What security budget?

It is difficult to determine an actual percentage of a company's revenue that should be allocated to its cybersecurity budget for protecting it against data breaches and cyberattacks. Even though the proportion varies with the company's industry and revenue, among other factors, most firms usually underspend on cybersecurity.

Though there isn't a common standard or rule of thumb for what proportion of an organisation's revenue ought to be allotted to cybersecurity, most enterprises spend a very small proportion of their revenue on IT security. Enterprises such as JP Morgan Chase and Bank of America, which proudly advertise their IT security budgets, still spend less than 1% of their revenue on protecting their data. The percentage of the IT budget that companies spend on cybersecurity is still quite low. A study shows that 62% of consumer businesses spend between 4% and 8% of their annual IT budget on cybersecurity. If we boil this down to company revenue, it translates to just 1.4% of the company's revenue. According to research commissioned by IBM, a company should ideally spend around 13.7% of its IT budget on cybersecurity. Only 14% of companies spend more than 10% of their IT budget on security.

Considering that the cost of some protection measures is relatively small in comparison to the total cost of a breach or security incident, this is a basic risk-against-cost calculation. Can cyber insurance plug the gap?

However, some cyber insurance policies will pay out on ransomware; my view is that this will fuel the problem, and the bottom line is that no one should pay a ransom. Payment of a ransom doesn't guarantee that your computer systems and information will be undamaged after their release, or that they are going to be released at all.

The commonest instance is an employee duped into sending money from your bank accounts to a malicious hacker. Social engineering cover can be found on most cybercrime insurance policies, sometimes with greater limits and broader protection than on a cyber-specific insurance policy. You can protect your small business against the costs related to data breaches by buying a cyber insurance policy; a better solution would be to train staff to recognise malicious emails and to implement multifactor authentication along with robust access control.

Cyber Insurance

Market forecasts for cyber insurance policies vary from $14 billion by 2022 to $20 billion by 2025, up from less than $1.5 billion in 2016. Cyber insurance usually covers your business’ liability for a data breach involving sensitive customer information, such as Social Security numbers, bank card numbers, account numbers, driver’s license numbers and health information.

Cyber insurance policies can cover the cost of hiring consultants or experts to help protect or reconstruct data in the event of a breach. They can also pay out to your company, as a result of a breach, the cost of informing your clients about a hacker attack.

Third-party cover applies to claims against your organisation by people or companies who were harmed because of your actions or your failure to act. For instance, a client sues you for negligence after a hacker steals their personal data from your laptop and releases it online.

But does this mean less money should be spent on cybersecurity protection? Or is cyber insurance included in a company's IT security budget?

Data Breaches

Data breaches can cost companies millions of pounds in losses. To prevent these losses, a company has to take into account the IT security providers it needs in order to protect itself against cyberattacks; again, is the spend on security enough to give sufficient protection?

68 per cent of U.S. companies haven't bought any form of cyber liability or data-breach protection, showing that businesses are not adopting cyber insurance at a rate that matches the risks they face.

It's important to work with your insurance broker to understand how a cyber insurance policy and a crime insurance policy can work together to cover your profit. Most cyber insurance policies do indeed comprise some mixture of the above protection elements, and in a well-brokered cyber insurance policy the basic insuring agreements may be covered up to the full policy limits.

I would take this opportunity to compare household insurance or even motor car insurance: with either of these there will be a loss adjuster involved, and if it is discovered that the burglary of your house could have been prevented by implementing basic security, such as locking doors and windows or setting the alarm, the insurance company would consider a reduced payout or even dismiss the claim altogether. My view is that insurance companies need to drive good behaviour in companies to ensure that they have sufficient security installed, working and maintained in their IT infrastructure.

Damage to Your Reputation

Some insurance policies cover the costs you incur for marketing and public relations to protect your company's reputation following a data breach. This should be checked and included in any cyber insurance policy, as the cost of repairing a company's reputation can in itself be considerable. Again, coming back to risk against cost, a small amount of protection can and will reduce the risk of damage to reputation.

One example is implementing encryption when using, transferring or storing personal data, which renders the data valueless to cybercriminals who steal it.
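To make that point concrete, here is an added example (not code from the original post or from Zenosec) of encrypting a personal-data record at rest with AES-256-GCM from the Go standard library. The record, the record identifier and the in-memory key are all constructed for the demonstration; in a real deployment the key would live in a KMS or HSM rather than beside the data. The stored blob is random-looking bytes to anyone without the key, and any change to it, or an attempt to reuse it under another record identifier, is rejected on decryption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// NewKey returns a fresh random 256-bit key for AES-256-GCM.
// Assumption for this demo: the key is generated in memory. In production it
// would be held in a KMS or HSM and never stored next to the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealRecord encrypts one personal-data record under key with AES-256-GCM.
// recordID is bound to the ciphertext as associated data, so a stored blob
// cannot be silently moved to a different record. A fresh random nonce is
// generated per call and stored in front of the output: nonce || ciphertext || tag.
func SealRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and authentication tag to the nonce passed as dst.
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// OpenRecord reverses SealRecord. It returns an error and no plaintext if the
// key is wrong, the recordID differs, or any byte of the stored blob was altered.
func OpenRecord(key []byte, recordID string, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ciphertext := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ciphertext, []byte(recordID))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real personal data.
	record := []byte("name=Jane Example;dob=1990-01-01;card=4111111111111111")
	sealed, err := SealRecord(key, "customer-0001", record)
	if err != nil {
		panic(err)
	}
	// This is all that someone who copies the database sees.
	fmt.Println("stored:", hex.EncodeToString(sealed))

	plain, err := OpenRecord(key, "customer-0001", sealed)
	fmt.Println("decrypted:", string(plain), err)

	// Reusing the blob under another record, or changing a byte, is detected.
	_, err = OpenRecord(key, "customer-0002", sealed)
	fmt.Println("wrong record:", err)
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = OpenRecord(key, "customer-0001", tampered)
	fmt.Println("tampered:", err)
}
```

The design choice worth noting is the associated data: encrypting each record is only half the job, because without binding the ciphertext to its record identifier an insider could swap blobs between rows and have them decrypt cleanly. GCM's authentication tag covers both the ciphertext and that identifier, so the swap fails on decryption rather than silently succeeding.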

There have been a variety of lawsuits by companies against insurers over cyber claims not being covered by non-cyber insurance policies. Social engineering protection is designed to guard firms against the likes of CEO fraud, where a staff member receives an email purporting to be from the CEO and asking them to pay a sum of money.

Resident blogger for Zenosec, interested in all things cybersecurity.
