Cyber liability insurance
Coverwatch places cyber liability for companies that hold customer data, take card payments, and run on connected systems. We structure it to respond when a breach or ransomware attack lands, not just clear a vendor's security questionnaire.
- Two policies in one: first-party and third-party coverage on one form
- MFA and backups underwritten: controls reviewed before bind
- 60+ carriers shopped for your risk
At a glance
- What it covers
- The cost to respond to a breach or cyberattack, and your liability to the people whose data was exposed.
- What it doesn't
- Physical property damage and bodily injury, including fire damage to your own servers.
Trusted by 60+ carrier partners
What does cyber liability insurance cover?
Cyber liability insurance covers two things at once. First-party coverage pays your own cost to respond to a breach: forensics, customer notification, data restoration, lost income, and a ransomware payment. Third-party coverage pays your liability to the people whose data was exposed, including their lawsuits and regulatory fines where insurable.
How we get you covered
We take cyber liability insurance to 60+ markets, build it to fit your business, and keep it compliant.
Read your risk
We map what could actually go wrong in your operation, where a claim would come from, and who would bring it.
Shop 60+ markets
We take your risk to the carriers that know your class and make them compete on price and terms.
Build the endorsements
We add the endorsement wording that decides whether the policy responds to a claim, beyond the base form.
Keep you compliant
We handle the COIs, additional-insured certs, and renewals, so you are never the one chasing paperwork.
Who needs cyber liability
Any business that holds customer data, takes card payments, or runs its operations on connected systems. What changes by category is the data you hold, the contracts that demand coverage, and the controls underwriters check.
Ecommerce
Online brands take card payments and store customer personally identifiable information, so a breach exposes both payment data and a customer list at once.
Apparel
High order volume means a large stored customer list and card data, so notification cost scales fast after a breach.
CPG brands
Direct-to-consumer and retail channels multiply the payment systems and customer records exposed in one event.
Supplements
Subscription billing stores card data on file, a standing target for funds-transfer fraud and account takeover.
Retail
Brick-and-mortar retailers run point-of-sale systems and store card data, the classic target for card-skimming breaches and PCI-DSS fines.
Managers hold tenant personally identifiable information and banking details, and move rent and owner funds, which draws funds-transfer fraud.
Residential property management
Tenant applications hold Social Security numbers and bank data, a dense store of personally identifiable information per unit.
Commercial property management
Large rent and capital-improvement wires make business email compromise and funds-transfer fraud the leading exposure.
What's covered, and what isn't
In the policy
Breach response and forensics
When a breach is discovered, the policy pays for the investigation: a forensics firm to find what was accessed, breach coaches, and legal counsel to map your notification duties. This first-party cost usually arrives before any lawsuit and often runs into six figures.
Customer notification and credit monitoring
State and federal law requires you to notify the people whose data was exposed, often within a set deadline. The policy funds the mailings, a call center, and credit monitoring or identity protection offered to affected individuals, which scales with the number of records you hold.
Cyber extortion and ransomware
When attackers encrypt your systems and demand payment, the policy funds the negotiation, the ransom payment where legally permitted, and the recovery. This sits inside a ransomware sublimit, a separate ceiling lower than your full policy limit, with its own security-control conditions.
Business interruption from an outage
When an attack takes your systems offline, the policy replaces the income you lose and the extra cost to keep running while you recover. A waiting period applies first: a set number of hours, often eight to twelve, that must pass before this coverage begins to pay.
Privacy and network security liability
This is the third-party half. When the people whose data was exposed sue you, or your hacked network spreads malware to others, the policy pays their claims and your legal defense. This is the liability the breach creates for everyone outside your company.
Regulatory defense and fines
A breach can trigger an investigation by a state attorney general, the FTC, or a regulator under HIPAA or a privacy law. The policy funds your defense and, where the law allows insurance to pay them, the fines and penalties that follow the investigation.
Not in the policy
Bodily injury or physical property damage
Someone hurt at your office, or physical damage to property, is not a cyber claim. Cyber pays for data and systems, not people and buildings.
Covered by General Liability
A professional service error
A mistake in the advice or service you delivered to a client, with no breach involved, is a professional error rather than a cyber event.
