The data is clear: Portugal registered a 67% increase in ransomware attacks on companies in 2025, with a growing focus on SMEs with turnover between 5 and 50 million euros. These companies are attractive targets because they hold valuable data but invest little in cybersecurity.
The biggest problem? The vast majority discovered that the insurance they had — usually integrated into a multi-risk policy — covered practically nothing.
What a cyber attack really costs
- Direct costs of recovery and digital forensics
- Business interruption (sometimes weeks)
- Mandatory notification to the CNPD and potential GDPR fines
- Reputational damage and loss of customers
- Possible ransom payment
- Civil liability towards affected customers
What an adequate cyber policy should include
A well-structured cyber risk policy should cover, at a minimum, the following situations:
- Incident response and 24/7 crisis management
- Costs of data recovery and restoration
- Loss of revenue due to business interruption
- Civil liability for third-party data breaches
- Cyber extortion coverage
- Legal and regulatory costs (CNPD, GDPR)
What is usually not covered
Pay attention to the most common exclusions: unsupported legacy infrastructure, unpatched known vulnerabilities, attacks by employees, and indirect reputational damage. These exclusions are negotiable — and this is where the choice of broker makes a difference.
Adler & Rochefort specialises in structuring cyber policies that truly cover what companies face in the real world. Contact us for a free analysis of your exposure.