The Complete Cyber Insurance Guide 2026

What it covers: The end-to-end response to a confirmed or suspected data breach. That includes forensic investigation, breach counsel (legal guidance on notification obligations), customer notification costs, credit monitoring or identity theft protection for affected individuals, substitute notice publication where required, call center staffing, and public relations support during the incident. This is the first coverage part most cyber claims actually draw against — it responds from the first hour of the incident through the close-out period.

What it doesn't cover: Ransomware payments (that is cyber extortion), lost revenue during downtime (that is business interruption), lawsuits brought by affected customers (that is privacy liability), or regulatory fines (that is regulatory defense). Breach response is the trigger — the other coverage parts respond depending on what happens next.

Typical limit structure: Often shared with the policy aggregate, with internal sub-limits on notification (frequently expressed per affected individual), credit monitoring duration (12 or 24 months), and call center hours. For record-heavy businesses, notification sub-limits become the binding constraint.

What it covers: Ransom payments (where legally permissible), ransomware negotiation services, cryptocurrency procurement, decryption validation, dark-web monitoring for exfiltrated data, and extortion demand response regardless of whether a payment is ultimately made. The coverage also typically includes the costs of forensic firms specialized in ransomware containment and recovery.

What it doesn't cover: Ransoms paid to sanctioned entities (OFAC designations may make payment illegal), ransoms paid without carrier pre-approval on many policies, and business interruption loss during the ransomware outage (covered under cyber BI). Some policies also exclude payments to threat actors linked to state-sponsored groups.

Typical limit structure: Most commonly a sub-limit of the aggregate — often 25% to 100% of the policy limit depending on carrier. Nearly all carriers now condition full extortion coverage on documented security controls: MFA, EDR, tested backups, and an incident response plan.

What it covers: Lost net income and continuing operating expenses (payroll, rent, fixed costs) during a covered cyber event that renders your systems unusable. Most modern policies also include dependent business interruption — coverage when a critical third-party vendor (cloud provider, SaaS platform, payment processor) suffers an outage that stops your operation. Extra expense coverage pays for temporary workstations, third-party processing, and manual workarounds during the outage.

What it doesn't cover: Losses during the policy's waiting period (usually the first 6 to 24 hours), voluntary system shutdowns not tied to a covered event, or BI from causes not covered elsewhere on the policy (e.g., a power outage with no cyber element). Dependent BI typically requires the vendor outage to arise from a cyber event on the vendor's side, not just any unavailability.

Typical limit structure: Shared with the aggregate, with a stated waiting period (hours) and a maximum indemnity period (usually 90 to 180 days). Dependent BI is often a sub-limit of the main BI coverage.

What it covers: Third-party claims arising from a failure of your network security — transmission of malware to a customer, denial-of-service attacks launched from your compromised infrastructure, unauthorized access that damages a customer's system, or the failure to prevent the compromise of a connected partner network. This is the liability side of a security failure, as opposed to the liability side of a data privacy failure (that is privacy liability).

What it doesn't cover: Physical damage to third-party property arising from cyber events (many policies exclude cyber-physical bridge claims), claims arising from intentional acts, or claims arising from infrastructure operated by an excluded vendor. Pay attention to the “failure of security” definition — some policies require proof of specific control failures, which can complicate coverage.

Typical limit structure: Generally shares the aggregate with privacy liability as a combined “cyber liability” limit. For technology companies and SaaS vendors, higher limits and specific endorsements for media liability and professional services can be added.

What it covers: Third-party claims arising from the unauthorized access, disclosure, or misuse of personally identifiable information (PII), protected health information (PHI), or other protected data you hold. This includes class-action lawsuits under state privacy laws, individual consumer claims, and claims from business partners whose data you held as a custodian. Defense costs are typically included within or in addition to the limit depending on the policy form.

What it doesn't cover: Regulatory fines and penalties (that is regulatory defense coverage), claims arising from violations your business knowingly permitted, or BIPA-specific claims on policies with a biometric privacy exclusion. Pay close attention to the definition of “personal information” — narrow definitions can exclude biometric, behavioral, and inferred data elements.

Typical limit structure: Usually combined with network security liability under a single third-party limit equal to the aggregate. Defense-within-limits versus defense-outside-limits is a material term to check — defense-outside-limits preserves indemnity for settlements and judgments.

What it covers: Defense costs and, where insurable by law, fines and penalties assessed by regulators investigating a covered cyber or privacy incident. That includes HHS Office for Civil Rights investigations under HIPAA, state attorney general inquiries under consumer privacy statutes, FTC investigations, and PCI Security Standards Council assessments. Some policies also include defense for SEC cybersecurity disclosure matters for public companies and certain regulated entities.

