Cyber insurance is a specialised insurance product that covers financial losses from cyber incidents — including data breaches, ransomware attacks, business interruption, and third-party liability — with underwriting requirements that now mandate specific security controls such as MFA, EDR, and incident response plans.
Cyber insurance has evolved from a niche product into a critical component of enterprise risk management. With the average cost of a data breach reaching $4.88 million (IBM 2025) and ransomware attacks demanding payments in the millions, even well-defended organisations face financial exposure that can threaten their survival. Meanwhile, insurers have responded to escalating claims by tightening underwriting requirements — the days of buying cyber insurance with minimal security controls are over.
Today's cyber insurance requirements read like a security audit checklist: multi-factor authentication, endpoint detection and response, privileged access management, incident response plans, backup strategies, and employee security awareness training are all standard prerequisites. Organisations that can't demonstrate these controls face premium increases of 50–100%, exclusions on key coverages, or outright denial.
This guide explains what cyber insurance covers, what security controls insurers require, how to navigate the application process, and how your compliance programmes (GDPR, NIS2, ISO 27001, SOC 2) align with insurance requirements. Putting those controls in place is where cybersecurity services come in.
| Quick Reference | Details |
|---|---|
| What is cyber insurance? | Insurance coverage for financial losses resulting from cyber incidents (breaches, ransomware, business interruption, liability) |
| Other names | Cyber liability insurance, cyber risk insurance, data breach insurance |
| Typical premium | $1,500–$5,000/year (small business); $10,000–$100,000+/year (mid-market); $100,000–$1M+/year (enterprise) |
| Typical coverage | $1M–$10M (SMB); $5M–$50M (mid-market); $25M–$500M+ (enterprise) |
| Key coverage types | First-party (your losses) and third-party (liability to others) |
| Must-have controls | MFA, EDR, backup, incident response plan, security awareness training, privileged access management |
| Application process | Detailed questionnaire + potential technical assessment |
| Claims trend | Ransomware is #1 claim type; business email compromise is #2 |
Key Takeaways
- Cyber insurance covers financial losses from cyber incidents — including breach costs, ransomware payments, business interruption, legal defence, and regulatory fines
- Insurers have dramatically tightened underwriting requirements since 2020 — MFA, EDR, and tested backup are now minimum thresholds for most carriers
- Cyber insurance is not a substitute for security — it's a risk transfer mechanism for residual risk after you've implemented reasonable controls
- The application questionnaire is essentially a security audit — answer honestly, because inaccurate answers can void your policy
- ISO 27001, SOC 2, and NIS2 compliance directly support your cyber insurance application by demonstrating mature security controls
- First-party coverage protects you; third-party coverage protects against liability claims from others (customers, regulators)
- War exclusions and systemic risk exclusions are expanding — understand your policy's exclusions before a claim
- Organisations with mature security programmes can negotiate premium reductions of 15–30%
Table of Contents
- What Is Cyber Insurance?
- What Cyber Insurance Covers (and Doesn't)
- First-Party vs. Third-Party Coverage
- Cyber Insurance Requirements: What Insurers Demand
- The 12 Controls Insurers Require
- How Insurers Evaluate Your Application
- Cyber Insurance Costs: Premium Factors
- The Application Process Step by Step
- Common Policy Exclusions
- Cyber Insurance and Compliance Alignment
- Filing a Cyber Insurance Claim
- Common Mistakes with Cyber Insurance
- Frequently Asked Questions
- Related Resources
What Is Cyber Insurance?
Cyber insurance (also called cyber liability insurance or cyber risk insurance) is a specialised insurance product that covers financial losses arising from cyber incidents. It's designed to fill the gap that traditional insurance policies (general liability, property, professional indemnity) don't cover.
