CYBER INSURANCE SPECIALISTS

Cyber Insurance Built Around Your Data and Your Risk

We're not sure we're the right fit yet — but if you handle PHI, payment data, or customer records, you've probably wondered whether your existing policies would actually respond when the breach hits. We review the policy language, warranties, and endorsements with you on video before binding. If it makes sense after that, we talk next steps.

See If Your Cyber Policy Would Actually Respond →

Takes ~2 minutes · We review your contracts + vendors · Coverage matched to your data profile

A-Rated Cyber Carriers · Every Policy Reviewed on Video Before Binding · Healthcare / E-Commerce / Tech Specialists · Ransomware-Specific Underwriting

Case Studies

Cyber Coverage Case Studies

Anonymized examples of policy reviews we've completed for healthcare, e-commerce, and tech/SaaS clients.

Healthcare

Multi-Specialty Medical Group

The Situation

Practice carried a cyber policy with a ransomware sub-limit at 25% of aggregate — never disclosed in the prior broker's binder presentation. The warranty language conditioning ransomware coverage on specific security controls had also never been walked through.

What We Did

Mapped BAAs and the practice's vendor stack (EHR, billing, imaging, patient portal) against the existing policy's warranty schedule. Documented the sub-limit and the warranty gaps in writing.

🎯 The Outcome

Replaced coverage with a carrier writing full-aggregate ransomware coverage at comparable premium. Added matching social engineering endorsement and dependent-system extension before binding.

Tech / SaaS

B2B SaaS Platform

The Situation

Existing cyber policy missing the social engineering endorsement entirely. Leadership had never been walked through endorsement language by the prior broker.

What We Did

Recorded a video review walking the leadership team through every endorsement, sub-limit, and warranty in the policy. Flagged the missing social engineering coverage and quoted the endorsement before bind.

🎯 The Outcome

Endorsement added in time to close a six-figure BEC exposure gap. Leadership signed off on the full coverage package after watching the review on their own time.

E-Commerce / SaaS

B2B SaaS with Enterprise MSA Requirements

The Situation

Enterprise customer's MSA required specific cyber coverage limits and endorsement language. Existing broker said the language was unavailable in the cyber market.

What We Did

Read the MSA cyber requirements line by line. Built policy specifications matching the most demanding clauses. Sent to multiple specialty carriers for terms.

🎯 The Outcome

Coverage placed within the contract deadline. Issued COI cleared the customer's security review on first submission. Enterprise contract closed on schedule.

Bobby Friel

Partner, Direct Insurance Services

You know how it is — you're running the business, hitting your numbers, managing customers and vendors, and you don't have time to wonder if your broker has actually read your contracts and policies against each other. You assume the ransomware coverage isn't sub-limited. You assume social engineering is endorsed in. You assume the BI waiting period is short enough that a real outage would actually trigger it. And then an enterprise customer's security review finds a gap in your MSA, or a real incident hits and the carrier's response doesn't match what you expected, and suddenly you're learning what the policy actually does under pressure.

What we do is map your data profile, vendor stack, and contract requirements to the policy language — before you bind, before an MSA review fails, before a real claim shows you the sub-limit. On video. So you know exactly what your cyber policy will and won't do.

What's your current cyber policy doing for ransomware sub-limits and social engineering coverage right now?

Industry Profile

Industry-Specific Cyber Risk

Each industry has a distinct risk profile. The policy that works for a SaaS company is wrong for a medical practice, and vice versa.

Healthcare Practices Cyber Risk

Medical and dental practices face layered HIPAA and state privacy obligations. PHI breach notification, OCR defense costs, ransomware targeting EHR systems, and third-party vendor breaches (EHR, billing, imaging) are the most common claim types. Telehealth practices add video platform and patient-device exposure. Our cyber reviews for healthcare clients map HIPAA risk analysis documentation to policy warranty requirements.

🛡️ Coverage Breakdown

The 6 Core Cyber Policies

Six coverage types every cyber insurance program should address — and the specific places where prior brokers most often leave you exposed. Each card opens to the full breakdown of what it covers, the most common gap we find, and what we check against your data sensitivity, security controls, and regulatory exposure before any program gets bound.

