the incident through the mail or email.

To accomplish this, your company would need to pay someone to prepare the information and mail it out. You may even need to hire an outside firm to help you communicate effectively with customers who have been affected. 

You are also responsible for additional costs for mailing out information to your customers about the breach. 

Hardware and software replacement

Besides information being stolen in a cyber-attack, hardware is often affected as well. Your computer or computer system may need to be replaced, which can cost thousands of dollars.

Reputation rebuilding

Beyond the costs listed above, one other factor you should keep in mind is the cost a cyber-attack can have on the reputation of your business. Having customers’ information stolen from your business creates a lack of trust with your customers and often with the general public. 

A cyber-attack can cause you to lose clients. It can also damage others’ opinions of your company and prevent them from doing business with you. The public relations effort to regain the public’s trust will add to the costs of recovering from a cyber-attack.

Loss of productivity

Another cost to your business is the loss of productivity your company might suffer because of a cyber-attack. The loss of data or the inability to access information necessary to your business can keep your employees from being productive until the cyber-attack has been completely dealt with.

#3 Cybersecurity insurance – Does my business need this coverage?

A cyber-attack can be devastating for a business that does not have cybersecurity insurance. With the average cyber-attack costing a business $200,000, many businesses cannot sustain that kind of financial loss.

Also, keep in mind that nearly half of all small businesses will face a cyber breach over the next year. Those are not good odds!

If you are a business that has an email address or a computer connected to the internet, you need cybersecurity insurance. You need cyber insurance if you don’t want to pay out of pocket for an attack. 

You can be better prepared and protected by having this coverage in place.

#4 Cyber insurance – The coverages and costs

Many insurance companies write cyber insurance, but the coverages vary greatly depending on the company and type of cyber policy. You need to discuss with your insurance agent what your policy covers and what type of policy you need.

Third-party liability

This covers the cost of notifying anyone affected by a data breach at your company. It also covers any costs associated with damages or settlements that have to be paid to those affected by the data breach. Most policies will have this coverage.

First-party defense

This covers the legal costs associated with a cyber-attack including legal fees, court settlements, and government fines and fees. Most policies will have this coverage.


This covers the cost to hire a computer forensics team to determine whether a cyber-attack has occurred as well as the scope of the attack. This team will also help to contain the attack in addition to investigating the cause and magnitude of the attack.  Not all policies cover forensics, and the limits will vary by company.

Theft and fraud

This covers the cost to replace or restore any lost or stolen data from your company. It also covers any programs that are stolen, damaged, or lost from a cyber-attack. Again, not all policies cover data and the limits will vary by company.

Business interruption

This covers your business’s lost revenues while your business is shut down due to a covered cyber-attack. Not all cyber insurance includes this coverage. 


If your company has a ransomware attack, this coverage will respond to any payments you may have made in trying to keep your technology from being damaged or in trying to recover stolen data. Again, not all cyber insurance includes this coverage.

Reputation loss

Sometimes called Crisis Management coverage, this covers the cost of repairing the damage done to your company’s reputation. This will cover public relations costs and marketing costs associated with recovering from a cyber-attack. This coverage is not included in all cyber insurance packages. 

Cyber insurance premium costs

The cost for cyber insurance depends primarily on the size of your business, your business’s industry, the limits you purchase and the type of data your business collects, stores, or processes.

For many small businesses, a policy with a $250,000 limit is a perfect start to protect your business and certainly won’t break the bank. For small businesses, this type of policy can cost as little as $350/year and can often be purchased online with a credit card and very minimal info. Just include:

  • Name
  • Email
  • Company
  • Phone
  • Website
  • Address


For many businesses though, you may need a policy with at least $1,000,000 in cyber liability coverage. And for some large businesses, depending on the type of data they collect and store, a policy with $25,000,000 in coverage may be necessary. 

The types of businesses that need more coverage are those that collect or store medical information, financial information, or personal data like social security numbers.

When you purchase cyber liability insurance, your deductible amounts and coverage limits often affect your policy rates. An independent insurance agent can prepare multiple quotes to help you arrive at the best rates for your cyber insurance needs.

I’m done self-insuring cyber risks! 

If you don’t currently have cyber insurance, I’d encourage you not to wait another minute. Like I said earlier, you’re only 1 click away from a cyber-attack that could be disastrous for your business!

If you’re not sure how much cyber insurance your business needs, our team would be happy to take a look at your business and direct you to a product that will cover your needs and protect your business. 

At Baily Insurance, we offer a baseline cyber insurance product with insurance coverage up to $250,000 for only $350 annually. This incredible coverage is unbeatably cost-effective for small to mid-sized businesses and will protect you when you are the victim of a cybercrime.

For larger businesses, our $1,000,000 cyber-insurance policy will cost as little as $1,300 each year. 

Also, this policy we offer has no deductible, so you will only pay your yearly premiums. You won’t need to cover anything out-of-pocket before your insurance coverage kicks in.

Is it worth it? 

Keep in mind that over 50% of small businesses will face a cyber-attack this year that could cost $200,000 or more! For most businesses, paying only $250 yearly can ensure you’re covered!

Take a minute to learn more about our cyber insurance program right away!