As cybercrime becomes more sophisticated and widespread, especially with distributed teams and the emergence of the hybrid work environment, cybersecurity is an even more pressing concern for startups. Small and medium-sized businesses are now three times more likely to be attacked than larger companies, and 43% of all data breaches target small businesses.

Additionally, as the majority of data and financial transactions for businesses are occurring electronically, consumers, businesses, and organizations of all sizes are looking for ways to protect themselves, their information, and their assets from online threats. Cyber insurance offers companies the safety net they need to operate online platforms without the fear of sensitive information being leaked, stolen, or mirrored and can help protect startups should a breach or cyberattack occur.

While at first glance it may sound like banks, financial institutions, and other highly regulated industries are the only ones who need to invest in cyber insurance, in reality, many startups from Software as a Service (SaaS) to life science companies have sensitive client data that needs to be protected.

What should cyber insurance cover?

There are many factors to take into consideration. Some of the most common elements in a comprehensive cyber insurance policy include:

• Data breach coverage
• Privacy breach coverage
• Restoration costs
• Cybercrime
• Business interruption coverage

These coverages exist to help companies in the event that a hacker gains access to your system or there has been a data or privacy breach. Breach response and restoration cost coverages help startups cover the costs of identifying the source of the breach and making consumer-announcements, in addition to helping with legal fees and other third-party costs.

Business interruption insurance, both on your own network and through cloud service providers, can also help startups replace income lost in the event of a breach or an attack, should the cyberattack lead to a shutdown or interruption in their networks.

Some policies will even include protection against cybercrimes committed that involve the theft of financial information or securities. These can be extremely helpful coverages to include - in 2024, ransomware accounted for 58% of large cyber claims, and average ransom demands rose 500% to $2 million. Business email compromise (BEC) and funds transfer fraud made up 60% of all claims.

What is not covered by my cyber insurance policy?

Exclusions in cyber insurance vary from policy to policy. One exclusion that's fairly common is cyber terrorism. The NotPetya ransomware attack that caused $10 billion in loss damages and affected companies worldwide was considered to be state sponsored terrorism and was not covered by many insurance polices, and companies were forced to pay out-of-pocket for lost income and damages. 

Every insurance policy comes with a clearly defined list of included and excluded coverages. In most cases, an exclusion exists in the instance that it’s an event meant to be covered under a different policy.

What happens if I don't have enough cyber insurance? 

When setting your limits in a cyber policy, two of the largest factors are the elevated risk and the “underwater costs.” Cyber insurance is a risk-transference tool that not only helps your business protect itself against liabilities and financial loss in the case of a breach, but also makes you a more attractive organization for potential business partners.

A lower coverage limit in your cyber policy could leave you susceptible to paying additional fees such as identity restoration and credit monitoring costs for affected parties, computer forensic fees, and legal fees.

What are the most common coverage limits for companies like mine?

Just like with any other insurance policy, there is no universal coverage that works for everyone. Each company is going to have slightly varying coverage needs. As a general rule of thumb, bigger businesses benefit from more coverage. Below are sample guidelines for Cyber and Errors & Omissions coverage by company stage.

These guidelines are general in nature and may not be right for your business. Every company is unique and should work with a licensed insurance professional to get the right level of coverage in place.

To understand how much Cyber Insurance coverage you need, conduct an internal evaluation on how much customer information your company stores and what type of information is being stored. For instance, first names and email addresses are much less sensitive information than social security numbers and bank accounts.

Additionally, when considering business interruption coverage, assessing the worst-case scenarios around downtime and the recovery period is helpful when selecting your business interruption limit.

You should also be sure to assess your company’s risk tolerance and partnership requirements. Many organizations will only conduct business with firms that meet a certain standard of risk. If you partner with companies like these, you’ll need a higher coverage.

Finally, talk to a licensed expert. A Vouch advisor can walk you through your exact coverage needs, or you can use our Coverage Recommendation tool to help get a better idea of your recommended limits.

