What is cyber liability insurance?

Cyber liability insurance covers financial losses arising from cyber incidents: data breaches, ransomware, system outages, regulatory fines (where insurable), business interruption and reputational damage. It emerged as a niche product in the 2000s and became a mainstream, board-level requirement after the 2017 WannaCry and NotPetya outbreaks. A cyber policy combines first-party cover (your own losses) with third-party cover (your liability to others), which is what makes it materially different from general liability and E&O policies, both of which typically exclude cyber events.

Cyber policy coverage components

  • First-party coverage: data restoration, business interruption, cyber extortion (ransomware), incident response costs (forensics, legal, notification, credit monitoring), reputation damage.
  • Third-party coverage: data breach liability to affected individuals, regulatory defense and fines (where insurable), media/privacy liability.
  • Add-ons: social engineering fraud, system failure (non-malicious), reputational harm coverage.

Common exclusions

  • Acts of war: nation-state attribution can be raised against a claim under a war or hostile-acts exclusion. In Merck's NotPetya claim the New Jersey courts held that the traditional war exclusion did not reach a cyber attack of that kind (appellate ruling 2023; the insurers settled in 2024 before a final ruling), and the market responded with explicit state-backed cyber-attack exclusions (Lloyd's required them on new policies from 2023). Read the current wording, not the older case law.
  • Insider/employee theft: separate fidelity coverage may apply.
  • Failure to maintain controls: minimum security baselines required (MFA, patch management, backups).
  • Prior known incidents: retroactive date applies.
  • Fines uninsurable as a matter of law: whether a regulatory fine can be insured at all depends on the jurisdiction, so "regulatory fines cover" only pays where the local law permits it.

Underwriting and minimum controls (2023+ tightening)

  • Multi-factor authentication (MFA): on all remote access (VPN, RDP, webmail) and on all privileged accounts, with no exceptions for service or break-glass accounts unless documented.
  • Endpoint Detection & Response (EDR): on servers and workstations, not just legacy signature antivirus.
  • Backup strategy: an offline or air-gapped copy, immutable storage, and restores tested on a schedule with the results recorded.
  • Privileged access management: just-in-time elevation and audit logging of privileged sessions.
  • Vulnerability management: a patching SLA for critical and exploited vulnerabilities, backed by regular scanning.
  • Incident response plan: written, with named roles, and exercised through tabletop drills.

Buying cyber cover that responds

Cyber policies are decided by their conditions more than by their limits. The reading list: incident-response provisions (panel counsel and forensics providers, and whether pre-approval requirements clash with your own retainers), business-interruption triggers and waiting periods, dependent/contingent BI for cloud-provider outages, ransomware sub-limits and sanctions carve-outs (a payment to a sanctioned actor is uninsurable and may itself be unlawful), and the warranties made in the application. Misstatements about MFA or backups are the classic ground for coverage denial, so each answer on the application should be backed by evidence that is dated to the day you signed, and re-checked at each renewal. Map the policy to KVKK/GDPR exposure: regulatory fines cover depends on jurisdictional insurability, but breach-response costs, notification logistics and third-party claims are the dependable core. Enterprise customers increasingly set minimum cyber-insurance requirements in MSAs; the certificate of insurance should match those clauses exactly (limits, sub-limits, retroactive date and named-insured wording).
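A pre-signing check of the two warranties the underwriting list above and the paragraph above both single out, MFA coverage and backup resilience, as an added example that is not part of the original page. It runs over two constructed exports (an identity inventory and a backup inventory); the field names, the accounts, the backup sets and the 180-day restore-test window are all assumptions, and a real run would read the same shape of data from the identity provider and the backup platform.

```python
"""Check cyber-insurance application warranties against control evidence.

Added example, not from the original page. Field names and the sample
inventories below are constructed assumptions; substitute exports from
your identity provider and backup platform.
"""
from datetime import date

# Constructed identity export: one record per account (assumed field names).
ACCOUNTS = [
    {"user": "alice", "privileged": True, "remote": True, "mfa": "fido2"},
    {"user": "bob", "privileged": False, "remote": True, "mfa": "totp"},
    {"user": "carol", "privileged": True, "remote": False, "mfa": None},
    {"user": "dave", "privileged": False, "remote": True, "mfa": "sms"},
    {"user": "svc-backup", "privileged": True, "remote": False, "mfa": None, "service": True},
    {"user": "erin", "privileged": False, "remote": False, "mfa": None},
]

# Constructed backup inventory: one record per backup set (assumed field names).
BACKUPS = [
    {"set": "fileserver", "immutable": True, "offline_copy": True, "last_restore_test": date(2024, 5, 2)},
    {"set": "erp-db", "immutable": False, "offline_copy": True, "last_restore_test": date(2024, 5, 20)},
    {"set": "mail", "immutable": True, "offline_copy": False, "last_restore_test": date(2023, 9, 1)},
]

# SMS and voice codes count as MFA on most application forms but are the
# weakest factors; they are reported so the method question is answered honestly.
WEAK_MFA = {"sms", "voice"}


def mfa_exceptions(accounts):
    """Accounts that would make 'MFA on all remote access and privileged accounts' untrue.

    Service accounts without MFA are listed separately: forms usually ask how
    they are protected (vaulted secrets, no interactive logon) rather than for MFA.
    """
    in_scope = [a for a in accounts if a["remote"] or a["privileged"]]
    missing = [a["user"] for a in in_scope if a.get("mfa") is None and not a.get("service")]
    weak = [a["user"] for a in in_scope if a.get("mfa") in WEAK_MFA]
    service = [a["user"] for a in in_scope if a.get("service") and a.get("mfa") is None]
    return {"missing": missing, "weak": weak, "service_without_mfa": service}


def backup_exceptions(backups, today, max_test_age_days=180):
    """Backup sets that break the usual warranty: immutable, an offline copy, and a recent restore test.

    The 180-day window is an assumption; use the figure the application asks for.
    """
    not_immutable = [b["set"] for b in backups if not b["immutable"]]
    no_offline = [b["set"] for b in backups if not b["offline_copy"]]
    stale = [
        b["set"] for b in backups
        if (today - b["last_restore_test"]).days > max_test_age_days
    ]
    return {"not_immutable": not_immutable, "no_offline_copy": no_offline, "stale_restore_test": stale}


def warranty_report(accounts, backups, today):
    """Answer the two warranty questions and keep the exceptions as dated evidence."""
    mfa = mfa_exceptions(accounts)
    bk = backup_exceptions(backups, today)
    return {
        "as_of": today.isoformat(),
        # Weak MFA does not falsify the yes/no answer but must be disclosed as the method.
        "mfa_warranty_true": not mfa["missing"],
        "backup_warranty_true": not any(bk.values()),
        "mfa": mfa,
        "backups": bk,
    }


if __name__ == "__main__":
    report = warranty_report(ACCOUNTS, BACKUPS, date(2024, 6, 1))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Keep the generated report with the signed application: if a claim is later contested on the warranties, the dated exception list is the evidence that the answers were true when given, and the same script re-run at renewal shows whether they still are.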