
The Complete Cyber Insurance Guide 2026
A consultative guide for healthcare practices, e-commerce brands, and tech/SaaS companies navigating cyber coverage, breach response, and the state privacy law patchwork. Written by Bobby Friel and the Direct Insurance Services team.

Bobby Friel
Partner, Direct Insurance Services
What brought you here?
Most mid-market operators don't pick up a guide on cyber insurance because they're curious. They pick it up because something just happened: a phishing email got opened and the IT team is investigating whether credentials were compromised; a wire transfer to a vendor went to a fraudulent account and the social engineering loss is sitting on the GL waiting for denial; a client just requested SOC 2 and cyber insurance documentation as part of the next contract renewal; or a renewal proposal landed 35% above last year and the CFO flagged it for review before sign-off.
Who This Guide Is For
- Healthcare practices and medical groups handling protected health information (PHI) under HIPAA — primary care, dental, specialty, therapy, and telehealth — where a single breach triggers OCR inquiry, mandatory notification, and state-law exposure
- E-commerce brands processing card data under PCI-DSS, running Shopify, WooCommerce, BigCommerce, or custom storefronts, where a Magecart skimmer or checkout-provider compromise can erase revenue for weeks
- Tech and SaaS companies protecting source code, customer data, and uptime commitments, where a breach triggers SLA penalties, customer churn, and acquisition-blocking diligence findings
- Businesses subject to overlapping state privacy laws — CCPA, VCDPA, TDPSA, CPA, BIPA, My Health My Data Act, UCPA, TIPA — where regulatory defense costs alone can exceed most businesses' first-party losses
$7.42 million
average cost of a healthcare data breach — the costliest industry for the 14th year running
IBM Cost of a Data Breach Report 2025
$4.44 million
global average cost of a data breach across all industries
IBM Cost of a Data Breach Report 2025
$2.77 billion
reported business email compromise losses in 2024 across 21,442 complaints
FBI IC3 2024 Internet Crime Report
Case Study: 12-Provider Healthcare Practice — Cyber Gaps Closed Before a Covered Loss

Scenario
12-provider healthcare practice with active patient records management had been on the same cyber policy for three renewal cycles. Patient record count had grown materially during that period. The incumbent broker's renewal proposal was silent on the record growth, silent on the recently added cloud-based EHR vendor, silent on the practice's new payment processor that brought PCI exposure into scope.
The renewal proposal landed with the same sub-limits the incumbent broker had bound at original placement — including a notification cost sub-limit set against the original patient volume, a ransomware sub-limit that hadn't been re-evaluated against current ransom demand trends, a BEC sub-limit at the carrier's default, and dependent BI coverage that the broker hadn't even confirmed extended to the new EHR vendor.
What we did
Pulled the current declarations, the practice's security stack documentation, the vendor inventory, and the last three years of incident history. Identified the notification cost sub-limit gap against current patient volume — surfaced that a confirmed breach would exhaust notification coverage before the regulatory deadline was met. Re-rated the ransomware sub-limit against current ransom demand trends in the healthcare sector. Confirmed the new EHR vendor qualified as a dependent business under the policy form and verified the coverage trigger language. Re-sized the BEC sub-limit against the practice's vendor payment volume. Audited the security control schedule against the practice's actual MFA enforcement, EDR deployment, and backup posture — surfaced two coverage warranties the policy required that the practice's actual controls didn't meet.
🎯 The Outcome
Bound a rebuilt program matched to current records, current regulatory exposure, current vendor footprint, and current security controls. Closed the notification cost gap before a covered breach could expose it. Brought the security control schedule into alignment with the practice's actual MFA enforcement and EDR deployment so a confirmed claim wouldn't trigger a coverage warranty dispute. The practice approved a rebuilt program at renewal — not a rubber-stamp on the same sub-limits the prior broker had been auto-rolling for three cycles.
The Eight Lines Every Cyber Program Carries
A modern cyber program isn't a single coverage — it's a stack of interlocking lines, each with its own triggers, sub-limits, and conditions. Here are the eight that carry most of an established operator's cyber exposure, and the question each one answers when something goes wrong.

01
🚨Breach Response (First-Party)
What it covers: Forensic investigation, customer notification, credit monitoring, legal counsel, PR response, and recovery costs when a data breach is confirmed. Limits: Sub-limits typically apply within the policy aggregate; notification cost limits are frequently capped separately from forensic limits. The question this answers when something goes wrong: When 50,000 customer records get exposed and the regulatory notification deadline is 30 days, does your policy cover both forensic costs and notification costs — or do notification sub-limits run out before the deadline?
02
🔒Cyber Extortion + Ransomware
What it covers: Ransom payments, negotiation costs, decryption assistance, and business interruption tied to ransomware events. Limits: Sub-limits frequently apply to ransom payments specifically; coverage for ransom payment varies by carrier and state. The question this answers: When a ransomware attack encrypts your systems and operations are down for two weeks, does your policy cover the ransom and the business interruption and the recovery costs — or does the sub-limit on ransomware leave the operator covering the gap?
03
📉Cyber Business Interruption
What it covers: Lost revenue and continuing expenses when a covered cyber event takes operations offline, including both first-party network failure and extra expense to maintain operations. Limits: BI period typically 12 months with a waiting period before coverage triggers (often 8–12 hours). The question this answers: When a cyber incident takes the e-commerce site down for 48 hours during peak season, does your BI limit cover lost revenue and continuing payroll and emergency response costs — or does the waiting period eliminate the first day of the outage?
04
🛡️Network Security Liability (Third-Party)
What it covers: Third-party claims arising from your network compromise — customers, vendors, and business partners whose data or operations were affected by your breach. Limits: Per-occurrence and aggregate limits matched to records held and customer base. The question this answers: When a downstream customer sues over data exposure from your breach and the claim exceeds primary network security limits, what's the layer above — umbrella, business assets, or both?
05
🕵️Privacy Liability + Regulatory
What it covers: Regulatory investigation costs, fines, penalties, and consumer rights claims under HIPAA, PCI-DSS, GDPR, CCPA/CPRA, and state privacy laws. Limits: Regulatory coverage is typically sub-limited; coverage for fines and penalties varies by state (some states prohibit insurance for fines). The question this answers: When a state attorney general opens an investigation under the state's privacy law and the regulatory fine is in the seven figures, does your policy cover defense costs and the fine portion that's insurable in your state — or does the regulatory sub-limit cap exposure?
06
🎣Social Engineering + BEC
What it covers: Wire transfer fraud, invoice manipulation, and business email compromise where employees were tricked into authorizing fraudulent transactions. Limits: Typically a separate sub-limit, often the lowest sub-limit in the policy. The question this answers: When a fraudulent vendor email tricks accounts payable into wiring six figures to a criminal account, does your BEC sub-limit cover the loss — or is BEC the gap that lands on the operator's GL where it gets denied?
07
🔗Dependent Business Interruption
What it covers: Lost revenue when a vendor or cloud provider outage takes your operations offline through no cyber event of your own. Limits: Sub-limited within the BI aggregate; coverage triggers vary by carrier on what counts as a 'dependent' provider. The question this answers: When your primary cloud provider has a multi-day outage and your operations stop, does dependent BI respond — or does coverage require the outage to be caused by a covered cyber event on the provider's side?
08
💸Cyber Crime + Funds Transfer Fraud
What it covers: Direct financial loss from unauthorized funds transfer, computer fraud, and theft of money or securities through cyber means. Limits: Separate sub-limits typically apply; coverage often distinguishes between social engineering and computer-direct fraud. The question this answers: When attackers gain network access and initiate fraudulent ACH transfers directly, does cyber crime coverage respond — and is the limit sized to your daily transfer volume?
Section summary
“Cyber buyers who don't get blindsided at claim time aren't the ones whose carrier said yes fastest — they're the ones whose agent read the sub-limits, the regulatory schedule, and the vendor list first.”
— Bobby Friel · Partner, Direct Insurance Services
What Most Insurance Agents Do for Cyber
- ×Quote from a generic questionnaire (revenue, industry, records)
- ×Never ask to see the security stack, vendor list, or prior incidents
- ×Match limits to the prior policy, not to current records or current regulatory exposure
- ×Treat sub-limits as boilerplate, not as the actual exposure caps they are
- ×Find out about coverage gaps when a breach notification deadline hits or a BEC loss gets denied
What We Do
- ✓Read your security stack documentation, vendor list, prior incidents, and current declarations first
- ✓Match coverage to what your current records, current regulatory exposure, and current vendor footprint require
- ✓Verify sub-limits on ransomware, BEC, regulatory, and dependent BI before bind
- ✓Confirm waiting periods, retentions, and notification cost limits against realistic incident timelines
- ✓Audit the policy schedule against actual security controls (MFA enforcement, EDR coverage, backup posture)
- ✓Present findings to the operator on video, in plain English
8 Mistakes That Expose Your Business
These are the eight most common gaps we find in cyber policy reviews across healthcare, e-commerce, and tech. Each one is preventable. Each one, left unaddressed, can convert a manageable claim into an uninsured loss.
Does your cyber policy actually cover ransomware — or is it sub-limited and conditioned on security controls you may not have?
Over the past three renewal cycles, carriers have quietly rewritten their ransomware coverage. Many policies now carry a sub-limit on cyber extortion that is a fraction of the aggregate — sometimes 25% or less — and that sub-limit is often conditioned on specific security controls: multi-factor authentication everywhere, endpoint detection and response, air-gapped backups, and a tested incident response plan. If you attested to those controls on your application and you don't actually have them, the carrier can deny the ransomware portion of the claim even while paying the breach response. Most business owners never read the warranties on their cyber application. We do — line by line — before you sign.
How we fix this: Before your next renewal, we map every security control your carrier assumes you have against what your IT team or MSP can actually document. Where there's a gap, we either close it before binding or rewrite the application so the policy terms match reality. A policy you can actually collect on is worth more than one that quotes 10% cheaper on the surface.
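The control mapping described above is a mechanical check once the evidence is in hand: the application's warranties are read literally, so one unprotected login or one never-restored backup is a gap. The script below is an added example, not the author's or any carrier's tooling. The warranty names, the evidence inventory, and the 90-day and 12-month freshness thresholds are assumptions for illustration; a real review would pull them from the carrier's application and from the MSP's exports (IdP MFA report, EDR console, backup job history, tabletop sign-off).

```python
"""Audit a cyber application's security-control warranties against evidence.

Added example, not the guide's or any carrier's tooling. Warranty names,
evidence and thresholds are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Evidence:
    accounts: dict[str, bool]          # username -> MFA enforced?
    endpoints: dict[str, bool]         # hostname -> EDR agent reporting in?
    last_restore_test: Optional[date]  # last successful restore drill, if any
    offline_or_immutable_copy: bool    # a backup copy ransomware cannot reach
    ir_plan_last_exercised: Optional[date]


# Assumed thresholds; the carrier's own warranty wording controls.
RESTORE_TEST_MAX_AGE = timedelta(days=90)
IR_EXERCISE_MAX_AGE = timedelta(days=365)


def _stale(when: Optional[date], today: date, max_age: timedelta) -> bool:
    return when is None or today - when > max_age


def audit_warranties(ev: Evidence, today: date) -> dict[str, tuple[bool, str]]:
    """Return {warranty: (met, detail)}. 'Everywhere' is read literally:
    one unprotected account or endpoint is a gap, not a rounding error."""
    results: dict[str, tuple[bool, str]] = {}

    no_mfa = sorted(u for u, ok in ev.accounts.items() if not ok)
    results["MFA enforced on all accounts"] = (
        not no_mfa,
        f"accounts without MFA: {no_mfa}" if no_mfa else "all accounts covered",
    )

    no_edr = sorted(h for h, ok in ev.endpoints.items() if not ok)
    results["EDR deployed on all endpoints"] = (
        not no_edr,
        f"endpoints without EDR: {no_edr}" if no_edr else "all endpoints covered",
    )

    backup_problems = []
    if _stale(ev.last_restore_test, today, RESTORE_TEST_MAX_AGE):
        backup_problems.append("no restore test within 90 days")
    if not ev.offline_or_immutable_copy:
        backup_problems.append("no offline or immutable copy")
    results["Tested, segregated backups"] = (
        not backup_problems,
        "; ".join(backup_problems) if backup_problems else "restore tested, offline copy present",
    )

    ir_ok = not _stale(ev.ir_plan_last_exercised, today, IR_EXERCISE_MAX_AGE)
    results["Tested incident response plan"] = (
        ir_ok,
        "exercised within 12 months" if ir_ok else "no tabletop within 12 months",
    )
    return results


def unmet(results: dict[str, tuple[bool, str]]) -> list[str]:
    """Warranties that would be disputed at claim time."""
    return [w for w, (met, _) in results.items() if not met]


def sample_audit() -> dict[str, tuple[bool, str]]:
    # Constructed evidence for a small practice: one shared front-desk login
    # without MFA, and a backup that has never been restore-tested.
    ev = Evidence(
        accounts={"dr.smith": True, "frontdesk": False, "billing": True},
        endpoints={"WS-01": True, "WS-02": True, "EHR-SRV": True},
        last_restore_test=None,
        offline_or_immutable_copy=True,
        ir_plan_last_exercised=date(2025, 9, 3),
    )
    return audit_warranties(ev, today=date(2026, 1, 15))


if __name__ == "__main__":
    for warranty, (met, detail) in sample_audit().items():
        print(f"{'OK ' if met else 'GAP'} {warranty}: {detail}")
```

The point of keeping the detail string is that "frontdesk has no MFA" is something the practice can fix or disclose before binding; a bare pass/fail is not. Either outcome is better than an attestation the carrier's claims adjuster later disproves from the same exports.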
When was the last time anyone compared the security controls your carrier assumes you have against what your IT team could actually document if a claim were investigated?
What happens if your BEC loss is excluded because you didn't have the social engineering endorsement?
Business email compromise is the most common cyber claim we see — an attacker impersonates a vendor or executive, convinces the accounting team to wire funds to a fraudulent account, and the money is gone before anyone notices. Here's the problem: most base cyber policies cover the breach, the forensics, and the notification costs, but not the wire transfer loss itself. Coverage for funds transferred voluntarily at the direction of an impostor requires a specific social engineering fraud endorsement, and that endorsement typically has its own sub-limit that is often a fraction of the cyber aggregate. Without it, a six-figure wire fraud loss is uninsured even though you carry a seven-figure cyber aggregate.
How we fix this: Add a social engineering fraud endorsement with a limit that matches your largest realistic wire exposure. Pair it with a documented payment verification protocol: callback verification for any wire change request, placed to a phone number already on file for the vendor rather than one supplied in the request itself, with the call logged. This matters because most carriers will reduce or deny BEC claims where the client failed to follow a basic verification step.
When a fraudulent vendor email tricks accounts payable into wiring six figures to a criminal account tomorrow, does your BEC sub-limit cover the loss — or is BEC the smallest sub-limit on the policy, leaving the gap on the operator's GL where it gets denied?
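The callback control above fails in a predictable way: the attacker's email helpfully includes "call me on this number to confirm," and the accounts-payable clerk does. The check below is an added example of enforcing the control properly; it is not the guide's own procedure or any carrier's requirement. The vendor master record, the inbound request, the callback log and the names are all constructed. It refuses to count a callback placed to a number that arrived in the request, and it requires an approver who is neither the requester nor the person who made the call.

```python
"""Enforce callback verification before a vendor's payment details change.

Added example, not the guide's procedure or a carrier requirement. The
vendor record, requests and callback log below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VendorOnFile:
    vendor_id: str
    email_domain: str       # domain captured at onboarding
    verified_phone: str     # captured at onboarding, never taken from e-mail
    bank_account: str


@dataclass(frozen=True)
class BankChangeRequest:
    vendor_id: str
    new_bank_account: str
    sender_domain: str                # domain of the e-mail asking for the change
    phone_in_request: Optional[str]   # "call me on ..." number, if the e-mail gave one
    requested_by: str                 # AP clerk who received it


@dataclass(frozen=True)
class Callback:
    phone_dialled: str
    vendor_confirmed: bool
    performed_by: str


def verify_bank_change(req: BankChangeRequest, vendor: Optional[VendorOnFile],
                       callback: Optional[Callback], approver: str) -> tuple[bool, str]:
    """Return (approve, reason). Each rejection names the failed step so the
    record is usable later in the carrier's claim review."""
    if vendor is None or vendor.vendor_id != req.vendor_id:
        return False, "unknown vendor"
    if req.sender_domain != vendor.email_domain:
        return False, (f"request came from {req.sender_domain}; "
                       f"vendor on file uses {vendor.email_domain}")
    if callback is None:
        return False, "no callback performed"
    if callback.phone_dialled != vendor.verified_phone:
        hint = " (number supplied in the request)" if callback.phone_dialled == req.phone_in_request else ""
        return False, f"callback went to {callback.phone_dialled}, not the number on file{hint}"
    if not callback.vendor_confirmed:
        return False, "vendor did not confirm the new account on callback"
    if approver in (req.requested_by, callback.performed_by):
        return False, "approver must be independent of the requester and the caller"
    return True, "verified by callback to number on file and independent approval"


# Constructed data. The second request is the hard case: a genuine vendor
# mailbox has been taken over, so the sender domain is legitimate and only
# the callback to the number on file can catch it.
VENDOR = VendorOnFile("V-1042", "acme-supply.com", "+1-555-0100", "111222333")
LOOKALIKE_REQUEST = BankChangeRequest("V-1042", "999888777", "acme-supp1y.com", "+1-555-0199", "ap.clerk")
TAKEOVER_REQUEST = BankChangeRequest("V-1042", "999888777", "acme-supply.com", "+1-555-0199", "ap.clerk")

CALLED_NUMBER_IN_EMAIL = Callback("+1-555-0199", True, "ap.clerk")
CALLED_ON_FILE_DENIED = Callback("+1-555-0100", False, "ap.clerk")
CALLED_ON_FILE_CONFIRMED = Callback("+1-555-0100", True, "ap.clerk")


if __name__ == "__main__":
    for label, req, cb, approver in [
        ("lookalike domain", LOOKALIKE_REQUEST, CALLED_NUMBER_IN_EMAIL, "controller"),
        ("mailbox takeover, called number in e-mail", TAKEOVER_REQUEST, CALLED_NUMBER_IN_EMAIL, "controller"),
        ("mailbox takeover, vendor denies on callback", TAKEOVER_REQUEST, CALLED_ON_FILE_DENIED, "controller"),
        ("genuine change, clerk approves own request", TAKEOVER_REQUEST, CALLED_ON_FILE_CONFIRMED, "ap.clerk"),
        ("genuine change, independent approver", TAKEOVER_REQUEST, CALLED_ON_FILE_CONFIRMED, "controller"),
    ]:
        ok, why = verify_bank_change(req, VENDOR, cb, approver)
        print(f"{'APPROVE' if ok else 'REJECT '} {label}: {why}")
```

The reason strings are the evidence. When a carrier asks whether the verification protocol was followed, a log line saying the callback went to the number on file and who approved it is what turns a contested BEC claim into a paid one.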
Does your business interruption trigger for cyber events, or only for physical damage?
This is one of the most misunderstood coverage gaps in commercial insurance. Traditional business interruption coverage on a property policy is triggered by physical damage to covered property — a fire, a burst pipe, a windstorm. A ransomware attack that takes your network offline for a week does not involve physical damage, so the property BI does not respond. You need cyber business interruption — a separate coverage part on a cyber policy — to pay for lost revenue, extra expense, and dependent business interruption (where your cloud provider or key vendor suffers an outage). Many policies carry a waiting period of 8, 12, or even 24 hours before BI coverage begins, which meaningfully reduces the payout on short outages.
How we fix this: We review your cyber policy's business interruption coverage against a realistic downtime scenario for your operation. What does 48 hours offline actually cost you in revenue, payroll, and extra expense? What's the waiting period on your current policy? Does dependent business interruption cover your cloud and SaaS vendors by name? These questions get answered before you bind, not after an outage.
When was the last time anyone modeled what a single day offline actually costs the operation — and how many of those hours your cyber BI waiting period would leave uninsured?
If your third-party vendor breach leaks customer data, who's on the hook for notification costs?
You collect customer data. You hand it to a SaaS vendor — a CRM, an email marketing platform, a payroll provider, a billing processor. That vendor gets breached. Your customer data is exposed. Under almost every state privacy law in the United States, the obligation to notify affected customers falls on you — the data controller — not the vendor that suffered the breach. Most business owners assume the vendor's cyber policy will pay for notification, credit monitoring, and regulatory defense on your behalf. In practice, vendor policies cover the vendor's own obligations; your notification and regulatory costs come out of your cyber policy. If your policy's sub-limits on notification and credit monitoring are low, you discover the gap at the worst possible time.
How we fix this: We inventory every third-party vendor that touches customer data, confirm your cyber policy's dependent business interruption and vendor breach language covers each one, and verify your notification and credit monitoring sub-limits are sized for your full record count — not just your direct exposure.
If a SaaS vendor holding your customer data were breached, do you know whether the notification and credit-monitoring bill would land on their policy or yours?
Has anyone mapped your state privacy law exposures (CCPA, VCDPA, TDPSA, BIPA, etc.) to your policy language?
The state privacy law landscape in 2026 is a patchwork. California (CCPA/CPRA), Virginia (VCDPA), Texas (TDPSA), Colorado (CPA), Illinois (BIPA), Washington (My Health My Data Act), Utah (UCPA), Tennessee (TIPA), and a growing number of other states have enacted consumer privacy or biometric privacy statutes — each with its own definitions, private rights of action, statutory damages, and attorney general enforcement authority. Your cyber policy's regulatory defense coverage needs to extend to every state where you have customers, not just your headquarters state. BIPA in particular has generated massive class-action exposure for biometric data (facial recognition, fingerprints, voiceprints) — and some carriers have specifically excluded BIPA from their cyber policies.
How we fix this: Our review includes a state-by-state privacy law exposure map based on where your customers and employees actually are. We confirm your regulatory defense coverage extends to every applicable statute — including BIPA, CCPA private right of action, and the My Health My Data Act. Where exclusions exist, we negotiate removal or document the gap so you see it in writing.
Has anyone mapped the states where your customers and employees actually live against the privacy statutes your regulatory-defense coverage is required to answer for?
Does your policy's retroactive date cover claims from incidents that already happened but haven't surfaced?
Cyber insurance is almost always written on a claims-made basis. That means the policy responds to claims first reported during the policy period, subject to a retroactive date that determines how far back into your operational history the coverage reaches. If a breach actually occurred six months ago but was not discovered until last week, the policy in force today must have a retroactive date that predates the breach — otherwise the claim is excluded. When clients switch carriers, we often see the new retroactive date default to the new policy's inception, which effectively wipes out coverage for any undiscovered breach from the prior policy period. IBM's Cost of a Data Breach reports consistently put the mean time to identify a breach, the gap between compromise and discovery, at around 200 days.
How we fix this: We insist on full prior acts coverage at every cyber renewal, or at minimum a retroactive date matching your original cyber policy inception. Where the new carrier refuses full prior acts, we evaluate extended reporting period (tail) options on the expiring policy to avoid a gap.
If a breach that started months ago surfaced next week, would your policy's retroactive date reach back far enough to cover it — or did the retro date quietly reset to inception the last time the policy was rewritten?
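The retro-date reset is easy to miss on a declarations page and easy to see once the dates are lined up. The model below is an added example, not from the guide or any carrier's policy form; the policy names, dates and the one-year tail are constructed. It encodes the claims-made shape described above (claim first reported inside the policy period or a purchased extended reporting period, incident on or after the retroactive date) and walks the same carrier-switch scenario through the as-bound gap and both fixes the guide names.

```python
"""Check whether a claims-made cyber policy responds to a late-discovered breach.

Added example, not from the guide or any carrier form. Policies and dates
are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import date
from typing import Iterable, Optional


@dataclass(frozen=True)
class Policy:
    name: str
    inception: date
    expiration: date
    retro_date: Optional[date]        # None models full prior acts coverage
    erp_ends: Optional[date] = None   # extended reporting period (tail), if bought


def responds(p: Policy, incident: date, reported: date) -> bool:
    """True if this policy would accept a claim for `incident` first reported on `reported`."""
    if incident > reported:
        raise ValueError("a claim cannot be reported before the incident occurred")
    reported_in_period = p.inception <= reported <= p.expiration
    # A tail only extends the reporting window; the incident itself must still
    # fall within the period of the policy the tail attaches to.
    reported_in_tail = (
        p.erp_ends is not None
        and p.expiration < reported <= p.erp_ends
        and incident <= p.expiration
    )
    after_retro = p.retro_date is None or incident >= p.retro_date
    return (reported_in_period or reported_in_tail) and after_retro


def responding_policies(policies: Iterable[Policy], incident: date, reported: date) -> list[str]:
    """Names of the policies that would respond; an empty list is an uninsured gap."""
    return [p.name for p in policies if responds(p, incident, reported)]


# Constructed carrier switch: the expiring policy carried a 2019 retro date,
# the replacement defaulted its retro date to its own inception.
EXPIRING = Policy("expiring", date(2024, 7, 1), date(2025, 6, 30), retro_date=date(2019, 1, 1))
REPLACEMENT = Policy("replacement", date(2025, 7, 1), date(2026, 6, 30), retro_date=date(2025, 7, 1))

INCIDENT = date(2025, 1, 15)   # compromise occurs under the expiring policy
REPORTED = date(2025, 9, 10)   # discovered and reported under the replacement


def gap_as_bound() -> list[str]:
    """Expiring policy: not reported in its period. Replacement: incident predates retro date."""
    return responding_policies([EXPIRING, REPLACEMENT], INCIDENT, REPORTED)


def fixed_by_matching_retro() -> list[str]:
    """Fix 1: carry the original retro date onto the replacement."""
    matched = replace(REPLACEMENT, retro_date=EXPIRING.retro_date)
    return responding_policies([EXPIRING, matched], INCIDENT, REPORTED)


def fixed_by_tail() -> list[str]:
    """Fix 2: buy a one-year extended reporting period on the expiring policy."""
    tailed = replace(EXPIRING, erp_ends=date(2026, 6, 30))
    return responding_policies([tailed, REPLACEMENT], INCIDENT, REPORTED)


if __name__ == "__main__":
    print("as bound:        ", gap_as_bound() or "no policy responds")
    print("retro matched:   ", fixed_by_matching_retro())
    print("tail on expiring:", fixed_by_tail())
```

Run against your own declarations, the question is simply whether the list comes back empty for an incident date 200 days before today. If it does, the fix belongs in the renewal negotiation, not in the claim.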
What happens when your panel-counsel clause prevents you from using your preferred breach lawyer?
Nearly every cyber policy contains a panel counsel clause — a list of pre-approved breach counsel, forensic firms, public relations vendors, and credit monitoring providers the carrier has negotiated rates with. When a claim hits, the carrier typically requires you to use a firm from their panel. That is not inherently bad — panel firms have experience and rates are capped — but if your business has an existing relationship with specific breach counsel (for example, healthcare clients who have worked with the same OCR-defense firm for years), forcing you onto a different firm at the worst possible moment creates real operational friction. Some policies allow off-panel counsel with carrier consent; others are strict.
How we fix this: During policy review, we ask whether you have a preferred breach lawyer or forensics firm. If yes, we either negotiate that firm onto the panel before binding, confirm off-panel consent language is flexible, or document the trade-off so you make an informed choice. This is not a deal-breaker for most clients — but it should be a known decision, not a surprise.
When a breach hits and you want to use the breach lawyer you already trust, would your policy let you keep them — or would the panel-counsel clause force you onto an unfamiliar firm at the worst possible moment?
If your cyber BI waiting period is 12+ hours, what's your actual business continuity cost?
Cyber business interruption coverage almost always includes a waiting period — a deductible expressed in hours, not dollars. The policy does not begin paying BI loss until after that waiting period expires. Common waiting periods are 6, 8, 12, or 24 hours. For an e-commerce brand doing $100,000 per day in revenue, a 12-hour waiting period means the first $50,000 of BI loss is your responsibility every time. For a medical practice running a full schedule, it might mean an entire day of visits is uninsured. Shorter waiting periods cost more in premium but can be worth it for operations where every hour of downtime hits revenue.
How we fix this: We run a downtime cost calculation specific to your operation — average hourly revenue, payroll continuing through the outage, extra expense to restore operations — and size the waiting period accordingly. Where it makes financial sense, we buy down the waiting period; where your operation can absorb the first several hours, we leave it longer and spend the premium elsewhere.
Do you know how many hours your cyber BI waiting period runs before coverage begins — and what those first uninsured hours would cost your operation?
Healthcare, E-Commerce, & Tech-Specific Guidance
Cyber coverage is never one-size-fits-all. The risk profile of a 10-provider healthcare practice is fundamentally different from a direct-to-consumer e-commerce brand, which is fundamentally different from a B2B SaaS platform. Here is how we tailor cyber coverage by industry.
🏥 Healthcare Practices
Healthcare is the highest-exposure industry in cyber for three reasons: the data is the most valuable on the dark market, HIPAA creates mandatory notification obligations with short timelines, and OCR enforcement has grown materially more aggressive. A breach involving protected health information (PHI) triggers a cascade of obligations — individual notification without unreasonable delay and no later than 60 days after discovery, HHS notification, media notice for breaches affecting more than 500 residents of a state or jurisdiction, state attorney general notification in most jurisdictions, and often a multi-year OCR corrective action plan.
Vendor risk. Most healthcare breaches we see now originate at a vendor — the EHR platform, the billing service, the transcription provider, the laboratory integration. Business associate agreements (BAAs) allocate some responsibility, but the covered entity (your practice) remains on the hook for notification under HIPAA. Your cyber policy must include dependent business interruption and vendor breach coverage sized to your full patient record count, not just your internal systems.
Telehealth and remote access. The expansion of telehealth since 2020 introduced new attack surface — home networks, personal devices, and video platforms integrated with EHRs. Carriers are increasingly asking about telehealth-specific controls: how you authenticate patients, how sessions are recorded and stored, and how you secure clinician access from non-office locations.
Ransomware in healthcare. Threat actors know healthcare practices cannot operate without access to records, so ransomware demands are higher and pressure to pay is stronger. Clean, tested, segregated backups are the single most important control — and the control carriers audit most closely during claims. Our team walks through your backup and restoration plan with your IT provider before the application goes to market.
Biometric data. Practices using biometric patient identification, voice analysis, or AI-assisted diagnostics should verify their policy does not exclude BIPA or biometric privacy claims. Illinois plaintiffs have extended BIPA theories into the healthcare space, and coverage for biometric claims is not uniform across carriers.
🛒 E-Commerce Brands
E-commerce cyber risk is dominated by three patterns: card data compromise via checkout-page skimmers (Magecart and its successors), customer data exfiltration from e-commerce platforms, and revenue loss during outages or payment processor disruptions. A brand processing cards has obligations under PCI-DSS that run alongside — and often in conflict with — state consumer privacy obligations.
PCI-DSS exposure. A confirmed card data breach triggers mandatory forensic investigation by a PCI Forensic Investigator (PFI), card brand assessments (Visa, Mastercard, and others), potential card brand fines, mandatory notification to acquirers, and often a mandatory upgrade to PCI compliance level. Your cyber policy should include PCI DSS assessments as a named covered cost — and the sub-limit should reflect your realistic card volume, not a token amount.
Checkout-provider risk. Most e-commerce brands do not operate their own card processing — they integrate with a payment provider, a checkout page, or a hosted payment form. When the provider is compromised, the brand still owns the customer relationship and still has notification obligations. Dependent business interruption and vendor breach coverage must be structured for this dependency.
Peak-season downtime. An e-commerce brand doing a meaningful share of annual revenue in November and December cannot tolerate a 12-hour BI waiting period during that window. We model your hourly revenue across the year and right-size the waiting period for your peak exposure — often buying down the waiting period during high-revenue quarters.
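The waiting-period arithmetic from the mistakes section ($100,000 a day, 12 hours, $50,000 retained) assumes revenue arrives evenly through the day. For a peak-season e-commerce outage it does not, and that is what makes the buy-down decision above a modelling question rather than a rate-card one. The script below is an added example, not the guide's own calculator; the hourly revenue distribution, the daily revenue figures and the continuing-cost rate are constructed. It reproduces the flat case and extends it to an evening-heavy day so the two can be compared under the same waiting periods.

```python
"""Model the uninsured portion of a cyber outage under a BI waiting period.

Added example, not the guide's calculator. Revenue shares and figures are
constructed for illustration.
"""
from __future__ import annotations

# Constructed share of a day's revenue earned in each hour (sums to 1.0).
FLAT = [1.0 / 24] * 24
# 2.5% per hour overnight and morning, the remaining 70% spread over noon-to-midnight.
EVENING_HEAVY = [0.025] * 12 + [0.70 / 12] * 12


def outage_hourly_revenue(daily_revenue: float, start_hour: int, hours: int,
                          shares: list[float] = FLAT) -> list[float]:
    """Revenue at risk in each hour of an outage starting at start_hour (0-23)
    and lasting `hours`, wrapping across midnight."""
    if not 0 <= start_hour < 24 or hours < 0:
        raise ValueError("start_hour must be 0-23 and hours non-negative")
    return [daily_revenue * shares[(start_hour + h) % 24] for h in range(hours)]


def retained_loss(hourly_revenue: list[float], waiting_hours: int,
                  continuing_cost_per_hour: float = 0.0) -> float:
    """What the operator absorbs: revenue lost during the waiting period plus
    payroll and other continuing expense that keeps accruing in those hours.
    An outage shorter than the waiting period is entirely uninsured."""
    uninsured_hours = min(waiting_hours, len(hourly_revenue))
    return sum(hourly_revenue[:uninsured_hours]) + continuing_cost_per_hour * uninsured_hours


def compare_waiting_periods(hourly_revenue: list[float],
                            options: tuple[int, ...] = (6, 8, 12, 24),
                            continuing_cost_per_hour: float = 0.0) -> dict[int, float]:
    """Retained loss for each candidate waiting period, for the same outage."""
    return {w: retained_loss(hourly_revenue, w, continuing_cost_per_hour) for w in options}


if __name__ == "__main__":
    # Off-peak day, flat revenue, 24-hour outage from midnight (the guide's $100k/day case).
    off_peak = outage_hourly_revenue(100_000, start_hour=0, hours=24)
    # Peak-season day at four times the revenue, evening-heavy, outage starting at noon.
    peak = outage_hourly_revenue(400_000, start_hour=12, hours=24, shares=EVENING_HEAVY)
    payroll = 1_500  # constructed continuing cost per hour
    for label, profile in (("off-peak", off_peak), ("peak", peak)):
        for w, loss in compare_waiting_periods(profile, continuing_cost_per_hour=payroll).items():
            print(f"{label:8s} waiting {w:2d}h -> retained ${loss:,.0f}")
```

The comparison is what gets priced: the premium to buy the waiting period down from 12 to 8 hours is the same number whether the outage lands in February or on the Friday after Thanksgiving, but the retained loss is not.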
Customer data exfiltration. Beyond cards, e-commerce brands hold email addresses, shipping addresses, purchase history, and sometimes behavioral and biometric data (for fraud detection). A pure customer data breach — no cards involved — still triggers state privacy law notification obligations in nearly every state. Your privacy liability and regulatory defense coverage should extend to every state where your customers reside.
💻 Tech & SaaS Companies
Tech and SaaS companies carry a different cyber risk profile: the assets at risk are not just customer records but source code, internal intellectual property, and the operational uptime you have contractually committed to customers via service-level agreements. A cyber incident at a SaaS company is simultaneously a first-party problem (your data, your systems) and a third-party problem (your customers' data, your customers' uptime).
Intellectual property and source code exposure. A breach that exfiltrates source code, pre-release roadmap data, or proprietary algorithms creates competitive and valuation harm that cyber policies often handle unevenly. Some policies include IP restoration and recovery; others carve it out. We ask this question explicitly during review.
Customer data breach as a SaaS vendor. When your customers use your platform, they hand you their data. A breach of your platform exposes their data, which triggers their notification obligations, which triggers their claims against you. Your network security liability and privacy liability limits should reflect the aggregate downstream exposure — not just your own.
SLA penalties and downtime commitments. SaaS SLAs typically promise 99.9% uptime or better, with service credits or contractual damages for missed availability. A cyber incident that blows through your SLA window creates direct contractual exposure. Some cyber policies explicitly exclude contractual liability, which can strip SLA-related losses from coverage. We read the contractual liability exclusion carefully and, where needed, negotiate carve-backs.
Acquisition and diligence readiness. Tech companies anticipating an acquisition, a funding round, or a strategic investment face an increasingly thorough cyber diligence process. Buyers now expect evidence of a live, well-structured cyber policy, documented incident response plan, and clean incident history. Our team pre-stages cyber coverage for clients preparing for a transaction — both to meet buyer expectations and to avoid surprise exclusions in the final deal.
Tech E&O integration. Most tech companies should carry a combined Tech E&O and Cyber policy — one integrated form that covers both professional services failures and cyber events, eliminating coverage gaps between two separate policies. We evaluate stand-alone vs. integrated structures based on your customer contracts and risk profile.
Premium Drivers
What Drives Your Cyber Insurance Premium
The question worth asking before every renewal isn't what your cyber premium is. It's which of these factors is moving your specific quote — and which ones your current broker isn't even checking against your actual records, vendor exposure, and security controls.
| Rating Factor | Impact on Premium | Why it moves the quote |
|---|---|---|
| Annual revenue + records held | Critical | The baseline driver; notification and business-interruption exposure scale with both. |
| Industry vertical (healthcare/PHI vs e-commerce/PCI vs tech-SaaS vs professional services) | Critical | Class of business can be a multiple swing on identical revenue. |
| Number of records + sensitivity (PII vs PHI vs PCI vs combined) | Critical | Record count and data type drive notification cost exposure per affected individual. |
| Claims history (last 5 years) | Critical | A prior cyber claim triggers tighter terms and specific underwriting questions at renewal. |
| Security controls (MFA, EDR, SIEM deployment) | Critical | Missing controls can disqualify a quote; documented controls unlock ransomware terms. |
| Employee count + payroll | Significant | Headcount sizes the social-engineering attack surface and continuing-expense load. |
| Vendor management + third-party risk | Significant | Each vendor handling your data is aggregated risk carriers probe at quote. |
| Backup + business continuity posture | Significant | Tested, segregated backups are the single most-audited control for ransomware terms. |
| Regulatory exposure (HIPAA, PCI-DSS, GDPR, state privacy laws) | Significant | Multi-statute exposure raises the regulatory defense load. |
| Cloud architecture + dependencies | Notable | Provider dependencies shape dependent-BI exposure and coverage trigger language. |
| Incident response plan + tabletop testing | Notable | A documented, tested IR plan signals lower severity to underwriters. |
| Deductible + retention selection | Notable | Retention choice trades premium against out-of-pocket on frequency claims. |
| Sub-limits selection (ransomware, BEC, regulatory) | Notable | Sub-limit choices set the real exposure caps at claim time. |
| Waiting period (BI coverage) | Notable | The waiting period determines how much of an outage is uninsured before coverage triggers. |
There's no rate card for cyber. The number that matters is the one mapped to your actual records, vendor footprint, security controls, and regulatory exposure — which is exactly what our team reviews before quoting.
Before the next renewal
Most cyber programs are renewed against last year's declarations — without anyone matching coverage to current records, current vendors, or current security controls.
We pull your declarations, your security stack documentation, your vendor list, and your prior incidents, match coverage line-by-line, and surface the gaps before bind — not after a breach, a BEC loss, or a regulatory notification deadline.
Privacy Laws by State
Cyber coverage does not exist in a vacuum — it responds to the legal obligations created by federal and state law. Here is the framework our team walks clients through, with the laws that most commonly drive claim activity.
Federal Framework
- HIPAA. Governs protected health information for covered entities and business associates. Breach notification obligations, OCR enforcement, and corrective action plans flow from HIPAA. Every healthcare practice needs regulatory defense sized to multi-year OCR exposure.
- GLBA. Governs nonpublic personal information at financial institutions and their service providers. Safeguards Rule obligations have tightened materially over the past three years.
- FTC Act Section 5. The FTC has brought dozens of cybersecurity enforcement actions under its unfair-and-deceptive-practices authority. Defense coverage for FTC investigations is a named coverage on most modern cyber policies.
- SEC cybersecurity disclosure rules. Public companies and certain regulated entities now face specific cybersecurity disclosure obligations. Cyber coverage for SEC investigation defense is increasingly available as an endorsement.
Key State Privacy & Breach Notification Laws
| State | Statute | Key Feature |
|---|---|---|
| California | CCPA / CPRA | Private right of action for reasonable-security failures; AG enforcement; broad consumer data definition. |
| Virginia | VCDPA | Controller/processor model; AG enforcement only; consumer rights including access, correction, deletion. |
| Texas | TDPSA | AG enforcement; consumer rights modeled on VCDPA; applies broadly to businesses doing business in Texas. |
| Colorado | CPA | Rulemaking authority; universal opt-out mechanism recognition; sensitive data consent requirements. |
| Illinois | BIPA | Biometric data statute with private right of action and statutory damages per violation — the most-litigated privacy statute in the country. |
| Washington | My Health My Data Act | Broad definition of consumer health data with a private right of action — impacts wellness apps, fitness trackers, and telehealth. |
| Utah | CUPA | AG enforcement; narrower scope than CCPA; consumer rights including access and deletion. |
| Tennessee | TIPA | AG enforcement with NIST Privacy Framework affirmative defense for conforming businesses. |
| All 50 states | Breach notification laws | Every state has its own breach notification statute with varying triggers, timelines, and AG notification thresholds. |
The state privacy patchwork is growing. As privacy-law regulatory context — not a statement of where coverage is offered — newer statutes in states such as Connecticut, Oregon, Montana, Delaware, Iowa, Indiana, New Hampshire, New Jersey, Kentucky, Maryland, Minnesota, and Rhode Island have either been enacted or are in active rulemaking. Cyber policy wording must keep pace — which is why the regulatory defense language and the definition of “privacy regulation” matter every time our team reviews terms.
We write cyber coverage for clients across the 29 states we serve. Our team confirms — before binding — that your regulatory defense coverage extends to every statute applicable to your customer and employee footprint. See all 29 states we serve.
How to Choose the Right Cyber Coverage
When we evaluate cyber policies side-by-side for a client, we work through six criteria in order. A policy that wins on premium but fails on these criteria is not the right policy.
1. Breadth and definition of “covered event”
Does the policy cover a full range of cyber incidents — unauthorized access, malware, ransomware, denial of service, social engineering, human error, insider events, vendor events, system failure — or does it define “cyber incident” narrowly? Broader definitions cost more but avoid the painful discovery, mid-claim, that your event doesn't trigger coverage.
2. Limit structure and sub-limits
What is the aggregate limit? Which coverage parts share the aggregate vs. carry stand-alone limits? Which pieces are sub-limited — cyber extortion, social engineering, regulatory defense, reputational harm, bricking? Two policies with the same headline limit can behave very differently at claim time based on sub-limit design.
3. Retroactive date and prior acts
Full prior acts is the gold standard. Where full prior acts is not available, a retroactive date matching the inception of your original cyber policy is the next-best answer. A retroactive date equal to the current policy inception is a quiet gap — almost always worth negotiating.
4. Security control warranties and ransomware conditions
Read the application warranties and any ransomware co-insurance clauses. What exactly did you attest to? Can you document it? Does the ransomware coverage sub-limit adjust based on security posture? A policy with stiff conditions you can meet beats a policy with loose conditions you can't.
5. Regulatory coverage scope and insurability of fines
Does the regulatory defense coverage extend to every state statute applicable to your footprint? Are HIPAA, PCI, and FTC matters clearly included? Are fines covered where insurable by law? Is BIPA specifically included or excluded?
6. Claims handling and panel resources
Who handles claims for the carrier? Who is on the breach response panel? How quickly does the carrier respond to a first notice of loss? A carrier with excellent policy language but a slow or inexperienced claims operation will underdeliver during the worst 72 hours of your business life.
What We Review Before You Bind

Most insurance agents quote cyber based on a short application: industry, revenue, record count, done. They never see the third-party vendor inventory, the security control documentation, the incident history, or the regulatory footprint that actually drives coverage fit. We do it differently. Before we issue a proposal, our team reviews every quote against the underlying risk profile — and we walk you through what we found.
Data types review
We inventory the categories of data you hold — PHI, PCI cardholder data, PII, biometric data, behavioral data, employee data, third-party customer data as a processor — and map each to the applicable regulatory regime. This determines sub-limit sizing on notification, credit monitoring, and regulatory defense.
Vendor review
We inventory every third-party vendor that handles your data — cloud providers, SaaS platforms, payroll, HR, CRM, billing, payment processors, analytics. We confirm your policy's dependent business interruption and vendor breach language covers each one by category, and we size vendor-side sub-limits to match your real exposure.
Security controls review
We walk through carrier-required controls — MFA coverage, EDR deployment, backup strategy, email security, patching cadence, network segmentation, privileged access management — with your IT team or MSP. Gaps get addressed before the application goes to market, so your policy responds as expected.
IR plan review
We review your incident response plan — or help you document one if you don't have a written plan. Carriers increasingly require a documented, tested IR plan as a condition of quoting, and a well-designed plan meaningfully improves claim outcomes.
Prior incident review
We disclose prior incidents with remediation language that protects your renewal pricing. An event with clear remediation documented beats a bare disclosure every time, and our team helps you present prior events in a way that reflects the controls you have added since.
Then we present our findings to you on a video call, in plain English. No jargon, no pressure — just a clear explanation of where your coverage stands, where the gaps are, and what your options are. This is what we call a consultative review, and it is included at no cost for every cyber client.
This consultative approach is the same process we bring to restaurant insurance for operators with POS and loyalty data, HOA insurance for associations managing homeowner data, and commercial property insurance for landlords with tenant and payment records.
Exploring growth capital alongside cyber coverage? Working capital and equipment financing can fund the security controls carriers now require.
Frequently Asked Questions
What is cyber insurance and who needs it?
How is cyber different from general liability?
Does my general liability policy cover a data breach?
What's the difference between first-party and third-party cyber coverage?
Do I need cyber insurance if I use a cloud provider like AWS?
How does cyber insurance respond to ransomware?
What is a retroactive date and why does it matter?
Can cyber insurance cover HIPAA or state privacy law fines?
How much cyber insurance should I carry?
What security controls do cyber carriers now require?
Ready to Take the Next Step?
Whether you're reviewing current cyber coverage, preparing for a renewal, or buying cyber for the first time, these tools will help you move forward with clarity.