Cyber insurance for SMEs in Switzerland

The media regularly report on cyber attacks. What we read or hear about is just the tip of the iceberg. Small and medium-sized enterprises are particularly at risk because they are considered easy victims. They should therefore prepare for cyber attacks and protect themselves against financial risks.

Why does every SME need cyber insurance?

The costs of an attack can threaten a company's existence. Cyber insurance covers the costs of data recovery, business interruptions and liability claims from customers or partners.
  • 50,000: In 2023, almost 1,000 incidents were reported to the National Cyber Security Center (NCSC) every week.
  • CHF 5 billion: Every year, cyber criminals cause damage amounting to more than CHF 5 billion in Switzerland.
  • 40 %: 2 out of 5 companies attacked are SMEs, which are often less well protected and prepared.

When does cyber insurance make sense for an SME?

Cyber risks are a threat to all companies: not just those that work with confidential data, automate business-critical processes or are dependent on online platforms, but also those that "only" handle office work on computers or communicate electronically. SMEs, which often have fewer resources than large companies and are therefore less well protected, are at particular risk.

How do hackers attack firms?

Ransomware: Cyber criminals infiltrate the network, download all data and encrypt it or block the IT system. They then demand a ransom for the return of data or the release of the IT system. If the victim refuses, they publish the data or sell it.

DDoS attacks: Cyber criminals infect a computer with malware and trigger so many requests to the network, server or website that the system collapses. The malicious data traffic often only stops when the victim pays a ransom.

CEO fraud: For example, cyber criminals send fake emails or voice messages in the name of the CEO and use a credible story to ask the finance department to transfer money. It is of course urgent, and the CEO is unavailable to answer any questions.

Which companies are affected?

Phishing: Cyber criminals try to manipulate their victims with a deceptively genuine email, for example, and trick them into revealing passwords or sensitive data, or clicking on a link.

Remote access: Cyber criminals attack computers without a multifactor authentication solution. To do this, they usually use the RDP interface, try out user names and passwords, and penetrate the company network.

Drive-by infections: Cyber criminals exploit vulnerabilities such as non-updated browsers and position malware in a company network as soon as an employee visits a hacked or malicious website.

Outdated programs: Cyber criminals exploit security vulnerabilities such as non-updated operating systems or programs and download data or control the network.

Partners and service suppliers: Cyber criminals attack companies indirectly, for example when exchanging data with third parties.

Our three-stage insurance concept

Stage 1: Prevent

We help you to understand your cyber risks and protect yourself better against cyber attacks.

Stage 2: Insure

We provide you with modular and customized protection against the financial risks of a cyber attack.

Stage 3: Intervene

In an emergency, every second counts. That's why we are there for you 365 days a year, around the clock.

Our insurance coverage: As individual as you are

No two SMEs are the same. That's why we offer modular cyber insurance in four versions. This means you can align the cover with your insurance needs and only pay for what you need.

Cyber security and data protection expertise for SMEs

Shared knowledge is double the knowledge. We have therefore compiled a list of what SMEs should know about cyber security and data protection, and how they can protect themselves effectively against cyber criminals.

Prevention

The Zurich Cyber Insurance concept helps you to understand your risks and protect yourself against cyber attacks. Together with our partner, we support you in minimizing cyber risks for your organization.

Awareness training

When it comes to cyber security, people are the weakest link in the chain. For all companies, undetected hacker emails are the most common gateway for targeted cyber attacks. This is exactly where Zurich comes in with its free cyber security training for Zurich cyber customers and their employees. The online training was developed by our partner company SoSafe, which specializes in e-learning and cyber security. The five e-learning modules and the phishing simulation sensitize employees to risks on the Internet and thus prevent employees from unintentionally becoming accomplices.

Security check

Time involved for you: 1 hour

The analysis takes place on your premises. With tool support, your systems and applications are checked for vulnerabilities. You will receive a report explaining the criticality of the vulnerabilities, including remediation/mitigation options.

Security assessment

Time involved for you: 2 hours

The comprehensive analysis of security processes and controls with regard to the confidentiality, integrity and availability of systems/applications is carried out on your premises. This also involves a structured interview with you. You will receive a detailed report with the following content:

  • Condition of the security checks
  • Identified vulnerabilities
  • Recommendations for reducing risks

Insurance coverage

Unfortunately, even a solid cyber security concept does not guarantee absolute protection against cyber attacks. If a cyber incident does occur, Zurich offers the best possible insurance coverage and helps you deal with the consequences.

