Cyber insurance for small businesses: What you need to know
Cyber insurance for small businesses is probably the furthest thing from your mind.
As a small business owner, there’s a lot you have to do to ensure your operation runs smoothly. There’s marketing, ordering products or supplies, customer acquisition, and generally getting work done. But what about cybersecurity?
Many small businesses think that cyberattacks aren’t something they need to worry about. However, in reality, cybercriminals are three times more likely to target small businesses than larger companies.
Any business can be the victim of cybercrimes, which is why every business needs to have cyber insurance to protect themselves from the costly aftermath of a cyber incident. How expensive can recovering from cyberattacks get? The latest IBM Cost of a Data Breach report revealed that the global average data breach cost reached $4.88 million in 2024, a 10% increase from the previous year.
Not having cyber insurance means leaving your business financially vulnerable when — not if — a cyber incident occurs.
Curious about how cyber insurance can benefit your small business? This guide has everything small business owners need to know about cyber insurance.
What is Cyber Insurance?
Cyber insurance, also known as “cyber liability insurance,” is an insurance policy that covers the losses a business may encounter following a cyber-related security breach. Cyber insurance enables your small business to transfer the costs of a cyber incident, which can rack up quickly, to your insurance provider to lessen the financial burden.
In addition to covering costs for events such as data breaches and cyberattacks, cyber insurance also provides protection for liability claims and ancillary expenses associated with a cybersecurity incident.
Cyber insurance policies often include both first-party and third-party coverages.
First-party cyber insurance safeguards small businesses from losses that are the direct result of a cyber incident. It mitigates the financial impact on a business’s operations, assets, and reputation. For example, this coverage would apply if client information was stolen during a data breach and would cover expenses such as:
Data recovery or replacement
Notification costs for informing customers and stakeholders
Forensic investigation to determine the cause and extent of the cyberattack
Lost income due to business interruption
Crisis management and public relations
Credit monitoring
Meanwhile, third-party cyber coverage will protect your business from claims made against it by third parties, such as clients, customers, and partners. This coverage addresses costs related to:
Settlements
Legal fees
Regulatory fines
While cyber insurance is an essential component of any cyber risk management strategy, it’s important to note that it should never be considered a replacement for cybersecurity best practices. Instead, think of cyber insurance as your crucial last line of defense against cyberattacks.
How Does Cyber Insurance Benefit Small Businesses?
Though we often hear news reports about cyber incidents affecting large corporations, the truth is that small businesses are prime targets for cybercriminals because of the perception that these businesses have less-than-stellar cybersecurity measures.
Consider this: While 43% of cyberattacks affect small businesses, only 14% are adequately prepared to defend themselves. And in 2023, the FBI’s Internet Crime Complaint Center received a record 880,418 complaints from the American public regarding cyberattacks, with potential losses exceeding $12.5 billion.
Though forgoing cyber insurance may seem like an initial cost saving, that decision can cost small businesses substantially in the long run.
Just look at the situation involving Efficient Services Escrow Group in California, which had to lay off its entire staff and close up for good after cybercriminals stole $1.5 million. Cybercriminals used malware to access the business’s bank information and wired funds overseas from the company’s account. The owners learned a hard lesson when they discovered their bank was not obligated to cover commercial losses from a cyber incident. That meant the business faced a loss of $1.1 million (the owners were able to recover some initial losses) in a year when it was expected to clear less than half of that. The business was shut down by state regulators a few days after reporting the loss.
Then there’s a case outlined by the National Cybersecurity Alliance involving a small government contracting firm, which found out that an auction on the dark web was selling access to the business’s data. That included access to their military client’s database. The company eventually discovered that an employee had downloaded a malicious email attachment thinking it came from a reputable source. The phishing attack had a significant impact from operational and financial perspectives, with the U.S. Secret Service even getting involved. The incident cost the firm more than $1 million, and the company’s operations were disrupted for several days because it had to go offline.
Both situations could have played out differently with cyber insurance.
Cybercrimes cost small businesses exorbitant amounts of time and money, not to mention stress. Those damages can be hard to overcome if proactive cybersecurity risk mitigation steps aren’t taken, including having a cyber insurance policy for your small business.
What Cyber Risks Do Small Businesses Face?
Numerous cybersecurity risks can affect small businesses, and new threats emerge all the time. To be adequately prepared and avoid being caught off guard, small business owners need to be aware of the common cybercrimes their business could encounter.
1. Malware
Short for malicious software, malware is an umbrella term that refers to any program or file intentionally designed to damage, disrupt, or gain access to a computer, network, or server. Types of malware include spyware, adware, worms, viruses, Trojan horses, and ransomware (more on that last one in just a bit).
