Cyber Insurance in 2025: What It Actually Covers, What It Doesn't, and How to Choose the Right Policy

As ransomware attacks average $4.9 million in damages and data breach costs continue to climb, cyber insurance has moved from a niche product to a boardroom necessity. But navigating the fine print — and understanding what you're actually buying — is harder than ever.

Key figures cited on this page:

  • $4.9M: average ransomware cost
  • 72 days: average time to detect a breach
  • 43%: share of attacks aimed at small businesses
  • +89%: premium growth 2020–2024

What Cyber Insurance Actually Is

Cyber insurance — also called cyber liability insurance or cyber risk insurance — is a specialized policy designed to help organizations recover from the financial and reputational damage caused by digital threats. Unlike general commercial liability coverage, which predates the internet and was never designed to address digital risk, cyber policies are written specifically for the modern threat landscape.

At its core, a cyber policy is a contract. In exchange for a premium, an insurer agrees to reimburse certain costs and losses associated with a defined set of cyber incidents. The scope of what qualifies as a "cyber incident" varies considerably between carriers — a critical detail most buyers overlook when comparing quotes.

The product has evolved substantially since its origins in the early 2000s, when policies were narrow and relatively cheap. Today's policies span sophisticated coverage categories, include complex triggers and conditions, and are priced using risk models that analyze hundreds of data points about your technology environment, industry, and security posture.

Standalone vs. Packaged Cyber Coverage

Businesses typically encounter cyber coverage in two forms. Standalone cyber policies are dedicated contracts that provide broad, detailed coverage across all major cyber risk categories. These are preferred by mid-sized and large organizations because they offer higher limits, clearer terms, and coverage that keeps pace with emerging threats.

Packaged or endorsed coverage adds a cyber rider to an existing commercial policy — a Business Owner's Policy (BOP), for example. These are more affordable and can work for small businesses with limited digital exposure, but they typically come with narrower definitions, lower sublimits, and less claims support. If your business processes significant customer data or relies heavily on digital operations, a packaged policy is rarely sufficient.

Why Cyber Insurance Is No Longer Optional

The question of whether to buy cyber insurance has largely been settled — at least for businesses that operate digitally in any meaningful capacity. The remaining question is how much, and what kind.

Consider the numbers. IBM's 2024 Cost of a Data Breach report placed the global average cost of a breach at $4.88 million, a record high. For small businesses, even a modest breach can be existential: attorneys, forensic investigators, notification vendors, regulatory fines, and class-action exposure combine quickly. An often-cited (and frequently disputed) figure holds that 60% of small businesses that suffer a major cyberattack close within six months; whatever the true rate, small firms have the least capacity to absorb an unplanned six- or seven-figure loss.

"The question is no longer whether a business will face a cyber incident. It's whether they will be able to absorb the cost when it happens."

— Robert Parisi, Managing Director, Marsh Cyber Practice

Beyond recovery costs, the regulatory environment is tightening globally. The EU's GDPR carries fines of up to 4% of annual global turnover. The FTC's Safeguards Rule imposes strict data security requirements on financial institutions. U.S. state privacy laws — now covering over 60% of the population — create breach notification obligations and private rights of action. Cyber insurance doesn't eliminate these obligations, but it funds the legal and compliance machinery needed to respond.

Cyber Risk Affects Every Industry

Healthcare, finance, and retail were the early targets — sectors with large amounts of sensitive personal data. But the modern threat landscape is indiscriminate. Manufacturing firms face operational technology (OT) attacks that halt production lines. Logistics companies experience GPS spoofing and freight fraud. Law firms are targeted for privileged communications. Municipalities face ransomware that disrupts essential services.

No sector has proven immune. And across all of them, the financial stakes have risen far beyond what traditional property or liability insurance addresses.

First-Party Coverage: Protecting Your Own Business

First-party coverage addresses losses your business sustains directly — the costs you pay out of your own pocket when a cyber incident disrupts your operations or exposes your data. This is typically the most immediately useful component of a cyber policy.

🔒

Data Breach Response

Covers forensic investigation, legal counsel, breach notification letters, call center setup, and credit monitoring services for affected individuals.

💸

Ransomware & Extortion

Covers ransom payments (subject to carrier approval and OFAC compliance), negotiation fees, and cryptocurrency transaction costs.

📉

Business Interruption

Reimburses lost income and increased operating expenses during the period a covered cyber event prevents normal operations.

🖥️

System Restoration

Covers IT costs to restore, replace, or rebuild hardware, software, and data destroyed or corrupted in an attack.

📣

Crisis Communications

Funds public relations experts and media management to protect your brand reputation in the aftermath of a breach.

💳

Cyber Fraud & Financial Theft

Covers funds transferred to fraudulent accounts via business email compromise (BEC) or social engineering schemes.

Business Interruption: The Most Misunderstood Coverage

Business interruption (BI) coverage is one of the most valuable — and most disputed — components of a cyber policy. It typically covers the net income the business would have earned had the incident not occurred, plus the extra expenses incurred to maintain operations during recovery.

The key terms to scrutinize in your policy are the waiting period (often 8–12 hours before coverage triggers) and the restoration period (how long BI payments continue). Some policies also include contingent business interruption: BI losses caused not by a direct attack on your systems, but by an attack on a critical vendor or supplier. This extension is increasingly important in an era of cloud concentration risk.

⚠ Watch Out

Many policies exclude BI losses caused by a "system failure" that is not the direct result of a malicious act. The 2021 Fastly outage and the 2024 CrowdStrike incident, both caused by software faults rather than attackers, would not have triggered BI coverage under that language; and because both were failures at a vendor rather than on the insured's own systems, recovering those losses would also have required a contingent BI extension. Always confirm whether "system failure" and "cloud provider outages" are explicitly included, and whether the contingent BI extension applies to them.

Third-Party Coverage: Protecting Against Lawsuits

Third-party coverage activates when outside parties — customers, business partners, regulators — bring claims against your organization because of a cyber incident you were involved in. This is your legal liability shield.

Network Security Liability

This covers claims alleging that your network security failures allowed malware, ransomware, or denial-of-service attacks to spread to third parties. If a compromised vendor infects your systems and you pass that infection to your clients, this coverage responds to the resulting lawsuits.

Privacy Liability

If your organization fails to properly protect personal information — and customers or employees suffer harm as a result — privacy liability coverage funds your legal defense and settlements. This is especially relevant under GDPR, CCPA, and other modern privacy statutes, where the exposure can be enormous.

Regulatory Defense and Fines

When a breach triggers a regulatory investigation (by the FTC, HHS, SEC, or a state attorney general), this coverage pays for the attorneys and expert witnesses needed to respond — and, where insurable under applicable law, the resulting civil fines and penalties. Note: In many jurisdictions, penalties resulting from willful or intentional misconduct are not insurable.

Media Liability

Covers claims of copyright infringement, defamation, or invasion of privacy arising from your digital content — website, social media, email campaigns. This is distinct from traditional media liability coverage and is specific to online channels.

💡 Pro Tip

When evaluating third-party limits, consider your contractual obligations. Many enterprise contracts require vendors to carry specific cyber liability limits. Your policy should meet or exceed those requirements, factored against your actual legal exposure in your industry.

What Cyber Insurance Does NOT Cover

This is where many businesses learn, too late, that their coverage wasn't what they thought it was. Exclusions in cyber policies have tightened considerably since 2020, and understanding them before you buy is critical.

| Exclusion | What it means | Covered? |
| War & state-sponsored attacks | Attacks attributed to nation-state actors (e.g., Russia, North Korea) may be excluded as acts of war | ✗ Often excluded |
| Infrastructure attacks | Attacks on power grids, water systems, or financial infrastructure that cause collateral damage | ✗ Typically excluded |
| Prior known events | Incidents that began (or were reasonably discoverable) before the policy inception date | ✗ Always excluded |
| Bodily injury / property damage | Physical harm resulting from a cyber event (e.g., connected medical device failure) | ✗ Usually excluded |
| Intellectual property theft | Loss of trade secrets or proprietary data, which is not the same as personal data | ✗ Typically excluded |
| Voluntary data disclosure | An employee legitimately shares data that later causes harm | ✗ Often excluded |
| Future lost profits | Long-term revenue impact after the policy's restoration period ends | ✗ Not covered |
| Unencrypted device loss | Lost laptops or drives that were not encrypted may be excluded | ✗ Conditional |
| Insider threats | Intentional data theft by a rogue employee | ✓ Some policies cover |
| Ransomware payments | Payment to sanctioned entities (OFAC) may void coverage | ✓ Covered if compliant |

The War Exclusion: A Growing Battleground

The war exclusion has become one of the most contested issues in cyber insurance. The 2017 NotPetya malware attack — attributed by western governments to Russian military intelligence — caused over $10 billion in global losses. When Merck & Co. filed a claim under its property policy, insurers denied it under the war exclusion. A New Jersey court ultimately ruled in Merck's favor, but the case exposed a fundamental gap in coverage language.

In response, Lloyd's of London required that standalone cyber policies written in its market from March 2023 onward exclude losses from state-backed cyber attacks that significantly impair a state's ability to function or its security capabilities (narrower than a blanket nation-state exclusion, but still hinging on attribution). Other major markets followed. The practical problem: attribution is hard. Determining whether an attack was state-sponsored or criminal is difficult, contested, and politically charged, and yet the answer can determine whether a $50 million claim gets paid.

When reviewing a policy, look for how "hostile or warlike action" is defined, whether the exclusion is limited to attacks on critical infrastructure or is broader, and whether the carrier has a defined attribution process.

ℹ Information

Some markets now offer specific "hostile nation-state" endorsements that restore coverage for certain state-linked attacks at an additional premium. If your organization operates in sectors attractive to state-sponsored hackers — defense, energy, financial services, healthcare — this endorsement deserves serious consideration.


How Cyber Insurance Premiums Are Calculated

Cyber insurance pricing is far more dynamic than most commercial lines. Unlike property insurance, which relies heavily on actuarial tables built over decades, cyber pricing is built on evolving threat intelligence, rapidly changing technology environments, and relatively limited historical loss data. This is why premiums can vary dramatically — and why underwriting questionnaires have grown from 5 pages to 40 or more in the past five years.

Primary Rating Factors

  • Revenue and company size. Larger revenue means larger potential loss exposure. Premium scales roughly — though not linearly — with revenue.
  • Industry classification. Healthcare, financial services, and education are considered high-risk due to the sensitivity of data handled and frequency of attacks. Manufacturing has grown riskier due to OT/IT convergence.
  • Data volume and type. How many records of personally identifiable information (PII), protected health information (PHI), or payment card data do you store? Each type carries different regulatory and legal exposure.
  • Security controls. This has become the dominant pricing variable. Carriers now adjust premiums significantly based on the presence or absence of specific controls (see the next section).
  • Prior loss history. Previous claims substantially affect pricing and can lead to coverage restrictions or non-renewal.
  • Technology environment. On-premise vs. cloud, legacy systems, software patch cadence, and email security infrastructure all factor in.
  • Geographic footprint. Operating in certain countries or jurisdictions with stricter data protection laws increases regulatory exposure.

What Premium Ranges Look Like

Broad averages in 2025, for reference:

| Business size | Coverage limit | Typical annual premium |
| Small (< $5M revenue) | $1M | $1,500 – $6,000 |
| Mid-market ($5M–$50M) | $2M – $5M | $8,000 – $35,000 |
| Mid-enterprise ($50M–$250M) | $5M – $15M | $35,000 – $150,000 |
| Enterprise (> $250M) | $15M – $100M+ | $150,000 – $2M+ |

These ranges are illustrative. High-risk industries (healthcare, finance) will price at the upper end or beyond. Businesses with strong security controls can negotiate downward. Following a major breach event or claim, premiums can spike by 50–300%.

💡 Benchmark Tip

The "right" premium is not the cheapest one — it's the one that reflects actual risk transfer and adequate limits for your exposure profile. Under-insuring to save on premium is one of the most common and costly mistakes in this market.

Security Controls Insurers Now Require

The single biggest shift in cyber underwriting since 2020 has been the move toward controls-based pricing. Insurers no longer simply accept your attestation that you "take security seriously." They require specific controls, verify them, and in some cases mandate them as conditions of coverage.

Below are the controls that virtually every major carrier now treats as baseline requirements for any meaningful level of coverage.

  • Multi-Factor Authentication (MFA) — Required on all remote access, privileged accounts, and email. Its absence is the single most common reason applications are declined; without MFA, expect either a flat declination or a heavily loaded premium.
  • Endpoint Detection and Response (EDR) — Active EDR on all endpoints. Traditional antivirus is no longer sufficient. Carriers want behavioral detection, not just signature-matching.
  • Privileged Access Management (PAM) — Controlling and monitoring who has admin-level access to your systems. Unmanaged privileged accounts are a primary attack vector.
  • Immutable and Tested Backups — Backups that are isolated from the primary network, cannot be modified or deleted by ransomware, and are tested regularly for restoration. Many insurers specifically ask when backups were last restored.
  • Email Filtering and Anti-Phishing — A filtering gateway with attachment sandboxing; SPF, DKIM, and DMARC published for every sending domain, with DMARC enforcing (p=quarantine or p=reject) rather than monitoring only (p=none); and a phishing simulation program.
  • Patch and Vulnerability Management — Defined processes for patching critical vulnerabilities within specified timeframes. Many claims arise from unpatched known vulnerabilities.
  • Incident Response Planning — A documented, tested incident response plan with defined roles and external vendor contacts (forensics, legal, PR).
  • Security Awareness Training — Regular employee training including phishing simulations. Social engineering remains one of the most common initial-access vectors.
  • Network Segmentation — Separating critical systems so that a compromise in one area cannot spread laterally across the entire network.
  • Vendor/Third-Party Risk Management — Documented process for assessing and monitoring the security of key vendors and technology partners.

If your organization cannot attest to all of these controls, you should expect either declination, significantly reduced limits, coverage carve-outs for specific risks (like ransomware), or substantial premium loading. Working with a broker to identify and close control gaps before going to market can result in meaningfully better terms.
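The email-authentication control is the one where "configured" and "effective" most often diverge: an SPF record ending in "~all" and a DMARC record at p=none are both "configured", and both let spoofed mail through. The checker below is an added example, not the article's or any carrier's tooling. It grades SPF and DMARC TXT records by policy strength so the questionnaire answer rests on evidence. All records are constructed; in practice you would fetch them with a resolver (TXT at the domain apex for SPF, at _dmarc.<domain> for DMARC). DKIM is deliberately not graded, because its record sits under a selector name the checker has to know in advance.

```python
"""Grade SPF and DMARC TXT records by policy strength (added example; records constructed)."""
from __future__ import annotations
import re

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _mechanism(term: str) -> str:
    """'include:_spf.example.com' -> 'include', '-all' -> 'all', 'ip4:10.0.0.0/8' -> 'ip4'."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def grade_spf(apex_txt: list[str]) -> list[str]:
    """Findings for the TXT records at a domain's apex; an empty list means SPF looks sound."""
    spf = [r for r in apex_txt if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record published"]
    findings = []
    if len(spf) > 1:
        findings.append("SPF: multiple v=spf1 records (permerror; receivers ignore SPF entirely)")
    terms = spf[0].split()[1:]
    # The 'all' mechanism decides what happens to senders not matched before it.
    all_terms = [t for t in terms if _mechanism(t) == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism; unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF: '+all' authorises every host on the internet")
        elif qualifier == "?":
            findings.append("SPF: '?all' is neutral and provides no protection")
        elif qualifier == "~":
            findings.append("SPF: '~all' softfail; acceptable only with DMARC enforcing")
    lookups = sum(1 for t in terms if _mechanism(t) in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10 (permerror)")
    return findings


def parse_dmarc(record: str) -> dict[str, str]:
    """'v=DMARC1; p=reject; rua=mailto:x@y' -> {'v': 'DMARC1', 'p': 'reject', 'rua': 'mailto:x@y'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_dmarc(dmarc_txt: list[str]) -> list[str]:
    """Findings for the TXT records at _dmarc.<domain>; empty list means the policy enforces."""
    dmarc = [r for r in dmarc_txt if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no record published at _dmarc.<domain>"]
    if len(dmarc) > 1:
        return ["DMARC: multiple records; receivers treat this as no policy"]
    tags = parse_dmarc(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return ["DMARC: missing or invalid 'p' tag; the record is ignored"]
    findings = []
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("DMARC: invalid pct tag")
    if policy != "none" and pct < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports never arrive")
    return findings


def assess_domain(apex_txt: list[str], dmarc_txt: list[str]) -> dict:
    """Combine both grades; 'enforcing' is the answer to give the underwriter."""
    spf, dmarc = grade_spf(apex_txt), grade_dmarc(dmarc_txt)
    record = next((r for r in dmarc_txt if r.lower().startswith("v=dmarc1")), "")
    tags = parse_dmarc(record)
    enforcing = (
        tags.get("p", "").lower() in ("quarantine", "reject")
        and tags.get("pct", "100") == "100"
        and not any("permerror" in f for f in spf)
    )
    return {"spf": spf, "dmarc": dmarc, "enforcing": enforcing}


if __name__ == "__main__":
    # Constructed records for a domain that is "configured" but not enforcing.
    print(assess_domain(["v=spf1 include:_spf.example.net ~all"],
                        ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]))
```

Run it against every domain you send from, including marketing and transactional subdomains; "enforcing" must be true for all of them before the questionnaire answer is "yes".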

How to Choose the Right Cyber Insurance Policy

Choosing a cyber policy is not simply a price comparison exercise. The definitions, sublimits, retentions, and carrier-specific claims practices matter enormously — and they vary significantly across the market. Here's a structured framework.

Step 1: Understand Your Own Risk Profile

Before approaching the market, conduct an internal risk assessment. Ask:

  • What data do we collect, store, and transmit? How much, and how sensitive?
  • What would happen if our systems were unavailable for 24 hours? 72 hours? One week?
  • What are our regulatory obligations — GDPR, HIPAA, PCI DSS, CCPA?
  • What is our annual revenue? What percentage comes from digital channels?
  • Who are our critical technology vendors? What would happen if they were compromised?

This baseline shapes how much coverage you need and which coverage components matter most.

Step 2: Define Adequate Limits

A common approach is to start with a maximum probable loss (MPL) estimate: what would a realistic worst-case incident actually cost? Consider forensic investigation ($150–$300/hr), legal fees, notification costs ($5–$50 per affected individual), regulatory fines, and business interruption. An MPL analysis, even a rough one, typically reveals that a standard $1 million policy leaves most businesses processing significant personal data materially underinsured.

Step 3: Compare Coverage Components, Not Just Price

When evaluating competing proposals, create a coverage matrix. For each proposal, document:

  • Sublimits for key coverages (business interruption, ransomware, social engineering)
  • Retention/deductible amounts — and whether they differ by coverage type
  • Definition of "computer system" — does it include cloud environments? OT/SCADA? Employee-owned devices?
  • Trigger language for business interruption — does it require a named attack, or just a system failure?
  • War and nation-state exclusion language and breadth
  • Panel vendors (forensics, legal, PR) — are they mandatory or advisory?
  • Retroactive date — how far back does coverage extend for claims-made policies?

Step 4: Evaluate the Carrier's Claims Capability

The best-written policy is worthless if the carrier can't execute when you file a claim. Research:

  • Does the carrier have a dedicated cyber claims team with 24/7 availability?
  • Do they have pre-approved, experienced IR firms, forensic vendors, and legal counsel?
  • What is their average time from first notice to payment authorization?
  • Have they denied claims in your industry? What were the grounds?

Step 5: Work With a Specialist Broker

Cyber is one of the most specialized lines in commercial insurance. A general commercial lines broker may not have the market access, underwriting relationships, or technical expertise to navigate it effectively. Look for brokers with demonstrated cyber practice teams who can:

  • Provide access to specialty markets (Lloyd's syndicates, specialist U.S. carriers)
  • Assist with application preparation and security narrative
  • Benchmark your proposed terms against the market
  • Advise on coverage gaps before a claim, not after

⚠ Red Flags in a Policy

Watch for these warning signs: vague or undefined terms like "security breach" or "cyber event" without specific definitions; sublimits dramatically lower than your overall policy limit (e.g., ransomware capped at 25% of your policy limit); consent clauses requiring insurer approval before any response expenditure; and "voluntary" payment exclusions that may void coverage for ransom paid without prior carrier approval.


How the Claims Process Actually Works

Understanding the claims process before you experience an incident is one of the most practical things a policyholder can do. The decisions made in the first 24 hours of an incident have a profound effect on both the outcome of the event and the success of the subsequent claim.

  1. Contain and preserve. Before anything else, your IT team should focus on containment: isolating affected systems (network isolation, credential resets) to prevent spread. Crucially, do not wipe, reimage, or "clean up" affected hosts, and do not delete or modify logs, before forensic images and log copies have been taken; that evidence is essential both to the investigation that follows and to substantiating the claim.
  2. Notify your carrier immediately. Most policies have a "prompt notice" requirement. Delayed notification — days or weeks after discovery — is one of the most common grounds for claim complications. Your broker should have an emergency line. Call it.
  3. Engage carrier-approved vendors. Most policies require (or strongly incentivize) use of the carrier's pre-approved panel vendors for forensic investigation, legal counsel, and crisis communications. Using non-panel vendors without authorization can jeopardize reimbursement. Get approval before you engage anyone outside your organization.
  4. Document every cost. From the first hour of the incident, track every cost: staff overtime, vendor invoices, temporary system costs, lost transaction records. Claims are reimbursed against documented, substantiated costs. Undocumented expenses are often disputed.
  5. Cooperate with the investigation. The insurer's appointed forensic team will conduct a root cause analysis. Your cooperation — access to systems, logs, personnel — is a policy condition. Obstruction or misrepresentation can void coverage.
  6. Follow the regulatory notification process. Your legal counsel will advise on breach notification obligations — which regulators to notify, by when, and how. Cyber policies typically cover these notification costs, but the process must be handled carefully to preserve coverage.
  7. Submit a proof of loss. Your carrier will provide a proof of loss form to be completed within a specified timeframe (often 60–90 days). This summarizes the incident, the covered losses, and the supporting documentation.
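Steps 1, 4 and 5 turn on one thing: whether the evidence you hand the carrier's forensic panel can be shown to be what you collected, unmodified. The script below is an added example, not a carrier's or vendor's tool. It copies log files into an evidence directory, records a SHA-256 manifest with the collector and collection time, marks the copies read-only, and later re-verifies the manifest so any later modification (including a well-meaning "clean-up") is detectable. The log lines, paths and collector address in demo() are constructed.

```python
"""Preserve log evidence with a SHA-256 manifest and verify it later (added example)."""
from __future__ import annotations
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve(sources: list[Path], evidence_dir: Path, collector: str) -> dict:
    """Copy each source into evidence_dir/items, hash it, and write manifest.json."""
    items_dir = Path(evidence_dir) / "items"
    items_dir.mkdir(parents=True, exist_ok=True)
    manifest = {"collector": collector,
                "collected_at": datetime.now(timezone.utc).isoformat(),
                "items": []}
    for i, src in enumerate(map(Path, sources)):
        dest = items_dir / f"{i:03d}_{src.name}"   # index prefix avoids basename collisions
        shutil.copy2(src, dest)                     # copy2 keeps mtime, useful for timeline work
        digest = sha256_file(src)
        if sha256_file(dest) != digest:
            raise RuntimeError(f"copy of {src} does not match the source hash")
        os.chmod(dest, 0o444)   # read-only discourages accidental edits; it is not tamper-proof
        manifest["items"].append({
            "source": str(src), "stored_as": dest.name, "sha256": digest,
            "size": dest.stat().st_size,
            "source_mtime": datetime.fromtimestamp(src.stat().st_mtime, timezone.utc).isoformat(),
        })
    (Path(evidence_dir) / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(evidence_dir: Path) -> list[str]:
    """Names of preserved items whose current hash differs from the manifest (empty = intact)."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    bad = []
    for item in manifest["items"]:
        p = evidence_dir / "items" / item["stored_as"]
        if not p.exists() or sha256_file(p) != item["sha256"]:
            bad.append(item["stored_as"])
    return bad


def demo() -> tuple[list[str], list[str]]:
    """Constructed walk-through: preserve two logs, verify, tamper with one copy, re-verify."""
    work = Path(tempfile.mkdtemp())
    auth = work / "auth.log"
    auth.write_text("Mar  3 02:14:07 bastion sshd[4121]: Accepted publickey for svc-backup from 10.0.4.19\n"
                    "Mar  3 02:15:31 bastion sudo: svc-backup : COMMAND=/usr/bin/rm -rf /backups/snapshots\n")
    web = work / "access.log"
    web.write_text('10.0.4.19 - - [03/Mar/2025:02:10:02 +0000] "GET /owa/auth/x.js HTTP/1.1" 200 512\n')
    evidence = work / "evidence"
    preserve([auth, web], evidence, collector="ir-lead@example.com")   # constructed address
    intact = verify(evidence)
    # Simulate an admin "tidying" the preserved copy after the fact.
    tampered = evidence / "items" / "000_auth.log"
    os.chmod(tampered, 0o644)
    with tampered.open("a") as f:
        f.write("Mar  3 03:00:00 bastion note: cleaned\n")
    return intact, verify(evidence)


if __name__ == "__main__":
    print(demo())   # ([], ['000_auth.log'])
```

Ship the manifest to the panel forensic firm alongside the files, and keep a copy somewhere the IR team cannot write to (an object-storage bucket with versioning and object lock, for instance); the manifest is only as trustworthy as the place it is stored.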

The full claims cycle — from first notice to final payment — often takes 6 to 18 months for significant incidents. Complex claims involving business interruption disputes or coverage interpretation questions can take longer and may involve appraisal or litigation.

Common Mistakes Businesses Make With Cyber Insurance

Most cyber insurance mistakes are preventable. They cluster around the same failure patterns, year after year.

Treating It As a Compliance Checkbox

Buying the minimum required by a client contract — and no more — is a remarkably common approach. It leaves businesses with limits that bear no relationship to their actual exposure. Compliance requirements reflect minimums, not financial adequacy.

Misrepresenting Security Controls

Underwriting questionnaires ask detailed questions about security controls. Attesting to controls that don't exist — whether deliberately or through internal miscommunication between the person answering and the people actually running IT — constitutes material misrepresentation. Carriers investigate claims thoroughly, and discrepancies between attested controls and actual security posture are a primary basis for claim denial.
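The MFA requirement earlier on this page and the misrepresentation problem here have the same remedy: answer the questionnaire from evidence, not memory. The script below is an added example, not the article's or any carrier's tooling. It reads an AWS IAM credential report (the CSV returned by "aws iam get-credential-report") and lists every identity whose state contradicts "MFA on all privileged accounts": the root account without MFA, console users without MFA, and long-lived access keys, which MFA never protects and so need rotation or policy conditions. The report text, account ID and user names are constructed, using a subset of the real report's columns; the report date is pinned so the key ages are reproducible.

```python
"""Check an IAM credential report against the 'MFA everywhere' attestation (added example)."""
from __future__ import annotations
import csv
import io
from datetime import date, datetime

# Constructed sample: a subset of the credential report's columns, fictitious account and users.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2019-01-04T10:00:00+00:00,not_supported,2025-02-01T09:12:00+00:00,not_supported,not_supported,false,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-03-02T08:00:00+00:00,true,2025-03-01T12:00:00+00:00,2024-11-01T00:00:00+00:00,N/A,true,true,2025-01-15T00:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-06-10T08:00:00+00:00,true,2025-03-03T07:30:00+00:00,2023-01-15T00:00:00+00:00,N/A,false,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2020-09-01T08:00:00+00:00,false,no_information,N/A,N/A,false,true,2022-05-01T00:00:00+00:00,false,N/A
"""

REPORT_DATE = date(2025, 3, 5)   # pinned so the ages computed below are reproducible
KEY_MAX_AGE_DAYS = 90


def _age_days(stamp: str, today: date) -> int | None:
    """Days since an ISO-8601 timestamp; None for N/A, not_supported or no_information."""
    try:
        return (today - datetime.fromisoformat(stamp).date()).days
    except ValueError:
        return None


def mfa_findings(report_csv: str, today: date = REPORT_DATE) -> list[tuple[str, str, str]]:
    """(user, code, detail) for every gap between the attestation and the report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user, has_mfa = row["user"], row["mfa_active"] == "true"
        if user == "<root_account>":
            if not has_mfa:
                findings.append((user, "ROOT_NO_MFA", "root account has no MFA device"))
            continue
        # Only identities with a console password can (and must) have MFA.
        if row["password_enabled"] == "true" and not has_mfa:
            findings.append((user, "USER_NO_MFA", "console password enabled without MFA"))
        # Access keys are never covered by MFA; stale keys are the usual blind spot.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                age = _age_days(row[f"access_key_{n}_last_rotated"], today)
                if age is None or age > KEY_MAX_AGE_DAYS:
                    when = "never rotated" if age is None else f"last rotated {age} days ago"
                    findings.append((user, "STALE_KEY", f"access key {n} {when}"))
    return findings


def can_attest_mfa_everywhere(report_csv: str, today: date = REPORT_DATE) -> bool:
    """True only when no console identity, root included, lacks MFA."""
    return not any(code in ("ROOT_NO_MFA", "USER_NO_MFA")
                   for _, code, _ in mfa_findings(report_csv, today))


if __name__ == "__main__":
    for user, code, detail in mfa_findings(SAMPLE_REPORT):
        print(f"{code:<12} {user:<16} {detail}")
    print("can attest:", can_attest_mfa_everywhere(SAMPLE_REPORT))
```

The same pattern applies to every attested control: pull the export the system itself produces (identity provider sign-in policies, EDR agent inventory, backup job history) and let the questionnaire answer follow from the export, with the export retained as the record of what was attested and when.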

Assuming Property or Liability Policies Cover Cyber

Traditional property policies typically cover physical damage — not digital assets. Traditional commercial general liability (CGL) policies often have explicit cyber exclusions. The assumption that existing policies "probably cover" a breach is incorrect and has led to enormous, unexpected losses.

Never Reviewing the Policy After Purchase

Technology environments change rapidly. A policy that reflected your risk two years ago may be poorly aligned with your current cloud footprint, vendor relationships, or data volume. Annual reviews — ideally before renewal — should include a reassessment of coverage adequacy.

Choosing Insufficient Sublimits

A $5 million policy sounds substantial — until you discover the ransomware sublimit is $500,000, and the threat actor is demanding $2 million. Sublimits are one of the most consequential fine-print details in any cyber policy, and they require specific attention during placement.

Not Testing the Incident Response Plan

Many businesses have an IR plan sitting in a binder on a shelf. An untested plan is an unreliable plan. Tabletop exercises — simulated incident scenarios that test decision-making and coordination — are increasingly expected by insurers and are correlated with better claims outcomes in practice.

The Future of Cyber Insurance

The cyber insurance market is in a period of structural evolution. Several forces are reshaping it in ways that will affect buyers significantly in the coming years.

The Rise of Silent Cyber and Policy Clarity

Silent cyber — the risk that traditional policies (property, marine, workers' comp) might pay cyber claims without having been priced for them — has pushed regulators and rating agencies to demand explicit clarification. The result is a market-wide effort to either explicitly include or exclude cyber in every commercial policy. For buyers, this generally means better transparency but also reduced incidental coverage from non-cyber lines.

Parametric Cyber Products

Traditional cyber insurance pays based on documented losses — a process that can be slow and disputed. Emerging parametric cyber products pay a defined amount upon the occurrence of a measurable trigger (e.g., a named vulnerability is exploited, a government agency declares a cyber emergency), regardless of actual loss. These products offer faster payouts and predictable recovery, though they require careful calibration between trigger and actual exposure.

Tighter Underwriting, Not Looser

After a soft market through 2019 and a hard market spike from 2020 to 2022, the market has stabilized somewhat. But underwriting discipline remains high. Security control requirements will only expand — expect questions about zero-trust architecture, software bill of materials (SBOM) management, and third-party risk programs to become standard in the next two to three years.

Systemic Risk and Capacity Limits

The reinsurance community has grown concerned about correlated cyber losses — scenarios where a single event (like a major cloud provider outage or a software supply chain attack) triggers claims across thousands of policyholders simultaneously. This systemic risk is unlike anything in traditional insurance lines. It may ultimately constrain capacity, push up pricing for high limits, or lead to government backstop programs similar to terrorism reinsurance pools.

Regulatory Mandates

Several jurisdictions are exploring requirements for certain regulated entities to carry minimum levels of cyber insurance. The SEC's 2023 cybersecurity disclosure rules for public companies and the FTC's Safeguards Rule are early precursors. Expect insurance-adjacent cyber regulation to intensify at both the state and federal level in the U.S. and across the EU.

Final Takeaway

Cyber insurance is not a silver bullet, and it is not a substitute for good security. It is a financial risk transfer mechanism — a way of converting unpredictable, potentially catastrophic losses into manageable, predictable premium payments. Used correctly, it is one of the most important tools in an organization's risk management toolkit.

The businesses that benefit most from cyber insurance are those that approach it deliberately:

  • They understand their own risk profile before going to market.
  • They work with specialist brokers who know the nuances of cyber policy language.
  • They invest in the security controls that make them more insurable — and more secure.
  • They review and update coverage annually as their business and threat landscape evolves.
  • They have tested incident response plans so that when an incident occurs, they can execute quickly and confidently.

The cost of preparation — a strong policy, good security hygiene, and a tested IR plan — is a fraction of the cost of an unplanned, uninsured cyber event. In a landscape where the question is when, not if, that preparation is not a luxury. It is a basic obligation to your business, your employees, and everyone who trusts you with their data.

The best time to buy cyber insurance is before you need it. The second best time is right now.


ℹ Disclaimer

This article is for general informational purposes only and does not constitute insurance, legal, or financial advice. Coverage terms, exclusions, and pricing vary significantly by carrier, jurisdiction, and individual risk profile. Consult a licensed insurance professional for advice specific to your situation.