A business owner has an obligation to keep employee and customer information confidential. If that information is revealed or stolen in a cyberattack, the business might be held liable for damages. Cyber liability insurance provides coverage if a business is the victim of a cyberattack. A cyberattack can include data breaches such as phishing scams, ransomware and botnets.

Who needs cyber insurance?

Business liability insurance typically covers injuries and property damage caused by its products, services or operations. But damage from a cyberattack could be excluded from a general liability policy. Check your policy.

If your small business has a computer network on which employees save data, consider cyber insurance. Below are examples of data that could be targeted by hackers:

  • Customer or patient records.
  • Credit card information.
  • Bank account information.
  • Social Security numbers.

About 60% of small businesses in the United States experienced a cyberattack in the last year, according to a 2017 report by the Ponemon Institute.

The average cost to a small business from a cyberattack, from damage and theft of IT assets, tops $1 million, according to the Ponemon Institute. And that doesn't include the cost of the disruption to business operations, at an average of $1.2 million.

What does cyber insurance cover?

Depending on your business needs, there are several cyber insurance coverage types you can purchase. Insurance can cover:

  • Legal counsel after a cyberattack, including fees and expenses.
  • A digital forensics team.
  • The cost to notify customers of a data breach.
  • The cost to customers of recovering from identity theft.
  • Credit monitoring for affected customers.
  • Recovering the business's data.
  • Repairing damaged computer systems.
  • Business interruption coverage for lost revenue as the result of a data breach.
  • Good faith advertising to let customers know you're working to resolve the breach.

Some cyber insurance companies can even help you to prevent a cyberattack before it happens. Risk management services can include:

  • Helping you set up a secure network.
  • Employee training to protect data.
  • Developing privacy policies and procedures to help prevent cyberattacks.
  • Planning a quick response for a cyberattack.

Where to buy cyber insurance

If you're buying cyber liability insurance, you may be able to save money by bundling it with your general liability policy. When you're getting quotes for cyber insurance, it's also a good idea to shop around. You may find that another insurer offers insurance products and services that better fit your business needs or a lower total price.

Top 10 sellers of cybersecurity insurance

Rank Company
1. AXIS
2. Chubb Ltd.
3. American International Group
4. XL Group Ltd.
5. Travelers Companies Inc.
6. Beazley Insurance Co.
7. CNA Financial Corp.
8. BCS Financial Corp.
9. Liberty Mutual
10. Zurich Insurance Group
Source: Insurance Information Institute, based on direct premiums written in 2017

Tips to reduce the chances of a cyberattack

You can take active steps to limit your business's exposure to a cyberattack, including:

  • Install and maintain security software and hardware.
  • Make passwords complex and don't use the same passwords for multiple services or accounts.
  • Keep a firewall turned on.
  • Keep the computer operating system up to date.
  • Be careful of what employees download and do not open attachments from people you don't know.
  • Turn off computers at the end of the day — if it's always online, it's more susceptible to a cyberattack.
  • Use an IT security-services vendor.
  • Back up data at a secure off-site facility on a regular basis.
  • Train employees to recognize cyberattacks such as phishing.
  • Limit employee access to sensitive information. The fewer people who have access the better.

Glossary: Cyber terms and definitions

Here are terms you may see used in reports of cyberattacks.

  • Botnet: A group of hacked computers controlled by a single entity. They could number in the thousands or millions. Botnets are often used to steal data such as financial information.
  • Dark web: A marketplace where hackers purchase viruses and other malware to access others' private and confidential information.
  • Distributed Denial-of-Service Attacks (DDoS): In this attack, a computer network is purposely flooded with fake traffic in order to prevent legitimate users from accessing the network.
  • Malware: This might be a virus or spyware that is installed on a computer or mobile device without your permission. The programs can cause a computer or device to crash, or might be used to steal business information.
  • Phishing: This scheme often uses emails, texts and websites to get you to share data. Scammers make it seem like they need information or something bad will happen, such as your bank account being frozen. The scammers might ask you to click on a link or download an attachment, which contains malware.
  • Ransomware: This is malicious software that will not allow you to access your computer systems or information until you pay a ransom to the hackers.