Guide to cyber liability insurance for small businesses

As we’ve heard time and again in various forms, there are two types of companies: those that have been hacked and those that don’t yet know they’ve been hacked. Aside from hacking attempts, there are a number of other cybercrimes being carried out against businesses of all sizes every day. Losses as a result of cybercrime stem from downtime, data loss, damaged reputations, lawsuits, and more.

The best course of action is to prevent these losses in the first place by having a solid cybersecurity strategy in place. However, even the most proactive companies can’t prevent all attacks. Another way to mitigate the risks of these losses is to arm yourself with cyber insurance (also known as cyber liability insurance). Plans vary depending on the provider, but as defined by CIO, cyber insurance will “help an organization mitigate risk exposure by offsetting costs involved with recovery after a cyber-related security breach or similar event.”

In this guide, we discuss why cyber liability insurance is important for businesses and what to look for in a plan.

How cyber insurance has developed

As technology has evolved, and in particular since the introduction and widespread use of the internet, many risks have arisen that simply didn’t exist in the past. Whether it’s the result of a malicious attack or human error, there are many ways in which the mishandling of digital property can be damaging to a business. Here are some examples:

  • Viruses
  • Data loss
  • Network damage
  • Information theft
  • Ransomware

Cyber insurance policies first came about during the late 1990s. Back then, there were two main types: online media policies and EDM policies, the latter of which covered errors in data processing. These policies were an extension of professional liability policies that covered media and software risks.

By the early 2000s, policies evolved to reflect risks threatening companies at the time, including network security, unauthorized access, and virus-related issues. They didn’t (and still generally don’t) cover things like rogue employees, fines or penalties, or regulatory claims.

In the 2010s, large data breaches and attacks (and their accompanying large claims) became more commonplace. That gave rise to the cyber insurance landscape we see today, where the number of standalone products is ever-growing.

Why cyber insurance is important (cybercrime statistics)

It’s tempting to think that only large organizations need to protect themselves against cybersecurity risks. However, statistics regarding businesses large and small and the damages that cyberattacks can cause paint a different picture. Here are some that might be alarming:

Deciding if you need cyber insurance

As the stats show, whether you run a business with 10 customers or 10,000, company finances are always at risk from various online threats. For example, your clients’ information could be stolen, your social networks hijacked, or your financial accounts hacked. Criminals can fraudulently use company funds or even drain accounts, while data breaches can be extremely costly to recover from.

Yahoo is still dealing with breaches that occurred between three and six years ago.

A company of any size can be sued if a client’s privacy has not been adequately protected, and some policies will cover costs associated with lawsuits.

Have a rock-solid security framework in place? Even if you’re following recommended guidelines to a tee, there’s still the human factor to consider. Security protocols are only as reliable as the people who follow them (or don’t, as is often the case), and on any given day, it’s possible that you or an employee will slip up somewhere.

Cybercriminals are waiting to take advantage of every vulnerability. With advanced tools at their disposal and the increase in digitization of information, the opportunities for cybercriminals continue to grow.

Note that, like all insurance, the hope is that you’ll never have to use it. A 2017 study found that seven percent of US companies had made a cyber insurance claim within the last 18 months. When you think about how often you make a car insurance claim, seven percent in 18 months seems quite high. Going by this statistic, you could predict that at least two-thirds of companies would need to make a claim in a 15-year period.

Shopping for cyber insurance

If you already have business insurance, one of the first things you might do is check with your existing provider to see if they have a cyber insurance policy available. Adding it on to an existing plan will likely be less expensive than taking out a whole new policy. That being said, price is far less important than making sure the plan itself is suitable. While they may be more expensive, standalone policies tend to be more comprehensive.

Deciding on the right plan can be tricky. As ProWriters points out “The industry is constantly shifting and the range of pricing is wide. One carrier may offer a broad quote while another offers a more limited one at three to four times the premium.” Plus, suitable policies will depend on your business size and type.

While seeking advice from an insurance provider or broker at some stage will be necessary, it’s a good idea to start by deciding what you think you need based on your unique business. Otherwise, you could end up being sold a policy that doesn’t quite fit, simply because it’s what the provider offers and they want to make a sale.

Create a cyber risk profile

To prepare, you can create a cyber risk profile that takes into account the major risks your company faces, the potential damage as a result of those risks, and estimated expenses you would need covered in various scenarios.