In 2023, there were 6.06 billion malware attacks worldwide, a 10% increase over the previous year.
2. Social Engineering
Did you know that social engineering is one of the most dangerous tactics cybercriminals use? Why? Because it exploits human error rather than network vulnerabilities.
Social engineering scams manipulate people into sharing sensitive information or making cybersecurity errors such as downloading harmful software. Those Nigerian prince emails we’ve all received at some point — which are going strong — are a prime example of a social engineering scheme.
While phishing (emails, texts, or social media messages sent by cybercriminals pretending to be a reputable source to get individuals to disclose sensitive information) is the most well-known type of social engineering attack, other examples include baiting (requesting info to collect a prize or offer), whaling (a highly strategized phishing attack that personally targets high-level executives), and pretexting (impersonating positions of authority who require personal information).
According to Verizon’s 2024 Data Breach Investigations Report, the median time for people to fall for phishing emails is less than 60 seconds.
3. Ransomware
While ransomware is a form of malware, it warrants being singled out because of its potential for highly damaging consequences.
Ransomware attacks restrict access to files until a ransom is paid. Malicious emails are often the root cause of ransomware attacks.
While ransomware attacks aren’t new, they are becoming more expensive and more common. Sophos’s “The State of Ransomware 2024” report states that the median ransom payment is now $2 million.
What Does Cyber Insurance for Small Businesses Cover?
Every small business has its own unique risks and insurance needs. That’s why cyber insurance is as dynamic as the businesses it protects, making it far from a standardized policy. However, cyber insurance for small businesses often includes coverage for:
Notification expenses: Any business that encounters a cybersecurity incident is responsible for identifying and notifying potential victims, which requires an investigation.
Credit monitoring services: Cyber insurance covers the costs associated with credit monitoring for victims of a cyber incident at your business.
Computer forensics: Once a cyber incident is identified, determining what happened, how, and the scope is crucial.
Reputational damage: Reputational fallout after a cyber incident can have a drastic impact. You’ll want to ensure a cyber insurance policy covers public relations and crisis management expenses.
Digital asset loss: This refers to the loss of digital assets, such as cryptocurrencies, intellectual property, or digital media.
Ransom demands: With cyber extortion, cybercriminals often demand payment from victims to have data restored. Cyber insurance coverage can help businesses cover the costs of ransom demands.
Business interruption: This coverage applies if your business needs to close temporarily due to a cyber incident.
Recovery, remediation, and restoration: Cyber insurance policies can help cover the expenses of recovering from a cyber incident and getting things back up and running.
Network security liability: This involves coverage for potential financial consequences a business may encounter due to inadequate network security measures.
Multimedia liability: Most cyber insurance policies will address claims and financial losses related to unauthorized use of multimedia content, infringement of intellectual property rights, defamation, or invasion of privacy through digital media due to a cyber incident.
For businesses with errors and omissions insurance, also known as professional liability insurance, it’s important to note that this policy type is not the same as cyber insurance and does not substitute for proper cyber coverage.
What Factors Affect the Cost of Cyber Insurance for Small Businesses?
Though cost shouldn’t be the only thing you look at when choosing cyber insurance for your small business, it’s understandable that it will be a consideration. How much a business pays for cyber insurance will depend on various factors, including:
Company size and industry
Amount and sensitivity of data
Annual revenue
Existing cybersecurity measures
Policy terms (coverage limits and deductible)
You can also work to keep cyber insurance costs down by practicing good “cyber hygiene” and developing routines and strategies, such as training employees, that help keep cybersecurity best practices on everyone’s radar.
As with any business insurance, the fewer claims filed, the better your premiums will be over time.
How Can Small Businesses Choose the Right Cyber Insurance Coverage?
When choosing a cyber insurance policy, it’s crucial to look carefully at what’s included under the policy in the event of a cyberattack and whether any specific situations are excluded from coverage.
After all, the last thing you want to encounter when you’re the victim of a cybercrime is unexpected expenses you thought were covered by your insurance policy.
For example, a study by Sophos found that while 84% of respondents had cyber insurance, only 64% said their policy covered ransomware attacks. Meanwhile, more than 72% of businesses worldwide have been affected by ransomware attacks as of 2023.
Choosing the right cyber insurance coverage also means finding the right insurance provider. So, take the time to find an insurer that offers cyber insurance options tailored to your business needs and will also work with you to help strengthen your cybersecurity strategies.
With Embroker, you can get comprehensive cyber insurance coverage tailored to your business’s individual needs that doesn’t break the bank. Want to learn more? Reach out to our team of experts to get more information on how cyber insurance can protect your business from the devastating repercussions of cyberattacks.