ESSENTIAL

Data Breach Response

  • Forensics to determine scope and root cause
  • Breach coach and privacy counsel
  • Notification mailing + call center + credit monitoring

Covers forensic investigation, breach coach, privacy counsel, notification production, call center, and credit monitoring — the full incident response toolkit triggered the moment a breach is confirmed. For healthcare practices, this funds the HIPAA Security Rule investigation and the OCR notification timeline; for e-commerce brands, it pays for the card-brand forensics required after PCI exposure; for SaaS companies, it covers the customer-by-customer notification work your enterprise contracts already demand.

CRITICAL

Cyber Extortion & Ransomware

  • Specialized ransom negotiation firms
  • Decryption & restoration
  • Security-control warranty review before bind

Covers ransom negotiation, payment (where lawful), decryption key purchase, system restoration, and the lost-time cost of rebuilding from clean backups. Triggered by an actual extortion demand or a credible threat. Most carriers now require MFA on email and admin accounts, EDR on endpoints, and offline or immutable backups as preconditions for coverage — and warrant those controls in language strict enough that one missed service account can give the carrier a denial argument. We review the warranty conditions against your real environment before binding.

OFTEN OVERLOOKED

Business Interruption (Cyber)

  • Lost revenue during a cyber outage
  • Extra expense to restore operations
  • Waiting-period and retention review

Covers lost income and extra expense to restore operations when a cyber event takes systems down. Standard property BI excludes anything not triggered by physical damage — cyber-specific BI is the only line that responds to ransomware encryption, a vendor outage, or denial-of-service. For e-commerce, every hour of checkout downtime is measurable lost revenue. For SaaS, downtime triggers SLA penalties and customer churn. Waiting periods (8, 12, or 24 hours) and dependent-system extensions matter — we review both against your actual hourly revenue.

ESSENTIAL

Network Security Liability

  • Customer data leakage claims
  • Partner / vendor downstream liability
  • Malware transmission claims

Covers your liability to third parties when your network is compromised and used to harm others — customers whose data leaks, partners whose systems you infect through a shared integration, or downstream parties impacted by a breach originating in your environment. Triggered by a third-party demand or suit alleging your security failure caused their loss. For SaaS and tech, this is the line that responds when an enterprise customer claims your breach exposed their data; for e-commerce, it covers Magecart-style claims when injected JavaScript on your checkout harvested customer cards.

ESSENTIAL

Privacy Liability

  • State privacy law violations
  • HIPAA privacy & security violations
  • Class-action defense

Covers liability for unauthorized collection, use, or disclosure of personal data — including CCPA/CPRA, VCDPA, TDPSA, BIPA, HIPAA, and common-law privacy claims. Triggered by a regulatory action, class action, or individual demand alleging a privacy law violation. Class-action defense alone routinely runs mid-six-figures before any settlement. The wording matters: a policy that excludes BIPA in Illinois or carves back "wrongful collection" is meaningfully narrower than one that doesn't. We map your customer geography to the policy's privacy schedule before bind.

RECOMMENDED

Regulatory Defense & Penalties

  • State AG investigation response
  • HIPAA / OCR investigations
  • FTC and consumer-protection inquiries

Covers legal defense and (where insurable) civil penalties from state AG investigations, HHS Office for Civil Rights actions for HIPAA matters, and FTC inquiries. Triggered by formal notice of investigation. State law determines which penalties are insurable — California, Illinois, and Texas all treat them differently, and HIPAA civil monetary penalties have their own insurability rules by category. For healthcare, OCR defense alone can cost six figures before any resolution; for tech and e-com, multi-state AG actions stack quickly when an incident touches customers in 5+ states.

⚠️ Policy Gaps We Find

8 Mistakes That Expose Your Business

These are the cyber policy gaps we find in almost every policy review. How many of them apply to yours?

1

🔐 Does your cyber policy actually cover ransomware — or is it sub-limited and conditioned on security controls you may not have?

