What is Cyber Insurance?
Cyber insurance (also called cyber policy or cyber risk insurance) protects companies against the financial consequences of hacker attacks, ransomware (encryption trojans) and data loss. It covers both own damages and third-party liability claims.
Unlike traditional business insurance, cyber insurance covers digital risks: hacker attacks, ransomware attacks, data loss, business interruptions due to IT failures and liability claims for data protection violations. According to the BSI Lagebericht 2024 (Federal Office for Information Security, Germany), 309,000 new malware variants are created daily. That is an increase of 26 percent compared to the previous year.
Why Do Companies Need Cyber Insurance?
According to the Allianz Risk Barometer 2026, cyber incidents are the number one business risk worldwide for the fifth time in a row. The topic is particularly relevant for German companies. The Bitkom study Wirtschaftsschutz 2025 estimates the total damage from data theft, espionage and sabotage at 289.2 billion euros. Of this, 202.4 billion euros are attributable to cyber attacks.
SMEs are particularly in focus. The BSI Lagebericht 2024 shows: About 80 percent of reported cyber attacks target small and medium-sized companies. The reasons are obvious. SMEs often invest less in IT security, rarely have their own IT staff and have fewer reserves to financially withstand an attack.
Current Threat Landscape in Numbers
- 289.2 billion euros total damage for the German economy (Source: Bitkom, Wirtschaftsschutz 2025)
- 45,370 euros average cyber damage per incident (Source: GDV, Cybersicherheit dossier, 2024)
- 309,000 new malware programs daily (Source: BSI, Lagebericht 2024)
- 34 percent of companies suffered ransomware damage in the last twelve months (Source: Bitkom, 2025)
- 1.2 million euros average recovery costs after ransomware in Germany (Source: Sophos, State of Ransomware 2024)
What Does Cyber Insurance Cover?
A comprehensive cyber insurance policy consists of three building blocks. Which coverage is included depends on the respective tariff and insurer. Check which building blocks are relevant for your company before taking out a policy.
Coverage Overview by Building Block
| Feature | Own Damage | Third-Party Damage | Service |
|---|---|---|---|
| IT Forensics and Root Cause Analysis | ✓ | | ✓ |
| Data Recovery | ✓ | | |
| Business Interruption | ✓ | | |
| Ransom Payment (Ransomware) | ✓ | | |
| Liability for Data Protection Violation | | ✓ | |
| GDPR Notification Costs | | ✓ | |
| Defense Costs / Legal Disputes | | ✓ | |
| 24/7 Emergency Hotline | | | ✓ |
| Crisis Management and PR | ✓ | | ✓ |
| Training and Prevention | | | ✓ |
1. Own Damage (First-Party Coverage)
This building block covers the costs that arise for your company directly from a cyber incident:
- IT forensics (investigation after a cyber attack) and root cause analysis
- Data recovery and system repair
- Business interruption damage (lost revenue due to downtime)
- Ransom payments in ransomware cases, where legally permitted
- Crisis management and PR measures
2. Third-Party Damage (Third-Party Coverage)
- Liability claims for data protection violations
- Defense costs in legal disputes
- Notification costs according to GDPR Art. 34
- Damage compensation claims from customers and partners
3. Service Benefits
- 24/7 Emergency Hotline
- IT Forensics Experts
- Legal consultation in data protection cases
- PR and crisis communication
- Training for prevention
Cyber Insurance Test 2026
The analysis firm Franke & Bornberg rates commercial cyber insurance based on a detailed criteria catalog. Franke & Bornberg uses a seven-tier rating class scale from FFF+ (excellent) to F- (insufficient). This is the rating firm's own classification and is not equivalent to a school-grade scale.
Top-rated providers (Franke & Bornberg, status March 2026)
| Insurer | Rating class | Special feature |
|---|---|---|
| Alte Leipziger | FFF | Commercial and doctors tariff |
| HDI | FFF | Incl. cloud outage and technical errors |
| Baloise | FFF | Several configurations available |
| VHV (CyberProtect 3.0) | FFF | Modular design |
| Gothaer | FFF | GewerbeProtect and standalone |
Source: Franke & Bornberg — Rating Gewerbe-Cyberversicherung. Listing reflects providers in the highest rating class FFF as of March 2026. Ratings may change; no claim of completeness. Rankings between providers within the same class do not constitute a recommendation.
Note: A good rating alone is not enough. Check whether the tariff fits your industry and risk profile. An IT service provider needs different coverage modules than a trades business.
How Much Does Cyber Insurance Cost?
The premium depends on industry, revenue, number of employees, IT security level and desired coverage limit. Companies with documented IT security measures typically pay lower premiums.
