Skip to content

Guide · Business · 6 min read

← All guides

What cyber insurance actually covers, and what your other policies quietly exclude

Your other business policies quietly exclude electronic data. What a cyber policy pays for, what it excludes, and why small businesses are the usual target.

Why this policy exists at all

Traditional business insurance was written for a physical world. General liability responds to bodily injury and property damage, and both courts and policy language have largely settled that stolen data is neither. Commercial property covers your equipment, not the information sitting on it. So the industry built a separate product for electronic risk, then wrote data exclusions into everything else to keep the separation clean.

The result: a business carrying general liability, property coverage, and a business owner's policy has roughly no coverage for a data breach, a ransomware attack, or a fraudulent wire transfer. Cyber insurance is the policy that fills that hole, and for a business that lives in its inbox, it has quietly become one of the most likely policies to actually pay a claim.

First-party coverage: your own losses

First-party coverage pays costs your business incurs directly. The first wave is incident response: forensic investigators to find out what happened, breach coaches (attorneys who specialize in this) to keep the response legally sound, legally required notification of affected customers, and credit monitoring for them afterward. These costs arrive in the first days after discovery, whether or not anyone ever sues you.

Then come the operational losses: restoring data and systems, and business interruption coverage that replaces income while you're down (the same idea as the lost-income coverage in a BOP, triggered by an outage instead of a fire). Cyber extortion coverage handles ransomware: negotiation help and, where lawful and as a last resort, payment.

Finally there's funds transfer fraud and social engineering coverage: the fake invoice, the spoofed email from the 'CEO' telling accounting to wire money. Read this section closely on any quote. It often carries a sublimit (a lower cap inside the policy) far below the headline limit, and for a small business it's frequently the single most likely loss on the list.

Third-party coverage: claims against you

Third-party coverage responds when other people hold you responsible for an incident: customers whose information leaked, business partners whose systems were infected through yours, and the lawyers representing all of them. It pays for your defense and any settlements or judgments.

It also covers regulatory proceedings (defense costs and, where the law allows them to be insured, fines under privacy statutes) and, if you accept card payments, PCI assessments: the contractual penalties card networks levy after a breach involving cardholder data. PCI stands for Payment Card Industry, the security standard every card-accepting merchant has agreed to, usually without reading it.

What it doesn't cover

The predictable exclusions: incidents you knew about before buying the policy, intentional acts by ownership, and lost future profits or reputational harm beyond the covered interruption period. Policies also exclude betterment, meaning they restore the systems you had rather than buying you the upgraded ones you should have had.

War and nation-state exclusions are actively evolving after several large attacks blurred the line between crime and warfare, and the wording now differs meaningfully between carriers. This is a genuine reason to have someone compare policy forms rather than just premiums.

Expect underwriting homework, too. Carriers now routinely require multi-factor authentication (the second login step on your accounts), tested backups, and email filtering before offering good terms. Those same controls make the incident less likely in the first place, which makes this the rare insurance paperwork that pays for itself either way.

Who actually needs it

If you store customer information, accept card payments, run on email, or move money based on instructions that arrive electronically (which is nearly every business now operating), you carry the exposure. Attackers automate their targeting. Small businesses get hit because their defenses are thinner, not spared because their revenue is smaller.

If you carry a BOP, check whether cyber coverage is present at all, and if it is, at what sublimit. The answer is usually humbling. Our cyber coverage page goes through the policy line by line, including what it deliberately leaves out, and a quote takes about three minutes, which is less time than the average phishing email spends in an inbox before someone clicks it.

Reviewed by a licensed property & casualty agent · Updated July 2026

Talk to a human

Guides get you oriented. A licensed agent gets you covered.

If this raised a question about your own policy, ask it. Reading your coverage is our job, and the answer costs nothing.

About three minutes. No obligation.

Get a QuoteCall