Cyber Liability Insurance for Businesses: The Coverage Your Property Policy Doesn’t Provide
Traditional property and CGL policies exclude most cyber losses. Learn how cyber liability insurance works — first-party vs. third-party coverage, ransomware, social engineering fraud, the CGL boundary, CCPA exposure, and what California businesses need to know.
By Leland Coontz III, Licensed Public Adjuster · June 1, 2026
This Article Is Not Legal Advice
This article is educational in nature and reflects the author’s interpretation of California insurance law as a Licensed Public Adjuster. It is not legal advice. Cyber liability policies are manuscript forms that vary dramatically between carriers, and the regulatory landscape around data privacy and cybersecurity evolves rapidly. If you have a disputed claim involving cyber liability coverage, consult with a licensed California attorney who specializes in insurance coverage disputes.
A ransomware attack shuts down your operations for two weeks. A phishing email tricks your controller into wiring $180,000 to a fraudulent account. A data breach exposes the personal information of 50,000 customers. A rogue employee downloads your entire client database before leaving for a competitor. In every one of these scenarios, your commercial property policy and your CGL policy will almost certainly deny the claim.
Traditional insurance was designed for a physical world — buildings that burn, inventory that floods, people who slip and fall. The digital risks that now represent the fastest-growing exposure for American businesses exist in a coverage void that the insurance industry has been slow to fill and quick to exploit. Cyber liability insurance was created to address this void, but the coverage is still immature, inconsistently written, and riddled with sublimits, exclusions, and conditions that can leave a business owner believing they have protection they do not actually have.
Why Traditional Policies Do Not Cover Cyber Losses
The gap in traditional insurance coverage for cyber events is deliberate. Beginning in the early 2000s, the insurance industry recognized that property and liability policies were being exposed to cyber risks the premiums never contemplated. The industry’s response was to add exclusions — not to create affordable coverage alternatives.
- Commercial property policies. The ISO CP 00 10 (Building and Personal Property Coverage Form) defines Covered Property to include your building and business personal property, but electronic data is carved out of Covered Property and restored only through a small Electronic Data additional coverage (an annual aggregate of $2,500 unless a higher limit is scheduled). The Causes of Loss forms then exclude loss of or damage to electronic data outright, which eliminates most cyber-related property claims. Note that ISO’s virus-and-bacteria exclusion addresses biological contaminants, not malware; it is not the provision that defeats a cyber claim. For more on what property policies exclude, see our article on Silent Cyber and Property Insurance.
- Commercial General Liability (CGL) policies. The CGL covers “bodily injury” and “property damage” caused by an “occurrence.” Electronic data is not “tangible property” (the ISO form says so expressly), so its loss or corruption does not constitute “property damage” under the CGL. The “personal and advertising injury” coverage (Coverage B) includes offenses such as “oral or written publication, in any manner, of material that violates a person’s right of privacy,” which some policyholders have argued covers data breaches. Courts have reached mixed results on that argument, and ISO responded with the access-or-disclosure exclusions, CG 21 06 and CG 21 07 (Exclusion – Access or Disclosure of Confidential or Personal Information and Data-Related Liability; the two differ only in whether a limited bodily-injury exception is retained), to remove the ambiguity.
- Business income coverage. Even if a network outage causes a complete shutdown of operations, the business income coverage under the commercial property policy requires “direct physical loss of or damage to” covered property. A cyberattack that encrypts your data does not cause physical damage to the server. For background on how business income coverage works, see our guide to Business Interruption Insurance Claims.
First-Party Cyber Coverage: Protecting Your Own Business
First-party cyber coverage pays for losses your business sustains directly as a result of a cyber event. This is the coverage that replaces what your property policy excludes. A comprehensive cyber policy should include:
- Business income from network outage. Replaces income lost when a cyberattack, system failure, or security breach disrupts your operations. Unlike property-based business income coverage, cyber BI does not require physical damage; it triggers when your network or computer systems are unavailable due to a covered cyber event. Check whether the trigger covers only a security failure (an attack) or also an unintentional system failure (a bad patch, a failed storage array); many forms treat these as separate insuring agreements with separate limits.
- Data restoration costs. Pays to restore, recreate, or replace electronic data that is destroyed, corrupted, or encrypted by a cyberattack. This includes the cost of forensic specialists who recover data from compromised systems. See also our article on Accounts Receivable and Valuable Papers Coverage for the traditional property-policy equivalent.
- Ransomware/cyber extortion payments. Covers ransom payments made to threat actors who have encrypted your data or threatened to release sensitive information, as well as the costs of negotiating with the attackers (typically through specialized crisis firms). Most policies require carrier consent before any ransom payment, and paying without it can forfeit reimbursement. A payment to a sanctioned person or group is unlawful regardless of coverage, so the negotiator will screen the attacker against sanctions lists before anything is paid, and no policy will reimburse a payment that violates sanctions.
- Crisis management and public relations. Pays for professional PR and communications services to manage reputational damage following a breach. For businesses that depend on customer trust, such as healthcare, financial services, and e-commerce, this coverage can be essential to survival.
- Forensic investigation costs. Covers the cost of hiring cybersecurity forensic experts to determine how the breach occurred, what data was compromised, and whether the threat has been contained. This is typically one of the largest first-party costs in any significant cyber event.
- Notification costs. Pays for legally required notifications to affected individuals, including printing, postage, call center services, and credit monitoring. In California, notification can be required for breaches as small as a single compromised record.
The Waiting Period for Cyber Business Income
Most cyber policies impose a waiting period (typically 8 to 12 hours, sometimes 24 hours) before business income coverage begins. Unlike the 72-hour waiting period in many commercial property BI forms, the cyber waiting period is rarely negotiable away by endorsement. For businesses that lose thousands of dollars per hour of downtime, the waiting period can represent a significant uninsured gap. Negotiate the shortest waiting period available at policy placement, check whether the policy pays from the first hour of the outage once the waiting period is exceeded or only for the hours after it, and understand that on most forms losses during the waiting period are entirely out of pocket.
Third-Party Cyber Coverage: Claims Others Bring Against You
Third-party cyber coverage responds when others — customers, clients, regulators, business partners — bring claims against your business arising from a cyber event. This is the liability side of the cyber policy:
- Data breach liability. Covers defense costs and damages when individuals or entities sue you for failing to protect their personal information. Class action lawsuits following large data breaches can generate defense costs in the millions even before any judgment or settlement.
- Regulatory defense and penalties. Pays for legal defense against regulatory investigations and proceedings by agencies such as the California Attorney General, the FTC, HHS (for HIPAA violations), or state insurance regulators. Some policies also cover regulatory fines and penalties, though coverage for penalties varies by jurisdiction and policy language.
- PCI fines and assessments. If your business processes credit cards and a breach compromises cardholder data, the payment card brands (Visa, Mastercard, etc.) impose fines and assessments through your acquiring bank. PCI-DSS compliance failures can generate six- and seven-figure fines. Cyber policies may cover these assessments, but look for a specific PCI coverage grant; not all policies include it.
- Media liability. Some cyber policies include coverage for claims arising from content published on your website or digital media: defamation, copyright infringement, invasion of privacy. This coverage overlaps with Coverage B of the CGL but can fill gaps created by the CGL’s cyber exclusions.
- Network security liability. Covers claims brought by third parties whose systems or data are harmed because a cyberattack propagated through your network. If malware on your system spreads to a client’s system and causes damage, this coverage responds.
Social Engineering Fraud: The Biggest Growing Claims Area
Social engineering fraud, in which a criminal manipulates an employee into voluntarily transferring funds or sensitive data, is consistently one of the most frequent cyber-related claim types carriers report, and the one growing fastest. Common schemes include:
- Business email compromise (BEC). The attacker spoofs or compromises the email of an executive, vendor, or client and instructs an employee to wire funds to a new account. The email looks legitimate, references real transactions, and creates urgency.
- Invoice manipulation. The attacker intercepts legitimate vendor invoices (often through a compromised email account) and changes the payment routing to a fraudulent account. The business pays the fake invoice, and the vendor never receives payment.
- Impersonation fraud. The attacker impersonates a person in authority (a CEO, CFO, attorney, or government official) and directs an employee to take immediate action involving money or data.
The coverage gap for social engineering fraud is notorious. Traditional crime/fidelity policies (ISO CR 00 21 and similar forms) cover losses caused by “employee dishonesty,” “computer fraud,” or “funds transfer fraud.” But social engineering losses are caused by an employee following instructions: the employee is not dishonest, the computer is not “hacked” in the traditional sense, and the transfer instruction came from the insured itself rather than from an impostor acting without its knowledge. Many crime forms add a “voluntary parting” exclusion for exactly this situation. Courts have split on whether computer fraud coverage applies when the employee voluntarily initiates the transfer. For more on the crime policy gap, see our article on Employee Dishonesty and the Crime Policy Gap.
Standalone social engineering coverage is now available as an endorsement to either the crime policy or the cyber policy. However, sublimits are common, typically $100,000 to $250,000, which may be inadequate for a business that regularly makes large wire transfers. Many of these endorsements also make coverage conditional on the insured having verified the payment instruction out of band (a callback to a phone number already on file, not one supplied in the request) before funds were released; a loss that skipped the verification step may be excluded outright. Negotiate the highest sublimit available, read the verification condition, and implement dual-authorization and callback controls for all wire transfers and vendor account changes regardless of the coverage amount.
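The controls described above, as an added example that is not part of the original article: a payment-release gate that blocks a wire unless the beneficiary matches the vendor master, a callback was made to the number on file by someone other than the person who received the instruction, and a second, independent approver signed off above a threshold. The vendor record, the names, the $10,000 threshold and the $180,000 scenario are constructed for illustration; the audit trail is what you would hand a carrier to show the endorsement’s verification condition was met.

```python
# Added example, not from the original article: a payment-release gate that
# enforces the social engineering controls recommended above. Vendor records,
# names, amounts and the dual-authorization threshold are constructed.
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed vendor master: the authoritative bank account and the phone
# number on file for each vendor. Callback verification must use this number,
# never one supplied in the e-mail or invoice that carried the instruction.
VENDOR_MASTER = {
    "ACME-0042": {"account": "US12-3456-7890", "phone": "+1-555-0100"},
}


@dataclass
class WireRequest:
    vendor_id: str
    beneficiary_account: str
    amount: float
    initiated_by: str                       # who received/keyed the instruction
    callback_number: Optional[str] = None   # number actually dialled
    callback_by: Optional[str] = None       # who made the call
    approved_by: Optional[str] = None       # second approver, if any
    audit: List[str] = field(default_factory=list)


def check_wire(req: WireRequest, dual_auth_threshold: float = 10_000.0) -> str:
    """Return "RELEASED" or "BLOCKED: <control that failed>".

    Every decision is appended to req.audit so the record can later be handed
    to a carrier as evidence that the policy's verification conditions were met.
    """
    vendor = VENDOR_MASTER.get(req.vendor_id)
    if vendor is None:
        return _block(req, "unknown vendor id")
    # Control 1: invoice manipulation swaps the routing details. Any beneficiary
    # that differs from the vendor master is blocked; the master is only changed
    # through a separate, independently verified process.
    if req.beneficiary_account != vendor["account"]:
        return _block(req, "beneficiary account differs from vendor master")
    # Control 2: out-of-band callback, to the number on file, by someone other
    # than the person who received the instruction.
    if req.callback_number != vendor["phone"] or not req.callback_by:
        return _block(req, "callback not made to the number on file")
    if req.callback_by == req.initiated_by:
        return _block(req, "callback must be made by someone other than initiator")
    # Control 3: dual authorization above the threshold, by a distinct approver.
    if req.amount >= dual_auth_threshold and (
        not req.approved_by or req.approved_by == req.initiated_by
    ):
        return _block(req, "independent second approval required")
    req.audit.append(f"released {req.amount:.2f} to {req.vendor_id}")
    return "RELEASED"


def _block(req: WireRequest, reason: str) -> str:
    req.audit.append(f"blocked: {reason}")
    return f"BLOCKED: {reason}"


if __name__ == "__main__":
    # The article's scenario: a controller tricked into wiring $180,000. The
    # attacker changed the account, so the gate stops it at control 1.
    bec = WireRequest("ACME-0042", "US99-0000-0001", 180_000, "controller",
                      callback_number="+1-555-0199", callback_by="controller")
    print(check_wire(bec))
    print(bec.audit)
```

The order of the checks matters: the account comparison runs first because it needs no human in the loop, and the callback check compares against the master record rather than trusting whatever number the requester says they dialled.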
The CGL vs. Cyber Policy Boundary
The boundary between the CGL and the cyber policy is one of the most actively litigated areas in insurance coverage law. The core issue: does a data breach or privacy violation constitute “personal and advertising injury” under the CGL?
CGL Coverage B includes coverage for “oral or written publication, in any manner, of material that violates a person’s right of privacy.” Policyholders have argued that a data breach — which results in the unauthorized “publication” of personal data — triggers this coverage. The argument has had limited success:
- Some courts have found that a data breach does not constitute “publication” because the insured did not intentionally or voluntarily make the data public — a criminal third party stole it.
- ISO responded with exclusions CG 21 06 and CG 21 07, which remove coverage for injury arising out of any access to or disclosure of confidential or personal information (the two forms differ only in whether a limited bodily-injury exception survives). If your CGL carries one of these exclusions, the CGL/cyber boundary question is moot for most data breach claims.
- Even without these exclusions, the CGL’s “occurrence” requirement is contested ground. An occurrence is an accident judged from the insured’s standpoint. Policyholders argue that a criminal intrusion is unexpected and unintended from the insured’s perspective; carriers answer that the loss flowed from the insured’s own, non-accidental failure to secure the data. Courts have gone both ways, so the requirement is a litigation risk rather than a reliable trigger.
The practical takeaway: do not rely on the CGL to cover cyber losses. Even if you believe your CGL provides some coverage, the carrier will dispute it aggressively, and the litigation will be expensive and uncertain. A standalone cyber policy provides dedicated, unambiguous coverage that the CGL was never designed to provide.
Sublimits and Coinsurance in Cyber Policies
One of the most dangerous features of cyber insurance is the prevalence of sublimits. A policy may carry a $5 million aggregate limit, but individual coverage components are often subject to much lower sublimits:
- Ransomware/cyber extortion: $500,000 sublimit
- Social engineering fraud: $100,000 sublimit
- PCI fines and assessments: $250,000 sublimit
- Crisis management/PR: $100,000 sublimit
- Regulatory fines: $500,000 sublimit
- Business income: subject to a per-day or per-hour cap
These sublimits can make a $5 million policy respond like a $500,000 policy for the most common and most expensive cyber events. Read every sublimit in your policy and compare it to your actual exposure. A ransomware demand of $2 million against a $500,000 sublimit is a $1.5 million problem your insurance does not solve.
Some cyber policies also impose coinsurance on certain coverages — particularly business income — requiring the insured to bear a percentage (typically 10% to 20%) of losses above the waiting period. Coinsurance provisions reduce the effective coverage and increase the insured’s out-of-pocket exposure.
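How the waiting period, coinsurance, sublimits and the shared aggregate interact on a single event, as an added example that is not from the original article. The policy structure mirrors the $5 million aggregate and sublimits quoted above; the outage length, hourly loss and response costs are constructed.

```python
# Added example, not from the original article: a model of how a cyber policy
# with sublimits, a waiting period and coinsurance responds to one event.
# Policy figures mirror the article's sample schedule; loss amounts are made up.
from typing import Dict, Optional


def bi_recovery(hourly_loss: float, outage_hours: float, waiting_hours: float,
                coinsurance: float = 0.0, per_hour_cap: Optional[float] = None,
                sublimit: Optional[float] = None) -> Dict[str, float]:
    """Business income recovery: hours inside the waiting period are uninsured,
    each remaining hour is capped, then coinsurance and the sublimit apply."""
    covered_hours = max(0.0, outage_hours - waiting_hours)
    rate = hourly_loss if per_hour_cap is None else min(hourly_loss, per_hour_cap)
    eligible = covered_hours * rate
    paid = eligible * (1.0 - coinsurance)          # insured bears the coinsurance share
    if sublimit is not None:
        paid = min(paid, sublimit)
    paid = round(paid, 2)
    total_loss = hourly_loss * outage_hours
    return {"loss": total_loss, "paid": paid, "uninsured": total_loss - paid}


def respond(losses: Dict[str, float], sublimits: Dict[str, float],
            aggregate: float) -> Dict[str, Dict[str, float]]:
    """Apply each coverage's sublimit, then the shared aggregate, in the order
    the losses are presented. Returns per-coverage paid/uninsured plus totals."""
    remaining = aggregate
    out: Dict[str, Dict[str, float]] = {}
    for name, loss in losses.items():
        cap = sublimits.get(name, aggregate)        # no sublimit: only the aggregate caps it
        paid = min(loss, cap, remaining)
        remaining -= paid
        out[name] = {"loss": loss, "paid": paid, "uninsured": loss - paid}
    total_loss = sum(losses.values())
    out["_totals"] = {"loss": total_loss, "paid": aggregate - remaining,
                      "uninsured": total_loss - (aggregate - remaining)}
    return out


def worked_example() -> Dict[str, Dict[str, float]]:
    """One event against the $5M policy sketched above: a $2M ransom demand,
    a two-week outage at $5,000 per hour with a 12-hour wait and 20% coinsurance,
    and typical response costs."""
    bi = bi_recovery(hourly_loss=5_000, outage_hours=336, waiting_hours=12, coinsurance=0.20)
    losses = {
        "cyber_extortion": 2_000_000,
        "business_income": bi["paid"],    # already net of waiting period and coinsurance
        "forensics": 600_000,
        "notification": 400_000,
        "crisis_pr": 250_000,
    }
    sublimits = {"cyber_extortion": 500_000, "crisis_pr": 100_000}
    return respond(losses, sublimits, aggregate=5_000_000)


if __name__ == "__main__":
    for name, row in worked_example().items():
        print(f"{name:18s} loss={row['loss']:>12,.0f} paid={row['paid']:>12,.0f} "
              f"uninsured={row['uninsured']:>12,.0f}")
```

On these numbers the $5 million policy pays about $2.9 million against $4.5 million of presented loss: the extortion sublimit alone leaves $1.5 million uninsured, the PR sublimit another $150,000, and the 12-hour wait plus 20% coinsurance have already cost $384,000 on the business income side before the aggregate is touched.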
California-Specific Requirements and Exposure
California imposes some of the most stringent data privacy and breach notification requirements in the nation. Businesses operating in California face unique cyber exposure:
- California Consumer Privacy Act (CCPA) / CPRA. The CCPA (Civil Code §1798.100 et seq.), as amended and expanded by the California Privacy Rights Act (CPRA) effective January 1, 2023, grants California consumers extensive rights over their personal information and creates a private right of action (§1798.150) when nonencrypted, nonredacted personal information is breached because the business failed to maintain reasonable security. Statutory damages range from $100 to $750 per consumer per incident (figures the statute subjects to periodic inflation adjustment) or actual damages, whichever is greater. For a breach affecting 100,000 consumers that is $10 million to $75 million in statutory exposure alone, before attorney fees.
- Data breach notification (Civil Code §1798.82). California requires notification to affected individuals “in the most expedient time possible and without unreasonable delay.” Notification must include specific information about the breach, the types of data compromised, and steps the individual can take, and a breach affecting more than 500 California residents must also be reported to the Attorney General. Notification costs for large breaches routinely exceed $1 million.
- California Attorney General and CPPA enforcement. The California Attorney General has enforcement authority under the CCPA and California’s general consumer protection statutes, and the California Privacy Protection Agency (CPPA), created by the CPRA, has administrative enforcement authority of its own. Investigations and civil penalties can be devastating for businesses without regulatory defense coverage.
- Healthcare and financial data. Businesses handling protected health information (PHI) face additional exposure under California’s Confidentiality of Medical Information Act (CMIA, Civil Code §56 et seq.), and those handling financial data face exposure under the California Financial Information Privacy Act (Financial Code §4050 et seq.). These California-specific statutes create liability beyond what federal laws like HIPAA and GLBA impose.
Incident Response Requirements: The Condition That Can Kill Your Claim
Most cyber policies impose strict incident response requirements as conditions of coverage. Failure to comply can result in a denial:
- Use of panel vendors. Many cyber carriers require you to use their pre-approved panel of forensic investigators, breach coaches (attorneys), notification vendors, and crisis management firms. If you hire your own vendor without carrier approval, the carrier may refuse to reimburse those costs.
- Immediate notification. Cyber policies typically require notice “as soon as practicable” or within a specified number of hours (24 to 72) after discovering a breach. Read the policy’s definition of discovery or knowledge: some forms start the clock when anyone in IT or security becomes aware of the event, others only when a defined control group (general counsel, CISO, CFO) learns of it. Plan for the earlier trigger and route security alerts to whoever is responsible for carrier notice.
- Preservation of evidence. The carrier will require that you preserve all forensic evidence, including system logs, network traffic data, and affected hardware. Rebuilding or reimaging servers before the forensic investigation is complete can be grounds for a coverage defense.
- Cooperation with the investigation. You must cooperate fully with the carrier’s investigation, provide access to systems and personnel, and not take remedial action that could compromise the forensic analysis without carrier approval.
Have an Incident Response Plan Before You Need One
The worst time to read your cyber policy’s incident response requirements is during an active breach. Every business with a cyber policy should have a written incident response plan that identifies the carrier’s notification hotline, the pre-approved panel vendors, the internal personnel responsible for reporting, and the steps to preserve forensic evidence. Review the plan annually and update it when the policy renews.
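The preservation and notice-timing steps from the conditions above, as an added example that is not from the original article: a routine that hashes each evidence file into a chain-of-custody manifest at collection time, re-verifies the files later so that any “cleanup” before the forensic firm arrives is detectable, and computes the carrier notice deadline from the discovery time. The case id, collector name, 72-hour window and log lines are constructed; substitute your policy’s notice window and your own evidence list.

```python
# Added example, not from the original article: preserve evidence with a hashed
# manifest and compute the carrier notice deadline. Case id, collector, the
# 72-hour window and the log contents are constructed for illustration.
import hashlib
import json
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths: List[Path], case_id: str, collected_by: str) -> Dict:
    """Record hash, size and mtime of each evidence file at collection time.

    The manifest is the chain-of-custody record: if a server is later reimaged,
    the preserved copies can still be shown to match what was collected.
    """
    entries = []
    for p in paths:
        st = p.stat()
        entries.append({
            "path": str(p),
            "sha256": sha256_file(p),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        })
    return {"case_id": case_id, "collected_by": collected_by,
            "collected_at_utc": datetime.now(timezone.utc).isoformat(),
            "entries": entries}


def verify_manifest(manifest: Dict) -> List[str]:
    """Return the paths whose current hash no longer matches the manifest
    (or that have disappeared); an empty list means the evidence is intact."""
    bad = []
    for e in manifest["entries"]:
        p = Path(e["path"])
        if not p.exists() or sha256_file(p) != e["sha256"]:
            bad.append(e["path"])
    return bad


def notice_deadline(discovered_at: datetime, window_hours: int) -> datetime:
    """Latest time to notify the carrier under a fixed-hours notice condition,
    counted from discovery, not from when the C-suite learns of the event."""
    return discovered_at + timedelta(hours=window_hours)


def run_demo() -> Dict:
    """Preserve two constructed log files, then show that a later edit is caught."""
    root = Path(tempfile.mkdtemp(prefix="evidence-"))
    auth, proxy = root / "auth.log", root / "proxy.log"
    # Constructed log lines standing in for the real artifacts.
    auth.write_text("2026-06-01T09:58:12Z sshd: Accepted password for svc-backup from 203.0.113.7\n")
    proxy.write_text("2026-06-01T10:01:44Z CONNECT 198.51.100.23:443 user=svc-backup bytes=48211\n")
    manifest = build_manifest([auth, proxy], case_id="IR-2026-001", collected_by="ir-lead")
    (root / "manifest.json").write_text(json.dumps(manifest, indent=2))
    clean = verify_manifest(manifest)
    # Someone "tidies up" the proxy log before the forensic firm arrives.
    with open(proxy, "a") as f:
        f.write("2026-06-01T12:00:00Z rotated\n")
    tampered = verify_manifest(manifest)
    discovered = datetime(2026, 6, 1, 10, 0, tzinfo=timezone.utc)
    return {"clean": clean,
            "tampered": [Path(p).name for p in tampered],
            "manifest_entries": len(manifest["entries"]),
            "deadline": notice_deadline(discovered, 72).isoformat()}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Write the manifest somewhere the affected systems cannot reach (a separate share or an external drive), and record who collected what and when; the timestamps and hashes are what the carrier’s forensic panel will ask for first.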
Practical Coverage Checklist for Businesses
When evaluating or renewing a cyber liability policy, verify that the following coverages are included with adequate limits and without crippling sublimits:
- Business income from network outage (with the shortest available waiting period)
- Data restoration and forensic investigation costs
- Ransomware/cyber extortion (with a sublimit that matches your actual exposure)
- Social engineering fraud (with a sublimit adequate for your typical wire amounts)
- Breach notification costs (including credit monitoring for affected individuals)
- Regulatory defense and penalties (critical for California businesses)
- PCI fines and assessments (if you process credit cards)
- Crisis management and public relations
- Third-party liability for data breaches and network security failures
- Media liability (if your online content creates defamation or IP exposure)
- Dependent business income (when a vendor’s breach disrupts your operations)
Also verify the policy’s retroactive date. Most cyber policies are written on a claims-made basis with a retroactive date that governs the third-party liability coverages (first-party coverages more often turn on when the event is discovered within the policy period). Claims arising from breaches that occurred before the retroactive date are excluded, even if the breach is not discovered until after the policy inception. If you are switching carriers, ensure the new policy’s retroactive date matches or predates the original policy’s inception, and ask for full prior acts coverage where it is available.
Related Articles
- Cyber Coverage in Homeowner’s Policies — the limited cyber protection available in personal lines
- Business Interruption Insurance Claims — how traditional BI coverage works and its cyber limitations
- Employee Dishonesty and the Crime Policy Gap — the crime policy’s failure to cover social engineering losses
- Silent Cyber and Property Insurance — the hidden cyber exposure in traditional property policies
- Accounts Receivable and Valuable Papers Coverage — the property-policy equivalent of data restoration coverage
Dealing with a Cyber Insurance Claim?
Cyber claims involve time-sensitive notification requirements, forensic preservation obligations, and complex coverage questions that carriers exploit to minimize payments. A Licensed Public Adjuster can navigate the claims process, challenge sublimit applications, and ensure your business recovers the full protection your cyber policy provides.