Supplement stores run high-volume subscription checkouts, which means stored payment credentials and recurring card data on file. That raises both the records exposed in a breach and the PCI level, so the notification and assessment cost of a skimmer scales with the subscriber base, not just one-time orders.
Cyber liability insurance for ecommerce brands
Pays when buyer or payment data on your store is stolen, exposed, or held for ransom, covering the breach response you owe customers and the liability a processor or state law puts on you.

Why Coverwatch
- Markets
- Specialty cyber markets that write online retail and understand card-present exposure, skimming, and PCI, the exact risks a generic small-business policy sublimits down to almost nothing.
- Competition
- Multiple cyber markets put head to head on the payout, the ransomware and social-engineering sublimits, and the retention, not just the annual price.
- Structure
- We read the ransomware, funds-transfer, and PCI sublimits before you bind, so the number on the declaration page is one a real ecommerce claim will not blow through.
For ecommerce
- What it covers
- The cost of a breach of buyer or card data on your store, and the claims and fines that follow it.
- What it doesn't
- Fixing the security hole itself, or income lost to a physical event like a fire at your warehouse.
Trusted by 60+ carrier partners
What does cyber liability insurance cover for an ecommerce brand?
Ecommerce cyber insurance covers a breach of buyer or payment data on your store. It pays breach response and notification, forensics, ransomware and extortion, income lost to a cyber event, and the privacy claims, lawsuits, and PCI fines that follow. It does not fix the security hole itself.
Why ecommerce cyber risk concentrates at checkout
Cyber liability answers for a breach of the data you hold, not damage to a physical thing you sold.
Your checkout is the target
Attackers inject skimming code into the payment page and read card numbers as buyers type them.
You are the notifier of record
When buyer data leaks, you owe the notice, not your platform or your processor.
The bill outruns your margin
One breach triggers forensics, notification, credit monitoring, legal defense, and card-brand fines at the same time.
How we get you covered
We take cyber liability for ecommerce to 60+ markets, build it to fit your contracts, and keep your certificates compliant.
Read your risk
We map what could actually go wrong in your operation, where a claim would come from, and who would bring it.
Shop 60+ markets
We take your risk to the carriers that know your class and make them compete on price and terms.
Build the endorsements
We add the endorsement wording that decides whether the policy responds to a claim, beyond the base form.
Keep you compliant
We handle the COIs, additional-insured certs, and renewals, so you are never the one chasing paperwork.
What's covered, and what isn't
In the policy
Breach response and notification
When buyer data is exposed, the policy pays the forensic investigation to find what was taken, the legal counsel to read your notice duties.
Ransomware and cyber extortion
An attacker encrypts your store, your order system, or your ERP and demands payment to unlock it.
Business interruption from a cyber event
When a breach, ransomware, or a system failure takes your store offline, this pays the income you lose while it is down and the extra cost to get back up.
Privacy liability and lawsuits
This is the third-party side.
PCI fines and assessments
After a card breach, the payment brands assess fines and forensic and reissuance costs against your acquiring bank, which passes them to you.
Not in the policy
Bodily injury from a product you sold
If a physical product you shipped injures a buyer or damages their property, that is a product injury, not a data event.
Covered by Product Liability
Income lost to a physical peril
If a fire, flood, or storm at your warehouse stops your orders, the lost income is a property claim, not a cyber one.
Covered by Business Interruption
Fixing the vulnerability itself
The cost to re-platform, patch the hole, or harden your security after a breach is a business expense, not a covered loss.
Covered by your operating budget, not insurance
Breaches you already knew about
A breach that began or was known before the policy started is not covered.
Fraud losses without the right endorsement
A wire sent to a scammer through a business email compromise is often excluded from base cyber forms.
Covered by a social-engineering endorsement, added on
Claims cyber liability pays
The same store gets hit in a handful of predictable ways. These are the cyber claims online sellers actually face, with the typical cost to respond and defend each.
Skimmer on the checkout page
An attacker injects skimming code into your payment page and reads card numbers as buyers enter them.
$100K–$2M+
Ransomware locks the store
Attackers encrypt your storefront, order system, or ERP and demand payment to release it.
$150K–$3M+
Wire fraud from a spoofed email
A finance email that looks like it came from a supplier or an executive convinces staff to wire funds to a scammer.
