Cyber liability insurance pays for the costs your business faces after a data breach or cyberattack — including breach notification, credit monitoring, legal defense, regulatory fines, and third-party claims from affected customers. A standalone cyber policy typically covers both first-party losses (your own recovery costs) and third-party liability (claims from others).
Who this is for: Any business that stores customer data, processes payments, or relies on digital systems — from medical offices and law firms to contractors using cloud-based project management tools.
TL;DR — Key Takeaways
- General liability does NOT cover cyber losses. Most GL and commercial property policies explicitly exclude data breach and network security claims.
- First-party + third-party coverage in one policy. First-party pays your incident response costs; third-party pays claims from customers, patients, or partners whose data was exposed.
- Premiums typically run $800–$4,500/year for small-to-mid-size businesses, depending on revenue, industry, data volume, and security controls.
- Claims-made trigger is standard. The policy in effect when the claim is reported — not when the breach occurred — responds; this means coverage gaps during lapses are a real risk.
- Ransomware and social engineering are the top drivers of small-business cyber claims in the U.S. today.
What Does Cyber Liability Insurance Actually Cover?
A commercial cyber policy is split into two major coverage sections, one for your own losses and one for claims brought against you by others:
First-Party Coverage (Your Own Losses)
| Coverage Element | What It Pays |
|---|---|
| Breach response / notification costs | Forensic investigation, attorney fees, and required notice to affected individuals |
| Credit monitoring & identity restoration | Typically 12–24 months for affected individuals |
| Public relations & crisis communications | PR firm fees to manage reputational damage |
| Business interruption (cyber BI) | Lost net income and extra expense while systems are down |
| Ransomware / extortion payments | Ransom payments and negotiation costs (subject to policy conditions and sanctions screening) |
| Data restoration | Cost to restore or recreate corrupted or destroyed data |
| Social engineering / funds transfer fraud | Losses from fraudulent wire transfer instructions (often sublimited) |
Third-Party Liability Coverage
| Coverage Element | What It Pays |
|---|---|
| Network security liability | Claims that your systems transmitted malware or enabled a breach of a third party |
| Privacy liability | Claims from individuals or regulators for failure to protect personal information (PII/PHI) |
| Regulatory defense & fines | Legal defense costs and covered fines/penalties under HIPAA, state breach laws, CCPA/CPRA, etc. |
| Media / content liability | Claims for online copyright infringement or defamation in digital content |
| PCI-DSS fines & assessments | Contractual fines from card brands following a breach (check policy; often sublimited) |
Important distinction: Social engineering losses (e.g., an employee wired money to a fraudster) are covered by many cyber policies but often sublimited to $25,000–$100,000. Verify your specific policy language.
What Cyber Insurance Does NOT Cover
- Intentional or criminal acts by the insured
- Prior known incidents or circumstances — anything you knew about before the policy effective date
- Bodily injury or property damage caused by a cyberattack (these route to GL or commercial auto)
- Infrastructure or utility failures not caused by a covered cyber event
- Costs to improve or upgrade systems beyond pre-loss condition
- War and nation-state cyberattacks — carriers are increasingly adding war exclusions; review carefully if you operate critical infrastructure
How Much Does Cyber Insurance Cost?
Premiums vary significantly based on five underwriting factors: annual revenue, industry (healthcare and finance pay more), volume and sensitivity of data held, security controls in place, and claims history.
Illustrative Annual Premium Ranges by Business Type
| Business Type | Annual Revenue | Typical Annual Premium | Typical Limit |
|---|---|---|---|
| Retail / e-commerce | $500K–$2M | $800–$1,800 | $1M |
| Professional services (consulting, marketing) | $1M–$5M | $1,200–$2,500 | $1M–$2M |
| Healthcare / medical practice | $1M–$5M | $2,500–$6,000 | $1M–$2M |
| Law firm (under 10 attorneys) | $2M–$8M | $2,000–$5,000 | $1M–$2M |
| Technology company / SaaS | $1M–$10M | $2,500–$8,000 | $1M–$3M |
| Construction / trades (cloud tools, PII) | $2M–$10M | $900–$2,200 | $1M |
Ranges are illustrative estimates based on typical market conditions as of mid-2026. Your actual premium will depend on carrier underwriting, MFA adoption, endpoint protection, backup practices, and other controls. Request a formal quote for accurate pricing.