Many cyber policies now sub-limit ransomware at 25%–50% of the aggregate, and several warrant MFA, EDR, and offline backups as preconditions for coverage. If your controls don't match the warranty, the claim can be denied entirely. When was the last time your agent walked through your ransomware endorsement with you on video?

2

💸 What happens if your BEC loss is excluded because you didn't have the social engineering endorsement?

Standard crime policies exclude voluntary transfers based on deception. Cyber policies often sub-limit or exclude social engineering unless a specific endorsement is added. Business email compromise costs mid-six-figures on average — the endorsement is one of the most important we review. Is yours in place?

3

⏸️ Does your business interruption trigger for cyber events, or only for physical damage?

Your standard BI policy almost certainly excludes cyber-triggered outages. Cyber-specific BI is a separate coverage — with its own waiting period, retention, and dependent-system (third-party) extensions. For e-commerce, SaaS, and healthcare practices where downtime is the biggest loss, has anyone confirmed you have cyber BI with an appropriate waiting period?

4

🔗 If your third-party vendor breach leaks customer data, who's on the hook for notification costs?

Modern tech stacks depend on dozens of SaaS vendors. When one is compromised, the data-owner (you) typically bears the notification burden. Does your policy include dependent system coverage? And has your vendor contract allocated breach responsibility in writing?

5

⚖️ Has anyone mapped your state privacy law exposures to your policy language?

CCPA, VCDPA, TDPSA, CPA, BIPA, My Health My Data, TIPA — privacy statutes vary wildly by state. Your policy's privacy liability wording may or may not align with the specific state laws that apply to your customers. When was the last time someone mapped your customer geography to your regulatory coverage?

6

📅 Does your policy's retroactive date cover claims from incidents that already happened but haven't surfaced?

Cyber claims often surface months or years after the incident. Your retroactive date determines whether those latent claims are covered. Most businesses renewing their cyber policy never check this — and a reset retroactive date on renewal can strip away years of silent coverage.

7

👩‍⚖️ What happens when your panel-counsel clause prevents you from using your preferred breach lawyer?

Many cyber policies require you to use the carrier's panel counsel — meaning when a breach hits, you can't call your existing law firm. Panel counsel is often fine, but you should know the restriction exists. Has your agent even mentioned this to you?

8

⏱️ If your cyber BI waiting period is 12+ hours, what's your actual business continuity cost?

Many cyber BI coverages have a waiting period (like a deductible-hours concept). For a high-volume e-commerce brand or SaaS company, 12 hours of downtime is already six figures of lost revenue — revenue the policy won't touch. We review waiting periods against your actual hourly revenue before binding.

How many of those 8 apply to your current policy?

We review each one against your dec page before quoting — so you know what's actually covered before you bind.

Get a Cyber Policy Review →

Premium Drivers

What Drives Your Cyber Insurance Premium

Cyber pricing depends on factors specific to your data profile, vendor stack, and security controls. Here's what moves premium up or down — and why generic "starting at $X/month" quotes almost never match your actual risk.

Rating Factor | Impact | Effect on Premium
--- | --- | ---
Annual revenue tier | Critical | 2–3x swing
Record count (PII / PHI / payment card data) | Critical | 2–4x swing
Industry vertical (healthcare / e-com / SaaS / other) | Significant | 2–3x swing
Security controls maturity (MFA, EDR, backups, IR plan) | Critical | 30–100% swing — required for coverage at most carriers
Prior incident history (last 5 years) | Critical | 50–200% swing
Coverage limits selected ($1M to $10M+) | Notable | Linear scaling
Ransomware sub-limit (% of aggregate) | Significant | Determines policy eligibility
Vendor stack complexity | Notable | 15–40% swing
Regulatory exposure (CCPA / HIPAA / BIPA / PCI / state privacy acts) | Significant | 20–60% swing
Geographic customer footprint | Notable | 10–30% swing
Retention / deductible | Notable | 20–50% swing
Cyber BI waiting period | Minor | Affects BI coverage usability

A complete cyber insurance program typically includes:

