This article is part of VentureBeat’s special issue, “The cyber resilience playbook: Navigating the new era of threats.”
Today’s cyber attacks can be paralyzing — and extremely costly — for modern enterprises. Armed with AI, hackers are exploiting vulnerabilities faster than ever.
However, standard business insurance products such as general or professional liability policies (errors and omissions, or E&O) typically don’t cover losses or damages as the result of breaches or other cyber-related incidents.
This makes cybersecurity insurance increasingly critical in 2025 and beyond, particularly as AI transforms (and simplifies) hackers’ methodologies. Cybersecurity-specific insurance policies cover a range of remediation cost and recovery efforts to help enterprises limit damage, recover faster and improve their overall cyber hygiene.
But as with any other type of coverage, cyber insurance can be complicated to navigate and full of legalese and loopholes. Let’s go over the basics, why it’s important, what to look for and what trends to expect this year as AI takes center stage.
So what does cyber insurance cover?
Typically, cyber policies offer coverage for first-party (direct losses) and third-party (outside the business) damages. General coverage includes:
- Business interruptions: Lost revenue when an attack takes systems offline;
- Attack remediation: Incident response, forensic investigations or system repairs;
- Customer notification and reputation management: Automated alerts when customers’ personally identifiable information (PII) may have been accessed; credit monitoring and breach hotlines; PR work to help repair the brand;
- Legal expenses: Litigation as the result of a breach (such as lawsuits filed by customers or vendors), what’s known as “duty to defend”;
- Regulatory action: Investigations that require legal services and potential fines.
In the case of ransomware, it’s important to note that, while providers have covered payouts in the past, many are backing off of this practice because attackers are demanding larger sums and regulators are scrutinizing such payments. In some cases, coverage of payouts may be “sub-limited,” or subject to a payment cap.
“With the surge of recent ransomware attacks over the past few years, those sub-limits are getting lower and lower, which is why it’s more important than ever to review policy limits carefully,” advises law firm GB&A.
On the other hand…
Again, as with any other type of insurance, there are exclusions. For instance, because social engineering attacks such as phishing or smishing involve user manipulation and human error, insurers often will not cover subsequent losses (or they’ll offer to do so at an additional cost). Similarly, insider threats — when employees’ malicious or negligent actions expose a business — typically aren’t covered.
Exploits of a vulnerability that the company knew about but didn’t fix are often outside the coverage zone, too, as are network failures resulting from misconfigurations or other errors (as opposed to an all-out breach).
It’s important to note that some insurers won’t even consider offering a quote unless a company has strong security measures in place — such as zero-trust capabilities, multifactor authentication (MFA) controls, endpoint detection, detailed risk assessments, incident response plans and regular security awareness training.
To help reduce cyber insurance premiums, experts advise security leaders to proactively communicate steps the organization has taken to reduce cyber risk and adopt industry-standard frameworks like NIST or ISO 27001.
“Some insurers even offer discounts or reduced premiums for companies that can demonstrate compliance with such frameworks,” security company Portnox points out. In the case of risk assessments, “insurers often see this as an opportunity to lower premiums, especially when the assessments are conducted by third-party vendors.”
Make sure to read the fine print
As with any insurance contract, review policy limits carefully, GB&A advises. Policies should contain broad definitions of extortion and of threats by attackers to:
- Alter, damage or destroy data, software, hardware or programs;
- Access, sell, disclose or misuse info;
- Perform distributed denial of service (DDoS) attacks;
- Phish or otherwise spam customers and clients;
- Transmit malicious code to third parties through an enterprise’s network or website.
Policies should also include definitions of specific computer systems covered (hardware, software, firmware, operating systems, virtual systems and machines, wireless devices, and anything else associated with a network); lost income covered (operating expenses during restoration or costs to hire forensic accountants or other consultants); and data restoration covered (costs to recreate damaged or lost data).
Further, GB&A emphasizes that policies should explicitly outline coverage around extortion expenses — such as the type of digital currency or property surrendered, investigation costs and losses incurred when attempting to make payments.
“Policyholders that find themselves victims of ransomware should be extremely careful in making any payments before consulting their brokers and respective insurers,” the firm advises.
What we saw in cyber insurance in 2024 — and what we might expect in 2025
Business email compromise (BEC), funds transfer fraud (FTF) and ransomware were the top-reported claims in 2024. And claim amounts varied widely, from $1,000 to more than $500 million, the result of attackers stealing or breaching anywhere from 1 million to 140 million records.
Looking to the year ahead, underwriters predict an increase in premiums, according to insurance brokerage and consulting firm Woodruff Sawyer. The firm points out that the most consistent coverage area requiring negotiation in 2024 was the collection of personal information without proper consent — and this will likely continue to be a highly contested area in 2025.
Also, expect continued and expanded coverage for CISOs as a result of new Securities and Exchange Commission (SEC) scrutiny — especially in light of the agency’s landmark charging of SolarWinds’ security head after the company’s notorious late-2020 hack. As Woodruff Sawyer pointed out, coverage for CISO liability can be found in cyber policies and directors and officers (D&O) policies. Some carriers are also offering standalone coverage for CISOs’ personal liability.
Further, carriers are requiring their clients to have a robust third-party risk management program in place. This should include requirements for vendors to purchase cyber or technology errors and omissions (E&O) insurance and provide evidence of cybersecurity certifications.
Woodruff Sawyer underscores: “The CrowdStrike [outage] in July 2024 was the latest in a notable string of incidents targeting technology companies to get access to or disrupt their customer networks. Cyber insurance carriers are looking for clients to have a robust third-party risk management program.”