I recently spoke with the CFO of a large manufacturing company. His firm had survived a ransomware attack eight months earlier — three weeks of downtime, losses running into millions, nerves stretched to the limit. When I asked whether they had a cyber policy, his answer did not surprise me: “We did. We thought we did. It turned out that several conditions had not been met, and the insurer refused to pay the full amount.” This is not an exceptional story — it is one I hear regularly.
In the last quarter, three clients asked me the same question: “Is it worth buying cyber insurance, or is it just another cost with no real value?” The answer is: it depends — on what the policy covers, how well the company prepares for it, and whether it understands that insurance is a transfer of risk, not its elimination. In this article I describe everything that CFOs, CISOs and business owners should know before signing a contract with an insurer.
What is cyber insurance and why is demand for it growing?
Cyber insurance (also known as cyber liability insurance) is a financial product that protects an organisation against losses arising from cyberattacks, data breaches and related events. In simple terms: the insurer takes on part of the financial risk arising from incidents in cyberspace — in exchange for a regularly paid premium. It is a risk management instrument, not a substitute for investment in security.
Demand for this product is growing rapidly for several reasons. The global cyber insurance market reached a value of over 16 billion dollars in 2024 and, according to Munich Re forecasts, will exceed 29 billion dollars by 2027. In Poland the market is still relatively young, but the growth rate is one of the highest in Europe — driven primarily by the surge in ransomware attacks and the entry into force of the NIS2 directive.
Behind this growth lie hard numbers on losses. The IBM Cost of a Data Breach Report 2024 indicates that the average global cost of a data breach is 4.88 million dollars. In Poland and the CEE region the figures are lower, but for a medium-sized Polish company a ransomware incident with three weeks of operational downtime can mean a loss of between 2 and 15 million PLN — depending on the industry, scale and client base. For many companies this is a sum that can determine their survival.
Regulatory change is also significant. The NIS2 directive, implemented in Poland through the amendment of the Cybersecurity Act (KSC), introduces personal liability of management boards for cybersecurity and sanctions reaching 10 million euros or 2% of global turnover. In this context, boards have begun to treat cyber insurance not as an optional add-on but as an element of corporate governance — much like liability or Directors and Officers insurance.
Cyber insurance is a financial risk transfer instrument — it does not eliminate threats, but it protects the company’s balance sheet from the catastrophic consequences of an incident. Its value depends on how well the organisation understands what the policy actually covers.
What does a typical cyber policy cover — scope of protection and exclusions?
A typical cyber policy divides protection into two categories: first-party coverage and third-party liability. Understanding this distinction is crucial, because many organisations believe they are buying broad coverage when in reality only selected elements are covered.
The scope of first-party coverage typically includes: incident response costs (forensics, crisis PR, notifications to the regulator and affected parties), losses from business interruption, costs of data and system recovery, fees for decryption or negotiations with attackers (some insurers have specialised units for contact with ransomware groups), and regulatory fines and penalties to the extent permitted by law.
Third-party liability coverage addresses: claims from clients and partners arising from the breach of their data, costs of legal proceedings and settlements, privacy violations (GDPR), and in some policies — reputational damage and crisis communications management costs.
However, what a policy excludes is just as important as what it covers. Standard exclusions include: incidents caused by the organisation’s own employees acting with deliberate intent (insider threats with intent to cause harm), losses resulting from pre-existing vulnerabilities known before the policy was taken out, attacks attributed to state actors (war exclusion — particularly contentious following the ruling in Merck vs. Ace American Insurance), speculative cryptocurrency losses, and damage arising from inadequately maintained IT infrastructure.
Particular attention is drawn to the growing number of exclusions relating to nation-state attacks. Following the Russian invasion of Ukraine, several major insurers began refining clauses excluding losses from attacks attributed to states. For companies operating in sectors that are historically targeted by such attacks (energy, critical infrastructure, defence), this can represent a serious gap in coverage.
Before signing a policy, it is worth commissioning a lawyer specialising in cyber insurance to carry out a thorough review of the exclusion clauses — particularly those relating to war exclusions, known vulnerabilities and procedural requirements whose non-fulfilment may lead to a claim being refused.
How much does cyber insurance cost in Poland — factors affecting the premium?
The question of price is always the first one I hear from CFOs. The direct answer: a cyber policy for a medium-sized Polish company (50–500 employees, turnover of 50–200 million PLN) typically costs between 15,000 and 150,000 PLN per year for cover limits of 2 to 10 million PLN. The range is enormous and stems directly from the risk profile of the specific organisation.
The key factors shaping the premium are, first and foremost, the industry and the type of data processed. Companies in the healthcare, financial, legal and sensitive-data-processing sectors pay up to three to five times more than manufacturing companies with a similar revenue. Processing payment card data or personal data at scale automatically raises risk in the insurer’s eyes.
The second factor is the history of incidents. A company that survived a ransomware attack 18 months ago will pay significantly more, or may not be offered a policy at all by some insurers. What matters critically is how the organisation responded to the incident and what it implemented afterwards — insurers ask detailed questions about remedial action.
The third factor — and the one companies can actively shape — is the level of security maturity. Implemented MFA, EDR, network segmentation, regular backups tested for recovery, a SOC or 24/7 monitoring, formal incident response procedures — each of these elements lowers the premium. Insurers have detailed checklists and assess the organisation almost like security auditors.
The fourth factor is the sum insured and the deductible. A higher deductible — for example 200,000 PLN instead of 50,000 PLN — can reduce the annual premium by 30–40%. For a company that has the cash to cover smaller incidents but needs protection against a catastrophic scenario, a higher deductible is a sensible strategy.
It is worth remembering that the cyber insurance market has changed significantly in the last three years. Following the wave of ransomware attacks in 2020–2022, insurers raised premiums, increased requirements and limited sums insured. Today the market has stabilised somewhat, but insurers are far more demanding than they were five years ago — the application form can run to 50 pages.
The annual premium for cyber insurance should be considered in the context of potential loss. If a week of operational downtime would cost your company 2 million PLN, and the policy costs 40,000 PLN per year — that is 2% of the potential loss. From this perspective, the question is not “can we afford it”, but “can we afford to be without protection”.
What security requirements do insurers impose before issuing a policy?
When a company approaches an insurer for a cyber policy, it receives an application questionnaire to complete. This document, if completed honestly and accurately, describes the organisation’s current level of security. False answers — even through oversight — may provide grounds for a claim to be refused after an incident. It is therefore worth knowing what insurers expect.
The absolute minimum level, below which most insurers will refuse to issue a policy or will offer it on very unfavourable terms, includes:
- Multi-factor authentication (MFA) on access to critical systems — email, VPN, financial systems, administrative tools. This is the single factor with the highest weighting in risk assessment. Companies without MFA on email are automatically rejected by many insurers.
- Regular creation and testing of backups — the key word is “testing”. Backups that have never been tested for actual recovery are not backups in the insurer’s understanding. Documentation of tests is required.
- Antivirus software and EDR on all workstations and servers. EDR in particular — advanced endpoint detection and response — is becoming a standard requirement.
- An Incident Response Plan (IRP) — documented, known to key employees, regularly exercised. The insurer may request the document to be provided.
- Patch and vulnerability management — regular updates of operating systems and software, a process for tracking and eliminating vulnerabilities within a defined timeframe.
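The backup requirement above is the one most often met on paper rather than in practice: a schedule exists, but nobody can produce a record of a restore that actually worked. The Python script below is an added example, not part of the original article and not any insurer's material: it backs up a directory, restores it to a separate location, compares every file's SHA-256 hash with the original, writes a JSON evidence record of the kind an underwriter asks to see, and then shows that a silently altered file in the restored copy is detected rather than passed. The sample files, the layout of the evidence record and the function names are this example's own assumptions.

```python
"""Backup restore test with a written evidence record (added example).

Constructed for illustration: back up a directory, restore it elsewhere,
verify every file by hash, and write a JSON record of the outcome.
"""
import hashlib
import json
import os
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path):
    """Stream the file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def file_hashes(root):
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_of(p) for p in root.rglob("*") if p.is_file()}


def create_backup(source, archive):
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(source), arcname=".")


def restore_backup(archive, dest):
    with tarfile.open(str(archive), "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):   # Python 3.12+: reject entries escaping dest
            tar.extractall(str(dest), filter="data")
        else:
            tar.extractall(str(dest))


def verify_restore(source, restored):
    """Compare the restored tree with the original, file by file, by hash."""
    expected, actual = file_hashes(source), file_hashes(restored)
    missing = sorted(set(expected) - set(actual))
    extra = sorted(set(actual) - set(expected))
    mismatched = sorted(k for k in expected.keys() & actual.keys() if expected[k] != actual[k])
    passed = not (missing or extra or mismatched)
    return {"result": "PASS" if passed else "FAIL", "files_checked": len(expected),
            "missing": missing, "extra": extra, "mismatched": mismatched}


def run_restore_test(source, workdir, evidence_path):
    """Full cycle: back up, restore into a fresh directory, verify, write the evidence record."""
    archive = Path(workdir) / "backup.tar.gz"
    restored = Path(workdir) / "restored"
    restored.mkdir()
    create_backup(source, archive)
    restore_backup(archive, restored)
    record = verify_restore(source, restored)
    record.update({"tested_at": datetime.now(timezone.utc).isoformat(),
                   "source": str(source), "archive_sha256": sha256_of(archive)})
    # This file is the documentation the insurer asks for; keep it with the policy records.
    Path(evidence_path).write_text(json.dumps(record, indent=2))
    return record


def demo():
    """Constructed sample data: three small files, one in a subdirectory."""
    tmp = Path(tempfile.mkdtemp(prefix="restore-test-"))
    source = tmp / "data"
    (source / "finance").mkdir(parents=True)
    (source / "config.ini").write_text("[db]\nhost=db01\n")
    (source / "finance" / "ledger.csv").write_text("2024-01-01,invoice,1200\n")
    (source / "blob.bin").write_bytes(os.urandom(4096))
    clean = run_restore_test(source, tmp, tmp / "restore-test-evidence.json")
    # A restore that silently altered a file must be reported as FAIL, not PASS:
    (tmp / "restored" / "config.ini").write_text("[db]\nhost=db02\n")
    corrupted = verify_restore(source, tmp / "restored")
    return {"clean": clean, "corrupted": corrupted}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the record is that it is dated, names the archive by hash, and lists what was compared; a restore test that leaves no such artefact behind is, in the insurer's reading, not a test. In a real environment the restore target would be a separate host or an isolated recovery environment, not a temporary directory next to the source.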
In addition, insurers are increasingly requiring: network segmentation (in particular separation of OT and IT environments), an access policy based on the principle of least privilege, encryption of sensitive data at rest and in transit, monitoring of privileged user activity, and a formal cyberhygiene training programme for employees.
It should be emphasised that insurers are becoming increasingly sophisticated in their assessment of organisations. Some of them use external cyber risk assessment platforms (such as BitSight, SecurityScorecard) that automatically scan a company’s external attack surface — without the applicant’s knowledge. Data from these scans influences the underwriter’s decision. Organisations with publicly visible vulnerabilities, outdated SSL or open ports may receive higher premiums or refusals.
When completing the application questionnaire, never “embellish” your answers. The insurer has access to independent data about your company’s external attack surface. A discrepancy between the declared state and the actual reality is the classic basis for a claim to be refused.
How does NIS2 affect the cyber insurance market?
The NIS2 directive and its Polish implementation through the amendment to the Cybersecurity Act (KSC) are changing the cyber insurance market on several levels simultaneously. This is not merely a regulatory matter — it is a fundamental shift in the approach to cyber risk transfer in European organisations.
First and foremost, NIS2 dramatically raises the bar for security requirements — and these are precisely the same requirements that insurers expect. Risk management, incident response procedures, supply chain security, regular training, encryption, MFA — the list from Article 21 of the NIS2 directive almost perfectly mirrors the cyber insurance underwriter’s checklist. For companies that take NIS2 compliance seriously, obtaining a policy on favourable terms will become a natural consequence.
However, NIS2 also introduces new challenges for the insurance market. Personal liability of the management board and potential sanctions of up to 10 million euros are not standardly covered by a cyber policy — this falls more within the domain of D&O (Directors and Officers) insurance. Companies seeking comprehensive protection should analyse how their cyber and D&O policies interact with each other. The gap between these two products can prove costly.
The obligation to report incidents within 24 hours (preliminary notification) and 72 hours (detailed report) arising from NIS2 has a direct bearing on cyber policies. Insurers have begun verifying whether a company has the operational capability to detect and report an incident within these timeframes. Organisations without continuous monitoring (SOC or SIEM) face a problem both with the regulator and with the insurer.
It is also worth mentioning the question of risk accumulation. Insurers, observing a growing portfolio of cyber policies in the NIS2 era, are becoming more cautious in estimating exposure to systemic scenarios — such as a mass attack on a popular cloud platform or an IT service provider serving hundreds of companies simultaneously (the problem of technology monocultures). This may translate into increasing exclusions or limits for such scenarios.
Companies preparing for NIS2 compliance and those seeking to obtain a favourable cyber policy are investing in the same areas: risk management, response procedures, MFA, monitoring. NIS2 compliance and cyber insurability are two objectives effectively achieved through a single security strategy.
Does cyber insurance replace investment in security?
This question comes up regularly in conversations with management boards — particularly in the context of IT budget cuts. The answer is unambiguous: no. And not only because the insurer requires you to maintain a defined level of security as a condition of the policy. The arguments go deeper.
First, insurance covers financial losses — not operational ones. When a company is standing still for three weeks after a ransomware attack, the policy will reimburse the costs of forensics, data recovery and part of the lost revenue. It will not, however, return the lost trust of clients, the damaged reputation, contracts that were not renewed, or key employees who decided to leave in the chaos of the incident. These losses are real and often exceed the value of the insurance — they simply are not in the policy.
Second, the logic of insurance assumes that risk is a random event with a defined probability. A cyberattack on a company with undocumented infrastructure, no MFA, no backups and no security policies whatsoever is not a “risk”. It is near certainty over the course of a few years. Insurers understand this and price accordingly — either refusing to issue a policy or making it so expensive that it ceases to make economic sense.
Third, every good cyber policy contains co-insurance condition clauses — the company must maintain the declared level of security throughout the policy period. If after signing the contract the company dispenses with EDR, neglects system updates or stops making backups — and an incident occurs — the insurer has grounds to refuse payment or reduce it. A policy bought “on paper”, without real investment in security, is a false sense of security.
The correct way to think about the relationship between security and insurance: investment in security reduces the probability and scale of an incident (and lowers the premium), while insurance covers the remaining financial risk that cannot be eliminated by any reasonable security budget. These are complementary, not alternative, instruments.
Cyber insurance makes sense as the last line of financial defence — but only when real lines of technical and organisational defence stand before it. Buying a policy instead of investing in security is like buying a life jacket instead of repairing a hole in the hull of a boat.
How does the claims process work after a cyberattack?
Many clients who have bought a cyber policy have never considered what the actual claims process looks like. This is a mistake — because preparation for this process begins before the incident, not after it. The difference between a smooth settlement and a refused claim often depends on the actions taken in the first hours after an attack is detected.
The first step after detecting an incident is to notify the insurer immediately — not after the crisis has ended, but as quickly as possible. Most policies require notification within 24–72 hours of detecting the event. A delay may provide grounds for claims to be challenged. Upon receiving the notification, the insurer typically assigns a coordinator and — if the policy covers it — dispatches its own specialists to the company: forensics analysts, lawyers, crisis PR management.
It is crucial that, before any incident, the organisation has clearly defined: who calls the insurer, when, and with what information. The insurer’s phone number (incident hotline) should be known to the CISO, CTO and compliance officer — not sitting in a drawer with the policy documents.
After notification, the insurer opens proceedings and begins collecting documentation. This is where the biggest trap appears: any expenditure incurred without the insurer’s approval may not be reimbursed. If the company engages external forensics specialists independently, before the insurer has approved their involvement — it may turn out that the cost of that engagement is not covered by the policy. The expenditure approval procedure must be understood and respected in the heat of the crisis.
In practice, claims settlement takes from several weeks to several months. The insurer examines the causes of the incident in detail, checks whether the company was meeting the policy conditions at the time of the attack, and verifies the reported losses and costs. Every discrepancy, every lack of documentation, every declaration in the application questionnaire that turns out to be untrue — these are arguments for the insurer to reduce the payment or refuse it entirely.
A good practice is to conduct a trial “fire drill” with the insurer or broker — a simulation of the first 24 hours of an incident and verification that the organisation knows what to do. Many insurers offer such workshops as part of the policy or for an additional fee. This is an investment that can determine whether the payment is made in full.
Cyber claims settlement is a legal and financial process, not merely a technical one. Organisations that prevail with their insurer are those with documentation: logs, procedures, proof of implementations, approved expenditures. A chaotic response to an incident with no documentation is an unintentional gift to the insurer’s claims department.
What mistakes by organisations lead to claims being refused?
In my practice and in conversations with cyber brokers, several recurring mistakes emerge that lead to claims being refused or significantly reduced. It is worth knowing them — ideally before, rather than after, an incident.
The most common mistake is false or incomplete answers in the application questionnaire. A company declares that it applies MFA to all privileged accesses — when in reality MFA is only implemented on email but not on RDP or VPN. The attacker enters through the unsecured VPN. The insurer rejects the claim because the declaration did not correspond to the actual state of affairs. This is a scenario that has actually happened.
The second mistake is failure to notify the insurer within the required time. Companies often respond to an incident under their own steam for several days — which is understandable in the chaos of a crisis — but do not notify the insurer. When the claim is eventually filed, the missed deadline becomes a formal basis for challenging the claim.
The third mistake concerns “known vulnerabilities”. If the company had documented warnings about vulnerabilities (for example from a previous security audit, a penetration testing report or alerts from a vulnerability management system) and took no remedial action, and the attacker exploited precisely those vulnerabilities — the insurer may argue that the risk was known and not covered by the policy.
The fourth mistake is approving expenditure without the insurer’s consent. In a panic, the company pays external specialists 300,000 PLN for forensics. The insurer says: “We did not approve this vendor, and our policy has a limit of 150,000 PLN for forensics with preferred providers.” Half the expenditure is lost.
The fifth, often underappreciated mistake is the absence of documentation of the ongoing application of required controls. The policy is taken out for one year. During that time the company makes changes — discontinues a particular tool, does not renew an EDR subscription, lays off a security specialist without replacing them. The insurer checks whether the policy conditions were being met at the time of the incident — and if they were not, it has grounds for reducing the payment.
Refusal of a cyber claim rarely stems from bad faith on the part of the insurer — it usually arises from documentable discrepancies between the declared and the actual state of security. The best policy is one where you will not be embarrassed by any answer in the questionnaire.
How to prepare the organisation to obtain a favourable policy?
Preparing to obtain a cyber policy is in essence a project to improve security maturity — with the additional benefit of a lower premium and better insurance terms. The table below shows the key areas of preparation, insurer requirements, required evidence and the estimated impact on the premium.
| Area | Insurer requirement | Required evidence | Impact on premium |
|---|---|---|---|
| Authentication | MFA on email, VPN, administrative and financial systems | System configuration, access policy | Reduction of 15–25% |
| Backups | Regular offline/immutable backups, recovery tests at least quarterly | Backup schedule, test reports | Reduction of 10–20% |
| Endpoint protection | EDR on all endpoint devices and servers | List of deployments, device management policy | Reduction of 10–15% |
| Vulnerability management | Scanning at least monthly, critical vulnerabilities remediated within 72h | Scan reports, patching history | Reduction of 5–15% |
| Incident response | Documented IRP, tested at least once a year | IRP document, exercise protocol | Reduction of 5–10% |
| Network segmentation | Separation of production/OT network from office network, DMZ zones | Network architecture diagram | Reduction of 5–15% |
| Employee training | Regular phishing training, at least 2x per year plus simulations | Training schedule, simulation results | Reduction of 5–10% |
| Monitoring and SIEM | Centralised event logging, anomaly alerts, log retention of at least 12 months | SIEM configuration, logging policy | Reduction of 10–20% |
| Access management | Least privilege policy, access reviews quarterly, offboarding within 24h | Review reports, IAM policy | Reduction of 5–10% |
| Encryption | Encryption of sensitive data at rest and in transit | Encryption policy, list of deployments | Reduction of 5–10% |
It is worth emphasising that the table shows estimated ranges — the actual impact of each element depends on the insurer, the industry and the company’s risk profile. The cumulative effect of implementing all the areas listed can mean a reduction in the premium of 40–60% compared with an organisation with no formal security controls.
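Both the "absence of documentation of the ongoing application of required controls" mistake described in the claims section and the cadences in the table above come down to a single question the insurer asks: on the day of the incident, was each declared control demonstrably in force? The Python below is an added example, not the article's own tooling and not any insurer's: it keeps a ledger of dated evidence records and subscription terms, treats the table's cadences as the maximum acceptable age of the latest evidence, and lists which controls had lapsed on a given date. Control names, the day counts chosen for each cadence, the ledger format and the sample records are all constructed for this example.

```python
"""Point-in-time check of control evidence against declared cadences (added example).

Given dated evidence (restore-test records, scan reports, access reviews,
training sessions) and subscription terms, decide which controls could be
shown as in force on a particular date, such as the day of an incident.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Maximum age of the most recent evidence for a control to count as "in force".
# The day counts are this example's reading of the article's cadences.
CADENCES = {
    "backup_restore_test": timedelta(days=92),   # at least quarterly
    "vulnerability_scan": timedelta(days=31),    # at least monthly
    "irp_exercise": timedelta(days=366),         # at least once a year
    "access_review": timedelta(days=92),         # quarterly
    "phishing_training": timedelta(days=183),    # at least twice a year
}


@dataclass(frozen=True)
class Evidence:
    control: str
    when: date
    reference: str      # report file name or ticket id (constructed)


@dataclass(frozen=True)
class Subscription:
    control: str
    valid_from: date
    valid_to: date


def control_status(ledger, subscriptions, as_of):
    """Return {control: (in_force, detail)} as it could be shown on `as_of`.

    Only evidence dated on or before `as_of` counts: a report produced after
    the incident cannot prove the control was running during it.
    """
    status = {}
    for control, max_age in CADENCES.items():
        dated = [e for e in ledger if e.control == control and e.when <= as_of]
        if not dated:
            status[control] = (False, "no evidence on or before that date")
            continue
        latest = max(dated, key=lambda e: e.when)
        age = as_of - latest.when
        status[control] = (age <= max_age,
                           f"latest {latest.reference} on {latest.when}, {age.days} days old")
    for sub in subscriptions:
        in_force = sub.valid_from <= as_of <= sub.valid_to
        status[sub.control] = (in_force, f"term {sub.valid_from} to {sub.valid_to}")
    return status


def lapsed_controls(ledger, subscriptions, as_of):
    """Names of controls that could not be shown as in force on `as_of`."""
    return sorted(c for c, (ok, _) in control_status(ledger, subscriptions, as_of).items() if not ok)


# Constructed sample ledger for one policy year: restore tests stop in spring,
# vulnerability scans stop in summer, and the EDR subscription is never renewed.
SAMPLE_LEDGER = (
    [Evidence("backup_restore_test", date(2024, 1, 15), "restore-test-2024Q1.json"),
     Evidence("backup_restore_test", date(2024, 4, 10), "restore-test-2024Q2.json")]
    + [Evidence("vulnerability_scan", date(2024, m, 15), f"scan-2024-{m:02d}.pdf") for m in range(1, 7)]
    + [Evidence("irp_exercise", date(2024, 2, 20), "tabletop-2024.docx")]
    + [Evidence("access_review", d, f"access-review-{d}.xlsx")
       for d in (date(2024, 1, 8), date(2024, 4, 3), date(2024, 7, 2), date(2024, 10, 2))]
    + [Evidence("phishing_training", date(2024, 3, 5), "training-2024-03.csv"),
       Evidence("phishing_training", date(2024, 9, 12), "training-2024-09.csv")]
)
SAMPLE_SUBSCRIPTIONS = [Subscription("edr_subscription", date(2024, 1, 1), date(2024, 8, 31))]


def demo():
    """Lapsed controls mid-year versus on a (constructed) incident date."""
    return {
        "mid_year": lapsed_controls(SAMPLE_LEDGER, SAMPLE_SUBSCRIPTIONS, date(2024, 5, 1)),
        "at_incident": lapsed_controls(SAMPLE_LEDGER, SAMPLE_SUBSCRIPTIONS, date(2024, 10, 20)),
    }


if __name__ == "__main__":
    for when, lapsed in demo().items():
        print(when, "->", lapsed or "all declared controls in force")
```

Running the same check on a schedule (for example monthly) turns it into an early warning: a control that would read as lapsed on a hypothetical incident date tomorrow is exactly the gap the claims department will find after a real one, and it is far cheaper to close it while the policy is still in force.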
A practical plan for preparing to obtain a cyber policy is best divided into three phases. The first phase (60–90 days) is closing critical gaps: deploying MFA everywhere, enabling EDR, verifying and testing backups, creating a basic IRP. This is the minimum required to obtain any sensible policy at all.
The second phase (3–6 months) is building maturity: deploying SIEM or security monitoring, formalising the vulnerability management process, initial phishing training and simulations, access reviews, documentation of network architecture. In this phase the organisation becomes an attractive client for higher-tier insurers.
The third phase (6–12 months) is optimisation and continuity: regular IRP tests (tabletop exercises), automation of vulnerability management, a continuous training programme, SOC integration. An organisation in this phase can obtain a policy on the best terms and actively negotiate the premium.
Preparing for a cyber policy is not a “paper” project. Insurers verify declarations, use external data about your attack surface and ask detailed technical questions. The only effective strategy is genuine implementation of security controls — which has the added benefit of actually protecting the company.
How does an nFlo security audit help lower the cyber insurance premium?
Over the past year we have carried out security audits for over a dozen organisations that had plans to purchase or renew a cyber policy. The results were consistent every time: detailed, documented audit findings are one of the most effective negotiating arguments with an insurer.
nFlo works with over 200 clients in Poland, delivering over 500 cybersecurity projects. Our client retention rate is 98% — not because we sell services, but because we deliver measurable results. One of those results is precisely a reduction in cyber insurance premiums — documentable and measurable.
What does cooperation look like in the context of cyber insurance?
Our support process for preparing for a cyber policy begins with an assessment of the current state — a security audit oriented towards the requirements of insurers. We check system configurations, verify processes and documentation, and analyse the external attack surface. The output is a report that can be shown to the insurer as evidence of the organisation’s security maturity.
We then identify gaps — those with the greatest impact on the premium and the risk of an actual attack. We do not generate a list of 200 technical recommendations. We prioritise: what to implement first in order to obtain a policy on acceptable terms, and what can be planned for subsequent quarters.
We then help implement the key controls — MFA, EDR, vulnerability management, IRP, monitoring. Every implementation is documented in a way that meets the evidentiary requirements of insurers. Backup test protocols, training reports, architecture documentation — all of this constitutes the organisation’s “security portfolio”.
We also work in a continuous model: our SOC provides 24/7 monitoring with a response time of under 15 minutes, which is directly translatable to the underwriter’s assessment of operational readiness. The ability to detect and report an incident within 24 hours — a requirement of both NIS2 and insurers — is naturally fulfilled in this model.
Clients who have gone through our cyber policy preparation programme achieved an average premium reduction of 25–40% compared to the initial quotation. Some of them had previously been unable to obtain a policy at all — after implementing the controls and documentation they became attractive clients for insurers.
If you are planning to purchase or renew a cyber policy, I invite you to a direct conversation. A quick assessment of the current state and a roadmap to an optimal policy — this typically takes 2–3 weeks of work, and the effect can mean hundreds of thousands of PLN in savings on premiums over the course of several years.
FAQ — frequently asked questions about cyber insurance
Do small companies also need cyber insurance?
Yes — and they are often more exposed than large corporations, because they less frequently have advanced defence systems. Attackers know that small companies have weaker security and target them with greater intensity. Policies for companies with fewer than 50 employees are available from a few thousand PLN per year for cover limits from 500,000 PLN.
Does a cyber policy cover ransomware attacks?
A standard cyber policy covers ransomware attacks — both the costs of data recovery and any negotiations with attackers and decryption costs, if the insurer assesses this as the most effective solution. However, the condition for payment is typically that the requirements regarding backups and MFA have been met — without these elements the insurer may argue that the organisation did not exercise due care.
How long does it take to obtain a cyber policy?
From submission of the application to the issuance of the policy typically takes 2–6 weeks for medium-sized companies. The time extends with higher sums insured, a more complex risk profile or when the company does not have a complete set of documentation. It is worth planning the process well in advance — not waiting until the policy is needed “yesterday”.
Does cyber insurance cover GDPR fines?
Some cyber policies cover administrative fines imposed by the supervisory authority (GDPR fines) — but only to the extent permitted by law. In Poland, fines imposed by the regulatory authority (UODO) are generally insurable; however, the specific conditions depend on the policy and jurisdiction. Always verify this clause with a lawyer when signing the contract.
What is a deductible in a cyber policy?
The deductible is the amount the company covers independently before the policy is activated — the equivalent of an excess. For example, with a deductible of 100,000 PLN and a loss of 500,000 PLN, the insurer will pay 400,000 PLN. A higher deductible means a lower premium — but also higher own risk for small and medium incidents.
Is a broker needed when purchasing a cyber policy?
Absolutely — particularly for companies without experience in specialist insurance. A good cyber insurance broker knows the market, can compare offers from a dozen or more insurers, will help complete the questionnaire correctly and will represent the company in the claims settlement process. The broker’s remuneration is typically covered by the insurer as a commission — the service is free of charge for the company.
Sources
- IBM Security, Cost of a Data Breach Report 2024, IBM Corporation, 2024. https://www.ibm.com/reports/data-breach
- Munich Re, Cyber Insurance: Risks and Trends 2024, Munich Re Group, 2024. https://www.munichre.com/en/risks/cyber-risks
- Directive of the European Parliament and of the Council (EU) 2022/2555 of 14 December 2022 (NIS2), Official Journal of the European Union, L 333/80. https://eur-lex.europa.eu/eli/dir/2022/2555
- Marsh & McLennan, Cyber Insurance Market Report Q3 2024, Marsh LLC, 2024. https://www.marsh.com/en-us/insights/research/cyber-insurance.html
- Chainalysis, Crypto Crime Report: Ransomware Revenue 2023, Chainalysis Inc., 2024. https://www.chainalysis.com/blog/ransomware-2024
- Polish Financial Supervision Authority (UKNF), Recommendations on business continuity risk management, KNF, 2023. https://www.knf.gov.pl
- S&P Global Market Intelligence, Cyber Insurance: Market Dynamics and Underwriting Trends 2024, S&P Global, 2024. https://www.spglobal.com/marketintelligence/en/solutions/cyber-insurance
