Does My Business Need Cyber Insurance?

Is it really necessary?

Yes.  Cyber Insurance is a core coverage for every business.  The cost of cyber incidents often exceed several million dollars.  You must take into consideration the cost of lost data, the cost to restore your systems, the cost to notify and insure thousands of affected customers, damage to your reputation, etc.

Why does my MSP care if I have Cyber Insurance?

Believe it or not, our insurers are asking if we require it for our clients. It is starting to affect our rates for E&O and Cyber. The technology and tools we use in your systems affects our rates, as well as yours. We really do want to use the best tools, technology, practices, and policies. Not only is it to protect you, your employees, your data, and clients, but we are protecting our business, and your rates too.

Most insurers are requiring certain technologies. Many require security awareness training, MFA, and managed detection and response specifically. If you don’t have them, and have an incident, many insurers will not cover your costs or losses. You may also have trouble getting insured in the future.

Before renewing your policy, have a quick chat with us. We want to make sure you’re ready for the insurance audit they will perform, and tighten any security to help you lower your rates. When you’re ready, we recommend Datastream, but you can use your local agent too!

I already have good cyber security, why do I need cyber insurance on top of it?

Even with the best cyber security, falling victim to a cyber-attack or data breach is not a question of IF but WHEN. Cyber-attacks have increased by 574% in 2020, with 73% of attacks targeting small businesses. Good cybersecurity helps reduce the likelihood of an attack, but it doesn’t eliminate it. Cyber insurance acts as a last line of defense, assuring that your business will survive and recover if a cyber incident does happen.

What does Cyber Insurance cover when my business suffers a cyber-attack?

Insurance pays to get your technology and business back up and running.  It also covers costs suffered while your systems are down.  The insurance helps pay to harden your systems and covers liability from confidential data losses and damage to other businesses.  Lastly, it can help to repair your reputation after a cyber-attack.

What does cyber insurance actually do?

Think of cyber insurance like car insurance – even if you have the best technology on the market, or you drive the best car, sometimes in life something will suddenly appear that you can’t defend yourself against. In a car, it could be another driver pulling out unexpectedly at a crossroads and giving you (and your car’s technology) no time to react. The car’s technology will save your life, but without insurance how will you pay for the car to be replaced so you can continue your journey.

Cyber insurance is there to do the same. If, and it is an if, you get hacked or breached by cyber criminals, cyber insurance is there to help pick up the pieces and get your business back up and running again. It’s helps cover the costs of things like data loss, replacing technology, legal fees and all the other issues a cyber-attack causes. Read more about our coverage here.

How much cyber insurance coverage do I need?

There’s no one-size fits all approach.  Because every business is different, the costs involved to get back on your feet after an attack are individual to your business.

What types of coverage are there?

There are two kinds of coverage you need.  First, there is first-party coverage.  In other words, the damage done to your business.  Having broad first-party coverage ensures losses and damages done to your company’s computers, networks, IT systems, data, and business (things like reputational damage or the need for external services like legal) resulting from a cyber-attack are covered.  The second element is third-party coverage.  This is the damage done to others you work with or serve, like customers. You will want comprehensive third-party coverage that includes losses or damages like data loss or stolen information.

How can I reduce my insurance cost?

The key thing here is only to reduce your premium cost, rather than reducing your cover. Almost all cyber insurance companies will now assess your tech stack against known threats and other areas like staff training.  For example, helping colleagues understand the threat posed by phishing emails through security awareness training and phishing simulations. When your insurance company is able to accurately understand your risk, they are able to correctly price policies to accurately reflect your business – thus lowering your costs.

Cyber Insurance Readiness

Cyber insurance rejections for small-to-medium businesses (SMBs) is at an all-time high, putting thousands at risk of catastrophic cyber loss

A CIRT or Cyber Insurance Readiness Tool is a “soft credit check” for cyber insurance applicants

People and processes

  • Who is responsible for your security? 
  • Do you have an MSP you work with, or internal IT staff – both?  
  • How do you conduct regular security awareness training and testing for all employees? 
  • Do you have a written security policy?
  • Do you have a written disaster Recovery Plan?
  • What are the procedures to verify the authenticity of a payment or funds transfer request?


  • Do you have an anti malware product that is continually updated?
  • Are firewall systems installed, and updated on a regular basis?
  • Do you encrypt all external communications containing sensitive information?
  • Do you encrypt data in transit and at rest?
  • How often are updates and patches to critical IT applied to systems and applications?
  • Does your business use a filesharing service?
  • How often do back-ups of critical data and systems run?

Account management

  • Have you required your employees to use multi-factor authentication (MFA) when remotely logging into a computer system or online service?
  • How do you restrict access to sensitive information?
  • Are your password policies requiring strong passwords of at least 16 characters?
  • Do you allow shared accounts?