What is Cyber Insurance?
Cyber insurance (also called a cyber policy or cyber risk insurance) protects companies against the financial consequences of hacker attacks, ransomware (encryption trojans) and data loss. It covers both your own damages and third-party liability claims.
Regular business insurance stops at physical and professional risks. Cyber insurance steps in for the digital ones: hacker attacks, ransomware, data loss, business interruption after an IT failure and liability claims for data protection breaches. The scale of the threat is not abstract. The BSI Lagebericht 2024 (Federal Office for Information Security, Germany) counts 309,000 new malware variants every day, 26 percent more than the year before.
Find the guide for your business
Cover needs and premiums differ by business type. Pick your situation to jump straight to the right comparison.
Why Do Companies Need Cyber Insurance?
Cyber attacks rank among the top business risks for German companies. The Bitkom study Wirtschaftsschutz 2025 estimates the total damage from data theft, espionage and sabotage at 289.2 billion euros (Source: Bitkom, Wirtschaftsschutz 2025). Of this, 202.4 billion euros are attributable to cyber attacks.
Smaller companies carry much of that burden. The BSI Lagebericht 2024 reports that about 80 percent of recorded cyber attacks hit small and medium-sized companies. They tend to spend less on IT security, rarely employ dedicated IT staff and hold fewer reserves to absorb the cost of an incident. That combination makes a single attack disproportionately expensive for them.
Cyber Attack Statistics for Germany
- 289.2 billion euros total damage for the German economy (Source: Bitkom, Wirtschaftsschutz 2025)
- 45,370 euros average cyber damage per incident (Source: GDV, Cybersicherheit dossier, 2024)
- 309,000 new malware programs daily (Source: BSI, Lagebericht 2024)
- 34 percent of companies suffered ransomware damage in the last twelve months (Source: Bitkom, Wirtschaftsschutz 2025)
What Does Cyber Insurance Cover?
A comprehensive cyber insurance consists of three building blocks. Which coverage is included depends on the respective tariff and insurer. Check which building blocks are relevant for your company before signing up.
Coverage Overview by Building Block
| Merkmal | Own Damage | Third-Party Damage | Service |
|---|---|---|---|
| IT Forensics and Root Cause Analysis | |||
| Data Recovery | |||
| Business Interruption | |||
| Ransom Payment (Ransomware) | |||
| Liability for Data Protection Violation | |||
| GDPR Notification Costs | |||
| Defense Costs / Legal Disputes | |||
| 24/7 Emergency Hotline | |||
| Crisis Management and PR | |||
| Training and Prevention |
1. Own Damage (First-Party Coverage)
This building block covers the costs that arise for your company directly from a cyber incident:
- IT forensics (investigation after a cyber attack) and root cause analysis
- Data recovery and system repair
- Business interruption damage (lost revenue due to downtime)
- Ransom payments in ransomware cases, where legally permitted
- Crisis management and PR measures
2. Third-Party Damage (Third-Party Coverage)
- Liability claims for data protection violations
- Defense costs in legal disputes
- Notification costs according to GDPR Art. 34
- Damage compensation claims from customers and partners
3. Service Benefits
- 24/7 Emergency Hotline
- IT Forensics Experts
- Legal consultation in data protection cases
- PR and crisis communication
- Training for prevention
Which Providers Score Best in Independent Ratings?
The analysis firm Franke & Bornberg rates commercial cyber insurance against a detailed criteria catalogue. It applies a seven-tier scale from FFF+ (excellent) down to F- (insufficient). This is the firm's own classification and does not map onto a school-grade scale.
Top-rated providers (Franke & Bornberg, status March 2026)
| Insurer | Rating class | Special feature |
|---|---|---|
| Alte Leipziger | FFF | Commercial and doctors tariff |
| HDI | FFF | Incl. cloud outage and technical errors |
| Baloise | FFF | Several configurations available |
| VHV (CyberProtect 3.0) | FFF | Modular design |
| Gothaer | FFF | GewerbeProtect and standalone |
Source: Franke & Bornberg — Rating Gewerbe-Cyberversicherung. Listing reflects providers in the highest rating class FFF as of March 2026. Ratings may change; no claim of completeness. Rankings between providers within the same class do not constitute a recommendation.
Note: A good rating alone is not enough. Check whether the tariff fits your industry and risk profile. An IT service provider needs different coverage modules than a trades business.
How Much Does Cyber Insurance Cost?
The premium depends on industry, revenue, number of employees, IT security level and desired coverage limit. Companies with documented IT security measures typically pay lower premiums.
Premium Overview by Company Size
| Company Size | Premium per Year | Typical Coverage Limit |
|---|---|---|
| Solo self-employed | from 230 EUR | 100,000-250,000 EUR |
| Micro enterprises (1-5 employees) | 300-800 EUR | 250,000-500,000 EUR |
| Small companies (6-20 employees) | 800-2,500 EUR | 500,000-1 million EUR |
| Medium companies (21-100 employees) | 2,500-8,000 EUR | 1-5 million EUR |
| Larger mid-sized companies (100+ employees) | from 8,000 EUR | 5 million EUR+ |
Reference values, as of March 2026. Premiums vary by provider, industry and IT security level. Detailed information can be found on our page Cyber Insurance Costs.