Coverage | Purpose | Typical Limits
--- | --- | ---
Data Breach Response | Forensics, breach counsel, notification, credit monitoring | $1M–$10M
Cyber Extortion & Ransomware | Negotiation, ransom, decryption, restoration | $1M–$5M (often sub-limited)
Cyber Business Interruption | Lost revenue during cyber outage | $1M–$5M with waiting period
Network Security Liability | Third-party harm from your network compromise | $1M–$10M
Privacy Liability | State/federal privacy law violations, class actions | $1M–$10M
Regulatory Defense & Penalties | State AG, OCR, FTC investigation costs | $1M–$5M (penalties insurable where lawful)
Social Engineering Endorsement | BEC, voluntary transfer fraud | $250K–$1M sub-limit typical
Dependent System Coverage | Vendor / SaaS breach exposure | Embedded in BI, varies

Every business is different. Rather than guess at your premium from a generic table, get a real review from a licensed agent who understands cyber risk and the specific endorsements your data profile requires.

Before You Decide

Things You're Probably Wondering

We're mid-term on our cyber policy — do we have to wait for renewal?

Not always. If there's a meaningful coverage gap (missing social engineering, sub-limited ransomware, expired retroactive date), it can be worth canceling mid-term and rewriting. Patrick walks you through the math on whether the unearned premium refund and new policy cost make sense. If renewal's only 90 days out, usually wait. If it's 9 months out and a key endorsement is missing, often worth moving.

How fast can we have coverage in place?

Most reviews wrap in 2–7 business days from first conversation to bound coverage. The faster end of that range happens when your quote submission is thorough — dec page, security controls inventory, and the items in the "Helpful to Have" checklist ready upfront. The longer end is when we're chasing details one piece at a time. For enterprise customers waiting on your COI, we work to whatever date your contract requires. We don't rush a review, but we don't drag one either.

What happens if my business has a cyber incident after we're bound?

You call the breach hotline first (it's on your dec page) and Patrick second. The carrier's incident response team handles forensics, breach counsel, and notification. Patrick coordinates with you on the claim narrative and walks you through what's covered, what's reimbursable, and what the carrier needs from your team. You're not handling it alone.

🧮 Cyber Risk Calculator

Check Your Cyber Risk in 60 Seconds

10 questions, ~6 seconds each. Surfaces ransomware coverage gaps, vendor breach exposure, privacy law alignment, and business interruption waiting periods.

What it surfaces

  • Ransomware: sub-limits, MFA warranty
  • Vendor breach: dependent system coverage
  • Privacy law: CCPA, BIPA, statute exposure
  • Business interruption: waiting periods, hourly cost

Sample question · 1 of 10 · ~6 sec each

Does your cyber policy explicitly cover ransomware payments — and at what limit?

Yes, at full aggregate limit
Yes, but sub-limited (25–50%)
No / Not sure

Live calculator scores your answers and flags coverage gaps at the end — no email required.

Did you know? Cyber claims average mid-six-figures — often six-figure out-of-pocket when coverage is misaligned.

Free · No email required · 60 seconds · 10 questions

Our Process

Bobby Friel

Partner, Direct Insurance Services

How We Work With You

Our process is designed to get you the right cyber coverage for your data profile, vendor stack, and contract requirements — not a generic small-business cyber policy. Watch a real policy review and see the 6 steps we walk through together.

Watch how we review a real policy

Sample review of a non-cyber policy. Cyber walkthrough video coming soon.

The 6 Steps We Walk Through Together

1

Review Your Current Cyber Policy

We review your existing dec page, endorsement schedule, and warranty conditions — flagging sub-limits, social engineering coverage, retroactive date, and panel-counsel language before recommending any changes.

2

Map Your Data and Vendor Profile

We document the data types you handle (PII, PHI, payment card, biometric), record counts, customer geography, and your critical vendor stack. Your data profile determines which carriers will write you.

3

Confirm Your Security Controls

We review your MFA, EDR, backup, email filtering, and incident response posture against carrier warranty requirements. Most cyber denials trace back to a control gap disclosed on the application.

