
By Gary Bernstein

If your company had a fire tomorrow, your property insurance would cover the damage. If a delivery van hit someone, your liability insurance would step in. There is a version of insurance for almost every physical risk a business faces. Cybersecurity insurance, sometimes called cyber liability insurance, is the same idea applied to digital disasters: a data breach, a ransomware attack, a system shutdown that halts your operations for days.

For most of the last decade, buying it was relatively straightforward. You filled out a questionnaire, paid a premium, and had a policy. That process has changed significantly. Insurers are asking harder questions, requiring proof of specific security tools, and in some cases turning applicants away entirely. If you are a business leader who has recently been handed a renewal form that looks nothing like last year’s, or a finance director trying to understand why the premium jumped, this piece is for you.

So what does cybersecurity insurance actually cover?

Think of it like car insurance, but for your digital operations. When you insure a car, the policy covers certain types of damage, such as accidents, theft and weather, while explicitly excluding others, such as racing or deliberate damage. Cyber insurance works on the same principle.

A standard policy typically covers three broad areas. First, the direct costs of responding to an attack: hiring a forensic investigation team to work out what happened, notifying affected customers (which is legally required in most jurisdictions), and paying for credit monitoring services if personal data was stolen. Second, the financial loss from being unable to operate: if ransomware locks your systems for a week and you lose revenue, that business interruption loss is usually covered. Third, the legal costs if customers or partners sue you because their data was compromised.

What it does not always cover is equally important, and this is where many businesses get caught out. Attacks linked to government-backed hacking groups are excluded from many policies: insurers classify these as acts of war, which are excluded from standard coverage just as they are in property insurance. Many policies also now exclude or strictly limit ransomware payments, meaning the insurer will help you recover but will not necessarily pay the attackers directly. Read the exclusions and sub-limits before you sign, not after you have a claim.

Why do businesses need it?

Because the cost of a cyberattack has grown well beyond what most organisations can absorb on their own. The average cost of a data breach reached a record .88 million in 2024, according to IBM’s Cost of a Data Breach Report. For a mid-sized business, that figure alone could be existential.

The costs stack up in ways that are easy to underestimate. There is the technical response: forensics teams, system restoration, replacing compromised hardware. There is the legal exposure: notifying regulators, defending lawsuits, paying fines if data protection laws were violated. AT&T settled its 2024 data breach for 7 million in 2025. And there is the operational disruption: UNFI, a large food distributor, disclosed that a cyber business interruption issue reduced its net sales by 0 million in fiscal year 2025.

Jaguar Land Rover learned this lesson the hard way. When a cybersecurity incident disrupted three of its major manufacturing facilities, the company had no cyber insurance in place, meaning the entire economic loss hit its financial statements directly.

Insurance does not prevent attacks. What it does is prevent a recoverable incident from becoming an unrecoverable one.

Why is it getting harder to get?

This is the question most business leaders are asking right now, and the answer involves a brief detour into how insurance economics work.

Insurance is profitable when the claims paid out are significantly less than the premiums collected. For cyber insurers, the years between 2019 and 2022 were deeply unprofitable. Ransomware attacks surged, losses mounted, and many insurers found their cyber portfolios were costing more than they were earning. Their response was to tighten dramatically: raising premiums, reducing what they were willing to cover and, most significantly, raising the bar for who they would cover at all.

The result is that buying cyber insurance today looks much more like applying for a mortgage than filling out a form. Insurers want to see evidence of specific security practices before they will offer a policy. Multi-factor authentication, requiring a second form of verification beyond a password, is now a firm requirement, with insurers refusing coverage to businesses that don’t have it. Endpoint protection software, regular staff security training, and documented incident response plans have all moved from nice-to-haves to non-negotiable prerequisites.

The logic is straightforward. An insurer covering a business without basic security protections is like a home insurer covering a house with no locks on the doors. The risk is simply too high to price at a reasonable premium.

What does the market look like today?

There is some good news here for buyers. The global cyber insurance market reached .3 billion in 2024, according to Munich Re, and is expected to reach .3 billion by the end of 2025. More insurers means more competition, which has brought premiums down from the peaks of 2021 and 2022. Despite lower costs, organisations now face stricter underwriting, broader exclusions, and rising compliance demands, making coverage harder to secure even as it becomes more affordable.

Think of it this way: the price of a gym membership has come down, but the gym now requires a fitness test before it lets you join. Cheaper is not the same as easier.

Around 80% of large corporations with annual revenue above billion have adopted cyber insurance, while only around 10% of small and medium-sized businesses have done so, despite SMEs being frequent targets precisely because their defences are typically weaker than those of larger organisations.

What do you need to do to qualify?

The requirements vary by insurer and policy size, but there is a core checklist that has become industry standard. If your business cannot demonstrate these, expect either to be declined or to face significantly higher premiums.

Multi-factor authentication on all critical systems is the first and most consistently required control. Email accounts, remote access tools, and any system containing customer data should all require a second verification step beyond a password. Insurers treat the absence of this as a red flag that cannot be offset by anything else in the application.

Regular data backups stored separately from your main systems are the next. If ransomware encrypts your files, a recent offline backup means you can restore operations without paying. Insurers want to see that this backup exists, that it is tested regularly, and that it is not connected to the systems that could be encrypted. In practice that means restore drills, not just successful backup jobs, and backup storage that a compromised production account cannot reach.

A documented incident response plan (essentially a written procedure for what your team does in the first 24 hours of an attack) has moved from a recommendation to a requirement for most mid-market and enterprise policies. Insurers are not looking for perfection; they are looking for evidence that your organisation has thought about this before it happens.

The practical takeaway is this: if your organisation is planning to apply for or renew a cyber policy in the next twelve months, the best preparation is not shopping for a better broker. It is making sure your security fundamentals are genuinely in place before the application lands on an underwriter’s desk.

The bottom line

Cybersecurity insurance has become harder to obtain for the same reason that any maturing market tightens its standards: early enthusiasm gave way to painful losses, and the industry recalibrated. The policies available today are better defined, more honestly priced, and written by insurers who have a clearer picture of what they are covering.

For businesses that have invested in basic security hygiene, that recalibration is mostly good news: premiums are lower than they were two years ago, and coverage is more comprehensive. For businesses that have not, the insurance application process has become an unscheduled security audit, and failing it is increasingly expensive.