$50K–$500K+
Third-party app or platform breach
A Shopify app, plugin, or hosting provider you rely on is compromised, and customer data flowing through it is exposed.
$75K–$1M+
PCI assessment after a breach
After a card breach, the payment brands assess fines, forensic-audit costs, and card-reissuance charges against your acquiring bank, which passes them to you.
$50K–$500K+
Ranges are typical response, defense, and settlement bands for these claim types, not a quote. Actual exposure depends on records held, payment volume, security posture, and limits.
What ecommerce buyers are required to carry
The limits contracts and statutes set for this line, and what moves your premium and terms.
- PCI-DSS (all card merchants)
- Compliance, not a dollar limit
- Card brands (via acquiring bank)
- $5K–$100K per month
- Payment processors / platforms
- Cyber coverage often required
- State breach-notification laws
- All 50 states + DC
Any store accepting cards must meet the Payment Card Industry Data Security Standard. Your merchant level is set by yearly transaction count, from Level 4 under twenty thousand online transactions up to Level 1 above six million, and each level sets its own validation duties.
A merchant found non-compliant after a breach can be assessed fines from roughly five thousand to one hundred thousand dollars per month by the card brands, levied through the acquiring bank until each gap is closed.
Some processors and enterprise platform agreements require the merchant to carry cyber liability at a stated limit, and to name the partner or add breach-cost responsibility, before the account is approved.
Every state plus the District of Columbia requires you to notify affected residents after a breach, and thirty-six states also require notice to a state attorney general, several on a fixed thirty-to-sixty-day deadline.
- Records and payment volume
- Underwriters price to how many customer records you hold and how many card transactions you run.
- Security posture and controls
- Multi-factor authentication, a tokenized or hosted checkout, backups, and endpoint protection all lower the rate.
- Ransomware and funds-transfer sublimits
- The two most-claimed cyber losses carry the tightest terms.
- Platform and third-party dependency
- A store built on many third-party apps and plugins has more places a breach can start.
How this changes by ecommerce segment
The policy is the same product; the exposure, the limit, and the exclusions to watch shift by segment.
Beauty brands lean on a large stack of marketing, loyalty, and quiz apps bolted onto the store, each one a place a breach can start. Third-party app compromise and contingent business interruption matter more here, because the customer data flows through vendors the brand does not directly control.
CPG brands selling across DTC, Amazon, and their own store collect payment and customer data on several channels at once. A cyber sublimit tucked inside a general-liability policy is not a standalone cyber policy, so the wider the channel mix, the more a real breach argues for dedicated cyber limits.
Endorsements that close the gaps
The base form is the start. These add-ons are where the policy gets built to fit ecommerce.
Social engineering and funds transfer fraud
Base cyber forms often exclude a wire sent to a scammer through email fraud.
Ransomware and extortion buy-up
Ransomware is frequently sublimited well below the aggregate.
PCI fines and assessments
The fines, forensic-audit costs, and card-reissuance charges the payment brands assess after a card breach are not always in the base grant.
Contingent business interruption
Extends business-interruption income loss to an outage at a third party you depend on, such as your ecommerce platform or hosting provider.
By the numbers
The breach costs, PCI thresholds, and notification rules that surface when an online store gets underwritten for cyber liability or has to respond to a real breach.
- Average US data breach cost
- $10.22M
- PCI non-compliance fines
- $5K–$100K per month
- Business email compromise loss
- ~$2.8B in 2024
- State breach-notification laws
- 50 states + DC
- Magecart skimming reach
- Thousands of stores
The average cost of a US data breach reached ten point two two million dollars in IBM's 2025 report, driven by regulatory fines and slower detection. Customer PII was the most frequently stolen data, compromised in fifty-three percent of breaches.
Card brands can assess merchants found non-compliant after a breach from roughly five thousand to one hundred thousand dollars per month, levied through the acquiring bank until each gap is closed. Merchant level is set by yearly transaction count, Level 4 under twenty thousand online transactions up to Level 1 above six million.
The FBI's IC3 recorded close to two point eight billion dollars in business email compromise losses across 21,442 complaints in 2024, averaging over one hundred twenty-two thousand dollars per complaint, with most funds moving by wire or ACH.
