By Ryan Windt | Head of Growth Marketing | Updated June 2026
If you have a general liability (GL) policy, you might assume your business is protected if a cyberattack hits. It is a reasonable assumption. GL insurance is designed to cover unexpected losses, and a cyberattack is certainly unexpected. But here is the hard truth: in almost every case, your general liability policy will not cover a cyberattack. And by the time you find that out, it is too late.
This post breaks down exactly why GL policies fall short when cyber incidents occur, what the coverage gap actually looks like in practice, and what a purpose-built cyber insurance policy covers that your GL policy never will.
What General Liability Insurance Actually Covers
General liability insurance was designed for a physical world. It covers bodily injury, property damage, and personal or advertising injury that happens as a result of your business operations. Think slip-and-fall accidents, damage to a client’s property, or a lawsuit over a misleading advertisement.
GL policies are built around tangible, physical losses. A broken arm. A flooded office. A defamatory print ad. These are the risks GL was written to address.
Cyberattacks are none of those things.
Why GL Policies Do Not Cover Cyber Losses
Over the past decade, insurers have worked hard to make sure their GL policies do not pay out for cyber incidents. Most modern GL policies contain explicit cyber exclusions, which means cyber losses are not just uncovered by default, they are actively excluded by design.
Even in older policies without explicit cyber exclusions, courts have consistently ruled that standard GL language does not extend to cyber losses. Here is why, coverage component by coverage component.
Bodily injury and property damage: A cyberattack does not typically cause physical injury or destroy tangible property in the way GL policies define it. Encrypted data is not “property damage” under most GL definitions. Lost revenue from a ransomware attack is not a physical loss. Courts have ruled against businesses trying to apply these provisions to cyber events over and over again.
Personal and advertising injury: This coverage applies to things like libel, slander, and copyright infringement in your advertisements. It does not apply to a data breach that exposes your customers’ personal information, even though that breach may result in significant third-party liability.
Products and completed operations: If a cyberattack corrupts software your business delivered to a client, your GL policy is almost certainly not going to respond. That scenario is closer to a Technology E&O claim. For more on where Tech E&O fits, see our breakdown of What Is Technology E&O Insurance.
The ISO CGL Form and Why It Matters
Most commercial general liability policies in the United States are built on Insurance Services Office (ISO) standard form CG 00 01. This is the foundation language that the vast majority of carriers use, and it matters because courts interpret it consistently.
The ISO CGL form defines “property damage” as physical injury to tangible property or loss of use of tangible property. Electronic data is explicitly carved out. ISO form CG 00 01 states that “electronic data is not tangible property” and separately excludes loss or damage to electronic data from the property damage definition entirely.
Starting around 2014, ISO also introduced specific cyber exclusion endorsements, including form CG 21 06, which explicitly eliminates coverage for any loss arising from access to or disclosure of confidential information. Carriers began attaching these endorsements broadly across their GL books. If your GL policy was issued or renewed after roughly 2016, there is a high probability it contains this exclusion or an equivalent.
The practical result: the policy language that might theoretically have supported a cyber claim in older GL policies has been systematically removed. There is no ambiguity left to exploit.
What the Courts Have Said
The question of whether GL policies cover cyber losses has been tested in court repeatedly, and the pattern is consistent: GL carriers win.
The most widely cited case is Mondelez International v. Zurich American Insurance. Mondelez, the global food company, suffered roughly $100 million in losses from the NotPetya cyberattack in 2017. It filed a claim under its property and GL policies. Zurich denied the claim, citing a war exclusion that applied to hostile or warlike actions. The case settled in 2022 without a final ruling on the war exclusion, but it illustrated exactly what businesses face when they try to recover cyber losses through traditional insurance policies: a prolonged, expensive dispute with no guarantee of recovery.
In Travelers Indemnity Co. v. Portal Healthcare Solutions, a Virginia federal court found that a GL policy’s “electronic publication” language under personal and advertising injury could potentially cover a data breach. That ruling was the exception, not the rule, and it applied to an older policy form before ISO’s cyber exclusion endorsements became standard. Carriers responded by updating their forms specifically to close that gap.
The consistent takeaway across case law: GL policies were not designed to respond to cyber losses, courts interpret them narrowly, and carriers actively close any language gaps that litigation reveals. Betting on GL coverage for a cyber incident is not a strategy. It is a gamble with very long odds.
For a deeper look at how exclusions work across both GL and cyber policies, see Cyber Insurance Exclusions: What Most Policies Won’t Cover.
The Scenarios That Catch Businesses Off Guard
The gap between what business owners expect and what their GL policy actually does is where real financial damage happens. Here are the scenarios we see most often.
