Why do cyber insurance claims cost so much?

There has never been a greater risk of cyberattacks against small businesses, and the costs have never been higher. Learn why cyber insurance claims are so expensive, and how cyber liability insurance can help protect your business.

Your small business likely depends on data to operate. That data could include anything from sales projections to sensitive information about customers and vendors. Without proper security measures in place, you may be open to attacks by cybercriminals. And the costs of a cyber liability claim can be enormous.

A data breach or other cyber incident can have long-term effects on your business. It takes companies approximately 200 days to identify a security breach and about 70 days to contain a breach. Recovery can be a lengthy, expensive process.

Credit monitoring service costs can add up for several years. And less obvious expenses from cyberattacks such as damage to your reputation, lost future opportunities, and lower valuation are harder to quantify but just as real.

As costs add up, some businesses won’t be able to survive. In fact, 60% of small businesses go under within six months of a cyberattack.

Fortunately, cyber insurance can protect your business from these potentially devastating costs.

Why are cyber insurance claims so expensive?

Recovering from a cybersecurity incident will drain your business of both time and money. Every state requires that you quickly notify parties whose personal information was affected. If you don’t, you could face steep fines and penalties.

In most states, you must also investigate and correct the security flaw that led to the breach. The costs of fixing weak cybersecurity can be huge, and they are often the reason why many small businesses have flimsy security in the first place.

But the costs don’t stop there. Expenses can continue to add up months or even years down the road.

A study from the IBM/Ponemon Institute found that the average U.S. data breach cost $4.35 million in 2022, an all-time high. With the average cost increasing 12.7% in the past two years, we expect this number to rise in the future.

Common costs of a data breach or ransomware attack include:

  • Business interruption/lost revenue: Most businesses rely on technology to operate efficiently. But a cyberattack can take down your tech, leaving you unable to offer services or make sales.
  • Ransom demands: The average ransom demand has increased from $60K in 2018 to $555K in 2022 – a nine-fold increase, according to NetDiligence's 2023 Cyber Claims Study.
  • Investigating and eliminating security weaknesses: Hiring experts to find and fix a security flaw can cost you big bucks. A forensic examination by a reputable firm can cost anywhere from $10K to over $100K, according to SecurityMetrics. Your cost will depend on a number of factors, including the size and number of locations of your small business.
  • Public relations costs: As soon as you learn of a data breach, you need to start damage control. A PR firm can be essential to protect your business’s reputation.
  • Regulatory fines/penalties: Regulators are cracking down on companies that fail to protect consumer data, no matter their size. Penalties for negligence can range from massive fines to jail time.
  • Customer notification costs: Following a data breach, you must contact any affected party. This can get expensive, with the average U.S. customer notification cost being $270,000, according to IBM.
  • Credit monitoring: Your business will also need to cover credit monitoring services for all affected parties for at least two years. Credit monitoring can cost anywhere from $10 to $30 per individual per year, according to Zurich.
  • Reputational damage/lost customers: Even with the best PR, your business’s reputation will take a hit after a breach. It’s hard to measure lost business, but expect it to impact your company’s bottom line.
  • Potential lawsuits from customers or clients: Lawsuits are always a risk after a data breach. According to NetDiligence’s 2023 Cyber Claims Study, the average legal or litigation expenses related to cyber incidents that occurred during 2018–2022 were $562,000 for SMEs.

Examples of cyber liability claims and their costs

Here are a few scenarios to demonstrate how cybersecurity costs can quickly add up in a cyber incident.

Loss of personal customer information

As an example, say a missed Windows software patch at a landscaping company allows a hacker to break in and steal information on 1,200 customers. Cyber insurance claim costs would include:

  • Finding and repairing the cause of the breach
  • Notifying customers
  • Credit monitoring for those customers for two to three years
  • Fines or penalties


Suppose an accounting firm employee falls for a phishing scam and ransomware encrypts files across the company’s network. A message demands payment within three days or data will be lost forever. The company decides to pay, and the company regains access after four days of downtime. Costs could include:

  • Hiring experts to negotiate with hackers
  • Lost productivity as owners/management deal with the attack
  • Paying the extortion demand
  • Lost business due to business interruption
  • Missed deadlines, project delays, and broken contracts for your existing business
  • Loss of both customers and new opportunities due to reputational damage

Client data breach

Let’s say you own an IT consulting firm and misconfigure your client’s firewall. They suffer a data breach and sue. You could be responsible for paying:

  • All your client’s financial losses
  • The costs of your damaged reputation and lost business
  • Defense costs and legal fees

The best way to safeguard your business from outrageous cyber costs is with the right insurance protection.

How do I protect my business from cyber risks?

Understanding your risks is the first step to protecting your business from cyber threats. Talk with the contractors or employees who run your websites or IT networks to learn about any potential weaknesses and try to correct them. In the long run, investing in cybersecurity can be a much cheaper option than paying the costs from a cyberattack.

Your business likely has a general liability insurance policy, which will cover the costs of third-party injuries, third-party property damage, and advertising injuries. But it typically doesn’t cover cyber claims.

For that, you’ll need cyber insurance. A cyber liability policy can help cover costs such as customer notification, fraud monitoring services, and legal costs if a client blames your company for failing to prevent a data breach.

There are two kinds of cyber coverage:

Most business owners add first-party cyber liability insurance coverage to their general liability policy.

But tech pros who recommend software or handle network security usually opt for technology errors and omissions insurance (tech E&O). This bundle includes third-party cyber liability insurance and also errors and omissions insurance for protection during lawsuits over data breaches, professional errors, contract disputes, and more.

Even the best cybersecurity can’t eliminate the risk of a data breach or other cyber event. And you’ll want to take extra care if you’re responsible for a client’s systems. To protect your business from the steep costs of a cyber claim, make sure your business has the right coverage in place.

Compare cyber insurance quotes from trusted carriers with Insureon

Complete Insureon’s easy online application today to compare insurance quotes from top-rated U.S. carriers. Once you find the right policy for your small business, you can begin coverage in less than 24 hours.

Jen Matteis, Content and Production Editor

Jen is an expert on small business insurance, a talented writer, and meticulous editor. She’s written and edited hundreds of articles to help inform small business owners about their insurance options. Prior to joining Insureon in 2018, Jen served as a senior copywriter at a digital marketing agency, and as a writer and editor for newspapers on both coasts. In her spare time, she writes fiction.
