
Standard business insurance wasn't designed for this. A general liability policy or Business Owners Policy (BOP) covers physical risks — slip-and-falls, property damage, bodily injury. Stolen customer data, encrypted systems, and regulatory investigations fall entirely outside those boundaries.
Cyber liability insurance fills that gap. This guide covers what it covers, what it excludes, who actually needs it, what it costs, and how to choose the right policy without spending weeks chasing quotes.
TL;DR
- Cyber liability insurance covers financial losses from cyberattacks, data breaches, and network failures that standard policies don't touch.
- Coverage splits into first-party (your own recovery costs) and third-party (claims brought against you by others).
- Covered costs typically include forensics, data recovery, ransomware payments, customer notifications, and legal defense.
- Common exclusions include prior breaches, intentional acts, insider attacks, and unaddressed known vulnerabilities.
- Most small businesses pay $123–$145/month, with final pricing driven by revenue, industry, data volume, and security posture.
What Is Cyber Liability Insurance and Why Does It Matter?
Cyber liability insurance is a specialized business policy covering financial losses from cyber incidents — data breaches, ransomware attacks, hacking, and network failures. You'll also see it called "cybersecurity insurance" or "cyber risk insurance." All three terms refer to the same product category.
The distinction from general business insurance matters. A Business Owners Policy (BOP) or commercial general liability policy is built around physical risks — not digital ones.
A standard cyber extension added to a BOP typically excludes all first-party coverages, meaning your own recovery costs aren't covered — only potential liability to others. Businesses with real data exposure usually need a standalone policy.
The Scale of the Problem
The 2025 Verizon Data Breach Investigations Report analyzed over 22,000 security incidents and 12,195 confirmed breaches. Ransomware involvement jumped 37% year-over-year. Third-party involvement in breaches doubled from 15% to 30% in a single year — meaning your vendors and cloud providers are increasingly part of your risk profile.
The financial exposure across industries is significant:
| Industry | Average Breach Cost (2025) |
|---|---|
| Healthcare | $7.42M |
| Financial Services | $5.56M |
| Technology | $4.79M |
| Retail | $3.54M |
Source: IBM Cost of a Data Breach Report 2025
Cyber insurance doesn't replace cybersecurity. Firewalls, multi-factor authentication, employee training, and endpoint protection reduce the likelihood of an incident. Insurance covers the financial fallout when those defenses aren't enough.
What Does Cyber Liability Insurance Cover?
Most cyber policies organize coverage into two buckets: first-party (what the policy pays for your own losses) and third-party (what it pays when outside parties bring claims against you). A single breach can trigger both: your systems go down, recovery costs pile up, and an affected customer files suit.
First-Party Coverage: Your Own Losses
First-party coverage pays for direct expenses your business incurs responding to an incident:
- Forensic investigation — covers expert fees to identify the attack vector, timeline, and what data was accessed
- Data recovery and restoration — funds the rebuild of encrypted or destroyed files and systems after an incident
- Breach notification — covers the cost of notifying affected customers, which is legally required in most US states after any exposure of personally identifiable information (PII)
- Credit monitoring services — typically offered to affected individuals as part of your post-breach obligations
- Business interruption — replaces lost revenue when a cyberattack takes your operations offline during recovery
- Ransomware extortion payments — covers ransom demands, which averaged $282,000 per incident in 2024 according to At-Bay's InsurSec Report
- Crisis communications and PR — funds reputation management and public messaging after a high-profile incident

Business interruption is one of the most underappreciated first-party benefits. If ransomware shuts down your operations for two weeks, that coverage replaces revenue lost during the recovery window — not just the technical remediation costs.
First-party coverage handles your internal recovery costs. Third-party coverage is what protects you once others come knocking.
Third-Party Coverage: External Claims
Third-party coverage applies when a customer, partner, or regulator holds your business responsible for a cyber incident.