Premium Overview by Company Size
| Company Size | Premium per Year | Typical Coverage Limit |
|---|---|---|
| Solo self-employed | from 230 EUR | 100,000-250,000 EUR |
| Micro enterprises (1-5 employees) | 300-800 EUR | 250,000-500,000 EUR |
| Small companies (6-20 employees) | 800-2,500 EUR | 500,000-1 million EUR |
| Medium companies (21-100 employees) | 2,500-8,000 EUR | 1-5 million EUR |
| Larger mid-sized companies (100+ employees) | from 8,000 EUR | 5 million EUR+ |
Reference values, as of March 2026. Premiums vary by provider, industry and IT security level. Detailed information can be found on our page Cyber Insurance Costs.
Damage Examples from Practice
Cyber attacks affect companies across all industries. The following scenarios show how cyber insurance works in practice.
IT Service Provider: Ransomware Encrypted Customer Data
An IT service provider with 12 employees becomes the victim of a ransomware attack. The attackers encrypt company data and demand 50,000 euros ransom. The business is shut down for eight days. Cyber insurance covers IT forensics, data recovery and lost income: totaling around 120,000 euros.
Medical Practice: Patient Data Stolen
A medical practice with four employees has patient data stolen through a phishing attack (fake emails for data harvesting). The practice must notify all affected individuals according to GDPR Art. 34, inform the data protection authority and expect damage compensation claims. Cyber insurance covers notification costs, legal consultation and liability: totaling around 85,000 euros.
Trades Business: Payment Fraud through Social Engineering
A painting business receives a fake email that looks like an invoice from a supplier. The business transfers 28,000 euros to the wrong account. Cyber insurance reimburses the amount minus the deductible and covers the costs for IT security measures to prevent future attacks.
NIS-2: What Changes for Companies?
The NIS-2 Implementation Act has been in force in Germany since December 6, 2025 (Source: Bundesregierung). It significantly expands the circle of companies that must implement mandatory cybersecurity measures.
Affected are companies in certain sectors that exceed legally defined thresholds for employees, revenue or balance sheet total. They fall into the categories "essential entities" or "important entities" and must, among other things:
- Implement technical and organizational security measures
- Report security incidents within 24 hours
- Register with the BSI portal (available since January 2026)
- Conduct regular risk assessments
Cyber insurance does not replace these obligations. However, it covers the financial consequences if an incident occurs despite security measures. Detailed information can be found in our Guide to the NIS-2 Directive.
For Whom is Cyber Insurance Worthwhile?
In principle, any company that processes digital data or depends on functioning IT systems benefits from cyber insurance. The protection is particularly important for:
- Doctors, lawyers, tax advisors: sensitive client and patient data
- IT service providers: liability to customers for security incidents
- Online merchants and e-commerce: payment data and customer data
- Trades businesses: increasingly digitalized order processing
- SMEs in general: growing regulatory requirements through NIS-2
- Freelancers and self-employed: often no IT staff, but responsibility for customer data
Who is cyber insurance suitable for?
Suitable for
- SMEs with digital business processes
- Companies with sensitive customer data (doctors, lawyers, tax advisors)
- IT service providers and software companies
- Online merchants and e-commerce companies
- Companies falling under the NIS-2 directive
- Trades businesses with digital order processing
Less suitable for
- Companies without digital processes or IT systems
- Businesses without customer data or sensitive information
- Companies with comprehensive IT risk coverage through existing policies
Checklist: Do You Need Cyber Insurance?
Answer the following questions. The more points apply, the more urgent cyber insurance is for your company.
- Do you process personal data (customers, employees, patients)?
- Does your business depend on functioning IT systems?
- Do you use cloud services or store data externally?
- Do you have fewer than 50 employees (and thus limited IT resources)?
- Would a multi-day IT outage be existential for your company?
- Does your company fall under the NIS-2 directive?
- Do you work with sensitive business data (patents, contracts, financial data)?
- Do business partners or investors require cyber insurance?
If three or more points apply, cyber insurance is strongly recommended. If five or more apply, you should compare offers promptly.
What to Look for When Comparing?
When choosing cyber insurance, not only premium and coverage limit matter. Check the following criteria:
- Coverage limit (maximum reimbursement amount): Does it match the potential damage to your company?
- Deductible (own share in case of damage): Higher deductible lowers premium, but increases your risk.
- Sublimits: Are there partial limits for individual services (e.g., business interruption, ransom)?
- Exclusions: Which damage types are not covered? Common exclusions are damage caused by outdated software and by intentional actions.
- Response time: How quickly is emergency support available (24/7 hotline)?
- Industry suitability: Does the tariff cover the specific risks of your industry?
Use our independent comparison to obtain suitable offers for your company.
Conclusion
Cyber insurance protects SMEs, freelancers and self-employed from the financial consequences of hacker attacks, data breaches and IT failures. Costs start at around 200 EUR per year and depend on industry, revenue and desired coverage limit.
Key is that the policy covers both own and third-party damages and offers a 24/7 emergency hotline. Use our independent comparison to compare tariffs and coverage from different providers.
