Cyber Insurance - Coverage and Limits in Cyberattacks
Cyber insurance covers financial losses resulting from cyberattacks: business interruption, data recovery, ransom payments (ransomware), third-party liability (GDPR fines only partially covered!), IT forensics, crisis management, and notification costs. Prerequisite: Proof of a minimum security standard (MFA, backup strategy, patch management). Policies distinguish between first-party and third-party coverage. GDPR fines are not insurable in Germany.
Cyber insurance is no substitute for IT security—but it is an essential part of every company’s residual risk strategy. Anyone who believes an insurance policy can replace technical security measures risks losing both their insurance coverage and the very existence of their business.
What cyber insurance covers
First-party losses (own losses)
Business interruption:
- Lost profits during the outage
- Typical scenario: A ransomware attack paralyzes production
- Waiting period: usually 8–12 hours (deductible)
- Maximum duration: 30–180 days (depending on the policy)
Data recovery:
- Costs for backup restoration
- If no backup: Data reconstruction (expensive!)
- Includes additional costs for manual rework
Ransom payments (ransomware):
- Many insurers: YES, ransom is covered
- BUT: Check the OFAC sanctions list (REvil, Darkside)
- Practice: Insurer coordinates payment through a specialized firm
- Trend 2024: Insurers pay less frequently (bad experiences)
IT Forensics:
- External incident response service providers
- Breach investigation: What was stolen?
- Costs: €5,000–50,000 (depending on effort)
Crisis Management / PR:
- Communications agency
- Press releases, customer communications
- Reputation protection
Notification Costs (GDPR Art. 33/34):
- Notifying affected individuals
- With 10,000 affected individuals: significant costs!
- Includes call center for inquiries
Third-Party Damages (Liability)
- Customers/partners who have been harmed by the incident
- GDPR claims for damages (Art. 82 GDPR)
- Contractual liability toward customers
> Important: GDPR fines (Art. 83) are not insurable in Germany (insurance against administrative penalties is contrary to public policy, §138 BGB).
Requirements for Insurance Coverage
Minimum Technical Requirements
MFA (Mandatory!):
- Remote Access: VPN + MFA (e.g., Authenticator app)
- Email (Microsoft 365/Google Workspace)
- Admin accounts: MFA required without exception!
- If MFA is missing: The insurer may deny coverage!
Backup:
- Regular backups (at least daily for critical systems)
- Offline/immutable backups (separate from the production network)
- Verifiable backup testing (DR test at least annually)
- Without a verifiable backup strategy: rejection or exclusion
Patch Management:
- Critical patches: applied within 72 hours (documented)
- End-of-life systems: Risk must be justified
- Systems without support: often explicitly excluded
EDR/AV:
- Endpoint Detection & Response on all systems
- Up-to-date and active (no expired contracts!)
Proof in the event of a claim
- Insurer checks: Were all the measures listed actually in place?
- False statements in the application → Denial of coverage (Fraud!)
- "Was MFA active everywhere?" → An unsecured RDP is sufficient grounds for denial
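Because the insurer checks after the incident whether the listed measures were actually in place, it pays to turn the requirements above into a repeatable evidence check before signing. The following is an added example, not code from the original page or from any insurer; the inventory fields and sample records are constructed assumptions, while the thresholds (MFA on remote access, e-mail and admin accounts; daily, offline backups with an annual DR test; critical patches within 72 hours; EDR active everywhere) are the ones listed above.

```python
from datetime import date, timedelta

# Constructed sample inventory (not real systems); field names are assumptions.
TODAY = date(2024, 6, 1)
SYSTEMS = [
    {"name": "vpn-gw", "role": "remote-access", "mfa": True, "edr": True, "supported": True,
     "crit_patch_released": date(2024, 5, 20), "crit_patch_applied": date(2024, 5, 21)},
    {"name": "rdp-jump", "role": "remote-access", "mfa": False, "edr": True, "supported": True,
     "crit_patch_released": None, "crit_patch_applied": None},
    {"name": "erp-db", "role": "server", "mfa": False, "edr": True, "supported": False,
     "crit_patch_released": date(2024, 5, 20), "crit_patch_applied": date(2024, 5, 30)},
    {"name": "m365", "role": "email", "mfa": True, "edr": False, "supported": True,
     "crit_patch_released": None, "crit_patch_applied": None},
]
BACKUP = {"last_backup": date(2024, 5, 31), "offline_copy": True, "last_dr_test": date(2023, 3, 1)}

# Thresholds taken from the minimum requirements listed on the page.
MFA_ROLES = {"remote-access", "email", "admin"}  # MFA mandatory for these roles
PATCH_WINDOW = timedelta(hours=72)               # critical patches within 72 hours
BACKUP_MAX_AGE = timedelta(days=1)               # at least daily backups
DR_TEST_MAX_AGE = timedelta(days=365)            # DR test at least annually

def check_system(s, today):
    # Returns the policy gaps of one system as a list of findings (empty = compliant).
    findings = []
    if s["role"] in MFA_ROLES and not s["mfa"]:
        findings.append(f'{s["name"]}: MFA missing on {s["role"]}')
    if not s["edr"]:
        findings.append(f'{s["name"]}: EDR not active')
    if not s["supported"]:
        findings.append(f'{s["name"]}: end-of-life system, residual risk must be justified')
    released, applied = s["crit_patch_released"], s["crit_patch_applied"]
    if released is not None:
        deadline = released + PATCH_WINDOW
        # A still-unpatched system counts as overdue once the deadline has passed.
        if (today if applied is None else applied) > deadline:
            findings.append(f'{s["name"]}: critical patch not applied within 72h')
    return findings

def check_backup(b, today):
    # Checks the backup strategy against the daily / offline / annual-DR-test requirements.
    findings = []
    if today - b["last_backup"] > BACKUP_MAX_AGE:
        findings.append("backup: last backup older than one day")
    if not b["offline_copy"]:
        findings.append("backup: no offline/immutable copy")
    if today - b["last_dr_test"] > DR_TEST_MAX_AGE:
        findings.append("backup: DR test older than one year")
    return findings

def assess(systems, backup, today):
    # Collects all findings; an empty list means every listed requirement is evidenced.
    findings = [f for s in systems for f in check_system(s, today)]
    return findings + check_backup(backup, today)
```

Run against the real inventory, every finding is a statement in the application that the insurer could later contradict; keep the dated output as part of the proof file.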
Typical exclusions
What cyber policies do not cover:
- State-sponsored cyberattacks (war clause!): after NotPetya 2017 insurers refused to pay; the "act of war" clause remains highly controversial; Lloyd's introduced an explicit war clause in 2023
- Security vulnerabilities known prior to the start of coverage
- Negligent failure to implement promised measures
- GDPR fines (administrative penalties, §138 BGB)
- Lost profits due to reputational damage (long-term)
- Costs for security improvements following the incident
- Insider threat (theft by own employees, partially excluded)
NotPetya precedent:
- Merck: $1.4 billion in damages, insurers refused to pay
- Argument: state-sponsored attack (Russia/Ukraine)
- Courts: partially in favor of policyholders
- Result: War clauses were clarified and tightened
Market and Price Orientation
Major Providers (DE/DACH)
| Provider | Product | Target Audience |
|---|---|---|
| Allianz | CyberSchutz | SMEs + Enterprise |
| AXA | Cyber & Data Risks | with response network |
| HDI | CyberPlus | Mid-market |
| Hiscox | Specialist | SMEs |
| ERGO | Digital Guard | - |
| Zurich | - | Enterprise-focused |
Price Trends
- 2020–2022: Extreme price increases (+100–200%) due to the ransomware explosion and massive losses
- 2023–2024: Stabilization, stricter requirements
Price Guidelines (rough estimates for 2024)
| Revenue | Annual Premium | Coverage |
|---|---|---|
| < €5 million | €2,000–6,000 | €1–3 million |
| €5–25 million | €6,000–20,000 | €3–10 million |
| €25–100 million | €20,000–80,000 | €10–25 million |
| > €100 million | Custom | Custom |
Factors that increase the premium:
- Critical infrastructure sector (energy, healthcare, finance)
- Large data assets (significant amounts of personal data)
- Outdated IT / no MFA
- Previous claims in the last 5 years
Factors that reduce the premium:
- ISO 27001 certification (verified!)
- Proven SOC / SIEM operation
- Regular penetration tests (submit reports)
- Low claims history
Integration into the security strategy
Risk treatment according to ISO 27005
| Option | Meaning |
|---|---|
| Avoid | Eliminate risk triggers |
| Reduce | Technical + organizational measures |
| Transfer | Insurance (residual risk) |
| Accept | Conscious, documented decision |
Cyber insurance = residual risk transfer:
- Does not replace: penetration tests, MFA, EDR, patch management
- Complements: the remaining financial risk
Checklist Before Signing
- BIA: Which systems are critical, and what is the maximum loss if they fail?
- RTO/RPO defined and aligned with coverage
- MFA implemented everywhere (proof required!)
- Backup strategy documented and tested
- Incident response plan in place
- All policy conditions met (not just claimed!)
- Exclusions understood and accepted
- Sufficient coverage amount (based on BIA!)