
Cyber liability.
Breach response, business interruption, ransomware, customer notification. Most general liability and BOP policies exclude data losses entirely.
What it is.
Two halves: first-party (your costs — forensic investigation, notification, ransomware payment, lost income) and third-party (claims by people whose data was exposed). Modern policies bundle both. Sublimits are everywhere — ransomware sublimit, regulatory fine sublimit, social-engineering sublimit. The headline limit is rarely the available limit for the loss you actually have.
The lines in your policy.
Each one is its own knob. The carrier's default rarely fits a real life.
What a claim looks like.
Three anonymized files. Numbers are illustrative.
Manufacturer hit with ransomware, production halted for 6 days. Ransom + forensic investigation + business interruption: $480K. Cyber pays in full minus the retention. Plant resumes operation; backup hardening implemented as part of post-event work.
Accounting team receives a spoofed email from the 'CEO' authorizing a $94K wire to a vendor. Funds gone before discovery. Social engineering sublimit pays $50K (the sublimit). Without coverage or with no sublimit endorsement, the full $94K is a loss.
Retailer's POS system compromised, 4,200 customer records exposed. Breach response (forensics + notification + credit monitoring) totals $180K. PCI fines another $90K. Cyber pays both.
How to read a cyber policy.
The four things worth looking for on the dec page, in the order we read them.
The first page tells you who's actually covered, on what address, and under whose legal entity. A surprising number of policies have the wrong name, the wrong address, or a missing additional insured, and you don't find out until you file a claim. Cross-check it against your driver's license, your title or lease, and any contract that requires you to be insured.
Policy limits are abstract until you stack them against the assets they protect. A $300k liability limit feels generous in isolation; against a $1.2M home and a college fund, it isn't. Walk down each numbered line on your dec page and ask: if this were the cap on the worst day, would I be okay?
Page one shows you the base form. Pages four through twelve show you what the endorsements added, and, more importantly, what they took away. Water-damage exclusions, roof-payment schedules, named-storm deductibles, scheduled-valuables caps. These small numbered forms decide more claims than the headline limits do.
Carriers re-rate, re-form, and re-endorse policies at every renewal. If you keep last year's dec page, a side-by-side read takes ten minutes and tells you which limits drifted, which sublimits got cut, and which endorsements quietly disappeared. It's the single most useful habit in personal insurance.
Frequently asked questions.
Do I need cyber if I don't store credit card data?
Yes, if you store any customer data — names, emails, phone, health info. Breach notification laws apply broadly. Even pure operations exposure (ransomware locks you out) is a cyber claim.
Why is the social-engineering sublimit so low?
Wire fraud claims are high-frequency. Carriers cap them to keep premium reasonable. Higher sublimits are available — worth buying up if your operation processes meaningful wire volume.
What about acts-of-war exclusions?
Post-2022, many cyber policies expanded war exclusions to cover state-sponsored attacks. The line between criminal ransomware and state-sponsored cyber is blurry — read your policy's war exclusion carefully.
How does this interact with my GL?
GL almost always excludes data losses entirely — explicit cyber exclusions on most forms since 2014. Cyber is a standalone coverage, not an endorsement on GL.
Want a second read on your cyber policy?
Send us your declarations page. You'll get it back marked up, in plain language, with the gaps and the over-coverage flagged, yours to keep, no obligation to switch.
or phone (913) 408-7280
We're an independent broker. We represent you, not the carrier: paid by the carrier we ultimately place with, but accountable only to the person whose name is on the policy. Read more about how we work.