
Cyber Insurance Built Around Your Data and Your Risk
Data breach response, ransomware coverage, and privacy liability — for healthcare practices, e-commerce brands, and tech/SaaS companies. We review your contracts and vendor exposures before binding.
Takes ~2 minutes · We review your contracts + vendors · Coverage matched to your data profile
What Our Cyber Clients Say
“They mapped our BAAs and vendor stack against the policy warranties before quoting and caught a ransomware sub-limit that was 25% of aggregate. Our old broker never walked through the warranty language with us at all.”
Dana M.
Practice Manager, Multi-Specialty Medical Group · Phoenix, AZ
“The video review walked our leadership through every endorsement. Patrick flagged that our social engineering coverage was missing and rewrote it before bind — saved us from a six-figure BEC gap.”
Rajiv P.
CTO, SaaS Startup · Austin, TX
“Our MSA with an enterprise customer required specific cyber coverage amounts and endorsements. They read the MSA, built the policy to match, and our COI cleared the customer's security review on the first submission.”
Emily R.
VP Security, B2B SaaS · Denver, CO
Your general liability policy does NOT cover data breaches. Your crime policy probably excludes social engineering. Your standard BI doesn't trigger for cyber events. If you haven't had a dedicated cyber policy reviewed in the last 12 months, there are almost certainly gaps.
Built for Healthcare, E-Commerce, and Tech
Patrick is appointed with cyber markets that specialize in the three verticals where cyber exposure is highest — and where policy language matters most.
Healthcare Practices
Medical, dental, and behavioral health practices handling PHI. HIPAA breach notification, OCR defense, telehealth risk, and EHR vendor exposure.
E-Commerce Brands
DTC brands, Shopify/BigCommerce stores, marketplace sellers. PCI exposure, Magecart-style skimming, card-not-present fraud, and BI during checkout outages.
Tech / SaaS Companies
SaaS, B2B software, fintech, and developer-tools companies. Customer data breach, IP exposure, SLA penalties, and acquisition due-diligence insurance requirements.
The 6 Core Cyber Policies
A complete cyber program combines first-party and third-party coverages. We review your data profile, vendor stack, and regulatory exposure before matching you to carriers.
Data Breach Response
Covers forensic investigation, breach coach, privacy counsel, notification production, call center, and credit monitoring — the full incident response toolkit triggered the moment a breach is confirmed.
- ✓ Forensics to determine scope and root cause
- ✓ Breach coach and privacy counsel
- ✓ Notification mailing + call center + credit monitoring
Cyber Extortion & Ransomware
Covers ransom negotiation, payment (where lawful), decryption key purchase, and system restoration. Most policies now require MFA, EDR, and offline backups as preconditions — we review these warranties before binding.
- ✓ Specialized ransom negotiation firms
- ✓ Decryption & restoration
- ✓ Security-control warranty review before bind
Business Interruption (Cyber)
Covers lost income and extra expense when a cyber event disrupts operations. Standard BI policies exclude cyber-triggered outages — cyber-specific BI is essential for e-commerce, SaaS, and healthcare practices where downtime = lost revenue.
- ✓ Lost revenue during a cyber outage
- ✓ Extra expense to restore operations
- ✓ Waiting-period and retention review
Network Security Liability
Covers your liability to third parties when your network is compromised and used to harm others — customers whose data leaks, partners whose systems you infect, or downstream parties impacted by a breach originating in your environment.
- ✓ Customer data leakage claims
- ✓ Partner / vendor downstream liability
- ✓ Malware transmission claims
Privacy Liability
Covers liability for unauthorized collection, use, or disclosure of personal data — including CCPA/CPRA, VCDPA, TDPSA, BIPA, HIPAA, and common-law privacy claims. Class-action defense costs alone can be substantial.
- ✓ State privacy law violations
- ✓ HIPAA privacy & security violations
- ✓ Class-action defense
Regulatory Defense & Penalties
Covers legal defense and (where insurable) civil penalties from state AG investigations, HHS Office for Civil Rights actions for HIPAA matters, and FTC inquiries. State law determines what penalties are insurable.
- ✓ State AG investigation response
- ✓ HIPAA / OCR investigations
- ✓ FTC and consumer-protection inquiries
What We Review Before Quoting Cyber
Cyber insurance is not a commodity. Policy language, endorsements, and warranties vary enormously between carriers — and your data profile determines which markets will write you at all.
8 Mistakes That Expose Your Business
These are the cyber policy gaps we find in almost every policy review. How many of them apply to yours?
Does your cyber policy actually cover ransomware — or is it sub-limited and conditioned on security controls you may not have?
Many cyber policies now sub-limit ransomware at 25%–50% of the aggregate, and several make MFA, EDR, and offline backups warranted preconditions for coverage. If your controls don't match the warranty, the claim can be denied entirely. When was the last time your agent walked through your ransomware endorsement with you on video?
What happens if your BEC loss is excluded because you didn't have the social engineering endorsement?
