What is cyber liability insurance?
Cyber Liability Insurance covers financial losses arising from cyber incidents: data breaches, ransomware attacks, system disruptions, regulatory fines, business interruption, and reputation damage. Cyber insurance emerged as a niche product in the 2000s and has become a mainstream board-level requirement post-2017 (WannaCry, NotPetya). Coverage spans first-party (own losses) and third-party (liability to others), making it materially different from general liability and E&O.
Cyber policy coverage components
- First-party coverage: data restoration, business interruption, cyber extortion (ransomware), incident response costs (forensics, legal, notification, credit monitoring), reputation damage.
- Third-party coverage: data breach liability to affected individuals, regulatory defense and fines (where insurable), media/privacy liability.
- Add-ons: social engineering fraud, system failure (non-malicious), reputational harm coverage.
Common exclusions
- Acts of war: nation-state attribution can trigger war exclusion (NotPetya/Merck case, 2024 ruling).
- Insider/employee theft: separate fidelity coverage may apply.
- Failure to maintain controls: minimum security baselines required (MFA, patch management, backups).
- Prior known incidents: retroactive date applies.
- Fines not insurable at law: whether regulatory fines and penalties can be covered at all depends on the jurisdiction, so policies typically pay them only "where insurable by law."
Underwriting and minimum controls (2023+ tightening)
- Multi-factor authentication (MFA): all remote access, privileged accounts.
- Endpoint Detection & Response (EDR): not just legacy antivirus.
- Backup strategy: air-gapped, immutable, tested restore.
- Privileged access management: just-in-time, audit logging.
- Vulnerability management: regular patching SLA, scanning.
- Incident response plan: tested tabletop exercises.
Cyber insurance for Turkish companies
The Turkish cyber insurance market (Anadolu Sigorta, Allianz, Zurich Türkiye, AXA Türkiye, Aksigorta) has grown rapidly over the last 5 years; rising KVKK breach penalties and the cyber incident exposure of large Turkish companies (retailers such as BİM and A101; financial institutions such as Yapı Kredi and Garanti) have created demand in the market. Penalties for breaches of KVKK Article 12 (TL 1,000,000+) are generally covered by cyber policies, but the scope of cover for administrative fines varies from policy to policy. Turkish banks are under regulatory incentive to carry cyber insurance under the BDDK Information Systems Management Communiqué (Bilgi Sistemleri Yönetimi Tebliği).
Do: implement minimum control baseline before binding policy (MFA, EDR, backups); test incident response with tabletop exercises annually; document KVKK compliance posture for insurer.
Don’t: rely on policy alone — coverage exclusions for inadequate controls are increasingly enforced; insurance is the second line of defense, not the first.