What is cyber liability insurance and who needs it?
Cyber liability insurance is one of the fastest-growing commercial lines in the industry. Nearly every business that stores customer data, processes payments, or relies on computer systems is a candidate. Here's what agents need to know to place it correctly.
What does cyber liability insurance cover?
Cyber policies typically cover two broad categories of loss:
- First-party coverage — losses the business suffers directly: data recovery costs, business interruption from a network outage, ransomware payments, and crisis management/PR expenses
- Third-party (liability) coverage — claims from customers, vendors, or partners whose data was compromised: defense costs, settlements, and regulatory fines
Common covered events include ransomware attacks, phishing-caused data breaches, accidental data exposure, social engineering fraud, and system failure caused by a third-party vendor.
What cyber insurance does NOT cover
- Future lost profits or reputational damage beyond the policy period
- Infrastructure improvements made after a breach
- Nation-state cyberattacks (war exclusion — increasingly contested)
- Bodily injury or property damage caused by a cyber event (covered under GL or property)
- Intentional acts by employees
Who needs cyber liability insurance?
Any business that meets one or more of the following criteria should be offered cyber coverage:
- Stores customer personally identifiable information (PII) — names, addresses, SSNs, DOBs
- Processes credit card or payment data
- Relies on computer systems to operate (virtually every business today)
- Uses third-party vendors with access to their network
- Operates in healthcare, finance, retail, legal, or education — regulated industries with mandatory breach notification
Key underwriting questions for cyber
Underwriters have tightened significantly since 2020. Most applications now ask:
- Does the business use multi-factor authentication (MFA) on email and remote access?
- Are backups stored offline or in a separate network segment?
- Does the business have endpoint detection and response (EDR) software?
- What is the revenue and number of records stored?
- Has the business had a prior breach or ransomware event?
MFA is now a hard requirement for most carriers — without it, coverage is either unavailable or comes with significant exclusions.
How cyber premiums are calculated
Premiums are driven primarily by revenue, industry, number of records, and security controls. A small professional services firm with $1M in revenue and strong MFA might pay $800–$2,000/year. A healthcare company with 100,000 patient records could pay $10,000–$50,000+. Ransomware claims have pushed rates up significantly — many carriers exited the market in 2021–2022 and the remaining market is more selective.
How AgencyAssist helps
Cyber intake requires collecting technical information most clients don't have at their fingertips — MFA status, backup procedures, vendor access controls. AgencyAssist sends clients a plain-English intake form that asks the right questions without requiring them to understand insurance jargon. The completed answers come back ready to map to your carrier applications.
Collect cyber intake information faster
Send clients a smart intake link. Get everything you need for a cyber submission in one form.
Start free trial