
What Is Cyber Insurance and What Does It Cover?


By Ryan Windt | Head of Growth Marketing | Updated April 2026

Cyber insurance is a type of business insurance that covers the financial costs of a cyber incident. That includes the direct costs your business incurs responding to an attack, and the liability costs that arise when a breach affects your customers, clients, or business partners.

Most business owners encounter cyber insurance for the first time when a client contract requires it, when a broker mentions it at renewal, or after a breach that their existing coverage did not address. This post explains what cyber insurance actually is, what it covers, what it does not cover, and what you need to know before you buy a policy.


Why Standard Business Insurance Does Not Cover Cyber Incidents

The most important thing to understand about cyber insurance is why it exists as a separate product.

A standard general liability policy covers physical damage and bodily injury. A business owner’s policy covers your physical property and some liability exposure. Neither was designed for the costs that follow a data breach, a ransomware attack, or a funds transfer fraud. Most explicitly exclude cyber losses.

This means a business that experiences a ransomware attack and has only a general liability policy is on its own for the forensic investigation, the ransom negotiation, the system restoration, the breach notification, and any regulatory fines or third-party claims that follow. Those costs can reach six figures for a small business and well into seven figures for a mid-market company.

Cyber insurance was built to fill that gap. For more on exactly where general liability coverage ends and cyber coverage begins, see our dedicated post on whether general liability covers cyberattacks.


What Cyber Insurance Covers

Cyber insurance policies are organized around two categories of coverage: first-party coverage and third-party coverage.

First-party coverage pays for costs your business incurs directly as a result of a cyber incident. Third-party coverage pays for liability claims made against your business by customers, clients, regulators, or other parties harmed by the incident.

Most standalone cyber policies include both. Understanding the distinction matters because the two categories respond to very different types of losses and are often subject to different limits and conditions within the same policy.

For a deeper explanation of how these two coverage categories work, see our full guide to first-party vs. third-party cyber insurance.

First-Party Coverage

Forensic investigation

After a cyber incident, you need to know what happened. What systems were accessed? What data was taken? How did the attacker get in? Answering those questions requires a forensic investigation by a qualified cybersecurity firm. Cyber insurance covers the cost of that investigation, which can run from tens of thousands of dollars for a contained incident to several hundred thousand dollars for a complex breach.

Breach notification

Most states require businesses to notify individuals whose personal information was exposed in a data breach. Some states set notification deadlines as tight as 30 to 72 hours after discovery. The notification process involves legal review to determine who must be notified, preparation of notification letters, mailing costs, and often the provision of credit monitoring services to affected individuals. At $5 to $15 per affected record, notification costs can become significant quickly for businesses with large customer databases.

Business interruption

When a cyber incident takes your systems offline, you lose revenue. Business interruption coverage compensates for that lost income during the period your operations are disrupted. It can also cover the extra expenses you incur to keep operating during recovery, such as temporary systems, overtime labor, or alternative service providers.

Business interruption is now the single largest driver of cyber insurance claims. For a full breakdown of why operational downtime has overtaken data theft as the primary source of cyber losses, see our post on business interruption as the largest driver of cyber losses.

Ransomware and cyber extortion

Ransomware attacks encrypt your data and systems and demand payment for the decryption key. Extortion attacks threaten to publish stolen data unless a ransom is paid. Cyber insurance covers the ransom payment itself if payment is determined to be the appropriate response, as well as the negotiation costs, the forensic work required to assess the situation, and the system restoration costs that follow.

For a detailed look at how cyber insurance responds to ransomware specifically, see our post on ransomware and cyber insurance coverage.

Data recovery and system restoration

Beyond ransomware, any destructive attack or significant security incident can corrupt or destroy data and damage systems. Coverage for data recovery and system restoration pays for the technical work required to rebuild your environment after an incident.

Crisis communications and public relations

A significant breach can damage your reputation with customers and partners. Many cyber policies include coverage for crisis communications support, meaning the cost of a public relations firm to help manage the public response to an incident.

Third-Party Coverage

Privacy liability

If a breach at your business exposes personal information belonging to customers or employees and those individuals or their representatives bring a claim against you, privacy liability coverage pays for your legal defense and any resulting settlements or judgments. Class action lawsuits following large data breaches are increasingly common, and even small businesses can face individual claims from affected customers.

Regulatory defense and fines

A data breach can trigger regulatory investigations by state attorneys general, the FTC, and industry-specific regulators such as HHS for healthcare businesses or financial regulators for businesses subject to GLBA. Regulatory coverage pays for the legal defense costs of responding to those investigations. Many policies also cover the resulting fines and penalties, though some jurisdictions limit or prohibit the insurability of certain fines. This varies by carrier and policy form and is worth confirming explicitly before you buy.

Network security liability

If a security failure at your business results in harm to a third party, such as a client whose systems are infected through a connection to your network, network security liability coverage responds to claims arising from that harm.


