27.06.2025

Cyber insurance: Security or false security?

Why cyber insurance is no substitute for a company's IT security measures, but only a supplement to them.

Background:
According to the Allianz Risk Barometer 2025, cyber attacks are once again one of the biggest business risks worldwide. Medium-sized companies in particular are increasingly confronted with the consequences of hacker attacks: data loss, business interruptions and financial damage are just some of them.

Cyber insurance - What's behind it?
Cyber insurance promises to cushion the financial losses that follow a security incident. Policies cover, for example, the costs of IT forensics, crisis communication, legal advice or data recovery. Claims from third parties, such as business partners or customers, can also be covered if their data was compromised by the attack.

But protection starts earlier.
Insurance alone is not enough. Many companies - especially small and medium-sized enterprises - underestimate how quickly their own IT infrastructure can be compromised through social engineering or unpatched vulnerabilities. According to a survey by GDV and Forsa, 69 % of the companies surveyed do not even have basic IT security measures in place.

What companies need to do now:

  • Implement IT security measures: this includes, for example, regular backups, firewalls and timely updates.
  • Train employees: social engineering targets the human factor, so continuous awareness training is necessary here.
  • Review cyber insurance: a policy can make sense if it is tailored to the specific risks and needs of the company.

Cyber insurance offers opportunities...
A good policy can help companies to minimize damage and react quickly in an emergency - especially when it comes with 24/7 support or clear action plans. However, it is not a panacea.

...but no shortcut to safety
Only those who actively take care of their IT security meet the requirements for taking out such insurance. Insurers generally demand minimum standards - those who do not meet them will either be refused cover or will be denied benefits in the event of a claim.

Important:
The obligations that come with a cyber insurance policy are now so demanding that they can only be met with a very high level of security. This includes established vulnerability management, a documented ISMS in accordance with common standards (e.g. ISO/IEC 27001) and continuous monitoring of security-relevant systems.
Even in the event of a claim, the utmost care is required: strict reporting deadlines apply, and the insurer checks very carefully afterwards whether all contractually agreed obligations have been met - with the clear aim of not having to pay out in case of doubt.

Conclusion:
Cyber insurance makes sense - but only as part of a holistic IT security concept. Companies should not focus on "What does the insurance pay for?", but rather ask: "How can I prevent an emergency from occurring in the first place?"


"Cyber insurance is not a free ride - they check meticulously in the event of an emergency. If you don't meet the high security requirements, you're stuck with the damage.
The aim must be to avoid having to rely on insurance in the first place - because image and reputation cannot be insured.
Security remains a top priority." - Florian Laumer, Customer Success Manager, PASSION4IT GmbH