Cyber incidents covered typically include:
- Data breaches (unauthorised access to personal or confidential data)
- Ransomware attacks
- Business email compromise and social engineering fraud
- Network security failures
- System outages caused by cyberattacks
- Cyber extortion
- Regulatory investigations and fines
What Cyber Insurance Covers (and Doesn't)
What's Typically Covered
| Coverage Area | What It Pays For |
|---|---|
| Breach response costs | Forensic investigation, notification to individuals, credit monitoring, call centre |
| Ransomware/extortion | Ransom payments (where legal), negotiation services, recovery costs |
| Business interruption | Lost income during system outage; extra expenses to maintain operations |
| Data recovery | Costs to restore or recreate lost or damaged data |
| Legal defence | Attorney fees for lawsuits, regulatory proceedings |
| Regulatory fines and penalties | GDPR fines, state attorney general penalties (where insurable) |
| Media liability | Defamation, copyright infringement through digital channels |
| Crisis management | PR/communications costs to manage reputational damage |
| Third-party liability | Claims from customers, partners, or other parties harmed by your breach |
| PCI DSS assessments | Card brand fines and assessments following a payment card breach |
What's Typically NOT Covered
| Exclusion | Why |
|---|---|
| Prior known incidents | Incidents you were aware of before the policy period |
| Unencrypted portable devices | Many policies exclude losses from unencrypted laptops/USB drives |
| War and nation-state attacks | The "war exclusion" is expanding and increasingly contested |
| Systemic/catastrophic events | Some policies exclude infrastructure-wide events (major cloud outage, internet disruption) |
| Failure to maintain minimum security | If you misrepresented your controls on the application |
| Intentional acts | Deliberate misconduct by the insured |
| Betterment | Upgrading systems beyond their pre-incident state |
| Contractual liability | Penalties under your contracts (unless specifically covered) |
| Infrastructure improvements | Costs to improve security after an incident (beyond restoration) |
First-Party vs. Third-Party Coverage
| Aspect | First-Party Coverage | Third-Party Coverage |
|---|---|---|
| Who it protects | Your organisation (direct losses) | Against claims from others |
| Triggered by | Your incident; your losses | Claims or lawsuits from affected parties |
| Example: data breach | Forensic investigation, notification costs, data recovery | Customer lawsuits, regulatory fines, PCI assessments |
| Example: ransomware | Ransom payment, business interruption, recovery | Customer claims for service disruption |
| Example: BEC fraud | Financial loss from fraudulent transfer | Claims from business partner whose data was used |
Most policies include both first-party and third-party coverage. Review your policy to understand the limits for each.
Cyber Insurance Requirements: What Insurers Demand
Insurers have evolved from asking a few questions on a one-page form to conducting detailed technical assessments. Here's what they evaluate:
Underwriting Tiers
| Tier | Controls Required | Premium Impact |
|---|---|---|
| Minimum threshold | MFA, EDR, backup, incident response plan | Required to obtain coverage at all |
| Standard controls | Above + PAM, email security, vulnerability management, security training | Standard premiums |
| Advanced controls | Above + SIEM/SOC, zero trust, ISO 27001/SOC 2, tested BCP | Premium discounts (15–30%) |
The 12 Controls Insurers Require
Based on requirements from major cyber insurers (2025–2026 underwriting standards):
| # | Control | Why Insurers Require It | Impact on Application |
|---|---|---|---|
| 1 | Multi-Factor Authentication (MFA) | Prevents 99% of credential-based attacks | Mandatory — no MFA on email and remote access = likely denial |
| 2 | Endpoint Detection and Response (EDR) | Detects and contains endpoint compromise automatically | Mandatory for mid-market and above |
| 3 | Backup and Recovery | Enables ransomware recovery without paying ransom | Mandatory — must be tested, offsite/air-gapped |
| 4 | Incident Response Plan | Ensures organised response; reduces breach cost | Mandatory — tested plan; many insurers want to see it |
| 5 | Privileged Access Management (PAM) | Limits damage from compromised admin accounts | Strongly expected — especially for admin/root access |
| 6 | Email Security | Blocks phishing, BEC, malware delivery | Expected — SPF/DKIM/DMARC + advanced filtering |
| 7 | Security Awareness Training | Reduces human error (phishing clicks, social engineering) | Expected — regular training with phishing simulations |
| 8 | Vulnerability Management and Patching | Closes known vulnerabilities before exploitation | Expected — critical patches within 14–30 days |
| 9 | Network Segmentation | Limits lateral movement after initial compromise | Expected for mid-market and above |
| 10 | Encryption | Protects data at rest and in transit | Expected — especially for sensitive data |
