Cyber liability insurance covers the costs when your business is hacked, suffers a data breach, or is hit by ransomware: forensic investigation, customer notification, credit monitoring, regulatory fines, lawsuits, business-interruption losses, and the ransom itself (where coverage permits). It splits into first-party (your own losses) and third-party (claims against you). Small businesses pay $500-$1,500/year; mid-size companies $3K-$10K/year; larger or high-record-count businesses $15K-$75K+. Premium is driven primarily by records held, revenue, and your security controls; MFA, tested backups, EDR, and employee training discount the premium 20-40%.
Cyber liability is the only commercial coverage where carriers actively reward security hygiene with premium credits. It's also the line where exclusions and sublimits cut the deepest: many cyber policies cap social engineering at $25K-$100K (vs the multi-million primary limit), exclude pre-existing breaches, and attach specific conditions to ransomware payments. Reading a cyber policy is a meaningfully different exercise from reading a GL or BOP. Sources: Insurance Information Institute Cyber Insurance Market Snapshot, NAIC Cyber Insurance Report 2024, Verizon Data Breach Investigations Report 2024, NetDiligence Cyber Claims Study, Get Business Coverage quote-request data (Mar-May 2026). Premium ranges are typical-case and anchored to carrier-published rate guidance; specific quotes vary materially with records held and control posture.
- Why every business needs cyber coverage now
- What cyber insurance covers (first-party + third-party)
- What it does NOT cover (key exclusions)
- How much does cyber insurance cost?
- Security controls that lower premium
- Cyber vs Professional Liability (E&O)
- How to buy cyber insurance
- Frequently Asked Questions
Why every business needs cyber coverage now
If your business holds customer information, takes electronic payments, sends invoices by email, or uses a single cloud service, you have cyber exposure. Carriers no longer treat cyber as an optional line; many BOP renewals now require a cyber-affirmative or cyber-exclusionary endorsement, and lender / vendor contracts increasingly require proof of standalone coverage with $1M+ limits.
- Average US data-breach cost: $4.88M (IBM Cost of a Data Breach Report 2024). Small-business breaches average $120K-$3.5M depending on records exposed.
- Ransomware payment alone averages $1.85M when paid (Sophos State of Ransomware 2024); that's only the payment, not the downstream forensic / notification / regulatory cost.
- 68% of breaches involve a non-malicious human element (Verizon DBIR 2024): phishing, credential misuse, accidental disclosure. These are NOT preventable by tech alone; insurance is the backstop.
- State breach-notification laws apply in all 50 states; the moment you know customer PII is exposed, you face statutory notification deadlines (typically 30-60 days) plus per-record costs.
- HIPAA / PCI-DSS / GLBA / state privacy law fines can hit even when no actual data theft occurred; failure to protect is itself actionable.
What cyber insurance covers (first-party + third-party)
Cyber policies have two distinct coverage halves. Buying just one is usually a mistake.
First-party coverage (your own losses)
Breach response + forensics
Hiring incident-response forensics, legal counsel ("breach coach"), public-relations specialists. Most cyber policies include a panel of pre-approved vendors at preferred rates; using non-panel vendors typically reduces coverage.
Notification + credit monitoring
Per-record statutory notification costs (vary by state), plus 12-24 months of credit monitoring or identity restoration services for affected individuals. NAIC-typical cost: $5-$15 per notified record.
Business interruption + extra expense
Lost revenue + continuing expenses while your systems are down from a covered cyber event, including the "waiting period" deductible (typically 8-12 hours, not days). Some policies extend to dependent-business-interruption (when a critical vendor's outage shuts you down).
Cyber extortion / ransomware
The ransom payment itself (where permitted; OFAC sanctions screening required), plus negotiation services. Note: some carriers now sub-limit ransom payments at 50% of the policy aggregate or below.
Data restoration + system replacement
Costs to restore data from backups, rebuild compromised systems, replace bricked hardware. Note: requires that you maintain functioning backups; some carriers exclude this if backups weren't tested in the prior 90 days.
Third-party coverage (claims against you)
Privacy liability
Lawsuits from individuals whose PII was exposed in a breach you suffered. Includes defense costs + settlements. Modern cyber policies cover both statutory privacy claims + common-law negligence claims.
Regulatory defense + fines
Defense costs for state AG investigations, FTC inquiries, HIPAA OCR audits, SEC investigations (for public companies). Fines coverage is "where insurable by law"; this varies by state and statute.
Network security / media liability
Claims that your network was used to attack a third party (e.g., your compromised server became part of a botnet attacking someone else), plus content-related claims (libel, slander, IP infringement on your website / social media).
What cyber insurance does NOT cover
Reading the exclusions list is where cyber buyers most often regret not doing more diligence. The most common gaps:
- Pre-existing breaches: incidents that began before the policy effective date, even if discovered after. This is why the "retroactive date" on a cyber policy matters.
- Social engineering / fraudulent transfer: wire-transfer fraud and invoice-manipulation scams are typically sub-limited at $25K-$250K, not at the full policy limit. Verify before you buy.
