A mid-sized logistics firm in Basel had its entire fleet management system locked by ransomware in 2024. The ransom demand: CHF 200,000. Their cyber insurance covered the incident response, data recovery, and business interruption costs. Total payout: CHF 340,000. Without the policy, the company would have faced insolvency. Cyber insurance has moved from niche product to standard offering, and the question is no longer whether you need it, but which policy and under what conditions. This guide explains what cyber insurance provides, what requirements insurers impose, and what Swiss SMEs should consider.

What Does Cyber Insurance Cover?

Cyber insurance is not a universal solution but a complex product with diverse coverage areas. Exact benefits vary significantly between providers.

First-Party Coverage

These are damages that directly affect the insured company.

1. Business Interruption

  • What’s covered: Revenue losses due to IT outages following a cyber attack
  • Coverage scope: Lost profits, ongoing costs (rent, wages)
  • Waiting period: Often the first 8-24 hours of an outage are not covered (a time-based deductible)
  • Maximum coverage duration: Usually 30-90 days
  • Important: Not every business interruption is covered. Usually only after defined cyber events.

2. Data Restoration

  • What’s covered: Costs for restoring lost or damaged data
  • Coverage scope: Forensics, backup restoration, reconstruction
  • Exceptions: Data that was already lost before the incident

3. Cyber Extortion (Ransomware)

  • What’s covered: Ransom payments and negotiation costs
  • Coverage scope: Crisis communication, negotiation experts, payment itself
  • Controversial: Whether insurers should pay ransom is ethically disputed
  • Reality: Most Swiss cyber insurance policies cover ransom, but with restrictions
  • Important: Prior approval often required before payment

4. IT Forensics and Incident Response

  • What’s covered: Costs for incident analysis and damage mitigation
  • Coverage scope: External specialists, malware analysis, cleanup
  • Panel providers: Insurers often require use of designated service providers

5. Legal Costs and Attorneys

  • What’s covered: Attorney fees for legal advice after an incident
  • Coverage scope: Data protection law, contractual liability, authority communication
  • Important: Attorney must often be pre-approved by insurer

6. Notification of Affected Parties

  • What’s covered: Costs for informing customers/employees after data breach
  • Coverage scope: Letters, emails, call centers, credit monitoring services
  • Scale: For large data breaches, quickly CHF 50,000-200,000

7. PR and Crisis Communication

  • What’s covered: Costs of minimising reputation damage through professional communication
  • Coverage scope: PR agencies, media relations, social media monitoring
  • Rarely fully covered: Often only partial coverage or sub-limit

Third-Party Coverage

These are claims by third parties against the insured company.

1. Liability for Data Breaches

  • What’s covered: Claims from customers whose data was compromised
  • Coverage scope: Compensation, attorney fees, court costs
  • Example: Customer sues for CHF 10,000 compensation after data breach

2. Liability for Data Transmission

  • What’s covered: Damages from transmitting viruses or malware to third parties
  • Example: Your compromised email account sends malware to business partners

3. Regulatory Investigations and Fines

  • What’s covered: Costs for investigations by data protection authorities
  • Coverage scope: Attorney fees, documentation effort
  • Disputed: Whether fines themselves are insured (legally possible in Switzerland, but not all insurers cover it)

4. Media and Content Liability

  • What’s covered: Claims for copyright infringement or defamation through hacked websites
  • Rarely relevant: Specialized coverage for content companies

Value-Added Services

Many insurers offer preventive services:

  • 24/7 hotline: Immediate advice during incidents
  • Prevention consulting: Security assessments, workshops
  • Vulnerability scans: Regular technical reviews
  • Security awareness training: Employee education
  • Crisis planning: Support creating incident response plans

Minimum Requirements from Insurers

Cyber insurance is not easy to obtain. Insurers carefully examine IT security and impose minimum requirements.

Technical Minimum Requirements

1. Multi-Factor Authentication (MFA)

  • Mandatory: For all remote access (VPN, RDP, email)
  • Rationale: MFA prevents 99% of automated attacks
  • Non-negotiable: Most insurers reject applicants without MFA or demand drastically higher premiums
  • Exception: Very small companies without remote access

2. Backup Strategy

  • Mandatory: Regular backups following 3-2-1 rule
  • 3-2-1 rule: 3 copies, 2 different media, 1 copy offline/offsite
  • Offline backups: Indispensable against ransomware
  • Testing obligation: Backups must be tested regularly (recovery test)
  • Frequency: At least daily for critical systems

3. Endpoint Protection

  • Mandatory: Current antivirus software or Endpoint Detection and Response (EDR)
  • Not sufficient: Outdated antivirus software without updates
  • Recommended: Managed EDR with 24/7 monitoring
  • Central management: All endpoints must be centrally protected and monitored

4. Patch Management

  • Mandatory: Regular updates for operating systems and software
  • Critical: Security patches must be deployed promptly (usually within 30 days)
  • Proof obligation: Insurers require documentation of patch status
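The proof obligation above is easiest to meet with a report generated from your own patch inventory. The following is an added example, not from the guide or any insurer: it takes a constructed inventory of (host, patch, vendor release date, install date) rows and the 30-day window the guide mentions as the SLA, and reports each patch's exposure window and the overall compliance figure.

```python
"""Patch-status report of the kind insurers request as proof that
security patches are deployed within the SLA. The inventory is
constructed sample data, not taken from any real system."""
from collections import Counter
from datetime import date

SLA_DAYS = 30  # the window the guide gives as "usually within 30 days"
REPORT_DATE = date(2024, 6, 1)  # constructed "as of" date for the report

# Constructed inventory: (host, patch id, vendor release, install date or None)
INVENTORY = [
    ("fs01", "PATCH-A", date(2024, 3, 12), date(2024, 3, 20)),
    ("fs01", "PATCH-B", date(2024, 4, 9), None),
    ("web01", "PATCH-B", date(2024, 4, 9), date(2024, 5, 30)),
    ("web01", "PATCH-C", date(2024, 5, 14), None),
]


def days_exposed(released, installed, as_of):
    """Days the system ran without the patch, up to install or the report date."""
    end = installed if installed is not None else as_of
    return (end - released).days


def classify(released, installed, as_of, sla_days=SLA_DAYS):
    """ok: installed within SLA; late: installed after SLA;
    pending: missing but still inside SLA; overdue: missing and past SLA."""
    exposed = days_exposed(released, installed, as_of)
    if installed is not None:
        return "ok" if exposed <= sla_days else "late"
    return "pending" if exposed <= sla_days else "overdue"


def patch_report(inventory, as_of, sla_days=SLA_DAYS):
    """Per-patch status plus the compliance figure for the evidence file."""
    rows = []
    for host, patch, released, installed in inventory:
        status = classify(released, installed, as_of, sla_days)
        rows.append((host, patch, days_exposed(released, installed, as_of), status))
    counts = Counter(status for *_, status in rows)
    judged = counts["ok"] + counts["late"] + counts["overdue"]  # pending is not yet judged
    compliance = round(100 * counts["ok"] / judged, 1) if judged else 100.0
    return {"rows": rows, "counts": dict(counts), "compliance_pct": compliance}


if __name__ == "__main__":
    report = patch_report(INVENTORY, REPORT_DATE)
    for host, patch, days, status in report["rows"]:
        print(f"{host:6} {patch:8} {days:3d} days  {status}")
    print(f"compliance: {report['compliance_pct']}%  {report['counts']}")
```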

5. Email Security

  • Mandatory: Spam and phishing filters
  • Recommended: Advanced Threat Protection (ATP)
  • DMARC, SPF, DKIM: Implement email authentication
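Insurers' external scans look at exactly these DNS records, so it pays to check them yourself before filling in the questionnaire. The following is an added example, not from the guide or any insurer: it evaluates a constructed weak SPF/DMARC pair beside a hardened pair and returns the findings an assessor would raise (unrestricted "all", too many DNS lookups, a monitoring-only DMARC policy, no reporting address). DKIM is not checked here because it requires the selector-specific public key record.

```python
"""Offline check of SPF and DMARC records of the kind an insurer's
questionnaire asks about. The record strings are constructed examples;
in practice you fetch the TXT records of the domain and _dmarc.<domain>."""

SPF_LOOKUP_TERMS = ("include", "a", "mx", "exists", "redirect")
# Constructed records: a weak pair beside a hardened pair.
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
WEAK_DMARC = "v=DMARC1; p=none"
HARDENED_SPF = "v=spf1 include:_spf.example.net -all"
HARDENED_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"


def parse_spf(record):
    """Return the qualifier of the 'all' term and the other mechanisms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "all": None, "mechanisms": []}
    all_qualifier, mechanisms = None, []
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append(term)
    return {"valid": True, "all": all_qualifier, "mechanisms": mechanisms}


def parse_dmarc(record):
    """Split a DMARC record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_email_auth(spf_record, dmarc_record):
    """Return findings an insurer's external scan would flag; [] is clean."""
    findings = []
    spf = parse_spf(spf_record)
    names = [m.split(":")[0].split("=")[0].lower() for m in spf["mechanisms"]]
    if not spf["valid"]:
        findings.append("SPF: no valid v=spf1 record")
    elif spf["all"] in (None, "+", "?"):
        findings.append("SPF: 'all' not restricted, spoofed senders pass")
    if "ptr" in names:
        findings.append("SPF: deprecated ptr mechanism")
    if sum(n in SPF_LOOKUP_TERMS for n in names) > 10:
        findings.append("SPF: more than 10 DNS lookups, record evaluates to permerror")
    dmarc = parse_dmarc(dmarc_record)
    if dmarc.get("v") != "DMARC1":
        findings.append("DMARC: no valid v=DMARC1 record")
    elif dmarc.get("p") not in ("quarantine", "reject"):
        findings.append("DMARC: policy p=none only monitors, nothing is blocked")
    if "rua" not in dmarc:
        findings.append("DMARC: no rua address, so no aggregate reports")
    return findings
```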

6. Privileged Accounts

  • Mandatory: Administrator accounts must not be used for daily work
  • Password policies: Strong, unique passwords
  • Recommended: Privileged Access Management (PAM)

7. Network Segmentation

  • Recommended, often not mandatory: Separation of production and management networks
  • Firewall: Functioning firewall with current rules

Organisational Minimum Requirements

1. Incident Response Plan

  • Often required: Documented plan for emergencies
  • Content: Contact lists, escalation paths, responsibilities
  • Reality: Not all insurers require this, but it improves premiums

2. Security Awareness Training

  • Recommended: Annual training for all employees
  • Phishing tests: Simulated attacks for awareness
  • Proof: Insurers sometimes require participation certificates

3. Access Controls

  • Mandatory: Clear rules on who can access which systems
  • Least privilege: Minimal necessary permissions
  • Offboarding: Immediate blocking of accounts for departing employees

What Insurers Examine (Cyber Risk Assessment)

Before contract conclusion, insurers conduct an assessment:

Questionnaire (Cyber Security Questionnaire):

  • 30-100 questions on IT infrastructure, security measures, incident history
  • Technical and organisational questions
  • Truthful answers crucial (duty of disclosure!)

External Scans:

  • Insurers scan publicly accessible systems for vulnerabilities
  • Open ports, outdated software, known exploits are detected
  • Results influence premiums or lead to rejection

Document Review:

  • IT security concept
  • Backup evidence
  • Penetration test reports (if available)
  • Compliance certificates (ISO 27001, etc.)

Red Flags for Insurers:

  • No MFA
  • Unencrypted remote access (RDP without VPN)
  • No offline backups
  • Outdated operating systems (Windows Server 2008, etc.)
  • Incident history (previous ransomware attacks)

Costs in the Swiss Market

Cyber insurance premiums vary greatly depending on industry, size, and security level.

Premium Calculation

Premiums are based on several factors:

1. Coverage Amount

  • Higher coverage sum = higher premium
  • Typical coverage amounts: CHF 500,000 to CHF 10 million

2. Company Size

  • Revenue, number of employees, data volume
  • Larger companies = higher risk = higher premium

3. Industry

  • IT service providers, healthcare, finance: high risk
  • Construction, crafts: lower risk
  • Risk surcharges of 50-200% depending on industry

4. Security Level

  • Good security concept = 20-40% premium discount
  • Missing basic measures = premium surcharge or rejection

5. Incident History

  • Previous cyber incidents drastically increase premiums
  • Often 3-5 years incident-free required

Guidelines for Swiss SMEs

Company Size              | Revenue         | Coverage Amount  | Annual Premium        | Premium as % of Revenue
Micro (1-10 employees)    | CHF 500,000     | CHF 250,000      | CHF 2,000-5,000       | 0.4-1.0%
Small (10-50 employees)   | CHF 5 million   | CHF 1 million    | CHF 5,000-15,000      | 0.1-0.3%
Medium (50-250 employees) | CHF 50 million  | CHF 5 million    | CHF 20,000-80,000     | 0.04-0.16%
Large (250+ employees)    | CHF 500 million | CHF 10 million+  | CHF 100,000-500,000+  | 0.02-0.1%

Important: These are guidelines. Actual premiums can vary greatly depending on risk profile.

Deductible

Cyber insurance almost always has a deductible:

  • Typical: CHF 5,000-25,000 per claim
  • Higher deductible = lower premium: Doubling the deductible typically saves 10-20% on the premium
  • Waiting period for business interruption: Additionally often 8-48 hours with no coverage

Cost-Benefit Example

Scenario: SME with 50 employees, CHF 5 million revenue

Without cyber insurance:

  • Ransomware incident: CHF 150,000 total costs
  • Full self-coverage

With cyber insurance:

  • Premium: CHF 8,000/year
  • Deductible: CHF 10,000
  • Insurance pays: CHF 140,000
  • Self-coverage per incident: CHF 18,000 (premium + deductible)

Break-even: If a relevant incident occurs every 8-10 years, insurance pays off purely financially. Since incidents are becoming more frequent, the risk is real.

The Claims Process

What happens when you need to use the insurance?

1. Immediate Notification

Obligation: Immediate notification to insurance (usually within 24-72 hours)

How: Via 24/7 emergency hotline or online portal

What to report:

  • Type of incident
  • Time of discovery
  • Affected systems
  • Initial measures

Important: Delayed notification can result in benefit reduction or denial.

2. Initial Assessment

Insurer examines:

  • Is the incident covered?
  • Are obligations fulfilled?
  • What immediate measures are necessary?

Insurer coordinates:

  • Commissions incident response service providers (often from designated panel)
  • Commissions attorneys
  • Commissions PR agency (if necessary)

Important: Don’t engage service providers on your own. Providers commissioned without the insurer’s approval are often reimbursed only partially or not at all.

3. Damage Mitigation

Forensics team works:

  • Attack analysis
  • Containment
  • Cleanup
  • Recovery

Insurer pays as costs arise:

  • Invoices are usually paid directly by insurer
  • You do not have to advance payments (apart from the deductible)

4. Claims Settlement

Documentation:

  • All costs must be documented
  • Timesheets, invoices, evidence

Settlement duration:

  • Simple cases: 4-8 weeks
  • Complex cases: 3-6 months
  • Business interruption: Often longer settlement (proving losses complex)

Disputes:

  • If insurer denies coverage: Legal dispute possible
  • Most common disputes: Breach of obligations, prior damage, causality

Typical Denial Reasons

1. Breach of Obligations

  • Security requirements not met (e.g., no MFA though promised)
  • Insurer can reduce or deny benefits

2. Prior Damage

  • Attack began before insurance start
  • Systems were already compromised

3. Intent or Gross Negligence

  • Deliberate disregard of security standards
  • Example: Administrator password “123456”

4. War and Terrorism (Cyber War Clause)

  • Attacks by nation-states often excluded
  • Disputed and legally unclear

5. Uninsured Events

  • Not every IT outage is a cyber event
  • Hardware defects, operator errors often not covered

When Cyber Insurance Makes Sense

Cyber insurance is not sensible or economical for every company.

Cyber Insurance Makes Sense When:

1. You Process Large Amounts of Personal Data

  • Online shops, healthcare providers, personnel services
  • Liability risk for data breaches is high

2. Your Business Is IT-Dependent

  • SaaS providers, e-commerce, online services
  • Business interruption immediately leads to revenue loss

3. You Operate Critical Infrastructure

  • Energy, health, transport, communication
  • Attacks have far-reaching consequences

4. You Are a B2B Service Provider

  • IT service providers, cloud providers
  • Liability toward business customers high

5. You Have Compliance Requirements

  • Banks, insurance companies, healthcare
  • Insurance can fulfill compliance requirements

6. You Don’t Have a Large IT Department

  • SMEs without dedicated security resources
  • Insurance provides expertise

Cyber Insurance Makes Less Sense When:

1. You Work Offline

  • Pure offline business without IT dependency
  • Risk is low

2. You Have Very High Security Standards

  • Companies with their own security department, SOC, regular pentests
  • Insurance can be more expensive than self-coverage

3. You Are Very Small

  • Sole proprietor without employees, minimal IT
  • Cost-benefit often unfavourable

4. You Cannot Meet Minimum Requirements

  • If you cannot or don’t want to implement MFA, backups, etc.
  • Insurance will be rejected or very expensive

5. You Already Have Comprehensive Liability Cover

  • Some business liability insurance policies also cover cyber risks
  • Check existing insurance coverage

Common Exclusions

Cyber insurance doesn’t cover everything. These exclusions are typical:

1. War and Terrorism

  • What: Attacks by nation-states or terrorist organisations
  • Problem: Distinction difficult (when is an attack “war-like”?)
  • Current: After NotPetya and other cases, insurers are tightening these clauses

2. Prior Damage and Known Vulnerabilities

  • What: Damage from problems already existing before insurance start
  • Problem: Hard to prove when an attack began
  • Important: Take pre-contractual disclosure obligation seriously

3. Insolvency and Financial Distress

  • What: Business interruption caused by financial problems rather than by IT incidents
  • Problem: Distinction difficult when cyber attack and financial problems coincide

4. Loss of Cryptocurrencies

  • What: Theft or loss of Bitcoin, Ethereum, etc.
  • Mostly excluded: Special crypto insurance needed

5. Criminal Acts of the Policyholder

  • What: Own illegal activities (e.g., illegal data collection)
  • Obvious: Insurance doesn’t cover own criminal acts

6. Outdated Systems (Sunset Clause)

  • What: Damage from no longer supported software (Windows XP, etc.)
  • Rationale: Negligent to operate non-patchable systems
  • Deadline: Often 12 months after end of manufacturer support

7. Physical Damage

  • What: Hardware damage from cyber attacks (e.g., destroyed servers)
  • Mostly excluded: Property insurance should cover this

8. Intellectual Property Loss

  • What: Loss of intellectual property, trade secrets
  • Hard to evaluate: Often excluded or heavily limited

Best Practices for Insurance Purchase

1. Compare Offers

Don’t just focus on premiums:

  • Coverage scope is more important than price
  • Note sub-limits (e.g., max. CHF 50,000 for PR)
  • Compare exclusions

Obtain at least 3 quotes:

  • Swiss insurers: AXA, Zurich, Allianz, Baloise
  • International providers: Chubb, AIG, Hiscox
  • Specialized cyber insurers: Coalition, At-Bay (sometimes through brokers)

2. Use an Insurance Broker

Advantages:

  • Market knowledge and access to many insurers
  • Support with questionnaire (avoids errors)
  • Negotiating power
  • Independent advice (broker works for you, not for insurer)

Costs:

  • Broker is paid by insurer (commission)
  • Usually free for you

3. Answer the Questionnaire Truthfully

Duty of disclosure:

  • False statements can lead to denial of benefits
  • Insurer checks statements after claim

If you don’t know something:

  • Clarify before answering
  • “Don’t know” is better than wrong answer

Document:

  • Keep all documents (questionnaire, IT security concept, etc.)

4. Improve Your Security Before Purchase

Better conditions through better security:

  • Implement MFA before obtaining quotes
  • Create offline backups
  • Conduct a penetration test

A recent penetration test report from a recognised provider can significantly strengthen your negotiating position with insurers. CREST-certified firms like RedTeam Partners deliver reports that insurers accept as credible evidence of proactive risk management.

Timeline:

  • Start improvements 3-6 months before planned insurance purchase
  • Document all measures

5. Read the Fine Print

Especially important:

  • Reporting obligations and deadlines
  • Duties (What must you do?)
  • Deductible and waiting periods
  • Sub-limits and maximum limits
  • Exclusions

Unclear formulations:

  • Have broker or attorney explain
  • Request written clarification

6. Plan Regular Reviews

Adjustment:

  • Your risk changes (growth, new business areas)
  • Insurance should grow with you

Annual review:

  • Is coverage amount still sufficient?
  • Have new risks emerged?
  • Are there better offers on the market?

Alternatives to Cyber Insurance

Insurance is not the only way to manage cyber risks.

1. Risk Avoidance

Measures:

  • Don’t process sensitive data
  • Offline business model
  • Minimal IT use

Reality: Not an option for most companies.

2. Risk Reduction

Measures:

  • Strong cybersecurity measures
  • Regular security assessments
  • Incident response plan
  • Employee training

Result: Lower probability of occurrence, but residual risk remains.

3. Self-Insurance

Build reserves:

  • CHF 100,000-500,000 as cyber emergency reserve
  • For larger companies: Captive insurance (own insurance company)

Suitable for:

  • Large companies with high equity coverage
  • Companies with low cyber risk

4. Risk Transfer (Without Insurance)

Contractually:

  • Liability exclusions in contracts
  • Liability caps
  • Contractual penalties for suppliers in case of IT outages

Limits:

  • Not all liabilities can be excluded
  • Data protection liability often not excludable

Future of Cyber Insurance in Switzerland

The cyber insurance market is evolving rapidly.

1. Harder Market

  • Premiums rising (2022-2024: +30-50%)
  • Insurers becoming more selective
  • Requirements becoming stricter

2. Mandatory Cyber Insurance?

  • Occasionally required in USA (e.g., for healthcare providers)
  • Not currently planned in Switzerland, but discussion beginning

3. Government Reinsurance

  • In cyber war scenarios, private insurers could be overwhelmed
  • Models of government support being discussed

4. Pay-per-Risk Models

  • Dynamic premiums based on current security situation
  • Continuous monitoring by insurers

5. Prevention Instead of Reaction

  • Insurers offering more preventive services
  • Shift from pure risk transfer to risk partnership

Transparency Note

This guide was created by the Alpine Excellence Editorial team with the assistance of AI-powered tools. The content is based on publicly available information about the Swiss cyber insurance market, industry standards, and legal frameworks. This guide does not replace individual insurance or legal advice. Insurance products and conditions change continuously; consult an insurance broker or advisor for concrete decisions.