| 11 | Logging and Monitoring | Enables detection and forensic investigation | Expected — centralised logging with 12+ months retention |
| 12 | Vendor Risk Management | Reduces supply chain attack surface | Increasingly expected — vendor assessments, DPAs |
Control Maturity Assessment
Insurers increasingly assess not just whether you have a control, but how mature it is:
| Control | Basic (Minimum) | Good | Best Practice |
|---|---|---|---|
| MFA | On email and VPN | On all cloud services and critical systems | On all systems; phishing-resistant MFA (FIDO2) |
| Backup | Daily backup; stored offsite | Daily backup; tested quarterly; offsite + immutable | Real-time replication; tested monthly; air-gapped; immutable |
| EDR | Deployed on servers and workstations | EDR with 24/7 monitoring | XDR with MDR service; automated response |
| Patching | Critical patches within 30 days | Critical patches within 14 days; regular scanning | Critical patches within 72 hours; continuous scanning |
How Insurers Evaluate Your Application
Information Sources
| Source | What Insurers Learn |
|---|---|
| Application questionnaire | Your self-reported security controls, incidents, revenue, data types |
| External security scans | Your external attack surface — open ports, vulnerable services, email authentication, certificate issues |
| Security ratings | Your BitSight, SecurityScorecard, or UpGuard rating |
| Claims history | Previous cyber incidents and insurance claims |
| Industry and size | Sector-specific risk factors; revenue as a proxy for target attractiveness |
| Certifications | ISO 27001, SOC 2 — demonstrate mature controls |
| Supplemental questions | Deep-dive questions on specific controls (MFA, backup, IR) |
Red Flags That Increase Premiums or Cause Denial
| Red Flag | Insurer Concern |
|---|---|
| No MFA on email or remote access | #1 attack vector unprotected |
| No EDR deployed | Unable to detect or contain endpoint compromise |
| Backups not tested or not offsite | Ransomware recovery not viable |
| No incident response plan | Disorganised response will increase claim cost |
| Previous breach within 2 years | Elevated risk; potentially systemic issues |
| End-of-life software in production | Known unpatched vulnerabilities |
| No security awareness training | Employees vulnerable to phishing/social engineering |
Cyber Insurance Costs: Premium Factors
What Drives Premium Up
| Factor | Impact |
|---|---|
| Revenue | Higher revenue = higher target attractiveness = higher premium |
| Industry | Healthcare, financial services, retail (PCI) = higher premiums |
| Data volume | More records = higher breach costs |
| Sensitive data types | Health data, financial data, PII = higher risk |
| Claims history | Previous claims increase premiums 25–100%+ |
| Weak controls | Missing MFA, EDR, backup = significant premium increase |
| International operations | Multi-country exposure (GDPR, multiple regulators) |
| Coverage limits | Higher limits = higher premiums |
| Lower deductible | Lower retention = higher premium |
What Drives Premium Down
| Factor | Typical Discount |
|---|---|
| ISO 27001 certification | 10–20% |
| SOC 2 Type II report | 10–15% |
| Mature security programme (documented, tested) | 15–25% |
| No claims history (3+ years) | 10–15% |
| Advanced controls (SIEM/SOC, zero trust, PAM) | 10–20% |
| Tested incident response plan (with tabletop exercises) | 5–10% |
| Security awareness training (with phishing simulations) | 5–10% |
| Higher deductible | 10–25% (you absorb more risk) |
The Application Process Step by Step
| Step | Activity | Tips |
|---|---|---|
| 1 | Engage a broker | Use a broker specialising in cyber insurance; they know the market and can negotiate |
| 2 | Prepare documentation | Gather: security policies, IR plan, training records, certifications (ISO 27001, SOC 2), asset inventory |
| 3 | Complete the application | Answer every question honestly and completely; inaccurate answers can void coverage |
| 4 | Provide supplementary information | Some insurers request additional documentation: IR plan, network diagram, vendor list |
| 5 | External scan results | Insurer will likely scan your external attack surface; remediate issues before applying |
| 6 | Underwriting review | Insurer evaluates your risk profile; may ask follow-up questions |
| 7 | Quote and negotiation | Broker obtains quotes from multiple carriers; negotiate terms, limits, exclusions |
| 8 | Bind coverage | Accept terms and bind the policy |
| 9 | Onboarding | Review policy documents carefully; understand notification requirements, panel vendors |
| 10 | Annual renewal | Update information annually; demonstrate control improvements to negotiate better terms |
Application Accuracy Warning
Critical: Your application is a representation of your security posture. If you claim to have MFA on all remote access but you don't, and a breach occurs through an unprotected remote access point, the insurer may deny the claim or rescind the policy. Be honest. If a control is partially implemented, say so. Insurers prefer honest partial implementation over dishonest claims of full coverage.
