Cyber Insurance: What It Covers, What It Doesn't, and What Insurers Look For

TL;DR
  • A cyber insurance policy typically covers first-party and third-party damages from cyberattacks: business interruption, data recovery, crisis communication, liability, and legal costs.
  • Typical exclusions include war and state-sponsored attacks, intentional misconduct, known and unpatched vulnerabilities, and damages caused by a lack of basic security measures.
  • Insurers assess a company's IT security posture before issuing a policy. Answering questions incorrectly on the application risks denial of claims when an incident occurs.
  • A functioning ISMS lowers premiums, improves your negotiating position, and reduces the risk that the insurer will reduce or deny payouts in the event of a claim.
  • Cyber insurance does not replace an ISMS. It is one component of risk treatment (risk transfer) that complements other measures but does not make them unnecessary.

Why Cyber Insurance Alone Is Not Enough

Demand for cyber insurance has multiplied in recent years — and for good reason. Cyberattacks cause damages in the hundreds of billions of euros annually for German businesses. A single ransomware attack can cripple a mid-market company for weeks and cause potentially existential costs.

At the same time, insurers are observing rising claims ratios and increasingly sophisticated attacks. The result: premiums are going up, coverage limits are going down, and IT security requirements for policyholders are getting stricter. Anyone looking to take out a cyber insurance policy today must demonstrate significantly more than just three years ago.

This article explains what cyber insurance actually covers, where its limits lie, how insurers assess risk, and why an ISMS not only improves insurability but also increases the likelihood that claims will actually be paid when an incident occurs.

What Cyber Insurance Covers

The scope of coverage varies considerably depending on the insurer and tariff. There is no uniform standard like motor vehicle liability insurance. Still, typical building blocks can be identified that most policies include.

First-Party Coverage

Business interruption: Reimburses lost profits and ongoing costs (salaries, rent, lease payments) when business operations are interrupted by a cyberattack. Coverage typically kicks in after a waiting period (e.g., 8 or 12 hours) and is limited to a maximum indemnity period (e.g., 180 days). Pay attention to the precise definition of "business interruption": some policies only pay for a complete shutdown, others also for partial impairment.

Data recovery: Covers the costs of restoring lost or encrypted data from backups, including the working hours of IT professionals and, where applicable, external service providers.

Forensics and incident response: Covers the costs of forensic analysis of the incident, identification of the attack vector, containment, and system remediation. Many insurers have framework agreements with specialized IT forensics firms and incident response teams that are immediately available when a claim occurs.

Crisis communication and PR: Covers the costs of professional crisis communication to limit reputational damage. This includes PR consultants, communication with customers, partners, and media, as well as setting up hotlines.

Ransom payments (ransomware): Some policies cover ransom payments, others do not. Covering ransoms is ethically and legally controversial because it enables the financing of criminal activities. When a policy does cover ransoms, payment is typically subject to conditions: prior insurer approval, involvement of law enforcement, and proof that alternative recovery methods were evaluated. Check carefully whether and under what conditions ransoms are covered, and do not rely on this as a primary strategy.

Notification costs: In the event of a data breach affecting personal data, you are required under the DSGVO (GDPR) to notify affected individuals and the supervisory authority. The costs involved (identifying affected individuals, drafting and sending notifications, call centers) can be substantial and are covered by most cyber policies.

Third-Party Coverage (Liability)

Data protection liability: Covers third-party damage claims arising from a data breach. When customer data is stolen and customers suffer financial loss as a result, the insurance covers the defense of unjustified claims and the settlement of justified ones.

Regulatory proceedings: Covers the costs of defending against fine proceedings by data protection authorities and, in some cases, the fines themselves. Note: The insurability of fines is legally contested in Germany. Some policies explicitly cover fines, others exclude them. The legal situation has not been conclusively resolved.

Contractual penalties: If a cyberattack causes you to breach contractual obligations toward customers or partners (e.g., SLA violations), contractual penalties may apply. Some policies cover these, some do not.

Legal counsel: Costs for legal advice and representation in connection with the cyber incident, including data protection law, IT law, and contract law.

Additional Modules

Depending on the insurer and tariff, further modules are available: cyber extortion (beyond ransomware), social engineering and CEO fraud (fraud through forged emails), infidelity losses (damages caused by disloyal employees), cloud outage (business interruption due to failure of a cloud provider), and hardware replacement (when hardware is physically damaged by a cyberattack, e.g., through firmware manipulation).