Do I need cyber insurance if I don’t handle sensitive customer information?

If your company doesn’t handle, work with, or store sensitive consumer information, cyber coverage may not seem like a necessity. But there are other benefits to carrying cyber insurance beyond keeping sensitive information secure.

If there's a breach, and your company is pulled into a lawsuit in response to that breach, cyber insurance policies can be activated to help cover the legal fees and other costs associated with making your defense. A very common scenario, for example, is when a startup stores sensitive consumer information using an outside vendor, such as a cloud service or for payment/billing purposes. Should that payment or cloud service provider be hacked, the startup could potentially be named in a lawsuit alongside the outside vendor and be financially liable for expenses and damages their customer incurred.

Additionally, any startup that relies on their online systems to conduct business can benefit from having business interruption and cyber insurance in place should their product experience down-time related to a breach event. Cloud-related breaches are the most expensive type of cyber attack, averaging $5.17 million per incident.

What's the difference between the first- and third-party coverage limits?

A first-party claim on a cyber policy is filed when a company’s own system is breached. At that point, the limit on the policy helps cover fees and costs associated with notifying customers, monitoring and restoring credit, and conducting forensic analysis.

Third-party claims are when your customers are affected by the breach. This is when the private or sensitive information of others gets leaked, thereby opening your company up to potential lawsuits. In this instance, third-party coverage on a cyber insurance policy assists with defense and law fees, settlements, and judgements.

An important note: when business partners require that your company have cyber insurance they are often referring to the third-party limit.

Will my cyber insurance policy pay for ransomware? What about social engineering?

Ransomware accounted for 58% of large cyber insurance claims in 2024 and email-based attacks, including email compromise and funds transfer fraud made up 60% of all claims. There are cyber coverage policies that include coverage for cybercrime and can be activated in response to cyber extortion (i.e. ransomware). Cyber extortion is a threat or series of threats made by an outside person or entity that is prolonging or tampering with sensitive data events. In the instance that your organization undergoes a cyber extortion event, your cyber insurance policy can cover both extortion costs, and costs associated or incurred through social engineering.

Why are the costs of cyber insurance increasing across the board?

When it comes to pricing insurance, there are two main factors that adjusters consider: the first is how frequent claims of that nature come in; the second factor is how costly a claim of that category is. Taking these two things into account gives a sense of how to price an insurance policy.

Average ransom demands rose 500% in 2024 compared to the previous year, 65% of financial organizations experienced ransomware attacks, and the average global cost of a data breach in 2024 was $4.88 million. In short, attacks are happening more frequently, and the financial cost of the cumulative attacks are on the rise.

What are the risks of not getting a cyber insurance policy?

A report in 2020 marked a massive increase in activity in cybercrime, and as a result found a nearly 200% ROI on investments in bolstered cyber security.

While cyber insurance policies are optional, with the threat of cybercrimes growing, the risks of not having this insurance go up as well. In fact, a cyberattack can be a business-ending event: 60% of startups and small businesses that are victims of a cyberattack go out of business within six months.

Many companies and investors also require that you have some kind of cyber insurance policy in place before they’ll partner with you. Your company could also end up with high costs to pay in the instance of a breach if you opt out of insurance. The decision whether or not to invest in this type of insurance really comes down to how at risk your company is and how high your risk tolerance is.

How do I make a cyber insurance claim?

Sign in to your Vouch account and click “file a claim.” At Vouch, we respect and appreciate that our customers are busy and so we’ve simplified the claim-filing process. After hitting the “file a claim” button, you’ll be asked for a brief description of the claim, and hit submit.

After that, a member of the Vouch team will reach out to you within a business day with next steps.

Is there a deductible I have to pay when I make a claim?

Depending on how the cyber insurance policy is set up, there will likely be a retention fee/deductible. It’s important to note that most cyber insurance policies are designed to protect companies from catastrophic losses, not common customer disputes. As such, the higher the limits requested, and the more risk exposure your company brings, the higher the retainer or deductible will be.