- War and cyber-terrorism: post-2017 policy language increasingly excludes state-sponsored attacks. Some carriers add affirmative "attribution carve-back" wording; others don't.
- Unencrypted device theft: a laptop with unencrypted PII stolen from a car may be excluded. Encryption discipline matters.
- Patching failures: some carriers exclude breaches enabled by a known critical vulnerability you didn't patch within a contractual window (often 30 days).
- Intentional acts: anything an insured intentionally did (employee theft has its own line; cyber doesn't cover it).
- Bodily injury / property damage: cyber covers data and business interruption, not physical injuries. If a cyberattack causes a physical accident, that's GL territory.
- Patent infringement: content / media liability typically covers copyright, trademark and libel, NOT patent infringement.
How much does cyber insurance cost?
| Business size | Records held | Annual premium range |
|---|---|---|
| Solo / micro (1-5 employees) | <1,000 records | $500-$1,500 |
| Small (under $2M revenue) | 1K-10K records | $1,500-$3,500 |
| Mid-size ($2M-$10M revenue) | 10K-50K records | $3,500-$10,000 |
| Mid-size, regulated (healthcare / finance) | 10K-50K records | $8,000-$22,000 |
| Larger ($10M-$50M revenue) | 50K-500K records | $15,000-$50,000 |
| High-record-count / high-risk | 500K+ records, PHI, payment data | $50,000-$200,000+ |
What drives cyber premium
- Records held: the single biggest factor. PII record counts feed directly into the carrier's modeled exposure. Healthcare PHI and payment-card data carry the heaviest weight.
- Revenue: a proxy for business-interruption exposure and scale of operations.
- Industry: healthcare, finance, e-commerce, and managed-service providers price highest. Professional services, retail, manufacturing lower.
- Security controls posture: MFA, tested backups, EDR (endpoint detection), employee phishing training. See the "Security controls" section below; these directly discount premium 20-40%.
- Prior incidents: any prior breach within 3-5 years materially increases premium or makes coverage hard to bind.
- Contractual obligations: if vendor contracts require $5M limits, the higher limit costs proportionally more.
Security controls that lower your premium
Cyber is the only commercial line where carriers will actively discount based on your controls. Most carriers now require attestation on these before they'll bind:
- Multi-factor authentication (MFA) on email, VPN, remote desktop, privileged accounts. This is now table stakes; most carriers won't bind without it.
- Backups, tested and offline: backups must be tested in the prior 90 days AND have one copy disconnected from the network (immutable / air-gapped).
- Endpoint detection and response (EDR): CrowdStrike, SentinelOne, Defender for Business, etc. Carriers prefer EDR over signature-based AV.
- Employee phishing training: annual and simulated. Reduces the 68% human-element breach factor.
- Patch management policy: critical CVEs patched within 30 days; documented process.
- Incident response plan: written, tested annually. Some carriers require IR plan attestation.
- Privileged access management: service accounts segmented, admin credentials separated from daily-use accounts.
Adopting MFA, tested backups and EDR alone typically reduces premium 20-40%. Carriers run vulnerability scans against your external IP space during underwriting; observable exposures (open RDP, exposed databases, expired SSL certificates) all penalize premium.
Cyber vs Professional Liability (E&O): they're different
The most common confusion in commercial insurance: cyber and Professional Liability (E&O) are separate policies covering different exposures. See our full Cyber vs Professional Liability comparison for the side-by-side.
- Cyber covers data and technology events: breaches, ransomware, network outages, regulatory fines.
- Professional Liability (E&O) covers professional services rendered: bad advice, errors, missed deadlines, client financial loss.
- Real-world test: a CPA emails a client an unencrypted tax return. If the client is harmed by identity theft because that email is hacked, cyber covers the breach. If the tax return contained an error that cost the client $50K, E&O covers the malpractice claim. Same email, two different policies.
- Most carriers offer both as separate policies or as a bundled "Tech E&O + Cyber" combined form for technology businesses specifically.
How to buy cyber insurance
- Inventory your data. Count PII records, payment-card transactions/year, PHI records (if applicable), and identify all vendors with access to your data.
- Tighten controls FIRST, then quote. Carriers price the control posture they see today. Spending 2 weeks enabling MFA + testing backups + deploying EDR before the underwriting questionnaire can knock 20-40% off the initial quote.
- Compare standalone vs BOP-rider. Many BOPs include a $25K-$100K cyber sublimit, which is useful but inadequate for most. Standalone cyber starts at $250K-$1M limits.
- Get 3+ specialty-carrier quotes. Cyber underwriting differs widely; Coalition / At-Bay / Chubb / Beazley / Travelers Tech each price the same risk differently.
- Read the social-engineering sublimit + the OFAC ransomware clause before binding. These are the most common claim-time surprises.
- Verify the retroactive date: if you've held any prior cyber policy, the retro date on the new one should match the original effective date to maintain continuous coverage.