A few examples of risks you’ll consider are extortion (due to ransomware), data breaches, business network interruption (for example, due to a DDoS attack), and physical asset theft or damage. While there are a great number of risks for any company, some will be more likely than others. A cybersecurity expert can help you determine the specific level of risk for a given item.

For each item, you’ll need to associate potential costs. For example, some of the costs related to a data breach that may be covered by an insurance policy are:

  • Finding out the cause of a data breach (investigation expenses)
  • Costs related to notifying persons affected
  • Protecting the privacy of those affected (e.g. identity theft protection or credit monitoring)
  • Lawsuits resulting from a breach

If it’s in the budget, companies like Willis Towers Watson will come in and create a full cyber risk profile for you, and offer accompanying solutions.

Compare policies from different providers

Once you have a better idea of what you need, you can compare various policies to find one that’s a good fit. Once you’ve narrowed it down, you can do some more digging by talking to several providers. Here are some questions you might ask:

  • Are there multiple standalone policies to consider or just a one-size-fits-all?
  • What are the deductibles for each item?
  • Does the policy cover third-party providers too, for example, if a service provider you use suffers a breach that affects your business?
  • Are you covered against all attacks or just targeted ones?
  • Are non-malicious employee actions covered?
  • What types of attacks are covered? For example, is it only network attacks, or all kinds of attacks, including phishing attacks?
  • Does the policy include data compromise insurance (which helps cover the costs of securing customers’ personal information)?

Top providers of cyber insurance by country

Cyber insurance policies vary by country. Here’s a brief overview of the landscape in the US, the UK, Canada, and Australia.

US

In the US, the cyber insurance market is growing and the number of companies providing policies is steadily increasing. However, according to a 2017 report, of 170 providers, the top five insurers wrote more than half of all direct written premiums in 2017.

The current top eight providers based on the value of direct premiums written are:

  • Chubb INA Group
  • American International Group (AIG)
  • XL Catlin America Group
  • Travelers Group
  • AXIS Capital
  • Beazley Insurance Company, Inc.
  • CNA Financial Corp.
  • BCS Financial Corp.

UK

Cyber insurance is considered by UK brokers to be an “important and growing market.” However, based on the DAS Market Barometer: Cyber, almost one-third of brokers consider their understanding of cyber insurance to be poor.

What’s more, 2018 research by Ovum discovered that while nine in ten UK businesses have cyber insurance (up from two in three the year before), only 38 percent of companies have coverage that covers all cyber threats.

Canada

With a surge in the number of Canadian businesses affected by cyberattacks in 2018, it’s more important than ever that business owners seek proper coverage. Insurance Business Canada helps you decide by comparing cyber insurance policies from more than 60 providers, including AXIS Canada, Beazley Canada, AIG Insurance Company of Canada, and Zurich Canada.

Australia

Insurance Business Australia lets you compare various policies from more than 25 companies. Even handier is this cyber insurance comparison tool. It lets you fill out a quick form with a few company details and compare policies from some of the top providers, including CGU, Chubb, Allianz, AIG, Dual, and Emergence.

Tips for protecting against cyber attacks

While it’s a good idea to be covered by cyber insurance, it’s far better to avoid issues in the first place. We’ve put together a guide to small business data protection as well as a post on helping small businesses improve cybersecurity without breaking the bank. These two articles provide a wealth of information on the best practices and tools you can use to step up your cybersecurity strategy.

In case you don’t have time to read those right now, below are some of our top tips to keep your business secure against cybercrime.

Here’s how to protect your small business from cybercrime:

  1. Use common sense in everyday activities, such as using strong passwords and treating emails from unknown senders with suspicion.
  2. Always keep at least one backup of all data. Hard drive backups can be helpful but online backup tools like iDrive and Backblaze can be convenient and aren’t liable to physical damage like external hard drives are.
  3. Use an antivirus to help detect and remove viruses and other types of malware, such as ransomware and spyware.
  4. Secure internet connections with a Virtual Private Network (VPN). This will encrypt all internet traffic, making it unreadable to a third party. See our list of the best VPNs for small businesses.
  5. Limit the amount of data that is available in public domains and be cautious about what is shared by you and your employees online. Many companies have a social media policy in place both for security and PR reasons.
  6. Teach staff about cyber threats and how to avoid them, including avoiding suspicious emails and links and verifying the identity of callers over the phone.