4

Review Your Contract and Compliance Requirements

We read your enterprise customer MSAs, BAAs (for healthcare), and any vendor or partner contracts that specify cyber coverage terms. Your policy needs to meet the most demanding contract on your books.

5

Video Coverage Walkthrough

We walk you through every option on video — limits, sub-limits, warranties, retroactive date, panel counsel, dependent system coverage — in plain English. You see exactly what you're buying before you sign.

6

Bind Coverage and Issue Certificates

Once approved, we bind coverage and issue certificates to your enterprise customers and partners. Renewal review starts 90 days before your next expiration so the retroactive date and warranty schedule stay intact.

🏆 Multi-Market Cyber Access

We're appointed with specialty cyber carriers who write healthcare, e-commerce, and tech / SaaS risk at competitive terms — not generalists who treat cyber as an add-on to a BOP. We quote against multiple A-rated cyber markets to find the policy language that actually responds.

5-Star Rated on Google — Policies Serviced by Direct Insurance Services

I run a snow plow removal business and my old insurance provider dropped my coverage!! They got everything sorted out and I was insured the same day. These guys know how to help, use them!!

Jessica K., Google Review

📝 Helpful to Have

What Helps Us Build the Right Cyber Policy For You

The more we know about your data, vendors, and contracts, the more precisely we can match coverage to your actual risk. Here's what helps — but if you don't have it all, we'll work through it together.

  • Current cyber declaration page: shows your existing limits, endorsements, and warranty schedule
  • Security controls inventory: MFA, EDR, backup, IR plan, email filtering status
  • Data inventory: PII, PHI, payment card, biometric record counts
  • Annual revenue and employee count: for carrier rating and market eligibility
  • Vendor / SaaS inventory: critical vendors handling your data
  • MSA cyber requirements: contract obligations from your largest customers
  • Prior incident history: any breach, ransomware, or BEC in the last 5 years (yes/no; full disclosure required)
  • Contact info to send options: email and best phone for the video walkthrough

Future Pacing

What Happens After You Have The Right Coverage

When your cyber policy actually matches your data profile and contract requirements, the wins look like this:

  • The forensics call has a clear playbook
  • The notification timeline doesn't surprise you
  • Enterprise security questionnaires get answered in days, not weeks
  • The social engineering endorsement is in place when you need it

The Complete Cyber Insurance Guide

Insurance Service 365

Reading List

Read The Complete Cyber Insurance Guide

A comprehensive 5,000-word guide covering the 6 core cyber policies, 8 mistakes we find in every review, state privacy law overview (CCPA, BIPA, MHMD), and a real incident case study.

  • The 6 core cyber policies — when each one triggers
  • 8 mistakes we find in nearly every cyber policy review
  • State privacy law overview (CCPA, BIPA, MHMD, more)
  • Real incident case study — start to bind

Read the Guide →

5,000 words · No email required · Free

Frequently Asked

Cyber Insurance FAQs

If your business handles customer data, processes payments, or depends on digital systems to operate — you need cyber insurance. That includes healthcare practices with PHI, e-commerce brands processing card-not-present transactions, SaaS and tech companies holding customer data, and any professional services firm storing client records. The threshold is data sensitivity and operational dependence, not company size.

They cover completely different things. General liability covers bodily injury and property damage — someone slips in your office, a customer's laptop gets damaged. Cyber covers the digital side: breach response, ransomware, business interruption from outages, privacy law violations, and the downstream liability when your network is used to harm others. Most GL policies explicitly exclude cyber events. The two policies aren't substitutes — they cover different risks.

There's no honest one-size answer. Premium depends on your industry, revenue, record count, security controls, vendor stack, and prior incident history. A 50-person dental practice and a 50-person SaaS company can have premiums that differ by 4–5x for the same coverage limits. The Risk Calculator on this page walks through the factors. From there, Patrick reviews your specific operation against multiple A-rated carriers and quotes you directly.

It's getting harder every renewal cycle. Most cyber carriers now require multi-factor authentication on email, remote access, and admin accounts as a baseline — and several treat it as a warranty condition for ransomware coverage specifically. If MFA isn't deployed yet, a few markets will still write you, but options narrow and rates climb. We tell you up front what's available based on your current security stack.

