FortaRisks

Cyber insurance

Cyber insurance is a contract that covers all or part of the financial consequences of a cyber incident: response costs, business interruption, extortion, third-party liability. It is a risk-transfer tool, complementary to but never a substitute for security controls.

Updated on July 2, 2026

What is cyber insurance?

Cyber insurance is a contract under which an insurer covers, subject to defined conditions, part of the financial losses resulting from a cyber incident. It is risk management by transfer: rather than absorbing every loss yourself, you transfer part of the residual risk to a third party in exchange for a premium.

It is not a technical protection. A policy does not prevent an attack: it mitigates the financial consequences, provided the terms of the contract are met.

Why it matters for your organization

A major incident can cost far more than technical remediation alone: business interruption, notification, legal fees, reputational harm. Cyber insurance absorbs that financial shock and is now an integral part of a mature risk-management strategy.

The market has evolved, however. Insurers have become demanding: they condition coverage on a minimum level of security and verify posture before committing. Cyber insurance is therefore also a lever that pushes organizations to strengthen their defenses.

What insurers look at

  • Multi-factor authentication on sensitive access.
  • Backups that are isolated and regularly tested.
  • Patch and vulnerability management.
  • Incident response plan, documented and exercised.
  • Third-party risk management and supply-chain security.

Where organizations most often fall short

The most dangerous mistake is treating cyber insurance as a substitute for security: buying a policy and easing off. Yet coverage only triggers if the declared commitments are met. The other pitfall is not reading the exclusions: many discover too late that their claim falls under an exclusion clause.

Frequently asked questions

What does a cyber insurance policy cover?

Typically incident response costs (forensics, notification, legal), business interruption losses, extortion costs in a ransomware event, and civil liability toward affected third parties. Coverage varies widely from one contract to another: exclusions and limits matter as much as the guarantees.

Why do insurers sometimes refuse to cover?

Because they now assess security posture before covering. Without baseline controls (multi-factor authentication, tested backups, patch management, a response plan), an organization may be refused a policy, charged a high premium, or discover after the fact that a claim is not paid.
