What Is Cyber Insurance and Why Do You Need It?

In a world of increasing digital attacks, cybersecurity insurance is helping protect against threats and ensure recovery whenever IT systems are compromised. Experts explain what cyber insurance is and how it’s evolving.

December 10, 2025

Cyberattacks hit every day, and they’re becoming more frequent. Cybersecurity Ventures estimates that cybercrime will cost global companies $12.2 trillion per year by 2031.

The global explosion in remote workers post-pandemic only created more opportunities for threats like phishing and ransomware. And the rapid increase in AI tools opens the door to new risks. Accenture’s “State of Cybersecurity 2025” report found 90% of companies lack the maturity to counter the AI-enabled threats of today.

Cyber insurance offers businesses additional protection against cyber attacks, covering elements such as data recovery, legal fees, and losses resulting from operational interruptions. It can help businesses of all sizes, with 72% reporting an increase in organizational cyber risk. 

What is Cyber Insurance and Why Do You Need It?

Most businesses store sensitive customer data in the cloud, such as credit card information, Social Security numbers, passwords, birthdays, or healthcare records. Malicious actors find that information attractive and use ransomware attacks to obtain it. Those attacks are the most common reason for a cyber insurance claim, though policyholders may also file claims related to phishing email scams, distributed denial-of-service (DDoS) attacks, and wire transfer fraud.

The reason companies need dedicated insurance for cyberattacks is simple: Most insurers won’t cover cyber incidents as part of a general liability policy, which covers bodily injuries and property damage. Meanwhile, many cloud service providers structure contracts to limit their own liability, putting the burden of attack mostly or entirely on partners and users. Special and dedicated protection is needed.

Naturally, more risk demands more protection. During his term, President Joe Biden signed an executive order requiring government contractors to report cyber incidents, mandating that government software meet certain security standards, and creating a government board to review major cyber incidents.

But cybersecurity isn’t the responsibility of the government alone. It’s also the responsibility of large corporations, small businesses, and individual consumers, who are all vulnerable to malicious attacks by internet criminals.

Sebastian Goodwin, Chief Security Officer at the hybrid multicloud software company Nutanix, noted that the complexity of the technologies used by businesses and organizations has increased exponentially in recent years. 

“Security teams have to not only understand a multitude of technologies that operate across disparate substrates and platforms but also understand how those technologies can be exploited and how to protect them,” he said. “With unique vulnerabilities in each platform, it’s a constant challenge to prioritize and mitigate risk.”

What Does Cyber Insurance Cover?

The short answer: It depends. However, coverage generally is divided into first-party (i.e., yourself and your business) and third-party (i.e., your customers or others who might be affected) coverage.

Among other things, policies might pay the cost of:

  • Cybersecurity professionals who can investigate the crime
  • Losses from business interruptions
  • Customer communications
  • Data recovery
  • Media liability
  • Infringement of intellectual property
  • Legal fees
  • Government fines
  • Customer settlements

Insurance companies may offer various cyber insurance packages catering to companies of different sizes and risk exposures. These can be standalone options or added to existing policies. For example, a data breach is the most concerning cyberattack for an individual or small business, so small businesses might invest only in data breach coverage. Meanwhile, a larger enterprise may opt for an extensive cyber liability insurance policy that’s more comprehensive. Or, they may explore captive insurance options, where a business creates its own insurance subsidiary to provide insurance to the parent company.

However, cyber coverage is not cut and dried. Cybersecurity expert Johnny Young, a.k.a. JohnE Upgrade, suggests that businesses chat with an unbiased third party before investing in cyber insurance coverage.

“Have an assessment of your defensive abilities done by a cybersecurity company that doesn’t provide insurance,” he said. “This way, you can examine the policy and see exactly what isn’t going to be covered.”

Is Cyber Insurance Enough to Protect Your Business?

Cybersecurity insurance can help a company recover from a cyberattack, but it won’t prevent one from occurring in the first place. If the worst does happen, it can’t protect a company’s reputation. Trust in the brand will almost certainly erode.

Cyber insurance should serve as a complement to good cyber hygiene. At its best, that’s how all insurance functions. For example, consider the origin of fire insurance.

“Ben Franklin started a civic proposition about controlling fires because the creation of electricity led to more fires,” said Tim Andrews, former vice president at cybersecurity solutions provider Booz Allen Hamilton and a current AI analyst at GAI Insights.