Standard crime policies exclude voluntary transfers based on deception. Cyber policies often sub-limit or exclude social engineering unless a specific endorsement is added. Business email compromise costs mid-six-figures on average — the endorsement is one of the most important we review. Is yours in place?
Does your business interruption trigger for cyber events, or only for physical damage?
Your standard BI policy almost certainly excludes cyber-triggered outages. Cyber-specific BI is a separate coverage — with its own waiting period, retention, and dependence-on-third-party extensions. For e-commerce, SaaS, and healthcare practices where downtime is the biggest loss, has anyone confirmed you have cyber BI with an appropriate waiting period?
If your third-party vendor breach leaks customer data, who's on the hook for notification costs?
Modern tech stacks depend on dozens of SaaS vendors. When one is compromised, the data-owner (you) typically bears the notification burden. Does your policy include dependent system coverage? And has your vendor contract allocated breach responsibility in writing?
Has anyone mapped your state privacy law exposures to your policy language?
CCPA, VCDPA, TDPSA, CPA, BIPA, My Health My Data, TIPA — privacy statutes vary wildly by state. Your policy's privacy liability wording may or may not align with the specific state laws that apply to your customers. When was the last time someone mapped your customer geography to your regulatory coverage?
Does your policy's retroactive date cover claims from incidents that already happened but haven't surfaced?
Cyber claims often surface months or years after the incident. Your retroactive date determines whether those latent claims are covered. Most businesses renewing their cyber policy never check this — and a reset retroactive date on renewal can strip away years of silent coverage.
What happens when your panel-counsel clause prevents you from using your preferred breach lawyer?
Many cyber policies require you to use the carrier's panel counsel — meaning when a breach hits, you can't call your existing law firm. Panel counsel is often fine, but you should know the restriction exists. Has your agent even mentioned this to you?
If your cyber BI waiting period is 12+ hours, what's your actual business continuity cost?
Many cyber BI coverages have a waiting period (a deductible measured in hours rather than dollars). For a high-volume e-commerce brand or SaaS company, 12 hours of downtime is already six figures of lost revenue — revenue the policy won't touch. We review waiting periods against your actual hourly revenue before binding.
Industry-Specific Cyber Risk
Each of these three verticals has a distinct risk profile. The policy that works for a SaaS company is wrong for a medical practice, and vice versa.
Healthcare Practices
Medical and dental practices face layered HIPAA and state privacy obligations. PHI breach notification, OCR defense costs, ransomware targeting EHR systems, and third-party vendor breaches (EHR, billing, imaging) are the most common claim types. Telehealth practices add video platform and patient-device exposure. Our cyber reviews for healthcare clients map HIPAA risk analysis documentation to policy warranty requirements.
E-Commerce Brands
E-commerce operations face PCI-DSS exposure, Magecart-style skimming, card-not-present fraud, and credential stuffing. Business interruption during a checkout outage or payment processor breach is often the biggest dollar exposure. Third-party payment providers, tag managers, and review apps all introduce breach vectors. We review your data flow, PCI scope, and third-party integrations before quoting.
Tech / SaaS Companies
SaaS and tech companies face customer data breach liability, SLA penalties, IP theft, and acquisition due-diligence cyber requirements. Enterprise customers increasingly require specific cyber coverage limits and endorsements in MSAs. Source code exposure, API abuse, and credential stuffing against customer accounts are the leading claim types. We review MSA cyber requirements and align your policy to the most demanding customer contract.
Want to Know Your Cyber Risk Profile?
Our Risk Calculator surfaces the biggest gaps in 60 seconds — no email required.
Free Cyber Insurance Risk Calculator
Find the cyber gaps exposing your data and your revenue
Most cyber policies have sub-limits, warranty exclusions, or missing endorsements the buyer didn't know about. Take 60 seconds to check your ransomware, BI, vendor, and privacy exposures.
Did you know? Cyber claims average mid-six-figures, and the out-of-pocket portion is often six figures when coverage is misaligned.

Bobby Friel
Partner, Direct Insurance Services
Why Healthcare, E-Commerce, and Tech Clients Choose Us
Data & Vendor Profile Review
We map your data types, vendor stack, and regulatory exposure to policy language before quoting.
Video Coverage Walkthrough
Patrick walks through warranty language, sub-limits, and endorsements on video so you understand what you're buying.
Multi-Market Cyber Access
Appointed with specialty cyber carriers who write healthcare, e-commerce, and tech risk at competitive terms.
Contract & Security Control Review
We review MSAs, BAAs, vendor contracts, and your security controls against policy warranty requirements.
The Complete Cyber Insurance Guide 2026
5,000+ words covering the 6 core cyber policies, 8 mistakes we see in every review, state privacy law overview, and a real incident case study. No email required.