A ransomware attack shuts down your operations. Your business goes offline for days or weeks. You lose revenue, pay for forensic investigation, and spend weeks recovering. Your GL policy pays nothing. There is no physical property damage. There is no bodily injury. The loss is entirely digital and operational. Business interruption coverage from a dedicated cyber policy is what responds here.
A data breach exposes customer information. You face breach notification obligations, credit monitoring costs for affected customers, regulatory inquiries, and potential lawsuits from the people whose data was compromised. Your GL policy will not cover notification costs, forensic investigation, or the legal defense that follows. A purpose-built cyber insurance policy covers all of it.
A business email compromise (BEC) attack results in a fraudulent wire transfer. An attacker impersonates your CFO or a vendor and tricks an employee into wiring funds to a fraudulent account. GL does not cover financial losses from social engineering. Cyber insurance with eCrime or social engineering coverage does.
A phishing attack leads to a client’s data being compromised. Your client sues you. Your GL policy’s personal and advertising injury provisions are not going to respond to a third-party data liability claim of this kind. Cyber liability coverage is what protects you.
What Cyber Insurance Covers That GL Never Will
A dedicated cyber insurance policy is built from the ground up for exactly these scenarios. At SeedPod Cyber, our coverage includes:
- Cyber extortion and ransomware response: Financial protection and expert support when attackers lock your systems or threaten to release your data.
- Business interruption: Reimbursement for lost income and extra expenses when an attack takes your operations offline, including attacks on critical third-party providers you rely on.
- Data breach response: Covers legal support, customer notification, credit monitoring, forensic investigation, and PR costs to restore trust after a breach.
- Third-party liability: Protection against legal claims from customers, partners, or regulators when their data is compromised in an incident affecting your business.
- eCrime and social engineering fraud: Covers losses from fraudulent wire transfers and funds transfer fraud initiated by attackers impersonating trusted parties.
None of these are available under a standard GL policy. Not even partially.
The “Silent Cyber” Problem in Older Policies
Before explicit cyber exclusions became standard, there was a period where cyber losses theoretically could have triggered GL coverage because the policies did not address cyber at all. This gray area became known as “silent cyber.”
Insurers responded aggressively. They added affirmative cyber exclusions across the board and began issuing clarifying endorsements to older policies. The insurance industry’s position today is clear: GL policies do not cover cyber losses, and carriers have structured their policies to make that unambiguous.
If you have an older GL policy and you think silent cyber provisions might protect you, talk to your broker and have them review the actual policy language. Do not assume coverage exists where it has not been explicitly granted. For a full explanation of how silent cyber works and where it still appears, see Silent Cyber: What It Is, Why It Matters, and How to Find It in Your Policies.
What About a Business Owner’s Policy (BOP)?
A Business Owner’s Policy bundles GL coverage with commercial property insurance. Some insurers offer optional cyber add-ons to BOP policies, and this is where businesses sometimes get confused.
Those cyber add-ons are almost always limited in scope. They may provide a small sublimit for breach response but typically exclude business interruption from cyber events, do not cover ransomware or extortion comprehensively, and cap coverage at levels far too low to address a real incident. A sublimit of $25,000 or $50,000 for a cyber event that costs six figures or more to resolve is not meaningful protection.
A purpose-built standalone cyber policy is a different product entirely. The coverage limits, the breadth of covered events, and the incident response resources that come with it are not comparable to a BOP add-on.
GL Cyber Endorsements: Better Than a BOP Add-On, Still Not Enough
Some carriers now offer standalone cyber endorsements that attach directly to a GL policy, separate from the BOP add-on product. These are more substantive than a BOP rider but still fall short of a dedicated cyber policy in several important ways.
GL cyber endorsements typically provide limited sublimits, often $100,000 to $250,000, against incidents that can easily reach seven figures for a mid-size business. They frequently exclude or heavily sublimit ransomware and extortion, which is the most common and costly cyber event type. They may provide breach response services but without the breadth of the panel vendors, legal counsel, and public relations support that comes standard with purpose-built cyber coverage.
More importantly, a GL cyber endorsement is not a standalone claims process. When you file, the carrier looks at both the GL policy and the endorsement language simultaneously, which creates ambiguity about what is and is not covered. A dedicated cyber policy has a single coverage form purpose-built for digital incidents, which means faster claims handling and fewer coverage disputes.
If a carrier or agent is recommending a GL cyber endorsement as a substitute for standalone cyber coverage, treat that as a red flag. The products are not equivalent.
Industry-Specific Gaps Worth Knowing
The GL coverage gap plays out differently depending on your industry, because the nature of your data and your regulatory exposure shapes exactly what is at stake.
Healthcare and medical practices. HIPAA requires breach notification and imposes civil monetary penalties for violations. None of those costs are recoverable under GL. A breach affecting 500 or more individuals triggers federal reporting requirements, state notification obligations, and often patient lawsuits. The regulatory and legal exposure alone dwarfs what any GL policy would ever pay for a physical-world claim of equivalent severity.