Choose the right package for your company

Cyber data and system restoration

  • Technical clarifications and computer forensic analyses: What exactly happened?
  • Restoration or replacement of data and information
  • Replacement of damaged hardware (bricking)
  • Identification of software weaknesses and measures to improve security (betterment)
  • Cyber blackmail payments and costs for preventing cyber blackmail
  • Assumption of costs in the event of telephone hacking

Basic // Optimum // Premium

Cyber crisis management

  • Review of reporting duties and notification obligations
  • Notification of affected persons on a voluntary basis
  • Official proceedings and (insurable) fines and penalties
  • Contractual penalties in the event of a breach of PCI DSS standards
  • Call center, credit card monitoring and identity monitoring for persons affected
  • Goodwill campaigns, such as discount campaigns and price discounts for persons affected
  • Planning and implementation of public relations campaigns in the event of negative media reporting

Basic // Optimum // Premium

Cyber liability

Damages and defense against unjustified claims in the event of or in connection with:

  • loss, theft or publication of data – irrespective of a cyber incident
  • infringement of data protection law (including GDPR)
  • infringement of rights to a name, copyrights and trademark rights
  • court costs and defense costs

Basic // Optimum // Premium

Cyber legal protection

  • Advice on immediate legal measures
  • Assertion of claims for damages
  • Criminal defense in the event of negligent violation of data privacy provisions

Basic // Optimum // Premium

Cyber business interruption and added costs

  • Due to a cyber incident or an operating error
  • Due to an official order as a result of a data privacy violation
  • Coverage of loss of net profits and added costs for keeping the business running

Optimum // Premium

Cyber crime

  • Cyber fraud due to active deceptive activities by third parties (social engineering)
  • Cyber theft through manipulation of computer systems by third parties (e-banking hacking)

Premium

Claims management

In the event of a loss or harm, things have to move quickly. You can therefore reach our hotline 24/7. During office hours, our cyber claim specialists will take care of your case. Outside office hours, your call will be forwarded directly to our IT partner Compass Security.

We will organize the experts for you as required. We also work with the IT security company Compass Security for this purpose. Thanks to its experience and expertise, our partner is ideally equipped to find a quick and sustainable solution to your cyber incident. Based on the root cause analysis, measures will also be recommended to you for sustainable cyber protection. This way, you can protect your company comprehensively in the future.

We not only help with IT problems, but also have the right partners when it comes to legal issues, be it checking the obligation to provide information, defending against claims for damages or filing criminal charges. A company's reputation can also be put at risk quickly. That's why we organize specialists to communicate with external parties if the worst comes to the worst, helping you to protect your reputation.

Further prevention services

  • We help you to navigate the complexity of cyber space and meet the new legal requirements.
  • Our resilience packages are based on scientific research so that you can focus on the most effective security measures and build up insurance coverage.
  • Increase your cyber maturity and resilience against cyber threats. With Zurich Cyber Resilience Solutions, we offer you a pragmatic and cost-effective approach to cyber security.

"Starter" for SMEs with annual turnover of up to CHF 10 million

  • Cyber snapshot: Assessment to evaluate the company's cyber security situation based on a maturity level (checklist)
  • External and internal vulnerability scans: Automated process for identifying and detecting security vulnerabilities in computer systems and networks
  • Cyber awareness training: Empower your employees to recognize potential cyber threats and reduce the likelihood of successful cyber attacks

Package price: CHF 4,000

"Essential" for SMEs with annual turnover of CHF 10 million to 100 million

  • Cyber health check or cyber maturity assessment: Assessment based on the standard questionnaires of Zurich and the National Institute of Standards and Technology (NIST), including a detailed report and appropriate recommendation
  • Financial exposure: Financial risk based on predefined cyber risk scenarios that help define and prioritize cyber investments
  • Cyber awareness training: Empower your employees to recognize potential cyber threats and reduce the likelihood of successful cyber attacks
  • Phishing simulation: Simulation to test employees' ability to recognize phishing emails and respond appropriately

Package price: CHF 9,900

What is cyber insurance?

Cyber insurance protects companies against the financial consequences of cyber attacks or data breaches (data discontinuity). It covers a wide range of risks, including data loss, business interruption, ransomware extortion and reputational damage, as well as the costs of reporting data breaches and legal representation.

What does cyber insurance cover?

Typically, cyber insurance covers the costs of restoring data, third-party liability claims due to data breaches, loss of earnings and additional costs due to business interruptions, ransom payments in the event of ransomware attacks, as well as public relations and crisis management.

How much does cyber insurance cost?

The cost of cyber insurance depends on the size of the company, the industry, the type and scope of the data, the deductible and the scope of cover. The premium can cost anywhere from a few hundred to several thousand Swiss francs per year. The basic version of our cyber insurance, for example, costs CHF 410 per year.

When does an SME need cyber insurance?

Any company that processes, stores or sends sensitive data such as customer data, payment information, intellectual property or other confidential information is at risk, as are all companies with business-critical processes that depend on their IT. Cyber attacks and data breaches are on the rise. Cyber insurance can help to cover financial losses and the costs of data recovery, legal liability or reputational damage, and ensure ongoing business operations. This is particularly true for SMEs that have no IT security department of their own or too few resources, but need access to specialists around the clock.

Is cyber insurance really necessary?

The number of cyber attacks is increasing from year to year. A data breach can result in high costs, significant outlay and reputational damage that threatens the company's existence. That's why cyber insurance is a sensible investment in risk management for any company, regardless of its size.