Defense costs almost always. Civil penalties — sometimes, depending on the state and the statute. HIPAA/OCR defense costs are commonly covered. CCPA, BIPA, VCDPA, and similar state-law defense is typically covered. Whether the actual penalty dollars are insurable varies by state law and the underlying violation. This is exactly the kind of language we walk through before bind — so you know what's covered before you need it, not after.

The baseline most carriers want to see: MFA on email, remote access, and admin accounts; endpoint detection and response (EDR) on workstations and servers; offline or immutable backups; email filtering for phishing; an incident response plan with documented contacts; and basic security awareness training. Healthcare practices add documented HIPAA risk assessments. Patrick reviews your environment before quoting so the application is filed clean — not bounced back for missing controls.

Your vendor's breach is your problem when their breach exposes your customers' data — you're the data owner, you carry the notification and downstream liability. The right cyber policy includes "dependent system" or "contingent BI" coverage that responds when a vendor outage or breach affects you. We review both your policy language and your vendor contracts to confirm breach responsibility is clearly allocated before something goes wrong.

Cyber claims often surface months or years after the actual incident — a forensics report finds an attacker had been in the network long before discovery. The retroactive date on your policy determines whether those older incidents are covered. If the date gets reset on renewal, you can lose years of silent coverage in a single signature. This is one of the most common quiet mistakes we find in policy reviews.

Carrier Partners

Carriers We Work With

We work with specialty cyber carriers who understand healthcare, e-commerce, and tech/SaaS risk — not generalists who treat cyber as an add-on to a BOP.

Travelers · Chubb · The Hartford · Liberty Mutual · AIG · CNA · Nationwide · RLI · Amwins

Plus additional specialty cyber carriers we're appointed with for healthcare, e-commerce, and tech-specific risk. Licensed and writing in 29 states · BBB Accredited.

🗺️ Multi-Market Reach

Every cyber carrier underwrites ransomware and social-engineering exposure differently — multi-market shopping matches paper to your stack.

Single-carrier appointments don't capture that variance. We shop your specific risk profile — your data exposure, your vendor stack, your incident-response posture — across multiple cyber markets to find the paper that actually responds at claim time, not the paper that happened to be the only one available.

The Coverage

What Is Cyber Insurance?

Cyber insurance is a dedicated policy that covers the financial fallout of a data breach, ransomware event, business email compromise, regulatory action, or vendor-driven incident — exposures your other policies almost certainly exclude.

What Cyber Insurance Is

Cyber insurance is a dedicated policy that covers the financial fallout of a data breach, ransomware event, business email compromise, regulatory action, or vendor-driven incident. The wording matters more than almost any other commercial policy. Sub-limits, warranty conditions, retroactive dates, panel-counsel restrictions, and dependent-system extensions can each change a six-figure claim outcome. We read all of it with you on video before you sign.

🗺️ By State

Get Cyber Insurance by State

Cyber regulatory landscapes vary significantly by state — CCPA in California, BIPA in Illinois, MHMD in Washington, and a growing list of others. We're licensed in 29 states.

Long-Form

Why Cyber Insurance Is No Longer Optional

Cyber exposure isn't a future problem for a handful of businesses. It's a present-tense cost of doing business for every organization that handles customer data, runs digital operations, or depends on cloud or SaaS infrastructure. Data breaches now happen faster than most organizations can detect them, and the regulatory environment has turned routine data handling into active compliance obligation. If your business handles customer data — and in 2026, every business does — cyber insurance is infrastructure, not a nice-to-have.

The Regulatory Landscape Has Changed

California's CCPA/CPRA grants consumers a private right of action for certain breaches with statutory damages of $100–$750 per incident. Illinois's BIPA has produced nine-figure class-action settlements over biometric data handling, with $1,000–$5,000 in damages per violation. Virginia's VCDPA, Texas's TDPSA, Colorado's CPA, Utah's UCPA, and a growing list of other state privacy statutes each carry their own thresholds, enforcement authorities, and notification timelines. HIPAA governs every healthcare practice handling PHI. State breach notification statutes apply across all 50 states, with windows as tight as 30 days in Colorado.

