Cyber Insurance For Small Business
In today’s world, where so many different aspects of business are dependent on computer and internet operations, there is an essential requirement for companies and owners to protect the information that all of these systems rely on.
This protection is needed against accidents and against attacks.
Since it is impossible to build complete security and complete protection into any system, there is the need to take out insurance against the risks associated with dependence on data.
This is a specialized kind of insurance called cyber insurance.
To clarify why data is so important, we make the point that data is information.
It is information about your customers, sales, accounts, workers, and money.
When you are protecting your data, you ensure that all of these vital aspects of your business are secure, accessible, and reliable.
In what ways can information become vulnerable?
To put it in the simplest terms, computer systems cannot be 100% secure unless they are switched off or are physically inaccessible, not connected to any external wiring, and generate their own electricity.
If anyone is using the computer system, it is vulnerable in many ways.
As well, the data that computers are storing and manipulating can be vulnerable to all sorts of different risks.
Firstly, data can simply get lost.
This may not mean just that it can’t be found, in which case essential information on which your business depends has gone missing.
The standard defense against data loss is to back up as much as you can as often as you can.
This has fundamental weaknesses because there are always gaps between the current state of your data and the most recent backup.
Data can also become unusable.
The storage media such as disks, tapes, and, more recently, shared space on the cloud are physical devices that can suddenly lose functionality.
The data may become totally inaccessible, or only partly readable, or in some cases suspect because of partial corruption.
Even with proper backup routines, there is a substantial risk of data becoming corrupted somewhere in the chain between storage and backup.
Backups are not wholly reliable.
Backups are part of everyday computer data management. However, there have always been fundamental weaknesses even in the best managed backup routines.
Data moving onto backup media has to be stored somewhere and is only as relevant as it was at the exact time of the backup.
If you have the backup stored in the same location as the main data storage, there is no protection against local incidents like fire or flood.
This means that backups must be stored off-site in a location that is secure from fire as well as theft since now your company’s private information is being taken to a location outside your own control.
In practice, this means that off-site backups are only done periodically, like once a week or once a fortnight.
The risk then is that in the event of some significant event onsite, there could be a substantial gap between the information that can be recovered from the backup and the accurate picture of business operations at the time of the incident.
Cybertheft and criminal attack
There has been a growing threat of criminal attacks involving corporate data. Cyber attacks come in various forms, such as theft, malware, ransomware, phishing, denial of service and other methods.
Without a doubt, corporate data is one of the most critical assets of any business.
As well as information about the many aspects of what the business is doing, external operatives can gain access to banking information, customer databases, corporate plans and strategies and many other pieces of information. All of this can either be used to harm your company’s operations or become tools used against you.
For many companies, their information is highly sensitive, especially about their customers and clients, levels of business, banking details and much more.
There is a growing wave of criminal activity where sophisticated cyber-attacks are made on central databases, and information is gathered about all of these sensitive areas.
The criminals then threaten to publish this information unless they are paid substantial amounts. There is little protection available from police or the law.
There is no trail either of the attack or of the payment.
The criminals are making use of dark-web technology, and are exploiting the mechanism of cryptocurrencies so that the payments they are demanding can’t be linked to any bank account.
If your company stores personal data about employees, customers or clients, you may be subject to state-specific data breach laws.
Theft of this information may lead to legal action either by the state regulators or individuals.
Malware and Ransomware
Most companies are wholly dependent on the constant availability of their computer systems.
If the systems are either not available, or not functioning correctly, it can bring all regular activity to a halt.
Malware attacks are designed to inject some parcel of malicious software into the company’s system, forcing it to stop functioning correctly, corrupt or encrypt the data, or start sending sensitive data over the internet to the malware’s authors.
In some cases, malware attacks are designed simply for the damage they can do to a company, either for a gain of market advantage by a competitor, or for pure malice.
Recently, numerous attacks have combined malware with a ransom demand for removal of the bug or virus, or for instructions on how to treat the malware.
In some cases, demands amounting to tens of millions of dollars have been made and paid.
As well, refusing to pay the ransomware demand can turn out to be even more costly.
