Our CyberRisk policy covers both first- and third-party exposures, anywhere in the world. It responds to e-commerce extortion, network and information security incidents, business interruption arising from a covered event, and the legal expense of litigating any of it. Modern cyber insurance is no longer one product — it is a coordinated set of coverages handling the most pervasive operational risk of the digital economy.
Cyber is no longer a niche line. The Department of Health and Human Services, the FTC, state attorneys general, the SEC under the 2023 cybersecurity disclosure rules, and a private plaintiffs' bar that has grown sophisticated about class-action data-breach litigation have all converged on the same point: a cyber event today is a regulatory event, a litigation event, an operational event, a contractual event, and a reputation event simultaneously. The policy has to respond on every front, and the underwriting standard for accessing meaningful coverage has tightened materially in the past four years.
Cyber liability insurance — a multi-line policy combining first-party coverage (the insured's own losses, including ransom payments, forensic costs, business interruption, and data recovery) with third-party coverage (claims by others, including privacy claims, regulatory fines where insurable, network security liability, and PCI-related fines and assessments).
First-party coverages — the insured's own losses
First-party coverages reimburse the insured for its own losses. This is the most heavily used part of a modern cyber policy and is where the policy's response shows up first in any incident.
Incident response — forensic investigation by a panel firm (or, where permitted, the insured's choice), breach coach legal counsel, public relations and crisis communications, and the notification services required by state law
Ransomware and cyber-extortion — ransom payments where legal (subject to OFAC sanctions screening), plus professional negotiation and decryption services; sub-limits and co-insurance have tightened materially since 2021
Business interruption — lost income and extra expense during a covered system outage, including time-element coverage with a waiting period (typically 8 to 12 hours)
Contingent business interruption — losses from outages at critical third-party vendors (cloud providers, SaaS dependencies, managed service providers); requires specific endorsement on most forms
Data restoration — the cost to restore corrupted, destroyed, or encrypted data, including the cost of rebuilding databases from non-electronic sources where electronic backups have failed
Social engineering fraud — funds transfer fraud induced by deception (fake-vendor and impersonation fraud); typically by endorsement with separate sub-limits and warranties
Computer fraud — direct loss from unauthorized electronic transfer of funds (note overlap with crime / fidelity)
Reputational harm — revenue loss attributable to public disclosure of an event, where endorsed; quantification standards are still evolving
Hardware "bricking" — replacement cost of physical equipment rendered unusable by a covered event (firmware-level attacks)
Third-party coverages — claims by others
Privacy liability — defense and indemnity for claims arising from unauthorized disclosure of personally identifiable information (PII), protected health information (PHI), or payment card information (PCI); responds to class actions, individual suits, and state-AG civil enforcement
Network security liability — claims by third parties alleging the insured's network failed to prevent transmission of malware, denial-of-service attacks, or unauthorized access
Regulatory defense and fines — defense costs for regulatory inquiries (HHS, FTC, state AGs, GDPR DPAs); indemnity for fines and penalties where insurable by law
PCI fines, penalties, and assessments — costs assessed under merchant services agreements when payment-card data is compromised, including forensic-investigation costs assessed by card brands
Media liability — defamation, IP infringement, copyright, and similar claims arising from online content (where endorsed; standalone media policies cover more deeply)
Wrongful collection — increasingly litigated under state biometric and consumer privacy statutes (BIPA in Illinois, CCPA in California) and in pixel-tracking class actions
The modern cyber underwriting standard
Cyber underwriting has shifted dramatically since 2021. The combination of catastrophic ransomware loss years (2020-2021) and several large insurer exits from the line forced a re-pricing and a re-disciplining of the underwriting submission. Underwriters now require demonstrated controls before quoting, not as a renewal aspiration:
Multi-factor authentication on all remote access, all privileged accounts, all administrative accounts, and all email — exceptions are heavily scrutinized
Endpoint detection and response (EDR) — modern EDR or extended detection and response (XDR) on every endpoint; legacy antivirus alone is no longer adequate
Tested backups — backups segregated from production (offline, immutable, or air-gapped), with documented restoration testing within the last 12 months
Incident response plan — a written plan, exercised within the last 12 months, with named decision-makers and pre-engaged external counsel
Security awareness training — ongoing program with phishing simulations and a measured click-rate trend
Vulnerability management — documented patching cadence for critical and high-severity vulnerabilities
Privileged access management — separate administrative accounts, just-in-time elevation, and credential vaulting for larger insureds
Email security — modern secure email gateway, advanced threat protection, and DMARC enforcement
Network segmentation — particularly between IT and OT (operational technology) for industrial and healthcare insureds
Submissions without these controls are not declined per se, but they price materially higher, carry significant ransomware coinsurance (commonly 20% to 50% on the ransomware sub-limit), and may exclude entire incident categories until the controls are in place.