Retail and e-commerce. PCI DSS compliance requirements mean a payment card breach can trigger fines from card brands, mandatory forensic assessments, and potential loss of the ability to accept card payments. None of that is a GL-covered loss. The forensic assessment alone, required by card brand rules after any confirmed cardholder data compromise, typically costs $20,000 to $50,000 before any remediation work begins.
Professional services (law firms, accounting firms, consultants). Client confidentiality obligations mean a data breach creates third-party liability exposure that is direct and often contractual. GL personal and advertising injury coverage does not respond to a claim that your firm failed to protect a client’s confidential business information. Cyber liability coverage with technology errors and omissions does.
Contractors and construction. Operational technology and building management systems are increasingly networked, and a cyberattack that disrupts project management systems, delays delivery schedules, or exposes subcontractor payment data creates losses that fall entirely outside GL’s physical-loss framework. Construction firms with any digital project management, BIM software, or connected job-site equipment have cyber exposure that GL ignores entirely.
How to Know If You Have a Real Coverage Gap
Ask yourself these questions:
- Do you store any customer data, employee data, or payment information digitally?
- Does your business rely on internet-connected systems, software, or cloud platforms to operate?
- Would your business lose revenue if your systems were offline for a week or more?
- Do you have contractual obligations to clients that involve data handling or technology services?
- Are you subject to any regulatory requirements around data security or breach notification (HIPAA, PCI DSS, CCPA, state breach notification laws)?
If you answered yes to any of these, you almost certainly have a cyber exposure that your GL policy is not covering. The question is not whether you need cyber insurance. The question is whether you have it and whether the limits are right for your actual risk.
Frequently Asked Questions
Does general liability insurance cover data breaches?
No. Data breaches do not cause physical injury or property damage as GL policies define those terms. The costs associated with a breach, including notification, forensic investigation, regulatory response, and third-party liability, are not covered under a standard GL policy. A dedicated cyber insurance policy is what covers these losses.
Can I add cyber coverage to my general liability policy?
Some carriers offer cyber endorsements that attach to GL policies, but these provide materially less coverage than a standalone cyber policy. Sublimits are low, ransomware and extortion are often excluded or capped, and the claims process is more complex. For meaningful cyber protection, a standalone cyber insurance policy is the right product.
Does business interruption insurance cover cyberattacks?
Standard commercial property business interruption coverage requires a physical loss trigger, which a cyberattack does not satisfy. Cyber insurance policies include a separate cyber business interruption coverage that specifically responds to income loss and extra expenses caused by a network security failure or cyberattack. These are different products.
What insurance actually covers a cyberattack?
A standalone cyber liability insurance policy is the correct product. It covers first-party costs like forensic investigation, breach notification, business interruption, and ransomware response, as well as third-party liability from customer lawsuits and regulatory actions. Some businesses in technology-related fields also carry Technology E&O coverage, which addresses liability arising from failures in technology products or services. For a full breakdown of what cyber insurance covers, see What Is Cyber Insurance and What Does It Cover?
How much does cyber insurance cost compared to the potential loss?
For most small and mid-size businesses, standalone cyber coverage runs from a few hundred to a few thousand dollars annually. The average cost of a data breach for a small business exceeds $200,000 when you account for forensic investigation, legal fees, notification, and downtime. For most businesses, the math is straightforward. See How Much Does Cyber Insurance Cost? for a full pricing breakdown by company size and industry.
The Bottom Line
General liability insurance is not cyber insurance. It was not designed to be, and modern policy language, ISO form updates, and a decade of case law make sure it is not. Businesses that rely on their GL policy as a backstop for cyber losses are exposed, often without realizing it until a claim is denied.
Cyber incidents are now the leading cause of business disruption for small and mid-size companies. The costs involved, from forensic investigation to breach notification to business interruption to third-party liability, require dedicated coverage that responds to how modern attacks actually work.
If you want to understand exactly what your current policies cover in a cyber incident and where a standalone cyber policy would fill the gaps, contact SeedPod Cyber for a coverage review. We work with businesses across every industry and can typically turn around a quote in under 24 hours.
Related Resources
- What Is Cyber Insurance and What Does It Cover?
- Cyber Liability Insurance: Coverage, Costs, and How to Buy the Right Policy
- Why Every Business Needs Standalone Cyber Insurance
- Cyber Insurance Exclusions: What Most Policies Won’t Cover
- Silent Cyber: What It Is, Why It Matters, and How to Find It in Your Policies
- How Much Does Cyber Insurance Cost?
- How to Get Cyber Insurance
- Cyber Insurance for Construction