What Lowers Your Premium
- Multi-factor authentication (MFA) on email and remote access
- Endpoint detection and response (EDR) software
- Tested, offline data backups
- Security awareness training for employees
- Incident response plan on file
Cyber Insurance Policy Structure: Key Terms to Know
Claims-made trigger: The policy in force when you report the claim responds — not the policy in force when the breach happened. If you cancel or let coverage lapse, you lose coverage for unreported incidents even if they occurred during a prior policy period. A retroactive date sets how far back in time the policy will reach.
Retention (deductible): Most cyber policies use a per-claim retention of $2,500–$25,000 for small businesses. Some policies use a straight deductible (the carrier pays the loss, then bills you for the retained amount), while others use a self-insured retention (SIR) that you must exhaust before the carrier's obligation attaches.
Sublimits: High-exposure coverages like social engineering, PCI fines, and ransomware payments are often subject to sublimits lower than the overall policy limit. Always compare the sublimit, not just the headline limit.
Coinsurance: Rarely used in cyber policies, but some carriers apply a co-insurance provision on business interruption — verify before binding.
How to Get Cyber Coverage in 5 Steps
1. Audit your data exposure. Identify what personal data you hold (customer PII, payment card data, protected health information), where it lives, and who has access.
2. Harden your security posture. Enable MFA, deploy EDR software, and document your backup procedures before applying — underwriters will ask, and better controls mean lower premiums.
3. Complete the cyber application. Modern applications ask specific questions about MFA, patching cadence, vendor access, and backup testing. Answer honestly; misrepresentation can void a claim.
4. Compare quotes across carriers. Cyber policy language varies more than almost any other commercial line. Compare sublimits, war exclusions, retroactive dates, and panel counsel provisions — not just premium.
5. Bind coverage and record the retroactive date. The retroactive date determines how far back in time the policy will cover unknown incidents that surface later, so keep it on file with the policy documents.
Real-World Scenario: Ransomware Attack on a Mid-Size Medical Practice
The situation: A 12-physician orthopedic practice in Texas with $8M in annual revenue is hit by a ransomware attack that encrypts its electronic health records system and billing platform. The attackers demand $150,000 in Bitcoin. Systems are down for nine days.
What the cyber policy paid (illustrative):
| Loss Category | Estimated Amount |
|---|---|
| Forensic investigation (IR firm) | $28,000 |
| Ransom payment (carrier-approved) | $95,000 |
| Legal / HIPAA breach counsel | $22,000 |
| Patient notification (3,400 patients) | $18,500 |
| Credit monitoring (12 months × 3,400) | $34,000 |
| Business interruption — 9 days lost revenue | $63,000 |
| Public relations firm | $12,000 |
| Total insured loss | ~$272,500 |
The practice carried a $2M cyber limit with a $10,000 retention. Out-of-pocket cost: $10,000. Without the policy, the practice would have absorbed the full ~$272,500 — plus potential HIPAA fines that were settled for an additional $45,000 (covered under the regulatory defense sublimit up to $250,000).
This example is illustrative only. Actual claim outcomes depend on policy terms, carrier claim handling, and facts of the incident.
Frequently Asked Questions
Does my general liability policy cover a data breach?
No. Standard ISO commercial general liability (CGL) forms contain a "Distribution of Material in Violation of Statutes" exclusion and, increasingly, explicit cyber exclusions (ISO endorsement CG 21 07 or similar). A standalone cyber policy is required for breach response and network security liability.
Is cyber insurance required by law or contract?
No federal law currently mandates cyber insurance for most private businesses, but contracts often do — particularly technology services agreements, healthcare vendor agreements (Business Associate Agreements under HIPAA), and contracts with large retailers or government agencies. Check your vendor and client contracts.
What is a retroactive date and why does it matter?
The retroactive date on a claims-made cyber policy is the earliest date from which unknown incidents will be covered if discovered and reported during the policy period. If your retroactive date is January 1, 2025, a breach that occurred in 2024 will NOT be covered even if you report it today. Never accept a retroactive date later than your prior policy's retroactive date when renewing.
How does cyber insurance handle ransomware?