In one such case, one US city refused to pay a relatively small ($76,000) ransom but in the end, the cost of restoring their systems amounted to over $18 million.
Denial of service
Many companies are highly reliant on the open internet either for communications between offices, for access to SaaS and cloud-stored data, or as the marketing channel for their customers to find and buy their goods and services.
A denial-of-service attack is designed to swamp the company’s internet portal with thousands of messages, causing it to collapse.
In the period before normal internet traffic can be restored, all computer-related activity stops, and customers who cannot reach the web pages may turn to opposition pages, which means loss of business as well as market standing.
In general, denial of service attacks are malicious, designed to hurt a company’s operations with benefits coming from the harm caused.
Phishing
The term is used to describe emails sent under a fake identity (phishing emails).
These are designed to cause incorrect payments if your employees make a mistake by responding to a faked invoice and transfer money out of the corporate accounts in the belief that they are making a legitimate payment.
What does cyber insurance protect you from?
Cyber insurance covers data destruction, data recovery, extortion and theft.
In cases involving ransomware, it should pay any ransom demand, plus offer reward money to track and prosecute the criminals.
A good cyber insurance policy should also provide for audits by cyber-trained experts to locate vulnerabilities, post-incident checks, legal and forensic expenses.
Each of these protections has specific coverage limits.
There are some special covers you can take in addition to the standard policies.
- Social engineering coverage can protect you in the case of funds transfer fraud arising from phishing
- If you are highly dependent on technology to operate, network business interruption coverage provides cover if your internet access goes down. You can claim for loss of profits and any extra associated expenses while business was impacted. The sorts of incidents covered are third-party hacks, system failure, or programmer or operator error
- In cases of a cyber event resulting in reputation damage, where the damage arises from brand aversion following publicity of a security breach, you can add cover for reputational harm.
Do you need cyber insurance?
The answer is quite simple.
If your business has active and important information systems and loss of that information could cause financial damage to your operations, you should be seriously considering the benefits of this kind of cover, relative to the low costs.
Most definitely, if the kind of business you are running makes extensive use of external resources like cloud storage and third-party systems like SaaS, then you almost certainly need cover against the kind of damage you can suffer if your access to the internet is halted.
Suppose you are working in a highly competitive field, where your opposition could gain a significant advantage or reward due to any sort of cyber attack.
In that case, you should think seriously about how to prevent this damage through having proper and adequate insurance.
It may turn out that having the insurance and not being shy to say it could prevent any such attacks since the other side would then know that their actions won’t hurt you in the way they hope.
What level of cyber insurance should you take?
The answer to this question depends entirely on the level of cover that you need.
It is dependent on your size of business, the kind of operations, the degree of vulnerability, the degree to which your day-to-day operations depend on sophisticated computer systems, and many other specifics that only you know.
Talk to trained cybersecurity professional consultants, and to experienced insurance representatives to get advice.
We suggest spending a few hours researching the internet for what policies are on offer in your state, and also talking to associations and business groups that work in the same industry as you to get a good idea of what the rest of your sector is doing.
What is not covered by cyber insurance?
In some policies, an exclusions clause like “acts of war” could exempt the company in cases where a cyber attack was initiated in a country deemed to be an enemy of the US, like North Korea or Iran. Therefore, it’s advisable to discuss the terms and conditions of your policy with a competent insurance agent, broker or company representative before signing anything.
Other typical exclusions are:
- Loss of future profits
- Theft of intellectual property
- Costs incurred for improvement of the restored systems and data to upgraded technology.
How much does cybersecurity insurance cost?
It is dependent on the levels of the different covers you decide on.
Without taking an exaggerated viewpoint, we suggest doing a “worst-case scenario” assessment of your risks and getting many realistic quotes from competent agents and brokers.
Security can fail no matter how carefully you have designed your systems and operations.
Treat cyber insurance as your backstop to sleep better at night.
It’s also good for your business, because some vendors or clients require proof of insurance before giving you their business.
Many insurance companies sell their policies along with offers of advice from teams that specialize in security optimization, incident response and legal counseling, so you are getting expert help.
Some cyber insurance companies will give you a discount if you use these risk mitigation services.