Covered by Professional Liability
Theft of your own money by an employee
An employee stealing the company's funds, or straightforward embezzlement, is a fidelity loss. Funds-transfer fraud by an outside attacker is a cyber sublimit, but inside theft is not.
Covered by a commercial crime policy
Fire or physical damage to your servers
If a fire, flood, or power surge destroys the physical servers in your office, that is property damage to your own equipment, not a cyber breach.
Covered by Commercial Property
A breach you already knew about
An incident in progress, or a prior breach known before the policy started, is excluded. Cyber covers attacks you do not see coming, not a loss already underway.
Not insurable once known
Claims cyber liability pays
Ransomware shutdown
Attackers encrypt your systems and demand payment to unlock them. Between the ransom negotiation, forensics, data restoration, and the income lost while you are offline, a single event compounds across several coverage parts.
$150K–$2M+
Data breach exposing customer PII
An intruder copies a database of names, card numbers, or health records. Every affected person must be notified, offered credit monitoring, and may join a class action, and notification cost alone scales with the record count.
$100K–$5M+
Business email compromise and funds-transfer fraud
An attacker impersonates a vendor or executive over email and tricks staff into wiring money to a fraudulent account. Recovery is rare, so the loss usually lands inside the policy's social-engineering sublimit.
$50K–$1M+
Third-party privacy lawsuit
Customers or a regulator sue over how their data was exposed or handled. Defense costs accrue for years, and a state attorney general investigation can run alongside the private suit on the same breach.
$100K–$5M+
Ranges are typical response, defense, and settlement bands for these claim types, not a quote. Actual exposure depends on the volume and sensitivity of records you hold, your controls, and your limits.
How much coverage you need
There is no standard limit. Two things decide what you actually need, and you carry whichever is higher.
- The volume and sensitivity of records you hold
- Notification cost and class-action exposure scale with the number of people whose data you store, and health, financial, and payment-card records cost more per record than a marketing list. Size to the breach that empties your whole database, not an average incident.
- What a contract or regulator requires
- An enterprise client's contract or a card-network rule often sets a floor of one to five million in cyber coverage before they let you handle their data. That floor is frequently higher than what your own records alone would justify, so it sets the number.
- Enterprise client MSA: $1M–$5M. A master services agreement with a large client typically requires cyber liability at one to five million, paired with a passing security questionnaire, before they share data or sign.
- SaaS / vendor agreement: $1M–$2M. Software and technology vendor contracts commonly require cyber and tech E&O at one to two million as a condition of onboarding to a customer's systems.
- PCI-DSS (card-handling merchants): per acquirer. Merchants that store or process card data face PCI-DSS fines and assessments after a breach. Acquiring banks and payment processors frequently require cyber coverage that includes PCI fines and assessments.
- Policy aggregate: $1,000,000. The most the policy pays in total across every claim in one policy year, first-party and third-party combined. Once it is used up, coverage is exhausted until renewal. One million is the common starting limit for a small business.
- Each claim: $1,000,000. The ceiling on any single breach or incident. On many small-business cyber policies the per-claim limit equals the aggregate, so one large event can consume the entire year's coverage.
- Ransomware sublimit: often 50% of limit. A separate, smaller ceiling that applies only to extortion and ransomware. A policy with a $1M limit may cap ransomware at $500K, and the sublimit is conditioned on you having backups and MFA in place.
- Social-engineering sublimit: $100K–$250K. A low, separate cap for funds-transfer fraud where staff are tricked into sending money. It is far below the main limit because this is the most-claimed and most-abused part of a cyber policy.
- Business-interruption waiting period: 8–12 hours. Not a dollar figure but a time deductible. Your systems must be down for this many hours before lost-income coverage begins, so a brief outage pays nothing.
- Retention: $2,500–$25,000. The deductible you pay on each claim before the policy responds. A higher retention lowers your premium but means you fund more of a small breach yourself.
Endorsements that close the gaps
The base form is the start. These add-ons are where the policy gets built to fit your business.
Social engineering and funds-transfer fraud
Adds or raises the sublimit for losses where staff are deceived into wiring money or changing payment details. Standard cyber forms cap this low, so most businesses buy the limit up.
