Cyber Liability Insurance: Agent's Guide 2026
Cyber liability is the fastest-growing line in commercial insurance — and for good reason. Average ransom payments increased 104% between Q1 and Q2 of 2025, publicly disclosed ransomware attacks rose 63% year-over-year, and carriers are tightening underwriting requirements in response. For agents, cyber presents both an enormous growth opportunity and a knowledge gap that needs closing. Your clients need this coverage, and most of them either don't have it or are inadequately protected.
The global cyber insurance market is projected to hit $23 billion in premiums by 2026, according to S&P Global. But penetration remains low — only 10%–20% of small and mid-size businesses carry cyber coverage, meaning the majority of commercial accounts in your book likely have an unaddressed exposure. This guide covers what agents need to know to sell and service cyber liability effectively.
TLDR: Cyber liability insurance covers first-party costs (breach response, business interruption, ransomware payments) and third-party liabilities (lawsuits, regulatory fines, PCI penalties). Underwriting now requires proof of MFA, endpoint detection, and backup protocols before carriers will quote. Premiums range from $1,000–$7,500+ annually for small businesses depending on industry and revenue. This is a claims-made line, and the market is getting more selective on underwriting while premiums stabilize for well-prepared accounts.
First-Party vs. Third-Party Coverage
Cyber liability policies are structured around two broad categories of coverage. Understanding the distinction is essential for matching coverage to client exposure.
First-Party Coverage (The Insured's Own Costs)
First-party coverage pays for the insured's direct costs resulting from a cyber event. These are expenses the business incurs itself — not claims or lawsuits from others.
Data breach response costs:
- Forensic investigation to determine what happened and what data was compromised
- Notification costs — printing and mailing breach notification letters to affected individuals (state breach notification laws require this, and costs run $1–$3 per notification for large breaches)
- Credit monitoring and identity theft protection services for affected individuals
- Public relations and crisis communication to manage reputational damage
- Legal counsel to advise on breach response and regulatory obligations
Business interruption:
- Lost income when a cyber event (ransomware, DDoS attack, system failure) disrupts business operations
- Extra expenses to restore operations (temporary systems, overtime labor, expedited repairs)
- Dependent business interruption — loss from a cyber event affecting a key vendor or service provider (cloud hosting, payment processor, supply chain partner)
Ransomware and cyber extortion:
- Ransom payments (where legal and approved by the carrier)
- Costs of negotiation with threat actors (many carriers provide access to professional ransom negotiation firms)
- Costs to restore systems and data if ransom is not paid
Data restoration:
- Costs to recreate, restore, or recollect data that was destroyed or corrupted in a cyber event
- Hardware replacement if physical equipment is damaged by a cyber attack (e.g., firmware corruption)
Third-Party Coverage (Claims Against the Insured)
Third-party coverage pays for claims, lawsuits, and regulatory actions brought against the insured by others as a result of a cyber event.
Privacy liability:
- Defense costs and settlements/judgments from lawsuits alleging failure to protect personal information
- Class action defense — data breaches affecting large numbers of individuals frequently trigger class action litigation
Network security liability:
- Claims arising from the insured's failure to prevent a cyber attack that affects others (e.g., the insured's compromised email is used to launch attacks on the insured's clients)
Regulatory proceedings:
- Defense costs and fines resulting from regulatory investigations by state attorneys general, HHS (for HIPAA violations), FTC, SEC, and other regulatory bodies
- Civil penalties — note that some jurisdictions prohibit insurance coverage for certain regulatory fines; coverage availability varies by state
Media liability:
- Claims arising from the insured's electronic content — defamation, copyright infringement, invasion of privacy through digital media
- Not all cyber policies include media liability; some offer it as an optional coverage
PCI DSS liability:
- Fines and assessments imposed by payment card brands (Visa, Mastercard) when the insured fails to meet Payment Card Industry Data Security Standards
- Card reissuance costs charged back to the merchant after a breach
- PCI forensic investigation costs
Who Needs Cyber Liability Coverage
The short answer: every business that uses computers or email, or that collects any customer data. But some businesses face significantly higher exposure than others.
High-Priority Industries
Healthcare: HIPAA requirements, protected health information (PHI), and high per-record breach costs make healthcare one of the most exposed industries. Healthcare organizations pay $3,000–$7,500+ annually for cyber coverage depending on size and patient volume.
Financial services: Banks, credit unions, financial advisors, and accounting firms handle sensitive financial data subject to GLBA, SEC regulations, and state financial privacy laws.
Professional services: Law firms, CPAs, consultants, and engineering firms hold confidential client data. A breach at a law firm can expose privileged attorney-client communications.
Retail and e-commerce: Payment card data, PCI DSS compliance requirements, and high-volume customer databases create significant exposure. A PCI breach can result in fines of $5,000–$100,000 per month until compliance is achieved.
Technology companies: SaaS providers, managed service providers, and software companies face both direct exposure and liability from breaches affecting their customers.
Manufacturing: Increasingly targeted by ransomware due to operational technology (OT) systems that can shut down production lines. Manufacturers often lack the cybersecurity maturity of other industries, making them attractive targets.
Small Businesses Are Not Exempt
A common client objection is "we're too small to be a target." The data says otherwise. Small businesses are disproportionately targeted because they typically have weaker security controls and fewer resources to respond to attacks. The average cost of a data breach for a business with fewer than 500 employees exceeds $3 million, according to IBM's annual Cost of a Data Breach Report.
Underwriting Requirements in 2026
This is where the cyber market has changed most dramatically. Carriers are no longer accepting a simple application and premium. Coalition's data shows 82% of cyber claims involved organizations without MFA, which is why MFA has become a non-negotiable underwriting requirement.
Minimum Controls Most Carriers Require
Multi-factor authentication (MFA):
- Required for all remote access (VPN, RDP)
- Required for email access
- Required for privileged/admin accounts
- Required for access to cloud-based applications
- Businesses without MFA are routinely denied coverage or quoted at significantly higher premiums
Endpoint detection and response (EDR):
- Antivirus alone is no longer sufficient — carriers want active EDR solutions that detect, investigate, and respond to threats
- 24/7 monitoring (MDR — managed detection and response) is increasingly expected for mid-market accounts
Backup and recovery:
- Regular backups of critical data and systems
- Backups stored offline or in immutable storage (not accessible from the production network)
- Tested backup restoration procedures — carriers want proof that backups actually work
Email security:
- Phishing-resistant email filtering
- DMARC, DKIM, and SPF records configured to prevent email spoofing
- Security awareness training for employees
Patch management:
- Regular patching of operating systems and software
- Critical vulnerability patches applied within 30 days (or less for actively exploited vulnerabilities)
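The email-security and patch-management items above are the two controls on this checklist an agent can verify from data the client can hand over, rather than from a questionnaire answer. The following Python script is an added example written for this guide, not a tool from any carrier named here; it takes DNS TXT records and a patch inventory as plain Python data (the records and findings below are constructed samples for a hypothetical domain `example-client.test`) and reports whether SPF is published with a fail mechanism, whether DMARC is set to an enforcing policy, and which open findings are past the 30-day patch window. The 7-day window for actively exploited vulnerabilities is an assumption; the guide only says "less" for those.

```python
"""Pre-qualification checks for the email-security and patch-management
controls in a carrier's minimum-controls list.

Added example, not part of the guide. It assumes the agent has the client's
public DNS TXT records and a patch inventory export in hand; the inputs
below are constructed sample data for a hypothetical domain.
"""
from datetime import date

# Constructed sample TXT records, keyed by DNS name (hypothetical client).
SAMPLE_TXT = {
    "example-client.test": ["v=spf1 include:_spf.example-mail.test -all"],
    "_dmarc.example-client.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-client.test"],
}

# Constructed sample patch inventory. IDs are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    {"id": "FINDING-A", "published": date(2026, 1, 5), "patched": True, "exploited": False},
    {"id": "FINDING-B", "published": date(2026, 1, 20), "patched": False, "exploited": True},
    {"id": "FINDING-C", "published": date(2026, 2, 10), "patched": False, "exploited": False},
]
TODAY = date(2026, 3, 1)


def parse_dmarc(record):
    """Split a DMARC TXT record into its tag=value pairs (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(txt_records):
    """Return (ok, reason). Require exactly one SPF record ending in -all or ~all."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return False, f"expected one SPF record, found {len(spf)}"
    mechanism = spf[0].split()[-1].lower()
    if mechanism == "-all":
        return True, "SPF present with hard fail (-all)"
    if mechanism == "~all":
        return True, "SPF present with soft fail (~all)"
    return False, f"SPF does not end in -all or ~all (found {mechanism})"


def check_dmarc(txt_records):
    """Return (ok, reason). Require a DMARC record with p=quarantine or p=reject."""
    dmarc = [r for r in txt_records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return False, "no DMARC record published"
    policy = parse_dmarc(dmarc[0]).get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        return False, f"DMARC policy p={policy or 'missing'} does not enforce"
    return True, f"DMARC enforcing (p={policy})"


def check_patch_sla(findings, today, sla_days=30, exploited_sla_days=7):
    """Return the ids of unpatched findings older than their SLA window.

    sla_days follows the 30-day figure in the checklist; exploited_sla_days
    is an assumed tighter window for actively exploited vulnerabilities.
    """
    overdue = []
    for finding in findings:
        if finding["patched"]:
            continue
        limit = exploited_sla_days if finding["exploited"] else sla_days
        if (today - finding["published"]).days > limit:
            overdue.append(finding["id"])
    return overdue


def prequalify(domain, txt_lookup, findings, today):
    """Aggregate the checks into a summary the agent can attach to the file."""
    checks = {
        "spf": check_spf(txt_lookup.get(domain, [])),
        "dmarc": check_dmarc(txt_lookup.get(f"_dmarc.{domain}", [])),
    }
    overdue = check_patch_sla(findings, today)
    checks["patching"] = (not overdue, f"{len(overdue)} finding(s) past SLA: {overdue}")
    summary = dict(checks)
    summary["ready_to_submit"] = all(ok for ok, _ in checks.values())
    return summary


if __name__ == "__main__":
    for name, value in prequalify("example-client.test", SAMPLE_TXT, SAMPLE_FINDINGS, TODAY).items():
        print(f"{name}: {value}")
```

On the sample data the domain passes SPF and DMARC but fails patching, because FINDING-B is an unpatched, actively exploited item published 40 days before the review date, so `ready_to_submit` comes back False and the agent knows what to fix before the application goes out. To run this against a real client, replace the `SAMPLE_TXT` dictionary with TXT lookups from a DNS library such as dnspython; MFA, EDR and backup testing still have to be confirmed from the client's own evidence, since none of them is visible from DNS.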
The Application Process
Marsh McLennan's research found 41% of cyber applications are denied on first submission, with missing MFA and inadequate endpoint protection as the top two reasons. For agents, this means:
- Pre-qualify the risk before submitting. Ask the client about their security controls before sending an application to the carrier. If they don't have MFA, help them understand that they need to implement it before applying.
- Position yourself as an advisor. Helping clients improve their security posture to qualify for coverage is a value-add that differentiates you from agents who just fill out applications and hope for the best.
- Document the client's security controls. Keep records of what the client reported on the application — this protects you if a claim is denied due to misrepresentation.
Pricing Factors
Industry and Risk Profile
Cyber premiums vary significantly by industry:
| Industry | Typical Annual Premium (Small Business) | Why |
|---|---|---|
| Healthcare | $3,000–$7,500+ | HIPAA exposure, PHI, high per-record costs |
| Financial services | $2,500–$6,000+ | Regulatory exposure, financial data |
| Retail / E-commerce | $2,000–$5,000+ | PCI DSS, payment card data |
| Professional services | $1,500–$3,000 | Client data, professional liability nexus |
| Technology / SaaS | $2,000–$8,000+ | Dependent on customer data volume and services |
| Construction / Manufacturing | $1,000–$3,000 | Lower data exposure, higher OT risk |
Revenue and Employee Count
Revenue is the primary sizing metric for cyber pricing. Carriers price based on revenue bands:
- Under $1 million revenue: $1,000–$2,000/year for $1 million limits
- $1–5 million revenue: $1,500–$4,000/year
- $5–25 million revenue: $3,000–$10,000/year
- $25–100 million revenue: $8,000–$25,000+/year
Other Pricing Variables
- Records count — number of PII/PHI records the business stores; more records = higher exposure
- Security controls — strong security posture (MFA, EDR, backups, training) produces lower premiums
- Claims history — prior cyber incidents or claims increase premiums significantly
- Coverage limits — most small businesses purchase $1–2 million limits; higher limits cost proportionally more
- Deductible/retention — typical cyber deductibles range from $2,500 to $25,000; higher retentions reduce premiums
- Coverage breadth — policies with ransomware sublimits, dependent BI exclusions, or limited regulatory coverage cost less but provide less protection
Market Trends in 2026
After significant rate increases in 2021–2023, the cyber market has stabilized somewhat. According to WTW's Insurance Marketplace Realities 2026 report, accounts with strong security controls are seeing flat to modest premium reductions at renewal, while accounts with weak controls or prior losses continue to face increases. New competition in the cyber market is putting downward pressure on rates for well-prepared accounts.
Common Exclusions
Every cyber policy has exclusions, and they vary more between carriers than in most commercial lines. Key exclusions to review:
War and Nation-State Attacks
Most cyber policies exclude acts of war, including cyber warfare by nation-state actors. After the NotPetya attack in 2017 (attributed to Russia and estimated to have caused over $10 billion in global damage), carriers clarified and tightened war exclusions. Some policies use a "hostile cyber operations" exclusion that's broader than the traditional war exclusion.
Agent action item: Review the war/cyber operations exclusion language carefully. Some carriers have adopted Lloyd's Market Association (LMA) model clauses that provide clearer boundaries between covered and excluded events.
Infrastructure Failure
Many policies exclude losses resulting from failure of public infrastructure — power grids, internet backbone, telecommunications systems — unless the failure results from a cyber attack specifically targeting the insured.
Prior Known Events
Claims-made policies exclude events the insured was aware of before the policy inception. If the insured knew about a breach or vulnerability before purchasing coverage, resulting claims are excluded.
Unencrypted Data
Some policies exclude or sublimit claims arising from loss of unencrypted personal data. This incentivizes encryption and reduces carrier exposure for the most preventable breaches.
Social Engineering / Funds Transfer Fraud
Social engineering (business email compromise, CEO fraud) is covered by some cyber policies but excluded or sublimited by others. Many carriers offer social engineering coverage as an optional endorsement with a separate sublimit ($100,000–$250,000 is common).
Important for agents: Social engineering losses are among the most common cyber claims. Make sure your client's policy covers this exposure — and if it's sublimited, discuss whether the sublimit is adequate.
Regulatory Fines Where Prohibited by Law
Some states don't allow insurance coverage for regulatory fines and penalties. Cyber policies typically include language stating that regulatory fine coverage applies "where insurable by law." Know your state's position on this — it affects the value of third-party coverage.
Common Gaps and E&O Traps
Not Offering Cyber at All
This is the biggest gap in many agencies' books. If you're not discussing cyber with every commercial client, you're leaving them exposed — and leaving yourself exposed to an E&O claim if they suffer a breach and didn't know coverage was available. Document every cyber coverage discussion, whether the client purchases or declines.
Relying on CGL "Data Breach" Coverage
Standard CGL policies exclude most cyber-related claims through the electronic data exclusion (CG 21 06 or CG 21 07). Some carriers offer a limited data breach endorsement on the CGL or BOP — but these endorsements typically provide only first-party breach response costs with low sublimits ($50,000–$100,000). They are not a substitute for a standalone cyber liability policy.
Ignoring Dependent Business Interruption
Many businesses rely heavily on third-party technology — cloud hosting (AWS, Azure), SaaS applications, payment processors, and supply chain platforms. If a cloud provider suffers an outage due to a cyber attack, the insured's business may shut down even though the insured's own systems are fine. Dependent (or contingent) business interruption coverage addresses this exposure, but it's not included in all cyber policies.
Not Matching Coverage to Regulatory Exposure
A healthcare client needs coverage that specifically addresses HIPAA notification requirements and OCR investigations. A retailer needs PCI DSS coverage. A financial services firm needs GLBA and SEC regulatory coverage. Generic cyber policies may not adequately address industry-specific regulatory requirements.
Social Engineering Sublimits
As noted above, social engineering is one of the most frequent cyber claims — and it's often sublimited at $100,000 or $250,000. A single wire transfer fraud can exceed these sublimits. Discuss the exposure with clients and consider higher sublimits where available.
How to Quote Cyber Liability
Information Checklist
- Business details — industry, revenue, employee count, number of locations
- Data profile — types of data collected (PII, PHI, financial data, payment cards), approximate number of records
- Technology environment — cloud vs. on-premise, key vendors/platforms, website/e-commerce presence
- Security controls — MFA status, EDR solution, backup procedures, patch management, employee training program
- Regulatory environment — HIPAA, PCI DSS, GLBA, state privacy laws applicable to the business
- Prior incidents — any prior breaches, ransomware events, or cyber claims
- Existing coverage — current cyber policy details (carrier, limits, premium, retroactive date)
- Desired limits — typically $1 million for small businesses, $2–5 million for mid-market
Carrier Options
The cyber market has more carrier options than ever:
- Standard carriers with cyber products (Hartford, Travelers, CNA, Chubb) — offer cyber as part of a commercial package or standalone; good for small-to-mid accounts with standard exposures
- Cyber-focused carriers (Coalition, Corvus, At-Bay, Cowbell) — technology-driven underwriting, continuous monitoring, and specialized claims handling; often competitive for tech-savvy accounts
- Surplus lines — for accounts with prior incidents, weak security controls, or unusual exposures that admitted carriers won't cover
Practical Quoting Tips
- Pre-qualify MFA and EDR before submitting. If the client doesn't have MFA, help them implement it first. Submitting an application that will be declined wastes everyone's time and may flag the account for future submissions.
- Compare coverage forms, not just premiums. Cyber policies vary more between carriers than most commercial lines. A cheaper policy with a war exclusion that covers nation-state ransomware differently, lower social engineering sublimits, or no dependent BI coverage may not be the better option.
- Review the retroactive date. Cyber is a claims-made line. When switching carriers, make sure the new carrier matches the existing retroactive date — or purchase tail coverage from the old carrier.
- Explain breach response services. Many cyber carriers include proactive services — vulnerability scanning, employee phishing training, incident response planning — as part of the policy. These services provide immediate value to the client, even before a claim occurs.
Frequently Asked Questions
How much does cyber liability insurance cost for a small business?
For small businesses with under $5 million in revenue, cyber liability premiums typically range from $1,000 to $5,000 per year for $1 million in coverage limits. Pricing depends heavily on industry (healthcare and financial services pay more), revenue, data volume, and security controls. Businesses with MFA, EDR, and documented backup procedures will generally qualify for the lower end of the range.
What is the difference between cyber liability and professional liability?
Professional liability (E&O) covers claims arising from professional errors, omissions, or negligence in the delivery of professional services. Cyber liability covers claims and costs arising from data breaches, cyber attacks, and network security failures. There is some overlap — a technology company's failure to protect client data could trigger both policies — but they are distinct coverages addressing different exposures. Most technology companies need both.
Does my general liability policy cover data breaches?
No. Standard CGL policies exclude most cyber-related claims through electronic data exclusions. Some carriers offer limited data breach endorsements on CGL or BOP policies, but these provide minimal coverage (typically $50,000–$100,000 for first-party breach response costs only). A standalone cyber liability policy is necessary for adequate protection.
What security controls do I need to qualify for cyber insurance?
At minimum, most carriers in 2026 require: multi-factor authentication on all remote access, email, and admin accounts; endpoint detection and response (not just antivirus); regular offline or immutable backups; email filtering and anti-phishing controls; and a patch management process. More demanding carriers also require security awareness training, incident response plans, and third-party vendor risk assessments. Without MFA, most carriers will decline the application outright.
