Do You Need Cyber Insurance? (Lutz)

November 13, 2020 - Lutz

This is a thought leadership article by PrimeGlobal member firm Lutz which looks at whether firms need cyber insurance. 
Ransomware attacks have crippled everything from major cities to school districts. Federal officials are even concerned they could be used to disrupt the current presidential election. Last week, a major supplier of software services to state, county and local governments, Tyler Technologies, was hit.

In the U.S. alone, 764 healthcare providers were victimized last year by ransomware, according to data compiled by the cybersecurity firm Emsisoft. It estimates the overall cost of ransomware attacks in the U.S. to $9 billion a year in terms of recovery and lost productivity.

While data breaches occurring in big corporations are often what we hear about, small businesses are equally vulnerable to attack. According to Purplesec, a business, on estimate, falls victim to a ransomware attack every 14 seconds. One way to protect against this risk is to invest in cyber-insurance. Cyber-insurance is gaining popularity now, with about 80% of companies looking to transfer their risk to a third-party company. 


Cyber-liability insurance, as the name suggests, is an insurance policy designed to help businesses or individuals recover from data breaches, malicious attacks, or other cyber-security threats. It helps you address any expense that might occur as a result of an attack, including forensic investigations, business losses, extortion attempts due to the breach, and legal claims resulting from it. The idea here is to shift some of your cyber-risk to a third party, i.e., the insurance company. 

While most cyber-insurance policies are designed to protect only businesses, as that is the primary goal of coverage, some policies can also extend to clients who interact with your business. 


No matter how much you secure your data, the risk of cyber-attacks can never be completely eliminated, especially if your business is a small one. With incidences of cyber-attacks increasing every year, businesses are now at a higher risk than ever of their data being stolen or held hostage.

If your security systems fail to prevent a cyber-attack, the consequences could prove fatal to your business. In fact, according to the National Cyber Security Alliance, 60% of small and mid-sized companies go out of business within six months of a cyber-attack. 


Every cyber-insurance policy is unique, so it’s always best to review the coverage a particular policy provides before signing up for it. Some losses that these policies typically don’t cover include:

  • Property loss, such as a computer stolen during a cyber-attack
  • Expenses that exceed coverage limits on the policy
  • Robbery, theft, property damage, bodily injury, and other criminal activity unrelated to cyber-crime
  • Losses due to prior breaches or cyber-attacks that happened before the policy was purchased
  • Cyber-attacks caused or initiated by employees
  • Failure to correct a known vulnerability in your cyber-security system
  • Expenses involved in upgrading or improving security systems 
  • Preventable security issues caused by humans, such as careless mishandling of digital assets

Some policies do cover attacks initiated due to social engineering, i.e., when an employee is tricked into revealing information that might result in a breach. However, this coverage is not included in all policies, although it may be available as an add-on to a policy. 


For most businesses, the answer is yes. You do need cyber-insurance because the costs of not having it can be quite high. If your business involves the storage of sensitive data online, you need an insurance policy to help mitigate your risks, especially if you are a small or mid-sized business. A cyber-insurance policy will help you respond quickly and effectively to a data breach, cover your costs, mitigate your risks, and move on from the attack.  

However, it is important to remember that cyber-insurance can’t be your only protection against losses due to cyber-attacks. You need to take proactive measures to ensure that your data is secure, and your systems are up-to-date. In the event of a cyber-attack, you need to prove to your insurance provider that your company did everything it could to prevent the attack. In fact, insurance providers have been known to reject claims if they find that the company failed to properly secure their systems.

Content by:


Since our founding in 1980, Lutz has steadily grown because of our integrity, work ethic and collaboration to become the largest locally owned firm of its kind in Nebraska. Our clients' goals are our goals and we believe that understanding our clients is a vital part of getting to the bottom line and ensuring their success. We provide accounting services such as tax, assurance, business consulting and valuation. We also support our clients in the areas of investments and planning, recruiting and technology services.

Learn more