Stand-alone Cyber Insurance Can Save Unprepared Small Businesses, Survey Finds

Insurance Information Institute (I.I.I.) and J.D. Power 2018 Small Business Cyber Insurance and Security Spotlight Survey Reveals Massive Cyber Insurance Gap


Sheena Bermingham, Coburn Communication: (212) 730-7045;   
Insurance Information Institute New York Press Office: (212) 346-5500;

NEW YORK (October 18, 2018)— Cyber incidents hit one of every 10 U.S. small businesses last year yet only about one third of them had cyber insurance, according to a survey conducted jointly by the Insurance Information Institute (I.I.I.) and J.D. Power.

The survey results were released today in an eight-page report entitled, Small Business, Big Risk: Lack of Cyber Insurance Is a Serious Threat. Ten percent of the small businesses surveyed had one or more cyber incidents in 2017, resulting in a typical loss of $188,400, an increase of $73,000 from the year before, according to the J.D. Power 2016 Cyber Insurance Pulse StudySM

The overwhelming majority (91 percent) of the small businesses surveyed have 50 or fewer employees. Stand-alone cyber insurance policies typically offer liability coverage for losses related to data breaches. When filing a cyber incident-related insurance claim under these policies, a small business is usually able to recoup its legal and investigative fees as well as the costs the business incurred when contacting customers impacted by their data breach.

“Keeping consumers educated about the value and need of stand-alone cyber insurance coverage is absolutely critical given today’s environment of small businesses being under constant threat or attack,” said Sean Kevelighan, Chief Executive Officer of the Insurance Information Institute. “Insurers are bringing both value and security to their small business customers as long as they can help clients understand how cyber coverages work.”

According to the Insurance Information Institute’s analysis of the survey’s findings:

  • Concern for cyberthreats is growing. Nearly 60 percent of respondents said that their company is very concerned about cyber incidents – and 70 percent think that the risk of being a victim of a cyberattack is growing at an alarming rate. Moreover, nearly half of respondents said their company is not fully equipped to handle cybersecurity threats.
  • Coverage of cyberthreat doesn’t match concern.  Fifty-nine percent of businesses do not have cyber coverage, with the top three reasons being: their business risk profile does not warrant coverage (42 percent); the premiums are too expensive (36 percent); or they felt that the risk is sufficiently handled internally (27 percent).
  • Motivation for cyber coverage varies.  Potential impacts to a business as a result of a cyber incident in rank order are financial loss (47 percent); information breach/theft (35 percent); reputation/brand image issues (14 percent); and regulatory/governance and legal issues (4 percent).
  • Business interruption is the most common type of loss from a cyber incident. Of the 10 percent of companies that had experienced a cyber incident in the past year, 44 percent reported losses from business interruption. Another 33 percent said that they suffered losses from data loss or corruption. Twenty-three percent said they suffered losses from data breaches.

“Insurers have the opportunity to add incredible value for their small business customers through proper education, training and risk assessment services regarding cybersecurity. This survey found it is still a poorly understood and underpenetrated coverage with valuable future growth opportunities for the insurance industry,” noted Jessica McGregor, Director of Insurance at J.D. Power. 

The majority of small businesses that currently have coverage are satisfied with their plans, rating customer satisfaction at an average of 7.19 on a scale of 1 to 10. Those surveyed that experienced a cyberattack and had cyber coverage indicated that their insurance adequately covered their losses (97 percent). Sixty-eight percent of respondents who had cyber insurance said their insurer helps with some form of cyber risk mitigation. Forty percent said their insurer offers contingency planning for data breaches, and 51 percent said their insurer offers a risk assessment of their business’s vulnerability to data breaches. Seventy-six percent of businesses with an incident – but without cyber coverage – said that their internal mitigation efforts were adequate to address cyber loss, leaving 24 percent exposed to losses without insurance or adequate mitigation.

Companies can best protect themselves from cyber-related financial losses with a cyber insurance policy. These policies typically offer liability coverage (and sometimes partial property coverage) for losses related to data breaches. Most of these policies cover a commercial insured’s losses related to the loss of personally identifiable information and expenses from a data breach. These expenses can include legal expenses, investigating a breach, notifying people affected by the breach, managing the insured’s reputation and other crisis-management expenses, and recovering lost or corrupted data.

Some insurance policies also offer coverage for business interruption losses – losses related to expenses and lost revenue resulting from a breached system. Others may also offer “cyberextortion” coverage, which covers costs resulting from an extortion event such as ransomware.

The Insurance Information Institute (I.I.I.) and J.D. Power 2018 Small Business Cyber Insurance and Security Spotlight Survey reached 536 respondents, comprised of small businesses from across various industries and sectors (85 percent), and insurance brokers, agencies, carriers and third-party suppliers (15 percent).



Insurance Information Institute, 110 William Street, New York, NY 10038,

About the Insurance Information Institute
For nearly 60 years, the Insurance Information Institute (I.I.I.) has been the leading independent source of objective information, insight, analysis and referral on insurance for a wide range of audiences, including: Consumers, insurance professionals, the media, government and regulatory organizations, educational institutions and students. The I.I.I.’s mission is to improve public understanding of insurance—what it does and how it works. The I.I.I. is an industry supported organization, but does not lobby for insurance businesses; instead, our central function is to provide accurate and timely information on insurance subjects.

About J.D. Power
J.D. Power is a global leader in consumer insights, advisory services and data and analytics. These capabilities enable J.D. Power to help its clients drive customer satisfaction, growth and profitability. Established in 1968, J.D. Power is headquartered in Costa Mesa, Calif., and has offices serving North/South America, Asia Pacific and Europe. J.D. Power is a portfolio company of XIO Group, a global alternative investments and private equity firm headquartered in London, and is led by its four founders: Athene Li, Joseph Pacini, Murphy Qiao and Carsten Geyer. 

Back to top