What Cyber Insurance Does Not Cover

Understanding what cyber insurance excludes is just as important as understanding what it covers. The most common exclusions to know about are:

War and nation-state attacks

Most cyber policies exclude losses caused by acts of war or cyberattacks attributed to nation-state actors. This exclusion has become more significant as state-sponsored attacks have increased and carriers have tightened the language around it. For a current breakdown of how war exclusions apply and what they mean for businesses, see our post on the Iran conflict, cyber insurance, and the war exclusion.

Intentional acts

Coverage does not apply to cyber incidents that are deliberately caused by the insured or by employees acting with intent to cause harm. Insider threats that involve intentional data theft by an employee, for example, are typically covered under a crime or fidelity policy rather than a cyber policy.

Prior known incidents

A cyber policy covers incidents that occur during the policy period. If a breach happened before your coverage began, or if you knew about a vulnerability or an active attack at the time you applied for coverage, claims related to that incident will be excluded. This is why the retroactive date in your policy matters more than most buyers realize. Our post on the retroactive date in cyber insurance explains how this works and why a gap in coverage history creates real risk.

Infrastructure and physical damage

Cyber insurance covers digital losses. Physical damage to hardware, damage from power surges or natural disasters, and bodily injury are not covered. Those losses belong to your property and general liability policies.

Contractual penalties

SLA penalties and contractual damages you owe a client because your service was unavailable are generally not covered under a cyber policy. Technology Errors and Omissions insurance addresses those exposures.


Cyber Insurance and Technology E&O: Two Different Policies

Businesses that provide technology services or software products need to understand that cyber insurance and Technology Errors and Omissions insurance are distinct products that cover different things.

Cyber insurance covers security and privacy events: breaches, ransomware attacks, and the liability that follows.

Tech E&O covers professional failures: your software had a bug that caused a client financial harm, your platform went down and a client missed a contractual deadline, or your service failed to perform as specified. No attacker needed. No data taken. Just a platform failure and a client with a claim.

For technology companies, SaaS providers, MSPs, and MSSPs, both policies are usually necessary. A cyber policy without Tech E&O leaves professional liability exposure completely uncovered. For a scenario-by-scenario breakdown of which policy responds to what, see our guide to Tech E&O vs. cyber insurance.


Key Policy Terms You Need to Understand Before You Buy

Coverage limit

The maximum amount your insurer will pay under the policy. Most small business policies start at $1 million. Whether that is enough depends on your actual exposure, not the market standard. For guidance on how to size your limit, see our post on how much cyber insurance you actually need.

Sublimits

A sublimit is a cap on what the insurer will pay for a specific type of loss, set below the overall policy limit. Ransomware payments, funds transfer fraud, and regulatory fines are commonly sublimited. A $1 million policy with a $250,000 sublimit on ransomware will not pay more than $250,000 on a ransomware claim regardless of your total limit. For a full explanation, see Cyber Insurance Sublimits Explained.

Deductible

The amount you pay out of pocket before coverage kicks in. Higher deductibles lower your premium but increase your exposure when a claim occurs. For a full breakdown of how deductibles work in cyber insurance, including the difference between a deductible and a self-insured retention, see Cyber Insurance Deductibles Explained.

Retroactive date

The date from which covered incidents can originate. A breach that began before your retroactive date is not covered even if it is discovered after your policy is in force. This is one of the most consequential and least understood terms in a cyber policy.

Reporting requirements

Most cyber policies require you to report a known or suspected incident within a defined window, often 60 to 72 hours. Failing to report promptly is one of the most common reasons claims are denied.


What Cyber Insurance Costs

Cyber insurance premiums vary significantly based on your industry, your revenue, your security posture, and the limits and terms you select. Most small businesses pay between $1,200 and $7,500 per year for $1 million in coverage. Mid-market companies typically pay between $8,000 and $35,000.

For detailed pricing benchmarks by company size, industry, and security control profile, see our cyber insurance cost guide.


What Qualifies You for Coverage

Cyber insurance is not automatic. Carriers evaluate your application and assess your security posture before issuing a policy. The controls that most directly affect your eligibility are multi-factor authentication, endpoint detection and response, tested backups, and a documented incident response plan.

Businesses without these controls in place may be declined, offered coverage with significant exclusions, or quoted premiums that reflect the elevated risk they carry. For a full breakdown of what carriers require, see our cyber insurance requirements checklist.


Who Needs Cyber Insurance

Any business that stores personal information, processes payments, operates systems that could be disrupted by an attack, or holds data on behalf of clients has cyber exposure. That description applies to most businesses operating today regardless of size or industry.

The businesses that most commonly discover they needed cyber insurance after the fact are small and mid-sized businesses that assumed they were too small to be targeted, or that assumed their existing coverage handled it. Neither assumption is accurate.

If you are not sure whether your current coverage addresses your cyber exposure, or if you want to understand what a policy would cost for your specific situation, contact SeedPod Cyber or get a quote.

Frequently Asked Questions About Cyber Insurance

Is cyber insurance required by law?