What Cyber Insurance Does Not Cover

The exclusions in a cyber policy are at least as important as the coverage scope. This is where the pitfalls lurk that can lead to claim denials.

Typical Exclusions

War and state-sponsored attacks: Most policies exclude damages from acts of war and state-sponsored attacks (nation-state attacks). The problem: attributing an attack to a state actor is notoriously difficult and contested. The NotPetya case (2017) showed how problematic this exclusion can be in practice: several insurers denied claims arguing that NotPetya was a Russian act of war. Some courts ruled in favor of the insurers, others did not.

Intent and gross negligence: If an employee deliberately deletes data or a managing director knowingly violates security policies, the insurance does not cover the resulting damages. Gross negligence leads to a reduction or complete exclusion, depending on the contract.

Known vulnerabilities: If you fail to remediate a known vulnerability over an extended period and are attacked through it, the insurer may reduce or deny the claim. The insurer's argument: you were aware of the risk and chose to accept it rather than fix it.

Lack of basic security (breach of obligations): In the insurance application, you state which security measures you have implemented. If these statements are not truthful or if you fail to maintain the agreed measures, this constitutes a breach of policy obligations. This can lead to a complete denial of claims. Example: you state that all systems are protected with MFA, but the VPN access actually only requires a password.

Pre-contractual incidents: Damages from attacks that occurred before the policy start date (even if discovered later) are generally not covered. The question of whether an attacker was already in the network before the policy started (dwell time) can be critical in a claim.

Reputational damage: Long-term reputational loss and the associated revenue decline after a cyberattack are not covered by most policies. The policy covers crisis communication, but not the customer loss that occurs regardless.

Infrastructure outage: When a large-scale outage (e.g., of the power grid or internet backbone) interrupts business operations, cyber insurance generally does not apply because the cause is not a cyberattack on your company.

How Insurers Assess Risk

Before an insurer offers you a policy, it assesses your individual cyber risk. This assessment determines whether you are insurable at all, what premium you pay, and what coverage limit and deductible are offered.

The Application Process

The application process typically involves an IT security questionnaire. This questionnaire is becoming more comprehensive and detailed year by year. Typical questions cover backup strategy (what, how often, where, tested?), patch management (how quickly are critical patches applied?), multi-factor authentication (where implemented? for all users?), network segmentation (is the network segmented? how?), employee training (are security awareness trainings conducted? how often?), incident response plan (does a plan exist? has it been tested?), encryption (disk encryption? transport encryption? data encryption?), access management (least privilege? regular review?), and service providers and cloud (which cloud services? how secured?).

Truthfulness in the Application

Answering the questionnaire is a pre-contractual disclosure obligation under § 19 VVG (German Insurance Contract Act). Incorrect statements — even unintentional ones — can have severe consequences: the insurer may deny the claim, contest the contract, or withdraw from the contract.

This means: answer the questionnaire honestly, even if it means checking "no" on some items. An honest "no, we don't have MFA for VPN access yet" is better than a false "yes" that costs you your entire coverage in the event of a claim. And use the opportunity to close the identified gaps before you submit the application.

External Assessment

Some insurers conduct external assessments before or during the policy term, for example an automated scan of the publicly accessible infrastructure (open ports, known vulnerabilities, SSL configuration, email security), an interview with the IT manager or CISO, or an on-site audit for high coverage limits. The results feed directly into the risk assessment and premium calculation.

Premium Calculation

The premium depends on several factors: industry (some industries like healthcare and financial services pay more), company size (revenue, headcount), IT security level (result of the questionnaire and external assessments), desired coverage limit, deductible (higher deductible lowers the premium), and claims history (previous cyber incidents increase the premium).

The ISMS as an Insurance Foundation

A functioning ISMS is the strongest factor you can bring to the table when negotiating with insurers. It demonstrates that you manage information security systematically, not just on an ad hoc basis. Those just getting started can find a practical step-by-step guide in the article on building an ISMS.

Advantages of an ISMS for Insurance

Better insurability: Companies with a verifiable ISMS are preferred by insurers. In a market where many insurers are cleaning up their portfolios and rejecting higher-risk clients, an ISMS can make the difference between "insurable" and "not insurable."

