
Cyber Liability

If your business takes credit cards, sends invoices over email, stores customer addresses, or uses cloud software, you have cyber exposure. The average breach response runs into six figures even for small businesses. Cyber insurance is what stops a single incident from being existential.

01/ The basics

What it is.

Cyber liability splits into two halves. First-party coverage pays for YOUR losses: the forensics bill, the ransom payment, the business income lost while you're shut down, the cost to notify affected customers. Third-party coverage pays for what you owe OTHERS: lawsuits from affected customers, regulatory fines, defense costs.

Most general liability and BOP policies exclude cyber entirely or include a small token endorsement (often $25K to $100K) that won't cover an actual incident. Standalone cyber policies range from $1M to $10M of coverage and are increasingly affordable for small businesses, especially those with basic cyber hygiene (MFA, backups, employee training).

Below is what each piece of a cyber policy actually pays for, the questions underwriters ask that determine whether you can even get coverage, and the things every small business should have in place before applying.

Who needs it

Any business that handles customer data, processes payments, runs operations through email and cloud apps, or relies on digital systems to operate. That's almost everyone now.

02/ Coverages

What it covers.

Each policy is a stack of named coverages. Required parts are mandated by state law. Recommended parts are what we put on most policies. Optional parts depend on your situation.

01 · Required

Breach Response

Pays for the immediate response after a confirmed incident: forensic investigation, legal counsel, customer notification, credit monitoring offers, public relations. Typically the first dollars spent and often the most.

02 · Required

Ransomware and Cyber Extortion

Pays the ransom (where legal), the negotiation specialist's fee, and the decryption recovery. Includes coverage for ransom alternatives (rebuilding from backup) when paying isn't an option. Carrier-vetted ransom-payment processors are usually required.

03 · Required

Business Income / Cyber Interruption

Pays your lost income and operating expenses while a cyber incident shuts you down. Critical for businesses where digital downtime equals lost revenue. Has a waiting period (usually 8 to 12 hours) before coverage kicks in.

04 · Required

Data Restoration

Cost to restore, rebuild, or recreate lost or corrupted data and software. Often the largest claim component for businesses with sophisticated data dependencies.

05 · Required

Network Security Liability

Defense and damages when your security failure causes harm to others (customers, partners, vendors). Includes failure to prevent a breach, malware transmission, denial of service against another network.

06 · Required

Privacy Liability

Defense and damages when sensitive personal information is disclosed. Customer lawsuits, class actions, regulatory complaints. Usually paired with regulatory defense.

07 · Required

Regulatory Defense and Fines

Legal costs and (where insurable by law) fines arising from state Attorneys General, the FTC, HIPAA and PCI compliance proceedings, and GDPR enforcement. Critical for healthcare, retail, and finance.

08 · Recommended

Social Engineering / Wire Fraud

Pays when an employee is tricked into sending money or data to a fraudulent recipient (the classic 'CEO wants me to wire $50K to this vendor' attack). Usually a SUB-LIMIT inside cyber, often $100K to $250K. Confirm the limit because this is one of the most frequent claim types.

09 · Recommended

Funds Transfer Fraud

Coverage for fraudulent electronic funds transfers out of your bank account. Usually a sub-limit. Your bank usually does NOT make small businesses whole on social-engineering wire transfers.

10 · Optional

Reputational Harm

Lost income directly attributable to negative publicity from a cyber event. Available on better policies. Usually a sub-limit.

03/ In practice

When it kicks in.

Real situations we see in the agency. The point is to show how each layer of coverage maps to actual life, not to scare you.

Scenario 01

Phishing wire transfer

Bookkeeper receives an email looking like it's from the CEO authorizing a $48,000 vendor payment. Money goes overseas. Bank can't recover. Social Engineering coverage (sub-limit) pays the loss minus retention. This is the most common small-business cyber claim we see.

Scenario 02

Ransomware encrypts the customer database

All systems locked, business shut down. Ransomware coverage pays the negotiation specialist, the ransom (if paid), AND the data restoration costs. Business Income picks up the revenue lost during the shutdown.

Scenario 03

Breach exposes customer credit cards

POS system compromised by malware. 8,000 cards exposed. Privacy Liability pays customer lawsuits, Regulatory Defense pays the state AG investigation, Breach Response pays the notification and credit monitoring offered to affected customers.

Scenario 04

Vendor breach exposes your customers

Third-party vendor (payroll provider, marketing platform) suffers a breach that includes your customer data. You may still have direct liability to your customers under privacy laws. Privacy Liability and Regulatory Defense respond.

Scenario 05

Email account compromise leads to invoice fraud

Attacker takes over employee email, sends fake invoices to customers redirecting payment. Customer pays the wrong account. The customer sues you for the loss. Network Security Liability and Privacy Liability respond.

04/ Glossary

Key terms.

Plain-English definitions. The vocabulary insurance carriers assume you already know.

01 Retention (Deductible)
What you pay before the policy pays. Cyber retentions usually run $2,500 to $25,000 depending on policy size. Higher retentions can drop premium meaningfully.

02 First-Party vs Third-Party
First-party covers YOUR losses (forensics, ransom, business income). Third-party covers what you owe OTHERS (lawsuits, fines). Both halves are needed for full protection.

03 Sub-Limit
A cap on a specific coverage section inside the overall policy limit. Social Engineering, Reputational Harm, and Cyber Crime are commonly sub-limited. Always know the sub-limits, not just the policy limit.

04 Multi-Factor Authentication (MFA)
Carriers now require MFA on email, remote access, and admin accounts as a condition of coverage. No MFA = no policy or a much higher rate. The single most impactful security control on premium.

05 Backup and Recovery Plan
Tested, offsite backups are increasingly required by carriers. Important for ransomware recovery without paying the ransom.

06 Endpoint Detection and Response (EDR)
Modern security software that monitors all endpoints for malicious activity. Increasingly a required control on cyber applications, especially for businesses over $5M in revenue.

05/ FAQ

Common questions.

Questions clients ask before they get on the phone with AJ. If yours isn’t here, just call.

  • Maybe a token amount ($25K to $100K) but not nearly enough. The average ransomware claim is six figures. The average wire-transfer fraud claim is $50K to $200K. BOP cyber endorsements are NOT a substitute for a real cyber policy.


Independent agency · Est. 2017 · Fairfield, Connecticut · 35+ A-rated carriers · Licensed in 11+ states