Cyber Insurance: How to Choose the Right Coverage for Your Business
Most companies that buy cyber insurance get it wrong in one of two directions. Some pay for coverage they will never use. Others discover, in the middle of a ransomware crisis, that the policy they have been paying for does not cover the loss in front of them. Both outcomes have the same root cause: the coverage was sized against a market benchmark or a broker's gut feel rather than the company's actual exposure.
This guide explains how cyber insurance works in business terms, what to look for in a policy, and how to make sure the coverage you buy matches the losses you would actually face.
- Most businesses get cyber insurance wrong in one of two directions: paying for coverage they'll never use, or discovering mid-incident that their policy doesn't cover the loss that's hitting them. Same root cause: coverage was sized against a market benchmark, not the company's actual financial exposure.
- A cyber policy is not a single guarantee; it's a set of distinct protections, each with its own sub-limits, waiting periods, and exclusions. A €5M policy with a €500K business interruption sub-limit won't pay more than €500K for downtime, whatever the headline figure says. Matching these clauses to your own scenarios is what separates adequate coverage from dangerous gaps.
- Cyber insurance transfers the financial impact of a severe incident; it doesn't prevent an attack, restore customer trust, or recover your data. The businesses best positioned at renewal are those that arrive with a documented risk assessment, not just a completed questionnaire.
Why Cyber Insurance Has Become Essential
Knowing which incidents would hurt you most
For an SME, the average direct cost of a cyber incident is between €50,000 and €60,000, before counting reputation damage or customer loss. For roughly one in eight companies hit by an attack, the bill exceeds €230,000. Industry data suggests that nearly 60% of small businesses that suffer a major cyber incident cease operations within six months.
Averages, however, will not tell you what to insure. The losses that matter are specific to your business. A ransomware attack that halts production for three weeks, a breach of customer data that triggers notification, regulatory scrutiny, and litigation, or an outage at the cloud provider your operations run on: each carries its own likelihood and its own range of financial outcomes, and they are not equally dangerous. For a manufacturer, downtime is usually the dominant loss. For a services firm holding sensitive client data, it is liability.
Choosing the right coverage starts with that analysis. Identify the scenarios that would cause the most damage to your business, estimate how often each could occur and what it would cost when it does, and then decide how much of that loss your business can absorb and how much you need to transfer to an insurer. That decision is your risk appetite, and it sits with leadership. Once you have worked through it, you know what your policy needs to cover and at what level.
When coverage becomes a business prerequisite
The pressure to carry cyber insurance increasingly comes from outside the company. Enterprise customers now write minimum coverage requirements into procurement contracts. Investors and boards treat cyber coverage as a governance requirement that protects invested capital. And with regulations such as NIS2 and DORA raising expectations on operational resilience, a financed risk transfer strategy is becoming part of doing business in Europe.
For most leadership teams, the question today is how to buy the right coverage at the right price.
Understanding What a Cyber Policy Actually Covers
The core coverage components
A cyber policy is a bundle of distinct protections, each responding to a different type of loss:
- Incident response costs — Forensics, legal counsel, crisis communications, and ransom negotiation support, usually delivered through the insurer's pre-approved panel of experts. For companies without an internal security team, this response capability is often as valuable as the indemnification itself.
- Business interruption (BI) — Lost revenue and extra expenses while systems are down. For most companies, this is the largest loss category in a severe incident.
- Cyber extortion — Ransom payments where legal, plus the cost of negotiation and recovery.
- Data restoration — Rebuilding systems and recovering data after an attack.
- Third-party liability — Claims from customers or partners whose data was compromised, including notification costs and litigation defense.
- Regulatory coverage — Defense costs and, where insurable, fines arising from GDPR and other regulatory actions.
The policy terms that determine what your policy actually pays
The aggregate limit is the total amount the insurer will pay out over the policy period. How much of it you actually receive depends on the incident: each loss type is paid under its own conditions. The terms below are where that becomes measurable against your risk appetite, and why thinking in quantified scenarios is valuable.
Sub-limits cap payouts for specific loss types within the aggregate limit. This is the first place the scenario logic appears: a €5 million policy with a €500,000 BI sub-limit will pay no more than €500,000 for downtime, whatever the aggregate says.
Waiting periods define how many hours of downtime you absorb before BI coverage applies. If your business cannot operate for more than four hours without its systems, an 8 to 12 hour waiting period should be a negotiation priority.
Exclusions remove entire categories of loss. Dependent business interruption, meaning losses caused by an outage at your cloud or SaaS provider, is frequently excluded or sub-limited. For companies that run entirely on third-party platforms, this is a serious gap.
Retentions (deductibles) define what you pay out of pocket per incident before the policy responds.
Under-insurance is as common as over-insurance, and many companies only discover it while responding to an incident. Reviewing these terms against your own scenarios is what lets you check the policy against your risk appetite before that happens.
How to Assess Your Cyber Insurance Coverage Needs
Four questions to understand your cyber risk in financial terms
Four basic questions are the starting point for assessing your cyber insurance needs, and they are also the basis of any cyber risk assessment:
1. What are the probable incidents? Typically ransomware, a data breach, fraud, or an outage at a critical provider.
2. Which incidents matter most? Rank them by how likely each is to happen and how much it could cost.
3. What are the probable types of loss per incident? A single ransomware event can produce several at once: downtime, recovery costs, ransom, notification, and legal exposure.
4. What is the probable financial impact per loss type? Estimate, even roughly, what each loss would cost your business. This reduces your uncertainty when evaluating an insurance policy.
From financial impact to risk appetite and risk transfer
Your assessment lets you compare your risk against your risk appetite: how much loss is the business willing to carry, and how much can it carry while staying operational? Losses within your appetite are risk you accept. Losses that exceed your appetite are risk you transfer, and cyber insurance is the instrument for that transfer.
Knowing your risk in financial terms lets you analyze a cyber policy against your own situation. For each of your top scenarios, check that coverage exists for every loss type the scenario produces, then check the sub-limits, waiting periods, and exclusions against what the scenario would cost. If your broker recommends a limit, ask for the loss scenario behind it.
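The check described here and under the policy terms above, as an added worked example that is not part of the article: each scenario's estimated losses are settled against a policy's exclusions, waiting period, sub-limits, retention and aggregate limit, and the retained remainder is compared with the risk appetite. The €5M aggregate and €500K BI sub-limit come from the article; every other figure is a constructed assumption.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    aggregate_limit: float                 # total the insurer pays over the period
    retention: float                       # deductible you pay per incident
    sub_limits: dict = field(default_factory=dict)   # loss type -> cap within aggregate
    bi_waiting_hours: float = 0.0          # downtime absorbed before BI responds
    excluded: set = field(default_factory=set)       # loss types never paid

@dataclass
class Scenario:
    name: str
    losses: dict                           # loss type -> estimated cost in EUR
    downtime_hours: float = 0.0
    revenue_per_hour: float = 0.0          # lost revenue while systems are down

def settle(policy: Policy, scenario: Scenario) -> dict:
    """Apply exclusions, waiting period, sub-limits, retention and the aggregate
    limit to one scenario; return total, insurer-paid and retained loss."""
    losses = dict(scenario.losses)
    covered = {}
    if scenario.downtime_hours > 0:
        # Every hour of downtime is a real loss, but only hours beyond the
        # waiting period are claimable under business interruption (BI).
        losses["business_interruption"] = scenario.downtime_hours * scenario.revenue_per_hour
        claimable_hours = max(0.0, scenario.downtime_hours - policy.bi_waiting_hours)
        covered["business_interruption"] = claimable_hours * scenario.revenue_per_hour
    for loss_type, amount in losses.items():
        claimable = 0.0 if loss_type in policy.excluded else covered.get(loss_type, amount)
        covered[loss_type] = min(claimable, policy.sub_limits.get(loss_type, claimable))
    total = sum(losses.values())
    paid = min(max(0.0, sum(covered.values()) - policy.retention), policy.aggregate_limit)
    return {"total": total, "paid": paid, "retained": total - paid}

def gaps(policy: Policy, scenarios: list, risk_appetite: float) -> list:
    """Names of scenarios whose retained loss exceeds what leadership agreed to carry."""
    return [s.name for s in scenarios if settle(policy, s)["retained"] > risk_appetite]

# Constructed figures: the article's €5M policy with a €500K BI sub-limit, plus an
# assumed 8-hour waiting period, €25K retention and a dependent-BI exclusion.
POLICY = Policy(aggregate_limit=5_000_000, retention=25_000,
                sub_limits={"business_interruption": 500_000},
                bi_waiting_hours=8, excluded={"dependent_business_interruption"})
RANSOMWARE = Scenario("ransomware halts production for three weeks",
                      losses={"incident_response": 80_000, "data_restoration": 150_000,
                              "cyber_extortion": 200_000},
                      downtime_hours=21 * 24, revenue_per_hour=2_000)
CLOUD_OUTAGE = Scenario("outage at the cloud provider",
                        losses={"dependent_business_interruption": 300_000})
```

With these assumptions the three-week ransomware scenario leaves €533K with the company despite the €5M headline, because the BI sub-limit caps a €1M downtime loss at €500K, and the cloud outage is retained in full because dependent BI is excluded.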
Working With Your Underwriter for Cyber Insurance
Choosing a policy after a data-driven risk assessment
Underwriting a cyber policy starts with a questionnaire. The insurer asks about your controls: multi-factor authentication, backups and whether they are tested, endpoint protection, patch management, security awareness training, and how access is managed for remote workers and third parties. Some insurers complete the picture with an external scan of your systems.
The answers in the questionnaire will help the underwriter determine the coverage you need. An insurer that cannot verify your security posture prices the uncertainty, which means sector-average rates, conservative sub-limits, or in weaker cases declined coverage. Gaps in the basic protective controls are among the most common reasons the cost of a policy is higher.
A company that arrives at underwriting with a documented risk assessment gives the underwriter objective data to adapt the policy to its needs. Insurers increasingly treat formal risk management as a condition of coverage, and presenting your own assessment tends to translate into better pricing, broader terms, and an easier renewal.
Incident management and insurance claims
A cyber policy only pays if a claim is handled correctly. Your business continuity plan should state how to notify the insurer, who to contact for incident management, and what to document. Build the insurer notification step into your incident response plan and test it before you need it.
Insurance Is One Control in Your Cybersecurity Strategy
Cyber insurance absorbs the financial impact of a severe cyber incident. It does not prevent an attack, restore customer trust, or recover your data. It is only one layer of a broader cyber risk management strategy: foundational controls reduce the likelihood of an incident, response and continuity planning reduce its severity, and insurance transfers the financial impact from the company.
How C-Trust Can Help
C-Trust is an end-to-end cyber risk management solution built for SMEs and mid-sized companies without a mature risk and security team. Each subscription includes a risk assessment that quantifies your financial exposure per scenario, a control maturity assessment benchmarked against industry standards and the baseline controls insurers expect, and a prioritized action plan covering technology, governance, and cyber insurance recommendations. Board-ready reporting gives you a documented assessment to present at underwriting, and regular reviews with a C-Trust analyst keep your risk profile current ahead of each renewal.