Lower premiums: Insurers grant discounts for demonstrated security measures. An ISO 27001 certification can reduce premiums by 10 to 25 percent, depending on the insurer and industry.

Higher coverage limits: When the insurer has confidence in your security level, it offers higher coverage limits because the risk of a major loss is lower.

Better position in the event of a claim: If you can demonstrate that you had implemented appropriate security measures at the time of the attack, the risk of a claim reduction due to breach of obligations drops significantly. Your ISMS documentation is your proof.

What Insurers Specifically Want to See

The following measures are considered a baseline or premium-relevant by most insurers:

Must-have (without these, insurance is often denied): Multi-factor authentication for remote access and privileged accounts, regular and tested backups (ideally following the 3-2-1 rule), patch management with timely remediation of critical vulnerabilities, up-to-date endpoint protection (antivirus/EDR), employee training (security awareness).

Premium-relevant (lowers the premium): Network segmentation, incident response plan (documented and tested), encryption of data (at rest and in transit), regular vulnerability scans or penetration tests, access management following least privilege, and ISO 27001 certification or comparable verification.

Finding the Right Insurer

Comparison Criteria

Do not compare on premium alone. The following criteria are at least as important: coverage scope in detail (which modules are included, which cost extra?), exclusions (especially the war clause and policy obligations), coverage limit and deductible, sublimits (maximum reimbursement for individual modules such as ransom or notification costs), assistance services (24/7 hotline, incident response team, forensics partner), insurer response time in the event of a claim, and the insurer's experience with cyber claims (references, claims handling).

Engage a Broker

A broker specializing in cyber insurance can survey the market for you, compare offers, and negotiate contract terms. The effort is particularly worthwhile for higher coverage limits and complex risk profiles. The broker knows the differences between insurers that are not always apparent from the standard documentation.

Choosing the Right Coverage Limit

The right coverage limit depends on your individual risk profile. A rough guide: calculate the costs of a two-week business interruption (lost revenue, ongoing costs), add the estimated costs for forensics, recovery, and crisis communication (typically EUR 100,000 to 500,000 for SMEs), and add a buffer for liability claims and regulatory proceedings. The sum gives you an orientation for the required coverage limit. For many mid-market companies, it lies between EUR 1 and 5 million.

Cyber Insurance and Risk Management

Cyber insurance is an instrument of risk treatment. In the context of an ISMS, it fits in as follows:

Risk avoidance: The risk is eliminated by ceasing the risk-bearing activity. Example: no longer processing certain data.

Risk mitigation: The risk is reduced through measures. Example: implementing MFA, segmenting the network, training employees.

Risk transfer: The remaining risk is transferred to a third party. This is the domain of cyber insurance.

Risk acceptance: The remaining risk is consciously accepted. Example: the residual risk after implementing all measures and taking out insurance.

The sequence is crucial: first, you avoid and mitigate risks through measures (ISMS). Then you transfer the remaining residual risk through insurance. The insurance should cover what can happen despite all measures — not what you cause yourself through a lack of measures.

A company that has no MFA, no patch management, and does not train its employees will not find a cyber insurer willing to underwrite that risk. And even if it does, the premium will be so high that it bears no relation to the benefit.

Practical Recommendations

Take the application process seriously: The questionnaire is not a formality. Take the time to fill it out carefully and honestly. Involve the IT manager and the CISO.

Maintain ISMS documentation: Keep your ISMS documentation in a state where you can present it to the insurer upon request. Risk registers, action plans, training records, and audit reports are the documents insurers most commonly want to see. In ISMS Lite, these records can be managed centrally and exported as an audit-ready package when needed.

Review annually: Check annually whether the coverage limit is still sufficient, whether the statements in the application are still accurate, and whether new risks (e.g., cloud migration, new business area) require additional coverage.

Report immediately in the event of a claim: Report cyber incidents to the insurer without delay, even if you are not yet sure whether damage has occurred. Late reporting can lead to claim reductions. Most insurers offer a 24/7 hotline that you should use.

Use assistance services: The service providers made available by the insurer (forensics, legal counsel, crisis communication) are included in the premium. Use them. They are typically highly qualified and specialized in cyber incidents.

Further Reading

Build an ISMS as Your Insurance Foundation

ISMS Lite helps you build and document the security measures that cyber insurers expect as a baseline. Structured, verifiable, and ready to present at any time.