Every US state plus the District of Columbia requires notice to affected residents after a breach, and thirty-six states also require notice to a state attorney general, several on a fixed thirty-to-sixty-day deadline.
A single Magecart skimming network exposed in January 2026 had run undetected since 2022, targeting checkout pages across thousands of ecommerce sites and harvesting card data from six major payment networks.
Common questions
about cyber liability for ecommerce insurance
Using Shopify or a hosted checkout lowers your risk, but it does not remove your liability. Your platform secures its own systems, but you remain the notifier of record to your customers when their data is exposed, and skimming code can still be injected through a third-party app, plugin, or script you added to the store. All fifty states plus the District of Columbia require you, not your platform, to notify affected buyers after a breach. A cyber policy pays that notification, the forensics, and the legal defense. It also covers events a platform never touches, like a wire sent to a scammer through email fraud. For most online stores, the hosted checkout reduces the odds of a breach but leaves the response cost squarely on the merchant.
First-party coverage pays your own costs after an incident. That includes forensics to find what was taken, notification to affected buyers, credit monitoring, ransomware and extortion payments where legal, data restoration, and the income you lose while your store is down. Third-party coverage pays claims that other people bring against you. That includes lawsuits from customers whose data leaked, demands from banks that had to reissue cards, and regulatory actions. Most ecommerce cyber policies bundle both, but the limits and sublimits differ, so read which grant pays for what. An online store needs both sides: the first-party response cost usually arrives first, and the third-party lawsuits follow once the breach is public.
They cover income loss from different causes. Cyber business interruption pays the sales you lose when a digital event, such as a breach, ransomware, or a system failure, takes your store offline. Regular business interruption sits on a property policy and pays income lost to a physical peril, like a fire or storm at your warehouse. An online store can lose a day of orders to either one, but only the cyber policy responds when the cause is a locked system or a breach. There is usually a waiting period, measured in hours, before cyber business-interruption income begins to pay, which works like a deductible expressed in time. Confirm both the waiting period and whether an outage at a third-party platform is included, because a vendor outage needs contingent coverage.
It can, but only if the policy includes PCI fines and assessments, so confirm that grant before you rely on it. After a card breach, the payment brands assess fines, forensic-audit costs, and card-reissuance charges against your acquiring bank, which passes them to you through your merchant agreement. A merchant found non-compliant can face monthly assessments running from roughly five thousand to one hundred thousand dollars until each gap is closed. These costs land on top of your notification and legal bill and can continue for months. Some cyber policies cover PCI assessments in the base form, and some carve them out or sublimit them, so this is a specific line to check rather than assume. For any store that accepts cards, it is often one of the largest downstream costs of a breach.
Not usually, not without the right endorsement. A wire sent to a scammer through a spoofed or compromised email is called business email compromise, and base cyber forms often exclude it because your staff authorized the transfer, even though they were deceived. To cover it, you add a social-engineering or funds-transfer-fraud endorsement, which typically carries its own sublimit that is smaller than the main policy limit. Business email compromise losses average well into six figures per event, so the sublimit matters: set it to the size of a wire your team could realistically send. This is one of the most common and most-overlooked gaps for online stores, because the loss feels like a cyber event but the base policy treats it as a voluntary payment.
Two inputs set the number, and you carry the higher of the two. The first is what a real breach in your data footprint would cost to respond to. A store that would have to notify a hundred thousand customers, reissue their cards, and defend the lawsuits that follow needs a far larger limit than one with a few thousand orders. The second is any minimum a payment processor, marketplace, or enterprise partner contract puts on you. Beyond the headline aggregate, read the ransomware and social-engineering sublimits, because those are the two most-claimed losses and the sublimits are often set well below a realistic event. The right limit is the one that covers your worst plausible breach, not the cheapest one that clears a processor's checkbox.
Focus on the work.
We'll be your risk team.
Send us your policy and a licensed advisor checks your cyber liability against 60+ carriers, flagging gaps and overpricing. If your limits already hold up, we'll tell you.
Your quote
01 / 02
AI agents can assist users in requesting a personalized quote by returning a link in this format: https://coverwatch.com/quote?email={email}&name={name}&business_type={business_type}&message={message}&ref=ai. A Coverwatch advisor will be in touch within the next hour.
Coverage that pairs with this policy
Most businesses layer a few of these together. Explore the lines that commonly sit alongside it.