Examples of third-party scenarios:
- A class-action lawsuit from customers whose personally identifiable information was exposed in a breach
- A regulatory investigation and fine under HIPAA after a healthcare data incident
- A state privacy enforcement action under laws like the California Consumer Privacy Act
Some policies extend beyond these core scenarios. Two coverage types worth confirming with your broker:
- Media liability — covers IP or copyright infringement claims tied to your online content
- Technology errors and omissions (Tech E&O) — applies when a cyber incident disrupts services you deliver to clients
Neither is automatic. Both are policy-form-specific, so confirm what's included before you finalize coverage.
What Cyber Liability Insurance Does NOT Cover
Understanding exclusions is as important as understanding coverage. Common exclusions across most cyber policies:
- Prior breaches — incidents that occurred before your policy's retroactive date aren't covered. If you had a breach last year and buy a policy today, that event is out.
- Intentional or criminal acts — losses resulting from deliberate wrongdoing by the business or its principals are excluded.
- Insider attacks — policies vary here, but many limit or exclude claims arising from dishonest acts by employees or contractors.
- Pre-existing known vulnerabilities — if your IT team flagged an unpatched system and you ignored it, and that vulnerability enabled the breach, the claim may be denied.
- Third-party infrastructure failures — outages caused by your cloud provider or utility vendor may require specific contingent business interruption wording to be covered.

Security Hygiene Can Void Claims
Insurers may deny or rescind coverage if an attack succeeded because of negligent security practices. In one well-documented case, Travelers sought to rescind a policy after alleging the insured misrepresented its use of multi-factor authentication in the application.
Answer application questions accurately and address known security gaps before applying. Misrepresentation — intentional or not — creates real claims exposure.
If your business has prior incidents or gaps in security history, that doesn't have to disqualify you. Ask about prior acts coverage riders — some carriers will extend retroactive coverage with appropriate disclosure and underwriting.
Who Needs Cyber Liability Insurance?
The baseline rule: if your business collects, stores, sends, or receives sensitive data — credit cards, Social Security numbers, health records, financial account information, or any personally identifiable information — you have cyber exposure.
High-Priority Industries
Some sectors carry elevated exposure due to regulatory obligations, data volumes, or breach costs:
- Healthcare — HIPAA requires safeguards for electronic protected health information (ePHI), and breach costs average $7.42M per incident
- Financial services — payment data, account credentials, and fiduciary records create significant liability exposure
- Retail — payment card data and customer PII at scale
- Technology firms — SaaS companies, software developers, and IT consultants often hold client data and face tech E&O exposure alongside cyber risk
- Professional services — law firms, accountants, and consultants routinely handle confidential client information
- Any business with vendor contracts — government agencies and large enterprises increasingly require cyber coverage (some contracts mandate $2M–$5M in limits)
Small Businesses Are Not Safe
Industry concentration doesn't define risk. The "we're too small to be targeted" assumption is wrong. According to Verizon's 2025 DBIR, ransomware was involved in 88% of SMB breaches, compared to 39% for large organizations. Smaller businesses are often targeted precisely because their defenses are weaker and their incident response is slower.
If your business fits any of these profiles, getting the right coverage in place — and fast — matters. Soma works with carriers including Chubb, Hiscox, Kinsale, and Liberty Mutual to place cyber coverage across healthcare, fintech, retail, and technology businesses.
How Much Does Cyber Liability Insurance Cost?
