Does Your General Liability Policy Cover a Cyberattack?

By Ryan Windt | Head of Growth Marketing | Updated April 2026

If you have a general liability (GL) policy, you might assume your business is protected if a cyberattack hits. It is a reasonable assumption. GL insurance is designed to cover unexpected losses, and a cyberattack is certainly unexpected. But here is the hard truth: in almost every case, your general liability policy will not cover a cyberattack. And by the time you find that out, it is too late.

This post breaks down exactly why GL policies fall short when cyber incidents occur, what the coverage gap actually looks like in practice, and what a purpose-built cyber insurance policy covers that your GL policy never will.


What General Liability Insurance Actually Covers

General liability insurance was designed for a physical world. It covers bodily injury, property damage, and personal or advertising injury that happens as a result of your business operations. Think slip-and-fall accidents, damage to a client’s property, or a lawsuit over a misleading advertisement.

GL policies are built around tangible, physical losses. A broken arm. A flooded office. A defamatory print ad. These are the risks GL was written to address.

Cyberattacks are none of those things.


Why GL Policies Do Not Cover Cyber Losses

Over the past decade, insurers have worked hard to make sure their GL policies do not pay out for cyber incidents. Most modern GL policies contain explicit cyber exclusions, which means cyber losses are not just uncovered by default — they are actively excluded by design.

Even in older policies without explicit cyber exclusions, courts have consistently ruled that standard GL language does not extend to cyber losses. Here is why, coverage component by coverage component.

Bodily injury and property damage: A cyberattack does not typically cause physical injury or destroy tangible property in the way GL policies define it. Encrypted data is not “property damage” under most GL definitions. Lost revenue from a ransomware attack is not a physical loss. Courts have ruled against businesses trying to apply these provisions to cyber events over and over again.

Personal and advertising injury: This coverage applies to things like libel, slander, and copyright infringement in your advertisements. It does not apply to a data breach that exposes your customers’ personal information, even though that breach may result in significant third-party liability.

Products and completed operations: If a cyberattack corrupts software your business delivered to a client, your GL policy is almost certainly not going to respond. That scenario is closer to a Technology E&O claim. For more on where Tech E&O fits, see our breakdown of What Is Technology E&O Insurance.


The Scenarios That Catch Businesses Off Guard

The gap between what business owners expect and what their GL policy actually does is where real financial damage happens. Here are the scenarios we see most often.

A ransomware attack shuts down your operations. Your business goes offline for days or weeks. You lose revenue, pay for forensic investigation, and spend weeks recovering. Your GL policy pays nothing. There is no physical property damage. There is no bodily injury. The loss is entirely digital and operational. Business interruption coverage from a dedicated cyber policy is what responds here.

A data breach exposes customer information. You face breach notification obligations, credit monitoring costs for affected customers, regulatory inquiries, and potential lawsuits from the people whose data was compromised. Your GL policy will not cover notification costs, forensic investigation, or the legal defense that follows. A purpose-built cyber insurance policy covers all of it.

A business email compromise (BEC) attack results in a fraudulent wire transfer. An attacker impersonates your CFO or a vendor and tricks an employee into wiring funds to a fraudulent account. GL does not cover financial losses from social engineering. Cyber insurance with eCrime or social engineering coverage does.

A phishing attack leads to a client’s data being compromised. Your client sues you. Your GL policy’s personal and advertising injury provisions are not going to respond to a third-party data liability claim of this kind. Cyber liability coverage is what protects you.


What Cyber Insurance Covers That GL Never Will

A dedicated cyber insurance policy is built from the ground up for exactly these scenarios. At SeedPod Cyber, our coverage includes:

  • Cyber extortion and ransomware response: Financial protection and expert support when attackers lock your systems or threaten to release your data.
  • Business interruption: Reimbursement for lost income and extra expenses when an attack takes your operations offline, including attacks on critical third-party providers you rely on.
  • Data breach response: Covers legal support, customer notification, credit monitoring, forensic investigation, and PR costs to restore trust after a breach.
  • Third-party liability: Protection against legal claims from customers, partners, or regulators when their data is compromised in an incident affecting your business.
  • eCrime and social engineering fraud: Covers losses from fraudulent wire transfers and funds transfer fraud initiated by attackers impersonating trusted parties.

None of these are available under a standard GL policy. Not even partially.


The “Silent Cyber” Problem in Older Policies

Before explicit cyber exclusions became standard, there was a period where cyber losses theoretically could have triggered GL coverage because the policies did not address cyber at all. This gray area became known as “silent cyber.”

Insurers responded aggressively. They added affirmative cyber exclusions across the board and began issuing clarifying endorsements to older policies. The insurance industry’s position today is clear: GL policies do not cover cyber losses, and carriers have structured their policies to make that unambiguous.

If you have an older GL policy and you think silent cyber provisions might protect you, talk to your broker and have them review the actual policy language. Do not assume coverage exists where it has not been explicitly granted.


What About a Business Owner’s Policy (BOP)?

A Business Owner’s Policy bundles GL coverage with commercial property insurance. Some insurers offer optional cyber add-ons to BOP policies, and this is where businesses sometimes get confused.

Those cyber add-ons are almost always limited in scope. They may provide a small sublimit for breach response but typically exclude business interruption from cyber events, do not cover ransomware or extortion comprehensively, and cap coverage at levels far too low to address a real incident. A sublimit of $25,000 or $50,000 for a cyber event that costs six figures or more to resolve is not meaningful protection.

A purpose-built standalone cyber policy is a different product entirely. The coverage limits, the breadth of covered events, and the incident response resources that come with it are not comparable to a BOP add-on.


How to Know If You Have a Real Coverage Gap

Ask yourself these questions:

  1. Do you store any customer data, employee data, or payment information digitally?
  2. Does your business rely on internet-connected systems, software, or cloud platforms to operate?
  3. Would your business lose revenue if your systems were offline for a week or more?
  4. Do you have contractual obligations to clients that involve data handling or technology services?

If you answered yes to any of these, you almost certainly have a cyber exposure that your GL policy is not covering. The question is not whether you need cyber insurance. The question is whether you have it and whether the limits are right for your actual risk.


The Bottom Line

General liability insurance is not cyber insurance. It was not designed to be, and modern policy language makes sure it is not. Businesses that rely on their GL policy as a backstop for cyber losses are exposed — often without realizing it until a claim is denied.

Cyber incidents are now the leading cause of business disruption for small and mid-size companies. The costs involved, from forensic investigation to breach notification to business interruption to third-party liability, require dedicated coverage that responds to how modern attacks actually work.

If you want to see what a real cyber insurance policy looks like for your business, we can typically turn around a quote in under 24 hours. Get a quote from SeedPod Cyber and find out exactly where you stand.