Common Policy Exclusions
Exclusions to Watch
| Exclusion | What It Means | Negotiation Tip |
|---|---|---|
| War/hostile acts | Attacks attributed to nation-states may be excluded | Ask for specific wording; "cyber war" definitions vary; some policies now have "cyber operation" sub-limits |
| Infrastructure failure | Widespread outage (major cloud provider, internet backbone) | Ask whether the exclusion applies only to non-cyber infrastructure or also to cyberattacks on infrastructure |
| Unencrypted data | Losses from breach of unencrypted portable devices | Ensure your encryption policy covers all portable devices and media |
| Failure to patch | Losses from exploitation of known vulnerabilities not patched within a defined timeframe | Understand the expected patching timeline; align with your vulnerability management policy |
| Prior acts | Incidents or circumstances known before the policy inception | Ensure your retroactive date provides adequate coverage for past acts |
| Regulatory fines | Some policies exclude regulatory fines in certain jurisdictions where they're considered non-insurable | Ask specifically about GDPR fine coverage; varies by insurer and jurisdiction |
| Betterment | Costs to improve beyond pre-incident state | Understand that insurance restores, not upgrades |
| Social engineering sub-limit | BEC/wire fraud may have a lower sub-limit than the main policy | Negotiate adequate social engineering limits if BEC is a concern |
Cyber Insurance and Compliance Alignment
Your compliance programmes directly support your cyber insurance posture:
| Compliance Framework | Insurance Alignment |
|---|---|
| ISO 27001 | Demonstrates comprehensive ISMS; addresses virtually all insurer-required controls; 10–20% premium discount |
| SOC 2 Type II | Independent auditor assurance over security controls; 10–15% premium discount |
| NIS2 | Risk management, incident response, supply chain security — all align with insurer requirements |
| DORA | ICT risk management, incident reporting, resilience testing — strong alignment with insurer expectations |
| GDPR | Data protection measures, breach notification procedures, vendor management — all reduce insurance risk |
| NIST CSF | Industry-standard framework that maps directly to insurer control questionnaires |
Leveraging Compliance for Better Insurance Terms
- Share your ISO 27001 certificate with the insurer — it's the strongest single signal of security maturity
- Provide your SOC 2 Type II report (under NDA) — auditor-verified controls
- Share your incident response plan and tabletop exercise reports — demonstrates readiness
- Reference your security awareness training metrics — phishing simulation click rates below 5% are impressive
- Highlight your vendor risk management programme — demonstrates supply chain security
Filing a Cyber Insurance Claim
Claim Process
| Step | Activity | Timeline |
|---|---|---|
| 1 | Discover the incident | As soon as possible |
| 2 | Notify your insurer | Within 24–72 hours (check your policy for the exact requirement) |
| 3 | Engage panel vendors | Insurers have pre-approved forensics firms, legal counsel, PR firms |
| 4 | Investigation | Forensic investigation determines scope, cause, and impact |
| 5 | Containment and remediation | Guided by forensic findings; expenses covered under policy |
| 6 | Notification | Regulatory and individual notifications (costs covered) |
| 7 | Claim documentation | Compile all expenses, losses, and supporting evidence |
| 8 | Claim settlement | Insurer reviews and pays the claim per policy terms |
Critical Claims Tips
- Notify early — delayed notification can jeopardise coverage
- Use panel vendors — using non-panel vendors without insurer approval may not be covered
- Document everything — keep detailed records of all incident-related expenses and decisions
- Don't admit liability — let your legal counsel handle communications
- Don't pay ransom without insurer coordination — many policies require insurer approval before ransom payment
Common Mistakes with Cyber Insurance
| # | Mistake | Consequence | Prevention |
|---|---|---|---|
| 1 | Inaccurate application answers | Claim denied; policy rescinded | Answer honestly; disclose partial implementations |
| 2 | Not reading the policy | Surprised by exclusions during a claim | Read the full policy; understand exclusions, sub-limits, waiting periods |
| 3 | Treating insurance as a security substitute | Weak controls lead to incidents and premium increases | Invest in security controls first; insurance is for residual risk |
| 4 | Late incident notification | Insurer may deny coverage | Understand notification requirements; notify within 24 hours |
| 5 | Using non-panel vendors | Costs may not be covered | Use the insurer's pre-approved panel (forensics, legal, PR) |
| 6 | Inadequate coverage limits | Claim exceeds policy limits; organisation absorbs excess | Model potential breach costs; buy adequate limits |
| 7 | Ignoring sub-limits | Social engineering or ransomware claims hit a low sub-limit | Review and negotiate sub-limits for specific claim types |
| 8 | Not reviewing at renewal | Policy doesn't reflect your current risk profile | Annual review of coverage, limits, and exclusions |
| 9 | No broker | Miss better terms; overpay; don't understand options | Use a cyber-specialist broker |
| 10 | Failing to improve controls | Premiums increase annually; coverage restricted | Demonstrate security improvements at each renewal |
Frequently Asked Questions
How much cyber insurance do I need?