Damage Examples from Practice
Cyber attacks affect companies across all industries. The following scenarios show how cyber insurance works in practice.
IT Service Provider: Ransomware Encrypted Customer Data
An IT service provider with 12 employees becomes the victim of a ransomware attack. The attackers encrypt company data and demand 50,000 euros ransom. The business is shut down for eight days. Cyber insurance covers IT forensics, data recovery and lost income: totaling around 120,000 euros.
Medical Practice: Patient Data Stolen
A medical practice with four employees has patient data stolen through a phishing attack (fake emails for data harvesting). The practice must notify all affected individuals according to GDPR Art. 34, inform the data protection authority and expect damage compensation claims. Cyber insurance covers notification costs, legal consultation and liability: totaling around 85,000 euros.
Trades Business: Payment Fraud through Social Engineering
A painting business receives a fake email that looks like an invoice from a supplier. The business transfers 28,000 euros to the wrong account. Cyber insurance reimburses the amount minus the deductible and covers the costs for IT security measures to prevent future attacks.
NIS-2: What Changes for Companies?
The NIS-2 Implementation Act has been in force in Germany since December 6, 2025 (Source: Bundesregierung). It significantly expands the circle of companies that must implement mandatory cybersecurity measures.
Affected are companies in certain sectors that exceed legally defined thresholds for employees, revenue or balance sheet. They fall into the categories "essential entities" or "important essential entities" and must, among other things:
- Implement technical and organizational security measures
- Report security incidents within 24 hours
- Register with the BSI portal (available since January 2026)
- Conduct regular risk assessments
Cyber insurance does not replace these obligations. It covers the financial fallout when an incident slips through despite your security measures. For the full picture, read our guide to the NIS-2 Directive. If your work involves professional advice or services for clients, pair cyber cover with professional liability insurance, which handles claims from professional errors that a cyber policy does not.
For Whom is Cyber Insurance Worthwhile?
In principle, any company that processes digital data or depends on functioning IT systems benefits from cyber insurance. The protection is particularly important for:
- Doctors, lawyers, tax advisors: sensitive client and patient data
- IT service providers: liability to customers for security incidents
- Online merchants and e-commerce: payment data and customer data
- Trades businesses: increasingly digitalized order processing
- SMEs in general: growing regulatory requirements through NIS-2
- Freelancers and self-employed: often no IT staff, but responsibility for customer data
Who is cyber insurance suitable for?
Suitable for
- SMEs with digital business processes
- Companies with sensitive customer data (doctors, lawyers, tax advisors)
- IT service providers and software companies
- Online merchants and e-commerce companies
- Companies falling under the NIS-2 directive
- Trades businesses with digital order processing
Less suitable for
- Companies without digital processes or IT systems
- Businesses without customer data or sensitive information
- Companies with comprehensive IT risk coverage through existing policies
Checklist: Do You Need Cyber Insurance?
Answer the following questions. The more points apply, the more urgent cyber insurance is for your company.
- Do you process personal data (customers, employees, patients)?
- Does your business depend on functioning IT systems?
- Do you use cloud services or store data externally?
- Do you have fewer than 50 employees (and thus limited IT resources)?
- Would a multi-day IT outage be existential for your company?
- Does your company fall under the NIS-2 directive?
- Do you work with sensitive business data (patents, contracts, financial data)?
- Do business partners or investors require cyber insurance?
From three applicable points, cyber insurance is strongly recommended. From five points, you should compare offers promptly.
What to Look for When Comparing?
When choosing cyber insurance, not only premium and coverage limit matter. Check the following criteria:
- Coverage limit (maximum reimbursement amount): Does it match the potential damage to your company?
- Deductible (own share in case of damage): Higher deductible lowers premium, but increases your risk.
- Sublimits: Are there partial limits for individual services (e.g., business interruption, ransom)?
- Exclusions: What damage types are not covered? Checking outdated software, intentional actions.
- Response time: How quickly is emergency support available (24/7 hotline)?
- Industry suitability: Does the tariff cover the specific risks of your industry?
Use our independent comparisonto obtain suitable offers for your company.
Which Cyber Insurance Is Right for You?
Cyber insurance protects businesses, freelancers and the self-employed against the financial fallout of hacker attacks, data breaches and IT failures. Premiums start at roughly 230 euros per year and rise with your revenue, headcount and the coverage limit you choose.
The most important criterion is that the policy covers both your own and third-party damages and provides a 24/7 emergency hotline. Beyond that, the right choice depends on your business type. A freelancer needs a different setup than a 50-person company. Start with the SME guide or the segment links above, then use our independent comparison to weigh tariffs and coverage from different providers.
Note: The information on this page is for general guidance only. It does not replace individual advice from a licensed insurance broker or adviser. Premium ranges and ratings are reference values as of March 2026 and can change.
