Cyber attacks continue to increase. To help organizations cope with the financial consequences of these attacks, insurance companies offer cyber insurance policies. These are highly specialized insurance products that should be tailored to each organization’s individual risks and requirements. In this interview, Mihajlo Milanovic, GrECo Competence Center Liability and Financial Lines, and Ulrich Fleck, CEO of CERTAINITY, discuss the requirements, challenges, and benefits of cyber insurance.

What is cyber insurance, and who needs it?

Milanovic: Compared to traditional insurance products, cyber insurance is still relatively new. Development began around 2014 and reached our market in 2018. Since 2019, we’ve seen a significant increase in cyber claims, particularly due to ransomware attacks. Years ago, incidents were generally smaller, but the financial success of cybercriminals has led to the emergence of an entire criminal industry.

Fleck: Ransomware has made virtually every organization a potential target.

What motivates companies to purchase cyber insurance?

Milanovic: Many decide to purchase cyber insurance after experiencing an attack themselves or after seeing a cyber incident affect another company in their industry. Increased media coverage and growing financial losses have also raised awareness.

How do insurers assess the likelihood of an attack and the potential financial impact?

Milanovic: One of the most important factors is the organization’s cyber security maturity. The larger the company, the more demanding the insurer’s security requirements become. Smaller organizations (up to approximately €10 million in annual revenue) typically undergo a relatively simple assessment, whereas larger companies must complete extensive security questionnaires. Most requirements must be fulfilled—otherwise, it is often difficult to find an insurer willing to provide coverage.

Which factors influence the cost of cyber insurance?

Milanovic: Three main factors determine the premium: the organization’s security posture, the desired insurance coverage, and annual revenue. Cyber security maturity determines whether a company is insurable in the first place, while coverage limits and revenue primarily influence the premium.

At present, stronger cyber security does not necessarily translate directly into lower premiums. Instead, organizations with higher security maturity have access to more insurance providers, creating greater competition and potentially better pricing.

Fleck: Some insurers also reduce deductibles if organizations work with recognized cyber security providers and maintain continuous security monitoring programs.

Are insurers currently paying out more in claims than they collect in premiums?

Milanovic: That’s difficult to answer because reliable market statistics are still limited. Even major cyber insurers often don’t report their figures to industry associations, and statistics from the U.S. cannot simply be applied to Europe. Overall, however, the market currently appears to be challenging for insurers.

Fleck: Organizations should remember that insurance does not prevent cyber incidents—it merely helps absorb the financial consequences. Damage to an organization’s reputation, however, is often impossible to compensate financially.

Do backups solve the problem after a cyber attack?

Fleck: Many organizations have backups, but restoring systems often takes so long that some businesses would struggle to survive the downtime. Another challenge is that restoring backups frequently overwrites the original encrypted systems, destroying valuable forensic evidence that could later be used to investigate the attack.

Milanovic: Some organizations address this by purchasing additional storage and duplicating entire environments. However, this approach is expensive and often impractical. For large storage systems, delivery times can easily reach six to eight weeks.

Do companies learn from cyber attacks?

Milanovic: Generally, yes. Following an incident, organizations often invest significantly more in cyber security to remain insurable. The important question is what they actually learned. Insurers want to know which security measures have been improved and how cyber resilience has increased before offering renewed coverage.

How often do you encounter organizations that simply cannot be insured?

Milanovic: It’s uncommon, but it does happen. We conduct a pre-assessment before approaching insurers, allowing us to estimate whether coverage is likely to be available—and under which conditions. In some cases, we advise organizations to first address critical security gaps before applying for cyber insurance.

Which organizations should consider cyber insurance?

Milanovic: I would recommend it to almost every organization. However, companies should first determine which coverage components are actually relevant to their business and seek professional advice. For example, organizations sometimes believe they need cyber insurance when they are actually looking for protection against fraud, which falls under crime insurance.

We also see companies purchasing unnecessarily high levels of coverage. In one case, we determined that the client’s potential business interruption losses were actually limited, making very high coverage unnecessary. One major advantage, however, was that an Incident Response team arrived on-site within two hours through the insurer’s incident response service.

Why do many organizations still not have cyber insurance?

Milanovic: Cost is certainly one reason. Purchasing cyber insurance is ultimately a business decision. In other cases, organizations simply do not qualify because their IT security maturity is too low, or they receive only very expensive offers until they improve their cyber security.

How often do organizations pay the ransom, and are negotiations covered?

Milanovic: Negotiations with attackers are generally covered and occur more often than many people assume. In many cases, ransom payments themselves are also covered under the policy. Paying a ransom is certainly not the preferred outcome—but it is still more common than most organizations realize.

Overall, I would recommend that every organization seriously consider cyber insurance. Improving cyber resilience not only reduces the likelihood and impact of cyber attacks but can also improve insurability and potentially lead to better insurance conditions. Today, every organization is a potential target.

If you have any questions or would like to learn more, please contact us at sales@certainity.com.

If your organization is affected by a cyber attack:

CERTAINITY Incident Response Hotline: 0800 44 30 555 or csirt@certainity.com