Most cyber policies cover ransom payments as a first-party expense, subject to the policy limit or a ransomware sublimit, OFAC/sanctions screening (carriers will not pay ransoms to sanctioned entities), and carrier pre-approval for the payment. The carrier's incident response panel typically handles negotiations. Some policies also cover cryptocurrency conversion fees.
Will my cyber insurer cancel me after a claim?
Carriers may non-renew or significantly increase premiums after a material claim. However, mid-term cancellation (during the policy period) for a single claim is uncommon unless fraud is involved. Insurers may require enhanced security controls as a condition of renewal.
What limits should a small business carry?
Most advisors recommend a minimum of $1M per occurrence / $1M aggregate for businesses with modest data exposure. Healthcare, legal, and technology businesses should consider $2M–$5M given regulatory exposure and client contractual requirements. Large enterprises often carry $10M or more in layered tower programs.
Does cyber insurance cover employee errors?
Yes — most cyber policies cover accidental employee actions that result in a breach, such as sending an email with unencrypted patient data to the wrong recipient or misconfiguring a cloud storage bucket. Intentional or criminal acts by the insured or their employees are excluded.
How is cyber insurance different from a data breach rider on my BOP?
BOP data breach endorsements (sometimes called "cyber liability add-ons") are typically narrow, offering $50,000–$100,000 for notification costs only. They rarely include business interruption, ransomware, third-party liability, or regulatory defense. A standalone cyber policy provides materially broader protection.
Why Morrow for Cyber Insurance
1. We access multiple cyber markets — not just one. As an independent agency, Morrow shops your risk across admitted and surplus lines cyber carriers to find coverage that matches your actual exposure, not just the cheapest price. Carrier cyber policy language differs substantially; we compare sublimits, exclusions, and panel counsel provisions, not just premium.
2. We understand regulated industries. Healthcare practices, law firms, financial services businesses, and technology companies face heightened cyber exposure and contractual requirements. Morrow producers understand HIPAA Business Associate Agreement requirements, state breach notification thresholds, and client contract demands for specific cyber limits.
3. Fast certificates and documentation. If a client or vendor contract requires proof of cyber coverage, Morrow can provide evidence of insurance quickly — typically same day or next business day for standard requests.
4. Claims advocacy when it matters. A ransomware event is not the time to navigate an insurer's claims portal alone. Morrow actively monitors open claims and advocates with carriers to ensure proper coverage application, timely reserve setting, and use of the carrier's incident response panel.
5. Security control consultation. Beyond placing the policy, Morrow helps clients understand which security improvements most meaningfully reduce both premium and exposure — especially for businesses undergoing their first cyber underwriting process.
Get a Cyber Insurance Quote
Ready to protect your business from data breach and ransomware losses? Morrow makes it straightforward.
Request a cyber insurance quote → | Call [Morrow to confirm]
Morrow (Afthonea Inc, DBA Morrow) is a licensed independent commercial insurance agency. [Morrow to confirm: licensed states, NPN]. Carriers represented include [Morrow to confirm]. Customer reviews: [Morrow to confirm rating platform and score].
Related Pages
- Commercial Insurance Overview
- General Liability Insurance
- Business Owners Policy (BOP)
- Technology E&O / Tech Professional Liability
- Errors & Omissions (Professional Liability)
- Cyber Insurance Cost Guide
- Cyber Insurance for Healthcare
- What Is a Retroactive Date?
Author: Morrow Editorial Team, reviewed by a licensed commercial P&C producer [Morrow to confirm: named producer credential, e.g., CPCU, ARM]
Published: June 2026
Last updated: June 2026
Sources:
- Insurance Information Institute (III) — Cyber and Identity Theft Insurance, iii.org
- National Association of Insurance Commissioners (NAIC) — Cyber Insurance Report, naic.org
- U.S. Department of Health & Human Services — HIPAA Breach Notification Rule, hhs.gov/hipaa
- Cybersecurity & Infrastructure Security Agency (CISA) — Ransomware Guide, cisa.gov
- ISO (Insurance Services Office) — CGL form CG 00 01 and cyber exclusion endorsements
- Federal Trade Commission (FTC) — Gramm-Leach-Bliley Act Safeguards Rule, ftc.gov
- California Privacy Protection Agency — CCPA/CPRA enforcement guidance, cppa.ca.gov
