
Is cybersecurity insurance relevant for SAP?

Cybersecurity insurance

Cybersecurity is a top-of-mind priority for organizations of all types. From businesses to government agencies and non-profits, leaders must consider a growing number of cyber threats, risks, and vulnerabilities. All organizations face uncertainty or risk. Typically, it is the risk manager's job to guide the C-suite toward the most appropriate options for each identified hazard. The size and growth of the cybersecurity insurance market suggest extraordinary demand.

Renowned experts estimate that the cybersecurity insurance market will reach $12.2 billion by 2022 and expect it to more than double in size by 2027, to roughly $28 billion. As a CISO or CRO, you must constantly ask yourself whether the risks you face are covered. When securing SAP ERP, security departments are often helpless, especially since common processes, insights, and standardization are missing or hard to achieve.

However, cybersecurity insurance is only one of many tools that organizations can use to manage their risk profile (a prioritized inventory of their most significant risks).  

What is cyber insurance?

Cyber insurance protects your business against the consequences of a hacker attack, for example, an attack on mission-critical SAP applications.

Frequently, a cyber-attack encrypts essential data or folders to paralyze your business and then extorts a ransom in exchange for releasing the company’s data.  

For SAP customers, a data breach is usually accompanied by a threat to publish sensitive customer data such as payment information, patient records, commercial conditions, and trade secrets on the internet or darknet.

This means that a hacker attack brings several problems, such as:

  • Business downtime
  • Incurred ransoms
  • Claims for damages caused by unknowingly passing malicious content to third parties, or by data protection violations.

As a result, this is where cyber insurance comes into play. Cyber insurance includes the following benefits: 

  • Compensation for financial damage, e.g. lost sales in the event of a business interruption, such as when production is "paralyzed" or the SAP ERP is "down".
  • Assumption of notification and legal costs in the event of a data breach (depending on the type of attack, patients, customers, etc. must be informed immediately, and you must defend against GDPR (DSGVO) fines).
  • Assumption of the costs of damages incurred when third parties' personal rights are violated through the unknowing spread of a virus or malware. In addition, cyber insurance defends you against unjustified claims for damages.
  • Some insurers even pay the ransom to the extortionists if this is the last resort (and we do not recommend doing so!).
  • Many companies rely on the trust of their customers, and suffering a cyberattack can cause a significant reduction in business. Reputational damage coverage compensates the insured for lost income caused by damage to their reputation following a cybersecurity event, for a specified duration.

What are the minimum requirements for cyber insurance?

A positive basis for cyber insurance is always a holistic cybersecurity concept because cyber insurance cannot replace it but only supplement it.  

Especially in the SME market, the requirements are vague and, according to my research, almost always include the following: 

  • Ongoing virus protection that is always kept up to date
  • Use of firewalls
  • A concept with firmly defined and graduated access rights
  • Regularly performed data backups to external systems

Today, cyber insurance policies offer coverage beyond data breaches and protect against a broad range of cyber threats. To determine the level of insurance coverage you need, you must know your risk profile before picking any items from the insurer's menu. When selecting specific insurance coverage, new requirements always come to light. As with all insurance, you must study the clauses of the contract in detail, especially the exclusion clauses.

For example, SAP systems require documentation and enforcement of segregation-of-duties concepts. As a manufacturer of a cybersecurity solution for SAP that covers vulnerability management, code analysis, security patch management, and real-time monitoring, we are asked by insurance companies what belongs to the holistic protection of SAP besides an authorization concept.

What are the costs for cyber insurance for SAP?

Many factors influence the costs of cyber insurance. The common variables used by insurers are the number of employees in the company, the countries in which the company operates, and the annual turnover. However, if you want to secure specific coverage such as Business Email Compromise (BEC), the use of email security tools will also have a positive impact on premiums.

The cyber insurance segment has boomed lately. Today, it has become a topic that nearly every business leader is thinking about, and many organizations have already purchased insurance. Regarding the operators of SAP environments, I can only re-emphasize that these applications always serve a business purpose, and their failure entails dramatic consequences.  

Before taking out an insurance policy, companies must determine their risk profile and not rely naively on the advice of a broker. Established cybersecurity standards and tools are a positive factor for many insurers when calculating premiums. Some even require the use of vulnerability management and attack monitoring solutions. 

Posted by

Christoph Nagy