Ransomware sublimit buy-back
Restores ransomware and extortion coverage toward the full policy limit when the base form caps it at a fraction. Usually conditioned on MFA, EDR, and tested backups being in place.
Dependent business interruption
Extends lost-income coverage to an outage at a vendor you rely on, such as a cloud host or payment processor, when their downtime stops your business even though your own systems are fine.
Regulatory defense and fines
Confirms coverage for the defense cost and, where insurable by law, the fines from a regulator investigation under a privacy law, HIPAA, or a state attorney general action.
Media liability
Covers claims arising from your online content, such as defamation, infringement, or a privacy violation in what you publish, which sits outside the breach-response core of a cyber policy.
Questions buyers actually ask
Cyber liability insurance covers two distinct halves on one policy. The first-party side pays your own cost to respond to a breach or attack: a forensics investigation to find what happened, legal counsel, notifying the people whose data was exposed, credit monitoring, restoring lost data, the income you lose while systems are down, and a ransomware payment where the law permits it. The third-party side pays your liability to others: lawsuits from the people whose data was exposed, claims when your hacked network harms another business, and a regulator's investigation. A complete policy carries both, because a single breach usually triggers your own recovery cost and someone else's claim at the same time. Cyber liability is typically written on a claims-made basis, meaning the policy must be in force both when the act occurs and when the claim is made for it to respond.
Usually no. A general liability policy and most business owners policies cover bodily injury and physical property damage, not the loss of electronic data or a hacked system. Some packaged policies add a small cyber sublimit, often ten or twenty-five thousand dollars, which is a fraction of what a real breach costs to respond to. After the average United States breach, which IBM put at 9.36 million dollars, that sublimit is exhausted before the forensics bill is paid. A standalone cyber liability policy is the coverage built for breach response, ransomware, notification, and the lawsuits that follow. Treat any cyber grant inside a general liability or business owners policy as a starting point, not the coverage.
Yes, in most cases, but inside a ransomware sublimit rather than the full policy limit. When attackers encrypt your systems and demand payment, the policy funds the negotiation, the ransom where it is legally permitted to pay, and the cost to restore your data and operations. The catch is the sublimit: a policy with a one million dollar limit may cap ransomware at five hundred thousand. That sublimit is also conditioned on security controls. Carriers commonly require multi-factor authentication and tested, immutable backups before they will pay a ransomware claim, and a missing control can void it. If ransomware is your top concern, buy the sublimit back up toward the full limit and confirm the conditions are met.
Five controls show up on nearly every cyber application today. The first is multi-factor authentication, enforced on email, remote access, and administrator accounts. The second is endpoint detection and response, or a managed detection service, on every server and workstation. The third is encrypted, offline-capable backups with tested restores, often following the three-two-one rule. The fourth is a written incident response plan with a recent tabletop exercise. The fifth is a documented patch-management program. Underwriters no longer take a checkbox at face value; carriers run external scans and ask for evidence before they bind. Missing multi-factor authentication or weak endpoint protection are the two most common reasons an application is declined or priced up.
Two inputs set the number, and you carry the higher. The first is the volume and sensitivity of the records you hold, because notification cost and class-action exposure scale with how many people are affected, and health, financial, and card data cost more per record than a marketing list. The second is what a contract or regulator demands. An enterprise client's master services agreement, a card-network rule, or a vendor agreement often sets a floor of one to five million before they let you handle their data. Many small businesses start at one million in total limit, then raise it as their record count grows or a large client requires more. Size to the breach that empties your whole database, not an average incident.
They cover different thieves. A cyber policy responds to an outside attacker: a breach, ransomware, a hacked network, and the data exposure and lawsuits that follow. A commercial crime or fidelity policy responds to dishonesty involving your own money, most often theft or embezzlement by an employee. The overlap is funds-transfer fraud, where an outside attacker tricks staff into wiring money. That sits in a cyber policy's social-engineering sublimit, but a crime policy may also address it, and the two can dispute which responds. Because the social-engineering sublimit on a cyber policy is usually low, businesses that move money often carry both, and confirm which policy is primary for a wire-fraud loss before a claim happens.
Focus on the work.
We'll be your risk team.
Get a free coverage review and risk plan. If your current program is solid, we'll tell you. Either way, you walk away with a free expert opinion.