Cyber Insurance
Decisions That Limit Damage
Executive peace of mind comes not from optimism, but from clear accountability and demonstrable follow-through.
For Cyber Insurance, the core is manageability: owner, standard, deadline, and regular feedback.
This way, this topic becomes not a periodic discussion, but a manageable part of regular business operations.
Why this matters
The core of Cyber Insurance is risk reduction in practice. Technical context supports the choice of measures, but implementation and embedding are central.
The fire you didn't see coming
In March 2023, a mid-sized Dutch logistics company was hit by ransomware. Within four hours, all systems were down: the warehouse management system, the financial administration, the customer portals. The board had taken out a cyber insurance policy two years earlier on the advice of their accountant. "Just to be safe," they said at the time, "just like fire insurance." And just like fire insurance, they only discovered what was and wasn't covered when the damage occurred.
The insurer covered the costs of the incident response team and the forensic analysis -- together over 180,000 euros. The business interruption of three weeks was partially covered. But the two major clients who switched to a competitor? Not covered. The reputational damage that continued for months through lower order volumes? Not covered. The fine from the Dutch Data Protection Authority for reporting the data breach too late? Not covered.
This chapter helps you make a well-considered decision about cyber insurance. Not whether you should have one -- that depends on your situation -- but what you can expect, where the pitfalls are, and how you ensure the policy actually does what you think it does.
What does cyber insurance cover?
Cyber insurance is not a magic blanket that covers all your digital risks. It is a financial product with sharply defined coverages, exclusions, and conditions. Coverage generally falls into two categories: own damage (first party) and liability (third party).
Own damage -- what happens to your organization
| Coverage component | What it covers | Example |
|---|---|---|
| Incident response | Costs of forensic investigation, crisis management, legal advice immediately after an incident | An IR team on-site within 4 hours to analyze the ransomware attack |
| Business interruption | Lost revenue and additional costs because systems are unavailable | Three weeks of being unable to process online orders costs 400,000 euros in missed revenue |
| Recovery costs | Costs to restore systems, data, and networks to their original state | Rebuilding the complete server environment after a wiper attack |
| Ransom and negotiation | Costs of a professional negotiator and potentially the ransom itself | A negotiator reduces the demand from 2 million to 350,000 euros |
| Notification costs | Costs to inform affected parties in case of a data breach (GDPR obligation) | Sending 50,000 letters to customers whose data was leaked |
| Crisis communication | PR agency and communication specialists to limit reputational damage | Press release, customer service script, social media monitoring |
Liability -- claims from others
| Coverage component | What it covers | Example |
|---|---|---|
| Privacy liability | Claims from individuals whose data was leaked | Class action from 10,000 customers after a data breach |
| Network security liability | Claims because your systems were used to attack others | Your compromised mail server sends phishing emails to your customers |
| Media security | Claims due to content on your digital platforms | Defacement of your website with defamatory content about a competitor |
| Regulatory costs | Fines and legal defense in enforcement actions | Defense against an investigation by the Dutch Data Protection Authority |
Important: Read the policy carefully regarding what falls under "recovery costs." Some insurers only cover restoration to the pre-incident state. If your systems were already outdated, you get outdated systems back -- not the upgrade you actually needed.
What does cyber insurance NOT cover?
This is where most organizations get it wrong. The exclusions are at least as important as the coverages.
| Exclusion | Why | Consequence |
|---|---|---|
| Long-term reputational damage | Too difficult to quantify and too indirect | Loss of customers due to breach of trust is not covered |
| Known vulnerabilities | The insurer expects you to patch known gaps | If your Exchange server was unpatched for three months, the claim may be denied |
| War and state-sponsored attacks | The "acts of war" clause excludes state-sponsored attacks | The 2017 NotPetya attack was classified as an act of war by some insurers |
| Future income loss | Only the direct interruption period is covered | The structurally lower revenue level after an incident falls outside coverage |
| Post-incident improvement | Insurers cover recovery, not improvement | The costs of implementing better security after the incident are at your own expense |
| Intellectual property | Theft of trade secrets, patents, R&D | A competitor using your stolen product designs causes damage that is not covered |
| Fraud and social engineering | Some policies exclude this or provide limited coverage | CEO fraud where an employee transfers 200,000 euros to a scammer |
| Third-party systems | Outages at a cloud provider or SaaS vendor | An outage at your ERP vendor brings your business to a halt, but you were not hacked |
Note: The "acts of war" exclusion has become one of the most debated clauses in the industry since the NotPetya case (Merck vs. insurers). Ask your insurer explicitly how they classify state-sponsored cyberattacks and whether there is a separate "cyber warfare" clause.
The Dutch and European market
The cyber insurance market in Europe is growing rapidly but is still relatively young compared to the American market. This has implications for what you can expect.
Premium trends. Following the wave of ransomware attacks in 2020-2022, premiums in Europe increased by 50 to 100 percent. Since then, the market has stabilized as insurers imposed stricter requirements on policyholders, reducing the claims volume. Organizations with demonstrably good security now pay less than during the peak years, but still more than before 2020.
Dutch providers. Most major Dutch insurers offer cyber insurance, often in partnership with specialized reinsurers such as Hiscox, Chubb, AIG, or Zurich. Additionally, there are specialized cyber agencies that act as intermediaries and can compare policies from multiple insurers. The Dutch Association of Insurers has published guidelines for standardizing policy terms, but true uniformity does not yet exist.
NIS2 effect. The introduction of NIS2 has further driven demand for cyber insurance. Executives who are personally liable for cybersecurity negligence seek additional assurance -- a theme also addressed in chapter 5 on executive liability, where personal consequences and D&O coverage are discussed. At the same time, insurers use NIS2 compliance as one of the assessment criteria for acceptance.
How do insurers assess your risk?
Before an insurer accepts you, they want to know how likely it is that they will have to pay out. This assessment determines whether you are insurable at all, and if so, at what premium.
The risk assessment
| Assessment method | What they evaluate | How you prepare |
|---|---|---|
| Questionnaire | MFA, patch policy, backup strategy, network segmentation, incident response plan | Answer honestly -- an incorrect declaration can lead to claim denial |
| External scan | Publicly visible vulnerabilities, open ports, SSL configuration, email security | Check your own external attack surface before the insurer does |
| Meeting with CISO | Maturity of the security program, governance, culture | Prepare a concise overview of your security measures and investments |
| Claims history | Previous incidents and claims, including with other insurers | Be transparent -- insurers share information |
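The "External scan" row above advises checking your own external attack surface before the insurer does. The following is an added example, not code from the page or from any insurer's scanning tool: it evaluates the email-security part of that surface (SPF and DMARC records) the way an external scan would, and flags the settings that commonly cost points on a questionnaire. The DNS answers for `good.example`, `weak.example` and `missing.example` are constructed inline so the script runs offline; in practice you would feed it the TXT records returned by your resolver.

```python
"""Assess the email-authentication posture an insurer's external scan would
see, from SPF and DMARC TXT records. Added example; the DNS answers below
are constructed, not real lookups, so it runs offline."""

# Constructed sample DNS answers (name -> TXT records) for three hypothetical domains.
SAMPLE_TXT_RECORDS = {
    "good.example": {
        "good.example": ["v=spf1 include:_spf.example.net -all"],
        "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    },
    "weak.example": {
        "weak.example": ["v=spf1 ip4:203.0.113.0/24 +all"],
        "_dmarc.weak.example": ["v=DMARC1; p=none"],
    },
    "missing.example": {
        "missing.example": ["some-site-verification=abc123"],
    },
}


def parse_spf(records):
    """Return the qualifier of the SPF 'all' term ('-', '~', '?' or '+'), or None if
    there is no single valid SPF record (missing and duplicate records are both invalid)."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return None
    for term in spf[0].split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mech.lower() == "all":
            return qualifier
    return "?"  # no 'all' term: receivers treat non-matching senders as neutral


def parse_dmarc(records):
    """Return the DMARC tags as a dict (e.g. {'v': 'DMARC1', 'p': 'none'}), or None if absent."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return None
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_email_security(txt_records, domain):
    """Return a list of findings for one domain; an empty list means nothing to fix."""
    findings = []
    spf_qualifier = parse_spf(txt_records.get(domain, []))
    if spf_qualifier is None:
        findings.append("SPF: no valid record; spoofed mail will not be rejected")
    elif spf_qualifier in ("+", "?"):
        findings.append(f"SPF: '{spf_qualifier}all' lets any sender pass; use -all or ~all")
    dmarc = parse_dmarc(txt_records.get(f"_dmarc.{domain}", []))
    if dmarc is None:
        findings.append("DMARC: no record; receivers cannot enforce alignment")
    elif dmarc.get("p", "none") == "none":
        findings.append("DMARC: p=none is monitor-only; move to quarantine or reject")
    elif "rua" not in dmarc:
        findings.append("DMARC: no rua address; aggregate reports are not collected")
    return findings


def assess_all(samples=SAMPLE_TXT_RECORDS):
    """Run the assessment over every sample domain and return {domain: findings}."""
    return {domain: assess_email_security(records, domain) for domain, records in samples.items()}


if __name__ == "__main__":
    for domain, findings in assess_all().items():
        print(domain, "->", findings or ["no findings"])
```

The checks mirror what questionnaire items such as "email security" usually mean in practice: an SPF record that ends in `+all` or has no `all` term authorises every sender, and a DMARC policy of `p=none` only reports and never blocks. Fixing these before the insurer's scan is cheap and also removes a real spoofing exposure.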
Premium-determining factors
The premium is not a fixed percentage of your revenue. It depends on a combination of factors:
- Sector -- healthcare and financial services pay more than manufacturing
- Revenue and size -- larger organizations pay more, but relatively less per euro of revenue
- Security maturity -- MFA, EDR, segmented backups, and a tested incident response plan significantly lower the premium
- Coverage scope -- higher limits and lower deductibles cost more
- Claims history -- previous incidents increase the premium or lead to exclusion
- Geography -- organizations with activities in the US pay more due to higher claims risk
Tip for executives: Invest in security first, then in insurance. Organizations that can demonstrate they have MFA, patch management, and offline backups pay up to 40% less in premiums. The investment in security pays for itself through lower premiums -- and you are actually better protected as well.
Security maturity and insurability
There is a direct relationship between how well your security is organized and whether (and how) you are insurable. Insurers have introduced a series of minimum requirements in recent years that have become the de facto standard.
Minimum requirements for acceptance (2025-2026):
- Multi-factor authentication on all external access points and admin accounts
- Regular patch management with a demonstrable process
- Offline or immutable backups that are tested
- Network segmentation between IT and OT (for industrial organizations)
- Endpoint Detection and Response (EDR) on all workstations and servers
- A documented and tested incident response plan
- Security awareness training for employees
- Privileged Access Management for administrative accounts
Insurers increasingly require evidence of active monitoring and logging -- a requirement that aligns with the technical setup described in the chapter on logging, monitoring, and SIEM. Organizations that do not meet these minimum requirements are simply rejected by most insurers. It is no longer a matter of higher premiums -- without basic security, you are uninsurable.
Common pitfalls
1. The "sub-limit" trap
Your policy has a total coverage of 5 million euros. Sounds good. But the sub-limit for ransomware payments is 500,000 euros, and the one for business interruption is 1 million euros with a waiting period of 12 hours. The headline coverage is rarely what you can actually claim.
2. The retroactive date
Many policies cover only incidents that occur after the effective date, and the incident must also be discovered within the policy period. An attacker who had been in your network for months before you took out the policy? Not covered.
3. The duty to cooperate
In the event of an incident, you must immediately notify the insurer. If you engage an IR team on your own without the insurer's approval, the claim may be denied or limited. Make sure you know your insurer's emergency number as well as you know the fire department's. Include this in your incident response plan -- the chapter on incident response and crisis management describes how to set up that plan and give the insurer a permanent place in it.
4. The incorrect declaration
If the application declared that MFA was enabled on all systems, but during the incident it turns out that a legacy VPN was running without MFA, the insurer can deny the claim for incorrect declaration. Honesty during the application is not optional -- it is a requirement.
When to get it, when not
Cyber insurance is not a substitute for security. It is a financial safety net for the residual risk after you have taken all reasonable measures. Whether it makes sense for your organization depends on a trade-off.
| Situation | Cyber insurance useful? | Explanation |
|---|---|---|
| Processing large volumes of personal data (healthcare, HR, retail) | Yes | The costs of a data breach (notification, legal, fines) can be enormous |
| High dependency on digital systems | Yes | Business interruption is your biggest financial risk |
| Limited IT budget and small organization | Possibly | The premium must fit, but an incident can be existential |
| Excellent security and in-house IR capability | Limited | You need less coverage, but residual risk remains |
| Basic security not in order | No | You are uninsurable or the premium is unaffordable -- invest in security first |
| Compliance requirement from client or regulator | Yes | More and more tenders and contracts require cyber insurance |
| Supplier role in critical chains | Yes | NIS2 places responsibility for the chain with you |
Rule of thumb: Cyber insurance makes sense if your organization cannot financially absorb a cyber incident from its own resources, and you already have basic security in order. It is a last layer in your defense, not the first.
The costs in perspective
Premiums for cyber insurance vary enormously, but as a rough indication for the Dutch market (2025-2026):
| Organization size | Indicative annual premium | Typical coverage |
|---|---|---|
| Small (< 5 million revenue) | 2,000 – 8,000 euros | 500,000 – 1 million euros |
| Medium (5 – 50 million revenue) | 8,000 – 40,000 euros | 1 – 5 million euros |
| Large (> 50 million revenue) | 40,000 – 250,000+ euros | 5 – 25 million euros |
These amounts are indicative and depend heavily on sector, security maturity, and desired coverage. The deductible typically ranges from 5,000 euros (small) to 100,000 euros or more (large).
Remember: Cyber insurance is not an indulgence for poor security. It is a sensible financial measure for organizations that take their security seriously and want to cover the residual risk. Invest in prevention first, then in the policy.
Now that you know how to use the financial safety net of cyber insurance, the next question arises: how do you as an executive maintain structural visibility into the effectiveness of all these measures? In the next chapter on security metrics and executive reporting, you will learn how to set up a dashboard that tells you at a glance whether your organization is on track -- and where course correction is needed.
Further reading in the knowledge base
These articles in the portal provide more background and practical context:
- Compliance — following rules without losing your mind
- Incident Response — when things go wrong
- Supply chain attacks — the weakest link problem
- "Are we a target?"
- Ransomware — digital hostage-taking for beginners and advanced users