How to Quote Cyber Insurance: A Guide for Agents

Ankur Shrestha · 13 min read

How to Quote Cyber Insurance: Markets, Applications, and Key Questions

The cyber insurance market is projected to reach $29 billion by 2027, growing at roughly 32% annually between 2017 and 2022. That makes cyber liability insurance the fastest-growing line in commercial insurance — and one of the least familiar to agents trained on GL, WC, and property. Quoting cyber is different from quoting a BOP or workers comp. The applications are longer, the underwriting questions are technical, and carrier appetite shifts quarterly as loss data evolves.

This guide covers the full cyber quoting workflow: client intake, application deep-dive, carrier markets, and the mistakes that trip up even experienced commercial producers.

Cyber insurance quoting requires revenue data, data-type classification, security controls inventory, and prior incident history. Carrier appetite changes rapidly — standalone policies from specialty markets outperform endorsements for most risks, and the application itself is the underwriting process.

First-Party vs Third-Party Coverage Explained

Before quoting, you need to understand what the policy actually covers. Cyber liability splits into two broad categories, and most standalone policies include both.

Coverage Type | What It Covers | Example Scenario
First-Party | Breach response costs, forensic investigation, business interruption from a cyber event, data restoration, ransomware payments (where legal), crisis communications, credit monitoring for affected individuals | A ransomware attack encrypts a client's servers. First-party coverage pays for forensic investigation, data recovery, business income loss during downtime, and ransom negotiation.
Third-Party | Regulatory defense and fines, notification costs (state-mandated breach letters), lawsuits from affected customers or partners, media liability for website content, PCI-DSS fines and assessments | A client's database is breached, exposing 50,000 customer records. Third-party coverage pays for state-mandated notification, regulatory defense if the AG investigates, and settlements from class action lawsuits.

Both sides matter. We've seen agents quote first-party-only sublimits on endorsements and leave clients exposed to the regulatory and litigation costs that often dwarf the breach response itself. The average data breach now costs $4.88 million globally according to IBM's 2024 report, and a significant portion of that total comes from third-party costs: legal defense, regulatory fines, and customer notification.

A common misconception is that general liability covers cyber incidents. It does not. The standard ISO CGL form excludes damage to electronic data, and the ISO Access or Disclosure exclusions (CG 21 06 / CG 21 07) explicitly remove coverage for breaches of confidential or personal information. If an agent assumes the GL covers cyber (and we've seen it happen), the client has no coverage when an incident occurs.

What You Need From the Client

Unlike workers comp, where the ACORD 130 is standardized, cyber applications vary by carrier and probe deeply into the client's technology stack. Before approaching any carrier, collect these items:

Item | Why It Matters | Notes
Annual revenue | Primary rating factor for most carriers | Some carriers use employee count instead for certain industries
Industry / NAICS code | Determines risk tier; healthcare, financial services, and retail are higher risk | NAICS codes drive initial classification
Types of data stored | PII, PHI, PCI (credit card), intellectual property | Healthcare clients with PHI trigger HIPAA-specific underwriting
Number of records / individuals | Scale of exposure for notification costs and regulatory fines | More records = higher limits needed
Current security controls | MFA, endpoint detection, encryption, backup protocols | This is the bulk of the application (see next section)
Prior incidents and claims | Any breach, ransomware, phishing compromise, or claim in the last 3-5 years | Non-disclosure of prior incidents is the fastest path to a rescission
Current cyber coverage (if any) | Existing policy limits, carrier, expiration date | Carriers want to understand prior coverage and any gaps
Third-party vendor reliance | Cloud providers, SaaS platforms, outsourced IT | Supply chain risk is a growing underwriting concern

Revenue bands matter more than you'd expect. Many carriers have simplified applications for accounts under $25 million in revenue and require full supplemental questionnaires above that threshold. When we work with agents on mid-market accounts ($25M-$100M revenue), the application process often takes two to three weeks including back-and-forth with the underwriter.

The Application Deep-Dive: Security Controls That Carriers Require

This is where cyber quoting diverges from every other commercial line. The application isn't just gathering exposure data — it's a security audit. Carriers have tightened requirements significantly since the ransomware surge of 2020-2021, and what was optional three years ago is now a hard requirement for bindable quotes.

Multi-Factor Authentication (MFA): Nearly every carrier now requires MFA on email, remote access (VPN/RDP), and privileged admin accounts. We've seen carriers flat-out decline accounts that don't have MFA on remote access, regardless of revenue or industry. This is non-negotiable for most markets.

Endpoint Detection and Response (EDR): Traditional antivirus isn't sufficient. Carriers want EDR platforms (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint) that provide behavioral analysis and automated threat response. Legacy antivirus-only accounts face higher premiums or exclusions.

Backup Procedures: Carriers ask about backup frequency, offline/air-gapped storage, and restoration speed. These answers directly impact ransomware underwriting. "Everything is in the cloud" is not the same as tested, air-gapped backups with a documented restoration process: a cloud backup that the same admin credentials can delete or overwrite is reachable by the same attacker who deployed the ransomware, and that is what the offline/air-gapped question is really asking about.

Security Awareness Training: Does the client run phishing simulations? Is training mandatory for all employees? How often? Carriers view this as a leading indicator of organizational security culture.

Incident Response Plan: Does the client have a written plan? Has it been tested? Carriers often provide breach response services as part of the policy, but they want to know the client has internal procedures too.

Patching Cadence: How quickly does the client apply critical security patches? Carriers increasingly ask about patching timelines, especially for internet-facing systems. A client that takes 60+ days to apply critical patches is a materially different risk than one that patches within 14 days.

Honest limitation: Not every client will have all these controls in place, and that doesn't automatically make them uninsurable. But agents need to set expectations — clients without MFA and EDR will face limited carrier options, higher premiums, and potential sublimits on ransomware.

Step-by-Step Quoting Process

Step 1: Classify the Risk

Start with industry and revenue. A SaaS company with $10 million in revenue and 500,000 user records is a fundamentally different risk than a plumbing contractor with the same revenue and no stored PII beyond names and addresses.

Step 2: Assess Security Posture

Before submitting to carriers, walk through the security control checklist with the client or their IT contact. There's no point submitting to a carrier that requires MFA on all remote access if the client doesn't have it deployed. This step saves days of back-and-forth with underwriters.

When we help agents with cyber quoting, the security posture assessment is where most of the time goes. The agents who pre-qualify the client's controls before submitting get faster turnaround and fewer declinations.
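The controls section above and Step 2 both come down to the same task: answering the carrier's MFA, EDR, backup and patching questions from evidence rather than from the client's self-assessment. The script below is an added example, not code from the original article or from QuoteSweep; it runs a pre-qualification over a constructed inventory (the users, endpoints, patch records and backup facts are made-up sample data) and separates gaps that commonly produce a flat decline from gaps that usually mean a higher premium, sublimit or coinsurance. The thresholds it applies (100% MFA in each scope, 14- and 60-day critical patch windows, a restore test within 180 days) and the hard/soft split are this example's own assumptions, chosen to match the carrier behaviour the article describes.

```python
"""Pre-qualify a client's security controls from an inventory instead of self-attestation.
Added example; all data below is constructed sample data, not a real client."""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass
class User:
    name: str
    has_email: bool
    has_remote: bool        # VPN, RDP or other remote access
    is_admin: bool          # privileged/admin account
    mfa: Optional[str]      # None, "sms", "app" or "fido2"


@dataclass
class Endpoint:
    host: str
    edr: bool               # EDR agent installed and reporting; legacy AV alone counts as False


@dataclass
class CriticalPatch:
    host: str
    internet_facing: bool
    released: date          # vendor release date of a critical patch
    applied: Optional[date] # None = still open


@dataclass
class Backups:
    offline_copy: bool      # copy the admin credentials ransomware would hold cannot delete
    last_restore_test: Optional[date]


def coverage(items, in_scope, ok):
    """Fraction of in-scope items passing ok(); 1.0 when nothing is in scope."""
    scoped = [i for i in items if in_scope(i)]
    return sum(1 for i in scoped if ok(i)) / len(scoped) if scoped else 1.0


def mfa_coverage(users):
    has_mfa = lambda u: u.mfa is not None
    return {
        "email": coverage(users, lambda u: u.has_email, has_mfa),
        "remote": coverage(users, lambda u: u.has_remote, has_mfa),
        "admin": coverage(users, lambda u: u.is_admin, has_mfa),
        # share of MFA users on a phishing-resistant factor; informational, not a page requirement
        "phishing_resistant": coverage(users, has_mfa, lambda u: u.mfa == "fido2"),
    }


def edr_coverage(endpoints):
    return coverage(endpoints, lambda e: True, lambda e: e.edr)


def patch_latency(patches, as_of):
    """Days from release to apply for internet-facing critical patches. Open patches
    count up to as_of, so the max exposes a forgotten appliance even when the median is fine."""
    days = [((p.applied or as_of) - p.released).days for p in patches if p.internet_facing]
    return {"median": median(days) if days else 0, "max": max(days) if days else 0}


def prequalify(users, endpoints, patches, backups, as_of):
    """Flag gaps the way an underwriter reads them. Thresholds are this example's assumptions."""
    hard, soft = [], []
    mfa = mfa_coverage(users)
    if mfa["remote"] < 1.0:   # the gap the article says produces flat declines
        hard.append(f"MFA on remote access: {mfa['remote']:.0%} of accounts")
    for scope in ("email", "admin"):
        if mfa[scope] < 1.0:
            soft.append(f"MFA on {scope}: {mfa[scope]:.0%} of accounts")
    edr = edr_coverage(endpoints)
    if edr < 1.0:
        soft.append(f"EDR coverage: {edr:.0%} of endpoints (expect higher premium or exclusions)")
    lat = patch_latency(patches, as_of)
    if lat["max"] > 60:
        soft.append(f"Internet-facing critical patch open {lat['max']} days")
    elif lat["median"] > 14:
        soft.append(f"Median critical patch latency {lat['median']} days")
    if not backups.offline_copy:
        soft.append("No offline/immutable backup copy (expect ransomware sublimit or coinsurance)")
    if backups.last_restore_test is None or (as_of - backups.last_restore_test).days > 180:
        soft.append("No restore test in the last 180 days")
    return {"hard": hard, "soft": soft}


# Constructed sample inventory for a small client; not real data.
AS_OF = date(2026, 3, 1)
SAMPLE_USERS = [
    User("alice", True, True, True, "app"),
    User("bob", True, True, False, None),          # remote access, no MFA
    User("carol", True, False, False, "sms"),
    User("svc-backup", False, False, True, None),  # privileged service account, no MFA
]
SAMPLE_ENDPOINTS = [Endpoint("ws01", True), Endpoint("ws02", True),
                    Endpoint("fs01", True), Endpoint("legacy-av", False)]
SAMPLE_PATCHES = [
    CriticalPatch("web01", True, date(2026, 1, 10), date(2026, 1, 20)),
    CriticalPatch("vpn01", True, date(2025, 12, 20), None),   # unpatched VPN appliance
    CriticalPatch("fs01", False, date(2026, 1, 1), date(2026, 2, 25)),
    CriticalPatch("mail01", True, date(2026, 2, 1), date(2026, 2, 10)),
]
SAMPLE_BACKUPS = Backups(offline_copy=True, last_restore_test=date(2025, 6, 1))

if __name__ == "__main__":
    result = prequalify(SAMPLE_USERS, SAMPLE_ENDPOINTS, SAMPLE_PATCHES, SAMPLE_BACKUPS, AS_OF)
    for severity in ("hard", "soft"):
        for finding in result[severity]:
            print(f"[{severity}] {finding}")
```

On the sample data the median patch latency is 10 days, which would read as "we patch within two weeks" on an application, while the unpatched VPN appliance has been open for 71 days; reporting the maximum alongside the median is what surfaces it. The service account without MFA is the other finding that self-attested answers tend to miss, since "all admins have MFA" is usually answered with human administrators in mind.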

Step 3: Select Carriers Based on Appetite

Carrier appetite in cyber changes faster than in any other commercial line. A carrier that aggressively wrote healthcare cyber last quarter may have pulled back after adverse loss development. Appetite shifts are common, and staying current requires regular communication with underwriters and wholesalers.

Key factors that determine carrier appetite for cyber:

Step 4: Submit and Manage Underwriter Questions

Expect follow-up questions. Cyber underwriters routinely request supplemental information beyond the initial application — particularly around technology platforms, cloud infrastructure, and IT staffing. Responsiveness matters: underwriters are working dozens of submissions, and slow responses push your account to the bottom of the queue.

Step 5: Compare Quotes Carefully

Cyber quotes are harder to compare than GL or WC quotes because coverage terms vary significantly between carriers. When evaluating quotes, look beyond the premium:

Carrier Markets for Cyber Insurance

The cyber market includes carriers operating across several tiers. Understanding who writes what helps you target submissions efficiently.

Standalone cyber specialists — Coalition, Corvus (now part of Travelers), At-Bay, Cowbell, and Beazley write cyber as a primary line with dedicated underwriting teams. These markets are strongest for small to mid-market accounts and often return quotes faster through automated underwriting.

Traditional carriers with cyber units — Chubb, AXA XL, Hartford, Travelers, and CNA have built cyber portfolios alongside their traditional lines. Hartford writes cyber endorsements on BOPs and standalone policies for small commercial. Chubb and AXA XL are strongest in large and international accounts.

Surplus lines and wholesale markets — For accounts that standard markets won't write — higher-risk industries, prior claims, inadequate controls — the E&S market provides capacity. Lloyd's syndicates, Markel, and AXIS commonly write cyber risks that admitted carriers decline.

Endorsement vs Standalone: When Each Makes Sense

Factor | Endorsement (on BOP/Package) | Standalone Cyber Policy
Typical Limits | $50K to $500K | $1M to $10M+
Coverage Depth | Basic first-party and third-party | Full first-party, third-party, plus social engineering, system failure, contingent business interruption
Application | Minimal additional questions | Full cyber application with security controls assessment
Best For | Low-risk small businesses with minimal stored data | Any business that stores PII/PHI, relies on technology for operations, or has regulatory exposure
Premium Range | $200 to $2,000 annually | $1,500 to $25,000+ for small/mid-market
Claims Handling | General adjuster; limited breach response panel | Dedicated cyber claims team with pre-approved forensics, legal, and notification vendors

Our recommendation: For any client that stores more than incidental customer data or depends on technology for daily operations, a standalone policy is the appropriate placement. Endorsements work for the lowest-risk small businesses — a landscaper with no customer data beyond names and phone numbers — but even that landscaper could face a social engineering wire fraud loss.

Common Pitfalls in Cyber Quoting

Pitfall 1: Assuming GL covers cyber. It doesn't. The standard ISO CGL form excludes electronic data. We've worked with agents who discovered this gap only after a client reported a breach and the GL carrier denied the claim.

Pitfall 2: Not asking about prior incidents. If the client had a phishing compromise two years ago that they consider "minor," it still needs to be disclosed. Non-disclosure is grounds for rescission — and the carrier will investigate after a claim.

Pitfall 3: Quoting the wrong revenue band. Cyber premiums are highly sensitive to revenue. A client projecting $8M who closes the year at $14M will face coverage gaps if the policy has revenue warranties. Verify revenue carefully.

Pitfall 4: Treating all cyber policies as equivalent. A $1M policy from Carrier A and a $1M policy from Carrier B can have dramatically different terms — sublimits on ransomware, coinsurance provisions, retroactive dates, vendor panels. Read the specimen forms, not just the dec page.

Pitfall 5: Skipping the IT conversation. Many agents collect revenue and industry data but ignore security controls. That's where declinations happen. Talk to the client's IT lead before submitting.

Not a fit for every agent: Cyber quoting for large accounts (over $100M revenue) or highly regulated industries (healthcare systems, financial institutions) requires wholesale or MGA access and technical depth beyond the typical generalist agency. If you don't have the carrier relationships, partner with a wholesale broker who specializes in cyber rather than submitting incomplete applications to retail carriers.

Frequently Asked Questions

Does a BOP cyber endorsement replace a standalone cyber policy?

No. BOP cyber endorsements typically provide $50,000 to $500,000 in coverage with limited first-party and third-party terms. They lack breach response vendor panels, dedicated cyber claims teams, and the coverage breadth of a standalone policy. For any business that stores meaningful PII, processes credit cards, or relies on technology for core operations, a standalone policy is the right recommendation.

What is the typical turnaround time for a cyber quote?

For small accounts (under $25M revenue) with complete applications, expect 3 to 7 business days from most carriers. Some technology-driven markets like Coalition and At-Bay can return quotes in 24 to 48 hours using automated underwriting. Mid-market accounts ($25M-$250M) typically take 7 to 14 business days and involve manual underwriting with follow-up questions. Large or complex accounts can take 3 to 4 weeks.

How do carriers handle ransomware coverage in 2026?

Ransomware coverage has stabilized after the severe tightening of 2021-2023, but it's not back to the broad terms of 2019. Most carriers include ransomware coverage with conditions: MFA on remote access, EDR deployed, and backups tested and air-gapped. Some carriers impose 50% coinsurance on ransomware payments if security thresholds aren't met, and others apply sublimits or separate retentions. "Coverage included" doesn't mean "coverage without conditions."

What data does the underwriter care about most?

Revenue and industry get you in the door. Security controls determine the price and terms. Underwriters prioritize: (1) MFA deployment on email, VPN, and admin accounts, (2) EDR presence and configuration, (3) backup strategy including offline/air-gapped storage, (4) prior incidents and claims history, and (5) employee count and data volume. Improving MFA and EDR deployment is the single fastest way to get a better cyber quote.

Is cyber insurance required by law?

No state currently mandates cyber insurance by law. However, contractual requirements are increasingly common. Healthcare organizations, businesses handling PCI data, government contractors, and companies with enterprise clients often face contractual obligations to carry specific cyber limits. We've seen more RFPs requiring $1M to $5M in cyber coverage as a condition of doing business. The practical requirement is moving faster than the regulatory one.

Ankur Shrestha

Founder, QuoteSweep. Researched 2,500+ commercial carriers and found 98% have no API. Built QuoteSweep so independent agents can quote multiple carriers without re-entering data into portal after portal.