Compliance isn't optional for any business that handles customer data. The statutes don't care whether you're a Fortune 500 or a three-person dental practice — threshold triggers apply based on record counts, revenue, or consumer-data sales. We map your customer geography to your regulatory surface before quoting, because the same incident in one state can trigger dramatically different notification obligations, enforcement exposure, and class-action risk than in another.

These regulations drive both claim frequency and severity. A breach affecting customers in California, Illinois, and Virginia layers obligations under each state's framework. We've seen single incidents trigger notifications under five or more distinct privacy statutes simultaneously, each with its own timeline and content requirements — every one of them billable defense work before a single claim reaches settlement.

Your Existing Policies Don't Cover This

General liability policies specifically exclude cyber events. Your standard crime coverage typically excludes social engineering fraud — meaning when a threat actor spoofs wire instructions and your accounting team sends money voluntarily, the policy that should respond doesn't. Professional liability has narrow cyber carve-outs that exclude most breach response costs. Standard business interruption coverage triggers on physical damage, not on a cyber event that shuts down your operations. If any of that is new information, your exposure is bigger than you think.

A dedicated cyber policy is the only way to actually transfer these risks. Cyber covers the forensic investigation, breach counsel, notification production, credit monitoring, and regulatory defense. Cyber business interruption covers the revenue you lose while systems are down. Cyber extortion and ransomware coverage funds negotiation, payment (where lawful), and system restoration. Network security liability covers downstream third-party claims when your network is used to harm others. Privacy liability covers your statutory and common-law privacy obligations. No other policy in your commercial program provides any of that.

We've reviewed cyber policies where the ransomware coverage was sub-limited to 25% of the aggregate and the insured had no idea. We've reviewed policies where the social engineering endorsement was missing entirely. We've reviewed policies whose retroactive date was silently reset at renewal, stripping away years of coverage for incidents that had already happened but hadn't yet surfaced. Policy language, warranty requirements, and endorsements vary enormously between carriers. The question isn't whether you'll face a cyber incident. The question is whether your policy language will respond when it happens.

The Most Common Cyber Incidents We See

Ransomware targeting healthcare EHR systems and SaaS infrastructure remains the most operationally disruptive incident type. Attackers have moved beyond simple encryption to double-extortion — encrypt data and also exfiltrate it, then threaten publication unless the ransom is paid. Healthcare practices face uniquely high stakes because patient care depends on uptime. SaaS companies face customer-facing SLA penalties and reputation damage in addition to the direct response costs.

Business email compromise (BEC) against e-commerce finance teams, real estate closings, and accounting operations has become routine. An attacker compromises an inbox or spoofs a vendor, sends wire instructions that look legitimate, and the target sends money voluntarily. Without a social engineering endorsement, neither cyber nor crime policies respond — and the median loss sits in six figures before recovery.

Third-party vendor breaches create downstream obligations most businesses don't see coming. Your SaaS vendor gets breached, but you — as the data owner — are the one on the hook for notifying your customers. Your vendor inventory has grown every year, and each new integration is a potential breach vector. Credential stuffing and account takeover on DTC brands drive meaningful claim volume, particularly where stored payment methods make account compromise monetizable. Magecart-style skimming attacks inject malicious JavaScript into checkout pages and harvest card data in transit — bypassing the merchant's PCI-scoped systems entirely. Each of these has a different response playbook. Each has different policy language that needs to be in place before the incident, not after.

Cyber exposure is specific to your data profile, vendor stack, and regulatory surface — not something a generic policy can address. A 10-minute conversation reveals gaps that template-based quoting misses. Run our Cyber Risk Calculator to see your exposures in 60 seconds, or read our complete cyber insurance guide for the full breakdown of the 6 core coverages and 8 policy mistakes we see in every review.

Ready When You Are

We review your data profile, vendor stack, and regulatory exposure, and walk you through every option for cyber coverage on video.

Get Cyber-Ready Coverage →

Is now a bad time to start a policy review and get cyber coverage that actually responds?