03.04.2026

Cyber Insurance for SMEs: What’s Actually Covered


Cybercrime caused €178.6 billion in damages in Germany in 2024. Yet only 36 percent of small and medium-sized enterprises (SMEs) hold cyber insurance. This gap isn’t due to disinterest – it stems from uncertainty: What does a policy really cover? Where do exclusions kick in? And does the investment still make sense when premiums rise every year? This practical review reveals exactly what a cyber insurance policy delivers – and what it doesn’t – for SMEs.

The Key Takeaways

  • €178.6 billion in cybercrime damages 2024: The threat landscape disproportionately impacts SMEs, as they less frequently have incident-response capabilities (Bitkom, 2024).
  • Only 36 percent of SMEs insured: Large enterprises are over 70 percent covered, while the mid-market remains a protection gap (GDV, 2024).
  • Premiums stabilizing: After increases of up to 50 percent (2021-2022), rates have been dropping by an average of 5 percent since 2024. Strong security standards are rewarded (Marsh, 2024).
  • State-sponsored attacks excluded: Since 2023, most insurers require exclusion of nation-state attacks. This applies even during peacetime (Lloyd’s of London).
  • MFA, EDR, IR plan mandatory: Without multi-factor authentication, endpoint detection, and a tested emergency plan, policies are scarcely available in 2026 (Coalition Claims Report, 2024).
36 % of German SMEs hold cyber insurance (Source: Gesamtverband der Deutschen Versicherungswirtschaft (GDV), 2024)

What a Cyber Policy Actually Covers

Cyber insurance is not an all-in-one shield. It’s a financial instrument designed to absorb specific, predefined loss scenarios. For SME managing directors, understanding which components a typical policy includes is critical:

First-Party Losses: Costs related to IT forensics after an attack, data recovery, business interruption due to system outages, and crisis management – including PR consulting. Some policies also cover ransom payments in ransomware incidents – but with increasingly strict conditions, often requiring prior insurer approval.

Third-Party Losses: Liability claims from customers or business partners whose data was compromised. GDPR fines are covered by many policies – but only in jurisdictions where insuring administrative penalties is legally permissible. In Germany, this remains legally contested.

Service Benefits: Many insurers offer 24/7 hotlines, access to specialized incident-response teams, and initial legal advice. For SMEs without in-house security departments, this service layer is often the most valuable part of the policy.

In practice, insurers distinguish between first- and third-party losses. First-party losses affect the insured company directly: business interruption, data restoration, ransom payments. Third-party losses arise when customers or partners suffer harm – e.g., if personal data leaks trigger GDPR-related liability claims. Not every policy covers both. Managing directors must explicitly verify whether third-party coverage is included, as GDPR liability can easily dwarf internal losses.

Where Coverage Ends: Critical Exclusions

Knowing a policy’s exclusions is at least as important as understanding its coverage scope. Three exclusions particularly impact SMEs:

Nation-State Attacks: Since March 2023, all major insurers – acting on guidance from Lloyd’s of London – exclude state-sponsored cyberattacks. This may sound abstract, but it increasingly affects SMEs: The line between criminal and state-backed cyber activity is blurring. If a ransomware attack is attributed to a group acting on behalf of a foreign government, the insurer may deny the claim outright.

Systemic Events: A coordinated attack on a major cloud provider that simultaneously impacts thousands of companies could fall under the “catastrophe exclusion” clause. Insurers cap their total exposure via aggregate limits – meaning payouts in such cases would be prorated.

Breach of Duty of Care: If you declare in your application that multi-factor authentication (MFA) is in place – and then fail to implement it – you risk full claim denial. According to Coalition, in 2024, inadequate security measures were identified as a contributing cause in 82 percent of rejected claims.

“Claim severity has dropped by over 50 percent; large losses exceeding €1 million have declined by roughly 30 percent – driven by massive cybersecurity investments made by large enterprises.”
Paraphrased from Allianz Commercial, Cyber Risk Trends 2025

What the Application Process Demands from Managing Directors

As of 2026, applying for cyber insurance resembles an IT security audit. Insurers no longer assess only revenue and industry – they evaluate your actual security architecture. Three measures have become mandatory entry requirements:

Multi-Factor Authentication (MFA): 95 percent of insurers require MFA on email, VPN, remote access, and admin accounts – not merely “available,” but actively enforced and documented. Phishing-resistant methods like FIDO2 are increasingly expected.

Endpoint Detection and Response (EDR): 89 percent of insurers mandate EDR on all endpoints. Merely installing the software isn’t enough. Insurers ask: Who monitors alerts? How quickly do you respond? Is the process documented?

Tested Incident-Response Plan: A written emergency plan with clearly defined roles and contact lists. Insurers check when the plan was last tested. An untested plan gathering dust in a drawer carries no weight.

For SMEs without dedicated IT security teams, this means managed security services are now a prerequisite for insurability. An external SOC (Security Operations Center) service costs €500-€2,000 per month – but makes the difference between eligibility and outright rejection.

82 % of rejected claims involved unimplemented security measures promised in the application (Source: Coalition, Cyber Claims Report 2024)

How Much Cyber Insurance Costs SMEs

Premiums depend on industry, revenue, employee count, and security maturity. Here’s a realistic cost breakdown for SMEs:

Small business (10-50 employees, up to €5 million revenue): Annual premium €1,500-€5,000, with coverage limits of €500,000-€1 million.

Midsize enterprise (50-250 employees, €5-€50 million revenue): Annual premium €5,000-€25,000, with coverage limits of €1-€5 million.

Larger SME (250+ employees, €50+ million revenue): Annual premium €25,000-€100,000, with individually tailored coverage concepts.

The good news: After steep premium hikes between 2020 and 2022, the market has stabilized. Competition among insurers is intensifying, and terms are improving. Companies with demonstrable security controls pay significantly less than those without.

A comparison via platforms like CyberDirekt or Finanzchef24 shows: For a trading company with €5 million revenue and 30 employees, annual premiums range from €1,500 to €4,000 – depending on chosen coverage limit and deductible. Typical deductibles sit between €2,500 and €10,000 per incident. Lowering the deductible increases the premium by 20-40 percent – but substantially reduces financial risk when a claim occurs.

The Math: Does the Policy Pay Off?

The average ransomware incident costs a midsize company €250,000-€2 million. Breakdown: IT forensics (€30,000-€80,000), business interruption (varies by sector and duration), legal counsel (€15,000-€40,000), crisis communications (€10,000-€30,000), and potential GDPR fines.

Even assuming a conservative annual breach probability of just 5 percent, the expected annual loss for a midsize firm ranges from €12,500 to €100,000. Against premiums of €5,000-€25,000, insurance proves economically justified in most scenarios.

Add in the service value: Having an incident-response team on the phone within two hours can mean the difference between a contained incident and full-blown corporate crisis. For SMEs without internal security teams, that’s priceless.

According to the GDV (German Insurance Association), 28 percent of SMEs report at least one cyber incident within three years. With an average loss of €95,000 and an annual premium of €2,500, a single incident equals 38 years of premiums. So the question isn’t whether an incident will occur – but when. Betting on remaining untouched is no longer prudent risk management at a 28 percent likelihood.
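To make the expected-loss arithmetic in this section concrete, here is an added example (not from the article or any insurer) that carries the same figures through a deductible and a per-incident coverage limit, so you can see how much of a loss stays with the company even with a policy in place. The Policy structure, the breakeven helper and the particular deductible/limit values in the demo are assumptions, chosen within the ranges the article quotes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    premium: float     # annual premium in EUR
    deductible: float  # per-incident retention (self-insured share) in EUR
    limit: float       # per-incident coverage limit in EUR


def insurer_pays(loss: float, policy: Policy) -> float:
    """Payout for one insured incident: the loss above the deductible,
    capped at the coverage limit. Excluded scenarios (nation-state,
    systemic events) are the caller's job: pass loss=0 for them."""
    return max(0.0, min(loss - policy.deductible, policy.limit))


def expected_annual_loss(p_incident: float, loss: float) -> float:
    """Uninsured expectation: annual incident probability x loss per incident."""
    return p_incident * loss


def expected_annual_cost(p_incident: float, loss: float, policy: Policy) -> float:
    """Insured expectation: premium plus the share of the loss the policy
    does not pay (the deductible and anything above the limit)."""
    retained = loss - insurer_pays(loss, policy)
    return policy.premium + p_incident * retained


def breakeven_probability(loss: float, policy: Policy) -> float:
    """Annual incident probability at which the premium equals the expected
    payout; above it the policy pays off in expectation (assumed helper)."""
    payout = insurer_pays(loss, policy)
    return policy.premium / payout if payout > 0 else float("inf")


def premium_years_per_incident(loss: float, policy: Policy) -> float:
    """How many years of premium one incident of this size represents."""
    return loss / policy.premium


if __name__ == "__main__":
    # Article figures: 5 % annual probability, EUR 250k-2M per incident and
    # EUR 5k-25k premiums for a midsize firm. Deductible and limit here are
    # constructed values inside the article's ranges, not a real quote.
    midsize = Policy(premium=10_000, deductible=5_000, limit=1_000_000)
    for loss in (250_000, 2_000_000):
        print(f"loss {loss:>9,}: uninsured {expected_annual_loss(0.05, loss):>9,.0f}"
              f"  insured {expected_annual_cost(0.05, loss, midsize):>9,.0f}"
              f"  breakeven p={breakeven_probability(loss, midsize):.3f}")
```

Note how the €2 million case exceeds the €1 million limit: the company still carries an expected €50,000 a year of uninsured loss, which is the gap a higher limit or a separate control has to close.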

Checklist: Five Steps to Securing SME Cyber Insurance

1. Document your IT security posture. Is MFA active? Is EDR installed? What’s your backup strategy? How robust is patch management? The better your documentation, the stronger your negotiating position – insurers reward verifiable evidence.

2. Calculate your coverage needs. Estimate daily business interruption costs. Count how many personal data records you process (this determines GDPR exposure). Realistically estimate your maximum plausible loss.

3. Understand exclusions. Read the fine print on nation-state attacks, systemic events, and duty-of-care clauses. Anything excluded must be self-insured – or mitigated through other means.

4. Engage a specialist broker. The cyber insurance market is complex. Brokers like Finlex, CyberDirekt, or Marsh know insurers’ underwriting profiles and negotiate better terms than direct purchases.

5. Complete the application truthfully. Any misrepresentation can void coverage when a claim arises. Better to honestly tick “no” and implement the measure afterward than to falsely promise it.

Conclusion

Cyber insurance doesn’t replace IT security – but it adds a financial safety net that can be existential for SMEs. After peaking in 2021-2022, premiums have returned to accessible levels – yet security architecture requirements continue rising. For managing directors, the question is no longer whether to buy coverage – but how: Which coverage fits your risk profile? Which exclusions are acceptable? And which security controls are prerequisites for insurability?

The most critical step isn’t signing the contract – it’s preparation: documenting IT security, understanding compliance requirements, and treating the policy as a complement – not a substitute – for technical safeguards. Get both right, and you’ll sleep better.

Frequently Asked Questions

Does cyber insurance cover ransom payments in ransomware attacks?

Some policies do – but with growing restrictions. Many insurers require pre-approval, cap payment amounts, or exclude ransom payments entirely in certain jurisdictions. In France, reimbursement has been contingent since 2023 on filing a police report within 72 hours.

Are GDPR fines insurable?

In Germany, insuring administrative fines remains legally contentious. Many policies nominally cover GDPR penalties – but add the caveat “where legally permissible.” Legal defense costs and compensation claims from affected individuals, however, are clearly insurable.

What happens if I provide false information in my application?

The insurer may reduce or fully deny coverage upon a claim. Most critical are misrepresentations about implemented security controls – like MFA or EDR. If these are found missing during an incident, this constitutes a breach of contractual obligations.

Do micro-businesses with fewer than 20 employees need cyber insurance?

Precisely because they rarely have in-house IT security capacity, micro-businesses are especially vulnerable. Premiums range from €1,500-€5,000 annually. Even the 24/7 emergency hotline and access to incident-response teams can prove existential in a crisis.

How do I find the right insurer?

Through a specialist broker. Providers like CyberDirekt, Finlex, or Marsh compare policies across multiple insurers, understand underwriting criteria, and negotiate superior terms. Buying directly from the first insurer you encounter often yields expensive policies with unfavorable exclusions.


Header Image Source: Pexels / Sora Shimazaki


A magazine by evernine media GmbH