Data breaches and cyberattacks can happen to businesses of all sorts and sizes. To protect your business, its technology and all sensitive information (such as customers’ personal information or credit card numbers), it’s important to have cyber insurance in place. Here's how to choose the right plan for your business.

What does cyber insurance cover?

Not every insurance provider offers the same coverage, so it’s important to know what types of coverage are available and what elements you should look for in an insurance policy.

First-party coverage

First-party insurance will cover any damages or losses due to a cyberattack or data breach. It includes recovery of lost data, investigation services and business interruption coverage.

Third-party coverage

This type of coverage protects customers or partners who might be affected by an attack or breach. Any damages, such as legal fees, settlement costs, or liabilities, will be covered for any third party involved.

Why is cyber insurance important for small businesses?

Even small businesses are vulnerable to cyberattacks and data breaches, and these incidents can be extremely costly. Cyber insurance can help businesses prepare for and deal with any attacks that may come, while also helping them recover from any damage that is done.

Any business that deals with sensitive information such as credit card numbers, medical information, social security numbers or customers’ personal information should obtain cyber insurance in order to protect customer information and relations, and also the reputation of the business.

Cyber insurance can also be a key component in dealing with and recovering from security threats in the event of a breach.

“What [cyber insurance] does is allow small businesses to gain access in the community of pre-breach and post-breach response services,” said Meghan Hannes, cyber, technology and E&O product head at Hiscox. “It gives [business owners] access to vendors which they have to find on their own … at a time that they don’t want to be searching around for an appropriate vendor.”

Common misconceptions about cyber insurance

Cyber insurance only protects businesses in a hacking event

While cyber insurance often helps businesses maintain operations in the event of a security breach, policies may also cover non-hacking events.

“Cyber insurance typically contains ‘business interruption’ coverage,” said Andrew Lipton, vice president and head of cyber claims at AmTrust Financial Services. “Depending on the wording of the policy, a small business could expect to be covered for lost business income during a given time period when that lost business income is directly attributable to an unintentional computer system interruption.”

Getting insurance is too expensive and not worth the protection

After assessing your business’s risks, find an experienced broker who can help you choose insurance that best suits your needs. Some carriers offer insurance policies with only basic coverages, while others offer premiums that will increase the cost.

Small businesses are not targeted by cyberattacks

Any size business can experience a cyberattack or data breach, and recovery can require a lot of money and effort. Some businesses may fail if there are no plans in place. Cyber insurance can help small businesses protect themselves from going under if they fall victim to a cybercrime.

Coverage will only protect technology

Thankfully, cyber insurance covers more than just a business’s technology. It covers hard copies of customer information, files that may have gotten lost, credit card transactions, records and even applications.

What to look for in a cyber insurance policy and provider

Before choosing the insurance policy that’s right for your business, you’ll want to consider a few variables:

Your risk tolerance

Before you start looking for a cyber insurance provider, it’s important to evaluate your business and carefully consider what systems you have to protect at all costs.

“[Consider] your risk tolerance in very, very practical terms versus how you make your money,” Hannes said. “What systems do you really need? Can you not operate without your customer lists? Can you not operate with your website?”

Hannes added you must separate the nice-to-have elements from the critical elements to gain a better understanding of your true risk tolerance. From there, you can make an informed decision and know that your revenue-tied systems are covered with your policy.

Cost of insurance and deductible

Just like health insurance, cyber insurance has a monthly payment and a deductible that must be met. It’s important to compare how much coverage costs each year with how much you might pay for damage if there were a breach. Will this policy cover enough of the costs so you won’t have to pay much out of pocket if there is an attack?

What’s included in the policy

Before deciding on a policy, be sure to read through all the terms and conditions thoroughly. Not all policies provide the same coverage, and some may only focus on one specific cyberattack, which leaves you vulnerable to others.

“Small and medium-sized businesses need to be aware that there are many types of cybersecurity coverage and that insurance carriers don't necessarily share the same definitions for what is and is not included,” said Robert Fitzgerald, CEO of Arcas Risk Management. “Most falsely believe the basic coverage provided by their carrier in the GL or E&O policy is enough, and it is not.”

Ask questions if anything is unclear, and consider your business’s risks and what it needs in order to be protected.

Your business’s needs

There are many different types of coverages available, such as Payment Fraud, Customer and Employee Data Loss, Third-Party Lawsuits, and Business Interruption and Extortion. Your business may not need all of these, so it’s important to consider what each offers and what elements are needed to protect you in case of a cyberattack.

“Look for a provider that understands the SMB space,” Fitzgerald advised. “Large organizations will have different needs and exclusions, so don't be afraid to ask about the differences in coverage between policies and carriers.”

Published August 12, 2021