Key Pricing Factors
Underwriters weigh several variables when pricing cyber coverage:
- Business revenue — higher revenue typically means higher limits and higher premiums
- Industry sector — healthcare and financial services face steeper rates than lower-risk industries
- Data volume and type — storing thousands of payment card or health records increases exposure
- Employee count with system access — more access points mean more risk
- Security controls in place — MFA, encryption, endpoint detection, and regular backups all factor into pricing
- Claims history — prior incidents increase premiums or trigger coverage limitations

What Small Businesses Typically Pay
Current benchmarks for US small businesses:
- ~$123/month — median premium for professional services customers (Insureon)
- ~$145/month — broader small business average (Coalition)
- Rates down ~5% — Marsh reported this decline in Q4 2024, with favorable conditions continuing into 2025
Policy Structure Options
- BOP endorsement — lower-risk businesses can sometimes add a cyber endorsement to an existing BOP, though first-party coverage is often limited or excluded
- Standalone policy — businesses with significant data exposure, regulated industries, or higher revenue need standalone cyber coverage with appropriate limits
A stronger security posture translates directly to better pricing. Insurers reward businesses that demonstrate solid defenses — it signals lower risk at the underwriting stage and shows up in your premium.
How to Choose the Right Cyber Liability Insurance Policy
What to Verify Before Binding
When evaluating a policy, confirm these specifics:
- First- and third-party coverage both present — don't assume; verify both are included
- Duty to defend language — note that many cyber policies are written on a non-duty-to-defend basis, meaning you control the defense. Understand which model your policy uses before a claim happens.
- Global coverage scope — confirm the policy responds to incidents originating outside the US if your operations or vendors span multiple countries
- Vendor and cloud provider breaches — third-party involvement in breaches doubled to 30% in 2025; check whether your policy includes dependent business interruption or contingent coverage for vendor failures
Matching Limits to Actual Exposure
Coverage limits should reflect how much data you hold, not just your revenue. Per IBM's 2025 data, remediation costs average:
- $160 per breached customer PII record
- $168 per breached employee PII record
- $178 per breached intellectual property record
A business holding 50,000 customer records faces a potential $8 million remediation exposure from PII alone — before legal fees, regulatory fines, or business interruption losses. Limits should be sized to match that reality, not just the smallest available option.

Working with a Specialized Broker
Sizing limits correctly is only half the challenge — cyber liability has no standard policy form. Terms, exclusions, and coverage triggers vary significantly across carriers, which makes comparison difficult without expertise. The Michigan Bar Journal recommends working with specialized brokers for this reason.
Soma's network spans hundreds of carrier partners — including Chubb, Markel, Liberty Mutual, and Nationwide — allowing businesses to receive cyber liability quotes through a single application rather than approaching carriers individually. For operations that standard markets decline, Soma accesses surplus lines and specialty markets to find coverage options that fit.
Frequently Asked Questions
What is cyber liability insurance?
Cyber liability insurance is a business policy covering financial losses from cyberattacks, data breaches, and network security failures. It pays for costs like data recovery, legal fees, ransomware payments, and regulatory fines that standard general liability or BOP policies don't cover.
Is cyber liability insurance worth it?
For any business handling sensitive customer or employee data, yes. The cost of a single breach — including legal defense, mandatory notification, forensics, and recovery — typically far exceeds annual premium costs. Investors, boards, and vendor contracts increasingly require it as well.
Who provides cyber liability insurance?
Many major commercial insurers offer cyber liability policies, including Chubb, Liberty Mutual, Nationwide, Hiscox, and Markel. A broker like Soma lets you compare options across multiple carriers with one application — faster than going to each insurer directly.
What does cyber liability insurance not cover?
Common exclusions include prior breaches (incidents before the policy retroactive date), intentional or criminal acts, insider attacks, and pre-existing known vulnerabilities the business failed to address. Insurers can also deny claims if negligent security practices — like no MFA or unpatched systems — enabled the breach.
What is the difference between first-party and third-party cyber coverage?
First-party coverage pays for the insured business's own losses: forensics, data recovery, customer notifications, lost income, and ransomware payments. Third-party coverage pays for legal defense and settlements when customers, partners, or regulators bring claims against your business following a cyber incident.
How much does cyber liability insurance cost?
Cost depends on revenue, industry, data volume, and security posture. Most small businesses pay roughly $123–$145 per month. Get quotes from multiple carriers through a broker for an accurate estimate — premiums vary significantly based on your risk profile.