Cyber insurance is not required by federal law for most businesses. However, many businesses are effectively required to carry it through contractual obligations. Enterprise clients increasingly require vendors to maintain cyber insurance as a condition of doing business, and the requirement is written directly into Master Service Agreements. Some state and industry regulations also require or strongly encourage it for businesses handling certain categories of sensitive data. Healthcare organizations, financial services firms, and defense contractors are among the industries where coverage expectations are highest.

Does cyber insurance cover employee mistakes?

Yes, in most cases. The majority of cyber incidents involve some element of human error, and carriers know this. If an employee clicks a phishing link that leads to a ransomware infection, or accidentally sends sensitive data to the wrong recipient, a standard cyber policy will respond. What coverage typically does not extend to is intentional misconduct by an employee who deliberately steals or destroys data. Those scenarios fall under crime or fidelity coverage rather than cyber insurance.

Does cyber insurance cover social engineering and wire fraud?

It depends on the policy. Social engineering coverage and funds transfer fraud coverage are not automatically included in every cyber policy. Many policies offer them as endorsements, meaning you have to specifically elect and pay for them. The trigger language also matters: some policies require that a fraudulent instruction be received through a compromised email account, while others cover losses from any deceptive communication, including spoofed emails that never touched your actual systems. If your business handles wire transfers or payment instructions of any kind, this is one of the most important coverage questions to ask before you buy. See our post on social engineering and funds transfer fraud coverage for a full breakdown.

Does cyber insurance cover ransomware payments?

Generally yes, though the specifics depend on the policy and the circumstances. Most cyber policies cover the ransom payment itself, the cost of a professional negotiator, forensic investigation costs, and system restoration costs following a ransomware attack. Ransomware coverage is also one of the most commonly sublimited coverage lines, meaning the amount available for a ransom payment may be set below your overall policy limit. Some policies also include conditions around the payment process, such as requiring insurer approval before a ransom is paid. For a detailed look at how coverage responds to ransomware, see our post on ransomware and cyber insurance.

Can small businesses get cyber insurance?

Yes. Cyber insurance is available to businesses of virtually any size, including sole proprietors and micro businesses. Small businesses with limited sensitive data and strong basic security controls can often obtain $1 million in coverage for well under $2,000 per year. Small businesses in higher-risk industries such as healthcare or financial services will pay more, but coverage is still accessible. For pricing benchmarks by company size, see our cyber insurance cost guide.

How is cyber insurance different from cybersecurity?

Cybersecurity refers to the tools, processes, and practices that prevent attacks from succeeding: firewalls, endpoint detection and response software, multi-factor authentication, security training, and so on. Cyber insurance is financial protection for when an attack succeeds despite those defenses. The two are complementary, not interchangeable. Strong cybersecurity reduces the likelihood and severity of an incident and is required to qualify for coverage. Cyber insurance transfers the financial risk that remains after your security controls are in place. One does not replace the other.

What happens if I had a breach before buying a policy?

A cyber policy covers incidents that occur after your retroactive date, which is typically the date your first cyber policy went into effect. If a breach occurred before that date, or if you had knowledge of an ongoing incident at the time you applied, claims related to that incident will not be covered. This is one of the most important reasons to buy cyber insurance before an incident occurs rather than after. A business that has already experienced a breach may find coverage harder to obtain and more expensive, and prior incidents will be excluded from any new policy. For a full explanation of how the retroactive date works, see our post on the retroactive date in cyber insurance.

What is the difference between cyber insurance and Technology E&O?

Cyber insurance covers losses from security and privacy events: data breaches, ransomware attacks, and the liability that follows. Technology Errors and Omissions insurance covers losses from professional failures: your software had a bug, your platform went down and a client lost revenue, or your service did not perform as specified. Technology companies and SaaS providers typically need both. A cyber policy without Tech E&O leaves the professional liability exposure from platform failures and service errors completely uncovered. See our guide to Tech E&O vs. cyber insurance for a scenario-by-scenario breakdown.

Does my industry affect what cyber insurance covers?

Your industry affects your premium, your eligibility requirements, and the specific coverage terms carriers will offer you, but the fundamental structure of what a cyber policy covers remains consistent across industries. What changes is the regulatory exposure baked into your risk profile. A healthcare organization faces HIPAA-specific requirements around breach notification and regulatory defense. A financial services firm carries exposure under GLBA and state financial privacy laws. A business that handles payment card data has PCI DSS exposure. Carriers price and structure coverage to reflect those differences. For industry-specific guidance, see our vertical posts covering healthcare, financial services, law firms, tech companies, and many others.

How do I file a cyber insurance claim?

The first step is notifying your insurer as quickly as possible after discovering a potential incident. Most policies require notification within 60 to 72 hours. From there, the carrier will assign a response team that typically includes forensic investigators, legal counsel, and breach coaches, depending on the nature of the incident. You generally cannot select your own vendors without carrier approval; doing so risks coverage issues. For a step-by-step walkthrough of what the claims process looks like from first notification through resolution, see our post on what happens after you file a cyber insurance claim.
