FAQ

Cyber Insurance for Professional Services Firms: FAQs

Cyber insurance has become a near-essential risk management tool for professional services firms — but navigating cover, exclusions, and the underwriting process is increasingly complex. Insurers have hardened their requirements significantly since 2020, and many professional services firms find that their current cover has gaps they were not aware of. This FAQ addresses the most common questions about cyber insurance for professional services organisations.

60% of professional services firms have no formal incident response plan — a key factor in cyber insurance underwriting.

Frequently Asked Questions

What does cyber insurance typically cover for professional services firms?

A standard cyber insurance policy for professional services firms typically covers: first-party costs (incident response, forensic investigation, notification costs, ransomware negotiation and extortion payments, business interruption, data recovery); third-party costs (claims from clients or other parties whose data was compromised); and regulatory defence costs (ICO investigation defence and, where insurable by law and subject to insurer consent and policy terms, regulatory fines). Many policies also include sub-limits for social engineering/BEC fraud, which is where professional services firms most commonly claim.

What security controls do cyber insurers now require?

Insurers typically require the following controls as a minimum for professional services firms: MFA on email, remote access (VPN/RDP) and privileged accounts (non-negotiable since 2021); email authentication (SPF, DKIM and DMARC, with most questionnaires asking whether the DMARC policy is actually enforced rather than monitor-only); endpoint protection on all devices; regular data backups that are tested for recovery and isolated from the production network; a documented incident response plan; staff security awareness training; and patch management. Firms unable to demonstrate these controls may be declined cover or offered significantly higher premiums, and a control misstated on the proposal form can give the insurer grounds to avoid a claim.
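Of the controls above, email authentication is the one most easily checked from outside. The following Python script is an added example, not code from this page or from any insurer or vendor: it parses the SPF and DMARC TXT records for a domain and reports whether they meet the posture a typical underwriting questionnaire asks about. The pass/fail thresholds (a DMARC policy of at least `quarantine` applied to 100% of mail, an SPF record ending in `-all` or `~all`, no `+all`) and the DNS records themselves are assumptions; the sample records are constructed and the domain names are placeholders.

```python
"""Offline check of SPF and DMARC TXT records against the email-authentication
posture cyber insurers commonly ask about.

Added example; the thresholds below are an assumption about a typical
questionnaire, not any insurer's published criteria.
"""
import re

# Constructed sample TXT records keyed by DNS name. In practice you would
# populate this from `dig +short TXT example.com` and
# `dig +short TXT _dmarc.example.com` (placeholder domains).
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"],
    "weak.example": ["v=spf1 include:_spf.example.net +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "nodmarc.example": ["v=spf1 ip4:192.0.2.10 ~all"],
}

# Assumption: underwriters treat these DMARC policies as "enforced".
DMARC_ENFORCING = {"quarantine", "reject"}


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC record ('tag=value; tag=value; ...') into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(record: str):
    """Return the qualifier on the SPF 'all' mechanism: '+', '-', '~' or '?'.

    Returns None when the record has no 'all' term (the default result is
    then neutral, which is as good as no SPF at all for spoofing purposes).
    """
    for term in record.split()[1:]:
        match = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if match:
            return match.group(1) or "+"  # a bare 'all' means '+all'
    return None


def assess_domain(domain: str, txt: dict = SAMPLE_TXT) -> dict:
    """Evaluate one domain's SPF and DMARC records; return results and findings."""
    findings = []

    # --- SPF: exactly one v=spf1 record, ending in hard or soft fail ---
    spf_records = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    spf_ok = False
    if not spf_records:
        findings.append("no SPF record published")
    elif len(spf_records) > 1:
        findings.append("multiple SPF records (receivers treat this as a permanent error)")
    else:
        qual = spf_all_qualifier(spf_records[0])
        if qual in ("-", "~"):
            spf_ok = True
        elif qual is None:
            findings.append("SPF record has no 'all' mechanism (unlisted senders get a neutral result)")
        else:
            findings.append(f"SPF ends in '{qual}all': unauthorised senders are not rejected")

    # --- DMARC: published, enforcing, applied to all mail, with reporting ---
    dmarc_name = f"_dmarc.{domain}"
    dmarc_records = [r for r in txt.get(dmarc_name, []) if r.upper().startswith("V=DMARC1")]
    dmarc_ok = False
    if not dmarc_records:
        findings.append("no DMARC record published")
    else:
        tags = parse_dmarc(dmarc_records[0])
        policy = tags.get("p", "").lower()
        try:
            pct = int(tags.get("pct", "100"))
        except ValueError:
            pct = 0  # unparseable pct: treat as not enforced
        if policy not in DMARC_ENFORCING:
            findings.append(f"DMARC policy is '{policy or 'missing'}' (monitor-only, spoofed mail is still delivered)")
        elif pct < 100:
            findings.append(f"DMARC policy applies to only {pct}% of mail")
        else:
            dmarc_ok = True
        if "rua" not in tags:
            findings.append("no rua= aggregate reporting address (spoofing attempts go unseen)")

    return {"domain": domain, "spf_ok": spf_ok, "dmarc_ok": dmarc_ok, "findings": findings}


if __name__ == "__main__":
    for name in ("example.com", "weak.example", "nodmarc.example"):
        result = assess_domain(name)
        status = "PASS" if result["spf_ok"] and result["dmarc_ok"] else "FAIL"
        print(f"{status} {name}")
        for finding in result["findings"]:
            print(f"    - {finding}")
```

Run against live records by replacing the constructed dictionary with the output of `dig +short TXT` for the domain and its `_dmarc.` subdomain; the script deliberately does no DNS itself so that the same check can be re-run offline against records captured at renewal time, which is the evidence a broker will ask for.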

Are BEC losses covered by cyber insurance?

Coverage for BEC under cyber insurance varies significantly. Many policies carry a separate, lower sub-limit for "social engineering fraud" or "funds transfer fraud", which can be a small fraction of the overall policy limit. Some wordings make this cover conditional on the firm having followed its own verification procedure (typically a call-back to a known number before acting on any payment instruction or change of bank details), and will decline a claim where that step was skipped. Review your policy wording carefully, and ask your broker specifically what BEC cover you have, what the sub-limit is, and which verification procedures you must be able to evidence to keep it.

How much cyber insurance does a professional services firm need?

Coverage requirements depend on firm size, client contract obligations, and regulatory context. A starting framework: first, review client contracts for any minimum insurance requirements (common in enterprise contracts); second, consider your largest single client data exposure and the cost of a worst-case breach notification exercise; third, consider business interruption costs for a worst-case operational outage. For most small to mid-sized professional services firms (10–200 staff), £1M–£5M of cyber cover is a reasonable starting point, with specific attention to ensuring BEC/social engineering sub-limits are adequate.

Review your security posture for insurance

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