“Insurance companies have an obvious interest. They have to pay if things go poorly, so they instituted building codes to ensure businesses and homeowners are taking proper precautions. Cybersecurity insurance is similar – you’ve got to show you have reasonable processes in place.”

In fact, an insurance company may refuse to honor or even offer a policy without evidence of good cyber hygiene.

To prove you’re up to snuff, consider investing in ongoing cybersecurity training. Heather Stratford, founder and CEO of cybersecurity training firm Drip7, suggests delivering short and frequent bursts of content that employees can absorb at their convenience.

“Microlearning has been demonstrated to produce much better results than the traditional lecture-followed-by-a-test approach,” Stratford said.

Training is critical because human error remains the biggest cause of cyber vulnerability.

“The No. 1 issue is not upgrading software on your phones and computers,” Andrews says. “Even if you have an automatic update, it could fail because it’s not plugged in or another setting skips it. So many people are willfully out of sync with their updates.”

How Do Cloud Computing and Cyber Insurance Work Together?

To better protect themselves, consumers and companies are turning to two distinct yet complementary instruments: cloud computing and cyber insurance coverage.

The former is both a source of cybercrime and a solution to it. Cloud computing increases attack surfaces by exposing more information to networks that could be breached and hacked. On the other hand, cloud computing is inherently secure due to encryption and protected access, making it harder for bad actors to breach. Plus, cloud service providers are making deep investments in security updates and enhancements, including built-in firewalls, AI protection, and auto-patching.

Still, technology will never be completely impenetrable. Companies are familiar with the cloud, but cyber insurance is uncharted territory for many. The amount of information stored in the cloud will keep growing, and hackers will continue to find ways to obtain it. Consumers and businesses, therefore, need multiple tools in their toolbelt in order to protect themselves.

Cyber insurance is one tool, though its effectiveness is unclear. For example, Young notes that it could take years to get payouts from claims. And some smaller insurance companies may never be able to complete a payment.

“What happens to a company that offers cybersecurity insurance, and malware comes out that affects multiple clients at once?” Young asks. “Who do they pay first? How do they determine which companies were negligent in their defensive policies and implementation?”

Along with insurance that can help after an attack, it’s important to invest in strong security measures that can help prevent an attack in the first place. That’s where cloud computing comes in: storing data in the cloud and partnering with cloud vendors that invest in the latest cybersecurity technologies and practices.

Some companies even offer a bundle of Insurance-as-a-Service and security platforms. These offerings monitor threats through features like AI-powered fraud alerts and dark web monitoring while providing training for employees. Since the providing company has insights into other insureds, it can present more accurate policies.

Nothing is ironclad. Paired with good cyber hygiene, however – keeping servers and systems up-to-date, using multi-factor authentication, and avoiding suspicious emails and texts – cloud computing on the front end and cyber insurance on the back end can help protect organizations against consequential cyberattacks.

How AI is Changing Cyber Insurance

AI-powered phishing and social engineering attacks are enhanced versions of common risks. Insurers can at least somewhat anticipate these attacks, so they’re working AI clauses into coverage policies.

There’s still room to grow, however. Carriers must consider coverage for adversarial attack insurance or protection against data poisoning if a bad actor gains access to the training data for an AI model. AI-as-a-Service platforms and an increased reliance on third-party vendors also open up new avenues of risk that carriers must be aware of. Large language models can automate attacks at scale by building agents, writing emails, finding targets, and gathering relevant data. As a result, bad actors can reduce the costs of their scams by up to 95%.

Impersonation fraud and chatbot abuse are other concerns. The rise of deepfakes presents a challenging subject for insurers. Many will avoid policies that use comprehensive language to encompass all potential attacks. For now, deepfakes are typically among those exclusions. With chatbots, bad actors can inject specific prompts to gather company data that otherwise wouldn’t be accessible. Businesses need both first-party and third-party coverage to investigate and see who’s at fault. It’s often the creator and deployer of the AI technology. 

AI is also impacting how insurance carriers respond to claims. In the past, they could look at government regulations or case law. Since AI is growing so rapidly, carriers are seeing declining rates and fewer policies in force. After a 160% growth of U.S. direct written premiums from 2020 to 2022, Fitch Ratings reported a 6% decline in 2024. Carriers are continuing to navigate the risk landscape with a more cautious approach. 