What information do I need to take out cyber insurance?

As a rule, you must disclose details about your business operations, the type and scope of data stored and processed, IT infrastructure, security policies and processes, as well as previous cyber attacks and security incidents.

What does cyber insurance not cover?

  • Willful act: If a member of executive management intentionally damages the IT system, this may be considered a willful act, which may not be covered by the insurance. For example, if the employee deliberately deletes or steals sensitive data. If the employee is not a member of executive management, the loss would be covered.
  • Breaches of obligations: The breach of contractual insurance obligations can lead to the rejection of benefits. For example, if a company does not take the necessary security measures to protect its computer network.
  • Known data breaches: Claims arising from events that occurred before the start of the insurance can be excluded. For example, if cyber insurance is only taken out after an attack.
  • Bodily injury and property damage: Cyber insurance covers financial damage and not bodily injury or property damage. For example, there is no insurance coverage if a hacker attack leads to a power failure and production machines are damaged as a result.
  • Economic value: The economic value of software and data licenses or a trade secret is not covered if, for example, the data is stolen and published and the company loses its market advantage.
  • War and terrorism: Damage caused by acts of war or terrorism is generally not insured. For example, a hacker attack during a war or an attack on the IT system. Cyber terrorism is excluded from this.

The exact exclusions and conditions of cyber insurance can be found in the General Conditions of Insurance (GCI) under "Downloads".

What are the biggest cyber risks for SMEs?

  • Phishing emails and malware attacks are among the biggest threats to SMEs. Hackers can use fake emails or infected attachments to gain access to company networks and data.
  • Ransomware attacks are becoming increasingly common. Hackers encrypt data and demand a ransom for its release. This can lead to considerable financial losses and business interruptions.
  • Employees can pose a significant risk to a company's IT security and data privacy. Accidentally or intentionally, they can steal sensitive data, sabotage systems or pass on information to outsiders.
  • The loss of sensitive data can have serious consequences, whether due to hackers, technical errors or human error. And this can result in legal, financial and reputational damage.
  • Social engineering: By manipulating employees, cyber criminals can gain access to systems and data. For example, with techniques such as spear phishing, CEO fraud or identity theft.
  • Vulnerabilities and security gaps in software and systems are constantly being discovered. If companies do not regularly update and patch their IT and programs, attackers can exploit these vulnerabilities and security gaps.
  • The use of cloud services brings with it new security risks. Insecure configurations, inadequate access controls or data leaks can lead to data loss.

How can an SME protect itself against cyber attacks and their consequences?

  • Up-to-date and patched systems: Make sure that all operating systems, applications and programs are up to date and that patches are installed regularly to close security gaps.
  • Strong passwords and access control: Use strong and unique passwords, if possible with two-factor authentication. Restrict access to sensitive data and systems to authorized persons.
  • Training: Sensitize all employees to phishing emails, social engineering and other attack techniques. Conduct regular training and awareness campaigns to raise security awareness. Zurich offers such training courses.
  • Firewall and antivirus software: Install a firewall and anti-virus software on all devices and networks to block unwanted traffic and malware.
  • Data backup with recovery plan: Carry out regular backups of your data and create a well-documented and tested recovery plan.
  • Network security: Monitor your network with an intrusion detection or prevention system (IDS/IPS) and other security solutions to detect and ward off attacks.
  • External service suppliers: Ensure that your partners have implemented appropriate security measures and comply with contractually agreed security standards.
  • IT contingency plan: Create an incident response plan that includes clear responsibilities and steps for containing the attack, recovering data and communicating with those affected.
  • Business continuity plan: Create a plan that ensures that the company can maintain its business-critical processes even in an emergency or crisis.
  • Cyber insurance: Take out cyber insurance to cover the financial damage and costs of cyber attacks and data privacy breaches.

Well informed, better protected

How SMEs protect against hacker attacks

A hacker attack threatens a company's existence

Every week, the National Cyber Security Center (BACS) receives hundreds of reports of cyber incidents: at peak times over 2,000 per week. SMEs are at particular risk. What dangers lurk for small and medium-sized enterprises?

Plan B: Business continuity plan for SMEs

When IT stands still, most companies stand still. This is why SMEs – which are increasingly falling victim to cyber attacks – need a continuity plan as a plan B.

IT contingency plan: How SMEs protect themselves

Nowadays, no company can afford a prolonged IT system failure. In the best case, the failure "only" costs money; in the worst case, it costs the company its existence. Every company therefore needs an IT contingency plan.

Authentication: Protect your network and your data

With strong authentication such as 2FA or MFA, SMEs protect their company network and data with a password and at least one other factor.

The story of our cyber insurance customer Planted

The start-up Planted is causing a stir with its innovative plant-based foods.

Kaisin: New entrepreneurs with a recipe for success

Success with delicious poké bowls – co-founder Delano Fischer chats about his innovative Zurich start-up.