There's no universal formula, but consider these factors: (1) Number of records you hold (breach notification costs scale linearly), (2) Revenue at risk from business interruption, (3) Regulatory exposure (GDPR fines can reach 4% of global turnover), (4) Contractual requirements (customers may require minimum coverage), (5) Industry benchmarks (your broker can provide). General benchmarks: small businesses ($1M–$3M), mid-market ($5M–$20M), enterprise ($25M–$100M+).
Is cyber insurance required by law?
No EU or US law currently mandates cyber insurance specifically. However, several regulations effectively make it a strong recommendation: NIS2 requires "appropriate" risk management measures (insurance is one such measure); DORA requires financial entities to consider insurance in their risk management; many customer contracts require minimum cyber insurance coverage. Some industries (healthcare, financial services) have de facto requirements.
Does cyber insurance cover GDPR fines?
This varies by insurer and jurisdiction. In some EU countries, regulatory fines are considered non-insurable on public policy grounds. In others, they're insurable. Many cyber insurance policies include GDPR fine coverage but with specific conditions and sub-limits. Ask your insurer explicitly about GDPR fine coverage and in which jurisdictions it applies.
What's the difference between cyber insurance and professional indemnity (E&O)?
Professional indemnity (E&O) covers claims arising from professional negligence or errors in your services. Cyber insurance covers losses from cyber incidents. There's overlap when a cyber incident causes professional service failure, but they're distinct products. If you're a service provider (SaaS, consulting, managed services), you likely need both.
How does ransomware coverage work?
Most cyber policies cover ransom payments (where legally permissible) and ransom negotiation services. However: (1) the insurer typically must approve any payment before it's made, (2) sub-limits may apply (e.g., $1M ransom sub-limit on a $5M policy), (3) extortion by sanctioned entities may be excluded, (4) the insurer may recommend against payment if backup recovery is viable. The cost of recovery (forensics, restoration, business interruption) is typically more significant than the ransom itself and is separately covered.
Will my premiums go down if I get ISO 27001?
Yes — most insurers offer 10–20% premium discounts for ISO 27001-certified organisations. Similarly, SOC 2 Type II reports can yield 10–15% discounts. The key is providing the certificate/report during your renewal. Beyond the discount, certified organisations tend to have fewer claims, which compounds the premium benefit over time.
How do I handle cyber insurance in vendor contracts?
Many enterprise customers require their vendors to maintain minimum cyber insurance coverage (e.g., $5M per occurrence). Include cyber insurance requirements in your vendor risk management programme. When onboarding critical vendors, request their certificate of insurance and verify coverage types and limits.
What happens if my security controls change after I get the policy?
Most policies require you to maintain the security controls you represented in your application. If your security posture materially degrades (e.g., you disable MFA), you should notify your insurer. Failure to maintain represented controls can result in claim denial. Conversely, improving controls can support better terms at renewal.
Related Resources
- Incident Response Plan Guide — Building the incident response plan that insurers require
- ISO 27001 Implementation Guide — ISO 27001 certification supports premium discounts
- SOC 2 vs ISO 27001 Guide — How certifications strengthen your insurance application
- Virtual CISO Guide — How a virtual CISO manages your cyber insurance programme
- Vendor Risk Assessment Guide — Vendor risk management as an insurance requirement
Related Articles
- Incident Response Plan Template & Guide — Building a cyber incident response plan with templates
- Information Security Policy Templates Guide — Building your security policy library for compliance
- Virtual CISO Services Guide — Fractional CISO engagements and CISOaaS explained
Conclusion
Cyber insurance is a critical layer in your risk management strategy — but it works best when built on a foundation of strong security controls. The organisations that get the best coverage at the best price are the ones that invest in security first and use insurance to transfer residual risk. The bonus: the controls that insurers demand (MFA, EDR, backup, incident response, security training) are the same controls that make breaches less likely and less costly in the first place.
Invest in security. Get insured. Sleep better.
Need help aligning security controls with insurance requirements? Vision Compliance builds security programmes that satisfy both regulatory requirements and cyber insurance underwriting standards. From ISO 27001 certification to incident response readiness, we help you demonstrate the controls insurers want to see. Schedule a free consultation →
Sources: IBM Cost of a Data Breach Report 2025, Munich Re Cyber Insurance Market Report 2025, Coalition Cyber Claims Report 2025, NIS2 Directive (EU 2022/2555), DORA (EU 2022/2554), Marsh McLennan Cyber Insurance Insights
Robert Lozo, mag. iur., is a Partner at Vision Compliance specializing in EU regulatory compliance. He advises organizations on GDPR, NIS2, AI Act, and financial regulation, delivering audit-ready documentation and compliance roadmaps across regulated industries.