Read the Guide →
Cyber Insurance FAQs
Why Cyber Insurance Is No Longer Optional
Cyber exposure isn't a future problem for a handful of businesses. It's a present-tense cost of doing business for every organization that handles customer data, runs digital operations, or depends on cloud or SaaS infrastructure. Data breaches now happen faster than most organizations can detect them, and the regulatory environment has turned routine data handling into active compliance obligation. If your business handles customer data — and in 2026, every business does — cyber insurance is infrastructure, not a nice-to-have.
The Regulatory Landscape Has Changed
California's CCPA/CPRA grants consumers a private right of action for certain breaches with statutory damages of $100–$750 per incident. Illinois's BIPA has produced nine-figure class-action settlements over biometric data handling, with $1,000–$5,000 in damages per violation. Virginia's VCDPA, Texas's TDPSA, Colorado's CPA, Utah's UCPA, and a growing list of other state privacy statutes each carry their own thresholds, enforcement authorities, and notification timelines. HIPAA governs every healthcare practice handling PHI. State breach notification statutes apply across all 50 states, with windows as tight as 30 days in Colorado.
Compliance isn't optional for any business that handles customer data. The statutes don't care whether you're a Fortune 500 or a three-person dental practice — threshold triggers apply based on record counts, revenue, or consumer-data sales. We map your customer geography to your regulatory surface before quoting, because the same incident in one state can trigger dramatically different notification obligations, enforcement exposure, and class-action risk than in another.
These regulations drive both claim frequency and severity. A breach affecting customers in California, Illinois, and Virginia layers obligations under each state's framework. We've seen single incidents trigger notifications under five or more distinct privacy statutes simultaneously, each with its own timeline and content requirements — every one of them billable defense work before a single claim reaches settlement.
Your Existing Policies Don't Cover This
General liability policies specifically exclude cyber events. Your standard crime coverage typically excludes social engineering fraud — meaning when a threat actor spoofs wire instructions and your accounting team sends money voluntarily, the policy that should respond doesn't. Professional liability has narrow cyber carve-outs that exclude most breach response costs. Standard business interruption coverage triggers on physical damage, not on a cyber event that shuts down your operations. If any of that is new information, your exposure is bigger than you think.
A dedicated cyber policy is the only way to actually transfer these risks. A cyber policy covers the forensic investigation, breach counsel, notification production, credit monitoring, and regulatory defense. Cyber business interruption covers the revenue you lose while systems are down. Cyber extortion and ransomware coverage funds negotiation, payment (where lawful), and system restoration. Network security liability covers downstream third-party claims when your network is used to harm others. Privacy liability covers your statutory and common-law privacy obligations. No other policy in your commercial program provides any of that.
We've reviewed cyber policies where the ransomware coverage was sub-limited to 25% of the aggregate and the insured had no idea. We've reviewed policies where the social engineering endorsement was missing entirely. We've reviewed policies whose retroactive date was silently reset at renewal, stripping away years of coverage for incidents that had already happened but hadn't yet surfaced. Policy language, warranty requirements, and endorsements vary enormously between carriers. The question isn't whether you'll face a cyber incident. The question is whether your policy language will respond when it happens.
The Most Common Cyber Incidents We See
Ransomware targeting healthcare EHR systems and SaaS infrastructure remains the most operationally disruptive incident type. Attackers have moved beyond simple encryption to double-extortion — encrypt data and also exfiltrate it, then threaten publication unless the ransom is paid. Healthcare practices face uniquely high stakes because patient care depends on uptime. SaaS companies face customer-facing SLA penalties and reputation damage in addition to the direct response costs.
Business email compromise (BEC) against e-commerce finance teams, real estate closings, and accounting operations has become routine. An attacker compromises an inbox or spoofs a vendor, sends wire instructions that look legitimate, and the target sends money voluntarily. Without a social engineering endorsement, neither cyber nor crime policies respond — and the median loss sits in six figures before recovery.
Third-party vendor breaches create downstream obligations most businesses don't see coming. Your SaaS vendor gets breached, but you — as the data owner — are the one on the hook for notifying your customers. Your vendor inventory has grown every year, and each new integration is a potential breach vector. Credential stuffing and account takeover on DTC brands drive meaningful claim volume, particularly where stored payment methods make account compromise monetizable. Magecart-style skimming attacks inject malicious JavaScript into checkout pages and harvest card data in transit — bypassing the merchant's PCI-scoped systems entirely. Each of these has a different response playbook. Each has different policy language that needs to be in place before the incident, not after.
Cyber exposure is specific to your data profile, vendor stack, and regulatory surface — not something a generic policy can address. A 10-minute conversation reveals gaps that template-based quoting misses. Run our Cyber Risk Calculator to see your exposures in 60 seconds, or read our complete cyber insurance guide for the full breakdown of the 6 core coverages and 8 policy mistakes we see in every review.
Ready When You Are
We review your data profile, vendor stack, and regulatory exposure, and walk you through every option for cyber coverage on video.
Takes ~2 minutes · We review your requirements · Coverage matched to your contracts
No obligation · Free quotes · Licensed in 29 States