What it doesn't cover: Fines deemed uninsurable in the applicable state (punitive fines are sometimes excluded), fines arising from willful violations, and criminal penalties. The insurability of privacy fines varies by state — most states permit coverage, but a handful restrict it.

Typical limit structure: Commonly a sub-limit of the aggregate, with a separate retention. For multi-state operations, confirm the coverage extends to each applicable statute — CCPA/CPRA, VCDPA, TDPSA, CPA, BIPA, My Health My Data Act, CUPA, TIPA, HIPAA, and PCI.

🏥 Healthcare Practices

Healthcare is the highest-exposure industry in cyber for three reasons: the data is the most valuable on the dark market, HIPAA creates mandatory notification obligations with short timelines, and OCR enforcement has grown materially more aggressive. A breach involving protected health information (PHI) triggers a cascade of obligations — individual notification within 60 days, HHS notification, media notice for breaches affecting 500 or more individuals in a state, state attorney general notification in most jurisdictions, and often a multi-year OCR corrective action plan.

Vendor risk. Most healthcare breaches we see now originate at a vendor — the EHR platform, the billing service, the transcription provider, the laboratory integration. Business associate agreements (BAAs) allocate some responsibility, but the covered entity (your practice) remains on the hook for notification under HIPAA. Your cyber policy must include dependent business interruption and vendor breach coverage sized to your full patient record count, not just your internal systems.

Telehealth and remote access. The expansion of telehealth since 2020 introduced new attack surface — home networks, personal devices, and video platforms integrated with EHRs. Carriers are increasingly asking about telehealth-specific controls: how you authenticate patients, how sessions are recorded and stored, and how you secure clinician access from non-office locations.

Ransomware in healthcare. Threat actors know healthcare practices cannot operate without access to records, so ransomware demands are higher and pressure to pay is stronger. Clean, tested, segregated backups are the single most important control — and the control carriers audit most closely during claims. Our team walks through your backup and restoration plan with your IT provider before the application goes to market.

Biometric data. Practices using biometric patient identification, voice analysis, or AI-assisted diagnostics should verify their policy does not exclude BIPA or biometric privacy claims. Illinois plaintiffs have extended BIPA theories into the healthcare space, and coverage for biometric claims is not uniform across carriers.

🛒 E-Commerce Brands

E-commerce cyber risk is dominated by three patterns: card data compromise via checkout-page skimmers (Magecart and its successors), customer data exfiltration from e-commerce platforms, and revenue loss during outages or payment processor disruptions. A brand processing cards has obligations under PCI-DSS that run alongside — and often in conflict with — state consumer privacy obligations.

PCI-DSS exposure. A confirmed card data breach triggers mandatory forensic investigation by a PCI Forensic Investigator (PFI), card brand assessments (Visa, Mastercard, and others), potential card brand fines, mandatory notification to acquirers, and often a mandatory upgrade to PCI compliance level. Your cyber policy should include PCI DSS assessments as a named covered cost — and the sub-limit should reflect your realistic card volume, not a token amount.

Checkout-provider risk. Most e-commerce brands do not operate their own card processing — they integrate with a payment provider, a checkout page, or a hosted payment form. When the provider is compromised, the brand still owns the customer relationship and still has notification obligations. Dependent business interruption and vendor breach coverage must be structured for this dependency.

Peak-season downtime. An e-commerce brand doing a meaningful share of annual revenue in November and December cannot tolerate a 12-hour BI waiting period during that window. We model your hourly revenue across the year and right-size the waiting period for your peak exposure — often buying down the waiting period during high-revenue quarters.

Customer data exfiltration. Beyond cards, e-commerce brands hold email addresses, shipping addresses, purchase history, and sometimes behavioral and biometric data (for fraud detection). A pure customer data breach — no cards involved — still triggers state privacy law notification obligations in nearly every state. Your privacy liability and regulatory defense coverage should extend to every state where your customers reside.

• HIPAA. Governs protected health information for covered entities and business associates. Breach notification obligations, OCR enforcement, and corrective action plans flow from HIPAA. Every healthcare practice needs regulatory defense sized to multi-year OCR exposure.
• GLBA. Governs nonpublic personal information at financial institutions and their service providers. Safeguards Rule obligations have tightened materially over the past three years.
• FTC Act Section 5. The FTC has brought dozens of cybersecurity enforcement actions under its unfair-and-deceptive-practices authority. Defense coverage for FTC investigations is a named coverage on most modern cyber policies.
• SEC cybersecurity disclosure rules. Public companies and certain regulated entities now face specific cybersecurity disclosure obligations. Cyber coverage for SEC investigation defense is increasingly available as an endorsement.