Sector-specific exposures
The form is broadly similar across industries, but the exposure profile varies dramatically and the underwriting attention shifts accordingly.
Healthcare — PHI exposure under HIPAA, OCR enforcement, business associate liability, and the high frequency of ransomware targeting healthcare networks. Required notification under the HITECH Act creates a per-record cost driver that other sectors do not face.
Financial services — SEC and state-DFS regulatory exposure, NY DFS 23 NYCRR 500 compliance, wire fraud frequency, and the regulatory penalty exposure under Reg S-P and the SEC's 2024 amendments.
Manufacturing and industrial — operational technology (OT) exposure; business interruption is the dominant loss driver, and contingent BI through supply-chain dependencies is severe.
Retail and hospitality — PCI exposure, point-of-sale malware, and the historically high volume of card-present data breaches; California, Illinois, and Washington state privacy litigation drives the third-party exposure.
Technology and SaaS — contractual liability under enterprise customer agreements often substantially exceeds general tort exposure; tech E&O combined with cyber is the standard structure.
Education — FERPA exposure, historical underinvestment in IT security at K-12 and higher-ed institutions (which drives high ransomware frequency), and the data-classification difficulty of student records.
Coverage application
The CyberRisk application is a structured underwriting submission covering the controls and exposures that drive pricing. It asks for prior coverage and prior loss history (including any past data breaches, ransomware events, regulatory inquiries, or business interruption losses); the categories and volume of personal and corporate data the organization stores (PII, PHI, payment card data, financial records, government IDs, biometrics); HIPAA or GLBA covered-entity status; PCI DSS merchant level and compliance posture; and the storage and access pattern for sensitive data (employee-owned devices, paper files, mobile devices, cloud services). It then covers the modern control stack (network security assessments, intrusion detection, penetration testing, firewall coverage, patching cadence, antivirus, password policy, MFA, SPF); business continuity posture (fault tolerance, backup frequency, disaster recovery plan, incident response plan, breach procedures); data governance (records management policy, background check practice, security awareness training, departure procedures, published privacy policy); third-party vendor inventory and cloud provider relationships; and media exposures (advertising scope, trademark use, user-generated content, third-party content licensing).
For deeper analysis of cyber exposures, sector-specific structures, and to compare carriers, visit our specialty cyber site CyberRiskPolicy.com.
Common questions
Does cyber overlap with crime / fidelity?
Yes, and the overlap is the source of most coverage disputes. Funds transfer fraud induced by deception — a "fake CEO" wire request, a vendor-impersonation invoice, an account-change request — can be claimed under either policy. We routinely structure the two policies to avoid both gaps and overlap: typically the cyber policy carries primary social engineering coverage with a meaningful sub-limit, and the crime policy responds for direct employee dishonesty and for losses outside the social engineering definition. Both policies sit in the same overall risk transfer plan; neither is a substitute for the other.
Are regulatory fines covered?
Defense costs for regulatory proceedings are widely covered. The fines themselves are covered only where insurable as a matter of public policy in the jurisdiction at issue — this varies significantly by state, by the nature of the violation, and by the identity of the regulator. GDPR fines, for example, are generally not insurable in EU member states; many U.S. data breach fines under state UDAP statutes are insurable; HHS OCR settlements under HIPAA are insurable in most jurisdictions; punitive damages and criminal fines are universally non-insurable.
What about state breach notification laws?
All 50 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands have data breach notification statutes, each with different definitions of "personal information," different triggers, different timelines, and different requirements for AG notification, credit reporting agency notification, and substitute notice. Cyber policies routinely cover the cost of complying — legal review, notification letters, call center support, and credit monitoring offerings — typically without eroding the limit available for liability claims.
Does the policy cover supply-chain attacks?
Increasingly, yes — but the structure varies. Contingent business interruption covers losses caused by outages at named or non-named third-party vendors. Some policies cover losses caused by a software supply-chain compromise (such as the SolarWinds or 3CX events) under their dependent-systems language; others require specific endorsement. Reviewing the dependent-systems definition in the form is one of the highest-leverage items in any cyber renewal.
What is the difference between standalone cyber and packaged cyber?
Standalone cyber is written by carriers that specialize in the line — typically with broader form language, higher available limits, more developed claims handling, and access to a robust panel of vendors. Packaged cyber is a cyber endorsement on a broader management liability or BOP package — efficient pricing, simpler administration, but typically narrower limits and form language. For organizations with material cyber exposure, standalone is the answer; for small businesses with modest exposure, packaged cyber can be entirely adequate.
The right question about cyber is no longer "do we need a policy" — it is "is our policy keeping pace with how the threat actors operate." That answer changes every renewal.
Speak to an underwriter
Cyber placement is now a structured underwriting conversation, not a transactional quote. Call (800) 373-2804 and we will walk through your controls, your dependencies, your sector exposures, and the carriers most likely to write your risk on the best terms.