Despite opening up new risks, AI can protect companies from harm. Anthropic published a report detailing how a threat actor used Claude Code to infiltrate about 30 global targets. The company estimated that 80-90% of the campaign was done through AI. Anthropic responded by using Claude to analyze massive amounts of data during its investigation. AI platforms can also assist with threat detection, vulnerability assessment, incident response, and other security measures. 

“If AI models can be misused for cyberattacks at this scale, why continue to develop and release them?” the report said. “The answer is that the very abilities that allow Claude to be used in these attacks also make it crucial for cyber defense.”

Some companies are also exploring cybersecurity representations and warranties. These are contractual provisions that safeguard against potential threats by attesting to matters such as regulatory compliance, adherence to privacy policies, and the absence of data breaches. Cyber representations and warranties are especially beneficial for mergers and acquisitions deals. Businesses want to ensure the newcomers aren’t bringing any hidden security baggage along with them.

Why Most Cyber Losses Remain Uninsured

According to CyberScoop, approximately 90% of cyber damages are not insured. A general lack of awareness about cyber insurance is a key reason for this coverage gap. It’s tough to protect yourself if you don’t know protection exists.

Cost can also be a limiting factor. Munich Re’s Cyber Risk and Insurance Survey found that about one in three organizations believe the price of cyber insurance coverage is too high.

Another challenging aspect of cyber insurance is the uncertainty surrounding large-scale cyber events. They’re nearly impossible to predict due to the complexity of software systems and the emergence of new tools. Unlike with auto insurance claims after an accident, there isn’t as much historical data insurers can pull from.

The result is increased premiums or spotty coverage. Insurers want to ensure that risk is spread out sufficiently so multiple organizations aren’t filing claims simultaneously. But IT systems and tools are so commonplace that a massive breach could potentially impact dozens or even hundreds of organizations, all seeking assistance at once. 

Cybersecurity Insurance As Part of Cyber Education

Davis Hake, a defense expert and Adjunct Professor of Cyber Risk Management at the University of California, Berkeley, battles cybercrime across the private, education, and government sectors. As co-founder of Resilience Insurance in San Francisco, he helps modernize the insurance industry to avoid or minimize digital losses. In addition to insuring companies against ransomware and other breaches, his company offers cyber education, protection, and recovery solutions to help fend off attacks and reduce the business impact of a breach.

Hake told The Forecast that interest in new insurance models skyrocketed as companies explored post-pandemic remote work capabilities. These organizations faced security challenges “not because of cloud technology, per se, but because they’ve quickly disrupted old ways of doing things.” He said these companies’ cloud projects were accelerated by as much as five years due to the pandemic.

Those companies are “finding themselves in a hybrid IT environment” that they haven’t spent years learning to protect yet, he explained. However, operating on modern IT platforms allows organizations to leverage new security technologies and services more easily.

Hake said Resilience clients make their own decisions about whether they pay ransom demands in cases of ransomware attacks. Whether or not to acquiesce to cyber-blackmailers is a controversial issue. Some private sector organizations have adopted no-pay policies, and some U.S. states are pushing for legislation to ban payments at local and state levels. The thinking is that making the payments provides criminals with an incentive to hold data hostage for monetary payoffs. 

Hake pointed out that organizations like hospitals and energy companies provide essential services and can’t endure prolonged data outages without risking the loss of life and public safety.

“We work with every one of our clients to ensure that they have secure backups, that they're running endpoint protection, that they've deployed multifactor authentication, and that they've secured their administrative accounts,” said Hake. “This is all basic cyber hygiene that can be very effective at providing options for recovery, even if the attackers do get in.”

Hake emphasizes the importance of enhancing incident recovery best practices to build a bright future. 

“A lot of research we’re seeing is going into determining best practices for being able to take a punch but come back quickly with minimal disruption.”

This article is an updated version of the original published on October 12, 2021 and first updated on October 28, 2022.

Joey Held is a writer, author and podcaster based in Austin, Texas. Connect with him on Twitter or LinkedIn.

Jacob Gedetsis updated this article. In addition to The Forecast, his work has appeared in The Kansas City Star, The Post Standard and The Plain Dealer, among others. Find him on Twitter @JacobGedetsis.
