What is Cyber Insurance?

    Updated: 9 March 2026

    Cyber insurance covers financial losses a business suffers as a result of a cyber incident, such as ransomware, a data breach, a DDoS attack, or a system intrusion. Cover typically includes first-party costs (system recovery, business interruption, ransom payments), third-party liability (claims from customers whose data was compromised), and crisis management (forensic investigation, legal advice, reputation management). Cyber insurance is increasingly required as a contractual procurement condition from IT service providers and data processors.

    How does cyber insurance work?

    A cyber insurance policy has two main components. First-party cover responds to costs the business itself incurs following an incident: system and data restoration, business interruption losses while IT systems are unavailable, ransom payments in ransomware cases, forensic investigation costs, legal fees, and crisis communications. Regulatory fines from data protection authorities may also be covered depending on the policy.

    Third-party cover responds to claims from clients, suppliers, or other parties whose data was compromised or who suffered loss as a result of the incident. This includes the cost of defending such claims in addition to any damages paid.

    Insurers increasingly require businesses to meet minimum security standards before issuing a cyber policy: multi-factor authentication on all remote access, an active patch management programme, regular offline backups, and a documented incident response plan. Failure to maintain these controls can void cover or result in substantially higher premiums.

    In contracts with IT service providers, software developers, and data processors, cyber insurance is increasingly included as a procurement condition: the contractor must produce a current certificate of cyber cover and maintain it throughout the contract term. This mirrors the professional indemnity requirement for advisory service providers.

    The minimum indemnity level required should be proportionate to the data volumes processed and the business-critical nature of the systems involved.

    Why does this matter for SMBs?

    A cyber incident generates immediate and substantial costs: system recovery alone can run to tens of thousands; business interruption adds lost revenue on top; a data breach triggers GDPR obligations, potential fines, and reputational damage. Without cyber insurance, an SMB absorbs all of these directly.

    As a buyer of IT services, you also have an indirect interest in your supplier's cyber cover. If a managed service provider is compromised, your systems may be affected. Require evidence of cyber insurance (with defined minimum limits) as a standard condition in IT and data processing contracts.

    How to manage this correctly

    1. Require IT service providers and data processors to provide a current cyber insurance certificate with minimum cover limits
    2. Confirm that your own cyber policy includes both first-party costs and third-party liability
    3. Review the indemnity limit annually as your digital footprint grows
    4. Maintain demonstrable baseline security controls (MFA, backups, patch policy); these are policy conditions
    5. Store the incident response plan alongside the policy documentation for immediate access during an incident
