Cyber Liability Insurance for Businesses That Handle Data
A phishing email tricks an accounts payable staffer into wiring $47,000 to a fraudulent account. A ransomware attack encrypts a medical practice's entire patient record system; the attackers want $85,000 to restore access. A retailer's point-of-sale system is quietly breached for six weeks, and 12,000 customer card numbers are exfiltrated before anyone notices.
Coverage Structure
Two tracks. Both matter.
Cyber policies divide into two tracks. First-party coverage responds to your direct costs after an incident. Third-party coverage responds to claims made against you by others. Understanding the split is the key to buying the right limits.
First-Party
Your breach costs
Forensic investigation to identify how the attacker got in. Breach notification campaigns and credit monitoring for affected individuals. Ransomware and cyber extortion payments plus professional negotiators. Business income loss when systems go offline. Crisis PR and reputational response. When a breach hits, the clock starts and the costs stack fast.
Social engineering losses (wire fraud, deepfake attacks) are typically covered under a sub-limit. Check the sub-limit carefully because some carriers cap it at $100,000 on a $2M policy.
Third-Party
Your liability to others
Privacy liability lawsuits from individuals whose data was compromised. Regulatory defense and fines, including HIPAA penalties, CCPA enforcement, and PCI-DSS assessments. Network security liability when your compromised systems attack a third party. Media liability for defamation or copyright claims from digital content. Class actions after significant breaches can run into the millions before a single settlement is reached.
Fines for HIPAA willful neglect can reach $1.5 million annually. That is not a theoretical number.
Reference
Coverage at a Glance.
The core coverage parts under a standalone cyber liability policy.
Forensic investigation (First-party)
What it pays for: Specialist firm identifies how the attacker got in, what they accessed, how long they were in your system
Common example: Ransomware detected on internal server; forensic team traces entry to phishing email
Breach notification (First-party)
What it pays for: Mass notification campaigns, call center staffing, credit monitoring for affected individuals
Common example: 10,000 customer records exposed; state law requires notification within 30 days
Ransomware & cyber extortion (First-party)
What it pays for: Ransom payment, professional negotiators, data restoration costs
Common example: Attackers encrypt patient records and demand $85,000 for decryption key
Business income loss (First-party)
What it pays for: Revenue lost while systems are offline due to a cyber event
Common example: E-commerce site offline for 5 days following breach; daily revenue loss of $12,000
Privacy liability (Third-party)
What it pays for: Defense and settlement of lawsuits from individuals whose data was compromised
Common example: Class action filed after 50,000 customer records exposed in data breach
Regulatory defense & fines (Third-party)
What it pays for: Legal defense for regulatory investigations; applicable fines and penalties
Common example: HIPAA investigation after PHI breach; potential fines up to $1.5M annually
What Cyber Liability Insurance Does Not Cover
Cyber policies are specific. Assuming your existing coverage fills these gaps is how businesses end up uninsured at the worst possible moment.
Technology errors and omissions
What you need: Tech E&O / professional liability
Nation-state attacks (war exclusion)
What you need: Discuss with broker before binding
Security hygiene failures
What you need: MFA, patching, training required
Prior known breaches
What you need: Check retroactive date continuity
Bodily injury and property damage
What you need: General liability insurance
Intentional illegal acts
What you need: Not insurable
Industries
Who Needs Cyber Liability Insurance?
Any business that stores, transmits, or processes data carries cyber exposure. Some industries carry it harder than others.
Healthcare providers and medical practices
PHI triggers HIPAA's mandatory breach reporting and significant regulatory penalties. Healthcare operators face some of the highest per-record breach costs of any sector.
Financial services and accounting firms
High-value client data, wire transfer fraud exposure, and state-level regulatory obligations make this one of the most targeted industries.
Retailers and e-commerce businesses
POS systems and stored card data create PCI-DSS obligations. A card data breach triggers both notification costs and card brand assessments.
Technology and SaaS companies
Client data dependencies and network security liability mean a breach at your business can cascade to every client you serve.
Professional services firms
Client confidential data and contract liability create meaningful third-party exposure even without a technology product.
Manufacturers with connected OT/IoT systems
Ransomware attacks on operational technology shut down production lines. The income loss is real; the cyber BI coverage needs to match it.
Small businesses under 50 employees
43% of all cyberattacks target small businesses, in part because security controls are thinnest there. Size is not a defense.
If your operation stores customer data, processes payments, or depends on connected systems to function, speak to our team about transferring the exposure before it becomes a claim.
How Much Cyber Coverage Do You Actually Need?
Cyber premiums stabilized significantly in 2024 and into 2025 after a period of sharp increases driven by ransomware claim frequency. The market is more competitive now. Underwriters are scrutinizing security controls more closely, which means businesses with strong controls can access meaningfully better rates.
Most small businesses carry $1 million in cyber limits. That sounds like a lot until you stack it: forensic investigation ($50,000 to $200,000), breach notification for 10,000 records ($30 to $50 per record), regulatory defense and fines, business income loss during system downtime, and third-party liability if clients sue. A mid-sized breach can consume a $1 million policy before the class action is filed.
Cyber business interruption is a distinct trigger from property BI. The two coverages work differently, and the limits need to reflect the actual exposure under each. Our brokers work through this calculation as part of every submission.
$3–$5/record
Multiply your total record count by $3 to $5 for notification costs alone. That gives you a floor.
$100K–$2M
Sub-limit for wire fraud and deepfake attacks varies significantly by carrier. Check it carefully on any quote.
10–25%
Businesses with MFA, EDR, offline backups, and documented incident response plans typically see meaningfully lower premiums.
Request a quote. The controls your business already has in place may move the number more than you expect.
Process
How Cyber Liability Insurance Works at Rosella
Most brokerages work with a handful of cyber carriers. If your industry is flagged or your revenue puts you in a higher-risk tier, you may come back with one or two options, or none at all from admitted markets.
After bind: once bound, certificates of insurance (COIs) are issued in under two minutes. Claims: handled by a real person who knows your file and the cyber-specific claims process.
We submit across 100+ carrier portals
Your risk goes to admitted and E&S markets that specialize in higher-risk verticals: healthcare, fintech, SaaS, and tech businesses where admitted carriers price conservatively.
Policy wording compared before you see it
Our system compares policy wording across every quote, surfacing differences in war exclusion language, social engineering sub-limits, retroactive date alignment, and security control requirements.
Broker judgment runs the process
Limits recommendation, underwriting controls review, and endorsement negotiation require a person who understands your risk profile, not just your SIC code. We do the carrier work so that conversation is about your exposure, not your paperwork.
Forensic coordination, breach counsel, and public notification management are handled by someone who knows your file, not a call center.
Get a quote
Tell us about your business and we will come back with carrier options and real numbers in a few business days.

GET STARTED
Ready to Place Cyber Coverage?
We submit across admitted and E&S markets to find the right coverage at the right price. If your current policy has gaps in social engineering limits or war exclusion language, we'll find them before a claim does.