
Cyber Liability Insurance — Because Every Business Is a Target

Ransomware, phishing, data breaches — cyber threats are no longer just an enterprise problem. We help businesses of all sizes get cyber coverage that matches their actual risk, from a standalone policy to cyber included in a package.

Cyber coverage has two distinct sides — and you need both

Most businesses think of cyber insurance in terms of what happens to their customers. But the costs to your own business from a cyber event — the ransom, the recovery, the downtime — are often far larger. A complete cyber policy covers both.

First-Party Coverage — Your Losses

Covers costs your business incurs directly as a result of a cyber incident.

  • Ransomware payments and negotiation
  • Data recovery and system restoration
  • Business interruption and lost revenue
  • Forensic investigation costs
  • Crisis communications and PR
  • Notification costs to affected individuals
  • Credit monitoring for affected parties

Third-Party Coverage — Others' Claims

Covers claims made against your business by customers, partners, or others affected by a breach.

  • Customer data breach liability
  • Privacy violations and regulatory fines
  • PCI-DSS credit card assessments
  • Network security liability
  • Media liability (defamation, copyright)
  • Defense costs for regulatory investigations
  • State attorney general actions

Your General Liability policy does NOT cover cyber losses

Most GL policies have explicit cyber exclusions. If you store customer data, process payments, or rely on technology to operate, you need a standalone cyber policy or explicit cyber endorsement.

The Threats Businesses Face Today

Cyber attacks are more frequent, more sophisticated, and more expensive than ever. Here's what we're seeing most often.

Most Common

Ransomware

Malware that encrypts your files and demands payment for decryption. Average ransomware payments have reached six figures — and that's before recovery costs and downtime.

  • Ransom payment coverage
  • Negotiation support
  • Data recovery costs
  • Business interruption during recovery

Most Common

Business Email Compromise

An employee is tricked into wiring funds or sharing credentials via a convincing spoofed email. BEC is one of the most financially damaging cyber crimes.

  • Social engineering fraud
  • Funds transfer fraud
  • Invoice manipulation schemes
  • Executive impersonation

Most Common

Data Breach / Privacy Incident

Customer records, employee data, health information, or financial data is exposed — whether by hackers or employee error. Notification obligations alone can be enormous.

  • HIPAA and state law compliance
  • Notification to affected parties
  • Credit monitoring services
  • Regulatory defense and fines

Network Interruption

Your systems go down — whether from a cyber attack, a third-party provider outage, or a system failure triggered by a cyber event. Business interruption pays your lost revenue.

  • Lost revenue during downtime
  • Extra expenses to restore operations
  • Dependent business interruption
  • Contingent network outage

Cyber Extortion

Beyond ransomware — threats to publish stolen data, DDoS attacks demanding payment, or threats to damage your systems or reputation.

  • Extortion payment coverage
  • Threat negotiation services
  • Response team costs
  • Monitoring and prevention assistance

Third-Party Technology Claims

If you provide software, SaaS, or technology services and your product causes a client a cyber-related loss, you face professional liability exposure.

  • Technology E&O component
  • Client data breach from your systems
  • Software failure or outage liability
  • Included in many cyber policies

What Underwriters Look At

Cyber insurers have become significantly more selective. Here's what they evaluate — and what you can do to get better rates.

Multi-Factor Authentication (MFA)

MFA on email, remote access, and privileged accounts is now essentially required by most cyber carriers. Without it, you'll face exclusions or significantly higher premiums.

Patch Management

Keeping systems and software updated closes known vulnerabilities. Outdated software is one of the most common entry points for attackers.

Endpoint Detection & Response (EDR)

EDR tools that monitor and respond to suspicious activity on devices are increasingly required — especially for businesses over $25M in revenue.

Employee Security Training

Phishing simulation and security awareness training reduces the risk of business email compromise and credential theft.

Data Backup Practices

Offline or immutable backups significantly reduce ransomware exposure. Insurers want to know how frequently you back up and whether those backups are tested.

Incident Response Plan

Having a documented IR plan demonstrates maturity and helps reduce costs when an incident occurs. Some carriers offer premium credits for formal plans.

Common Questions

  • Almost certainly not. Most GL policies have explicit cyber exclusions, and even those without clear exclusions were not designed to cover ransomware payments, data recovery, breach notification, or regulatory fines. You need a standalone cyber policy.

  • Cost depends on your revenue, industry, data types you handle, and security controls in place. Small businesses may pay $500–$2,000/year for basic coverage. Larger businesses with significant data exposure or weaker security controls may pay significantly more. The market has hardened since 2020 — early buyers get better rates.

  • Yes. Small businesses are disproportionately targeted precisely because attackers know their defenses are often weaker. The costs of a ransomware attack or data breach are roughly the same regardless of company size — and often more devastating to a small business that lacks the reserves to absorb them.

  • Cyber policies often have sublimits — separate, lower limits for specific coverages like ransomware payments, social engineering fraud, or business interruption. A policy with a $1M overall limit might only pay $100K for funds transfer fraud. We review sublimits carefully to make sure your coverage matches your actual exposures.

  • Multi-factor authentication (MFA) is now essentially required. Carriers also look favorably on regular data backups, endpoint detection and response (EDR) tools, employee security training, and a documented incident response plan. We'll help you understand what's required before you apply.