Specialty cyber carriers
| Carrier | Best for | Notes |
|---|---|---|
| Coalition | SMB cyber + active monitoring | Includes free vulnerability scanning; data-driven underwriting |
| At-Bay | Tech-forward small-mid biz | Active security scanning; emphasizes control posture |
| Chubb | Larger / complex risks | Broad form, robust breach-response panel |
| Beazley | Healthcare / regulated industries | Strong HIPAA / regulatory defense bench |
| Travelers CyberRisk | Bundle with existing commercial | Smooth bundle for BOP/WC customers |
| Hiscox | Solo / micro businesses | Fast bind, simple application |
Frequently Asked Questions
Do I need cyber insurance if I have a BOP?
Probably yes. Most BOPs include a cyber sublimit of $25K-$100K, useful as a backstop but inadequate for most claims. Standalone cyber starts at $250K-$1M limits and covers the full breach-response stack (forensics, notification, regulatory defense and business interruption), which BOP cyber sublimits often don't.
Does cyber insurance pay the ransom?
Most cyber policies cover ransomware payment subject to: (1) the cyber-extortion sublimit (typically $250K-$1M, often less than the policy aggregate), (2) OFAC sanctions screening of the recipient, and (3) the carrier's pre-approval. Some carriers now require you to attempt restoration from backups first. Read the cyber-extortion clause carefully.
How is cyber insurance priced?
Cyber premium is driven primarily by records held (PII / PHI / payment data), revenue, industry, and your security controls posture. Unlike WC or commercial auto, cyber doesn't use NCCI class codes β every carrier has its own underwriting model. Adopting MFA + tested backups + EDR typically discounts premium 20-40%.
What is social engineering coverage and why is it sublimited?
Social engineering means phishing, vishing and business email compromise: attacks that trick employees into wiring funds or sharing credentials. Carriers sub-limit these because they're high-frequency and depend on human behavior more than technical controls. Typical sublimit: $25K-$250K. If your business depends on wire transfers, request a higher sublimit at binding.
How long does it take to bind a cyber policy?
Coalition / At-Bay / Hiscox can bind small-business cyber the same day or within 48 hours with a digital application. Larger or healthcare/finance risks ($10M+ revenue) typically take 1-2 weeks for underwriter review. Regulated healthcare entities and risks breached within the prior 3 years may need 30+ days and an underwriting interview.
Will a prior breach make me uninsurable?
Not uninsurable, but materially harder. Carriers ask 3-5 years back on the application. A prior breach typically: (a) excludes the prior incident retroactively, (b) increases premium 30-100%, (c) sometimes adds a coinsurance / increased deductible, and (d) may require remediation attestation. Working with a cyber-specialty broker matters here.
Is cyber insurance tax-deductible?
Generally yes: commercial cyber liability premiums are deductible as an ordinary business expense (consult your CPA for your specific situation). Claim payments to you for first-party losses are generally not taxable (they restore loss); third-party defense / settlement payments aren't income to you.
What's the difference between cyber and tech E&O?
Tech E&O (also called Technology Errors & Omissions) covers a technology business when its product or service fails and causes a client financial loss; e.g., your SaaS product has a bug that costs your customer money. Cyber covers data and breach events. Tech companies typically buy both, often as a combined Tech E&O + Cyber form from carriers like Beazley or Coalition.
Do I need cyber insurance if all my data is in the cloud?
Yes. Cloud providers protect THEIR infrastructure; you're still responsible for YOUR account compromise, misconfigured permissions, and downstream client breach claims. The shared-responsibility model means your AWS/Azure/Google subscription doesn't transfer liability. Verify your cyber policy includes dependent-business-interruption so a cloud outage that shuts you down is covered.
What does a typical cyber claim look like?
A phishing email lands, an employee clicks, credentials are harvested, the attacker accesses email and a few SharePoint folders, and 2,400 customer records are exposed. Day 1-3: forensics firm engages (covered). Day 3-7: breach coach and state notification preparation. Day 14-21: notification mailers and 12-month credit monitoring offered to affected customers (per-record cost ~$15). Total claim: $80K-$180K. That is the median small-business breach severity per NetDiligence.
Quick glossary: cyber-insurance terms
- First-party coverage: Pays for the insured's OWN losses (forensics, notification, business interruption, ransom).
- Third-party coverage: Pays defense and settlement when someone sues you over a breach you suffered. Privacy liability, regulatory defense, network security.
- Retroactive date: The earliest incident date the policy will cover. Breaches that started before this date are excluded even if discovered during the policy period. Match retro to your first-ever cyber policy effective date.
- Waiting period (business interruption): The time-based deductible for BI coverage, typically 8-12 hours. An outage shorter than this isn't covered.
- Social engineering sublimit: Lower cap on losses from phishing / impersonation / fraudulent transfer (vs the main policy limit). Often $25K-$250K. Verify before binding.
- OFAC compliance clause: Restriction on paying ransom to sanctioned entities. Carriers screen ransom recipients against the OFAC SDN list; payments to sanctioned parties are uncovered.
- Breach coach / panel counsel: Pre-approved attorneys and forensic firms the carrier will pay at preferred rates. Using non-panel vendors typically reduces coverage 20-50%.
- Dependent business interruption: Coverage for YOUR losses when a critical vendor (cloud host, payment processor) has an outage. Available as an endorsement on most cyber policies.
