
What is cyber insurance?

Cyber insurance is coverage that helps businesses recover from cyberattacks, data breaches, and other digital threats. Find out more.

What is cyber insurance?

Cyber insurance, or cyber liability insurance, is a contract that helps an organization pay for costs and liabilities arising from network and technology-related risks including data breaches, ransomware, business interruption, and third-party claims that are caused by a cyber incident. It provides financial protection, access to incident response resources, and legal and public relations support, all according to the specific cyber insurance policy terms and conditions.

Why is cyber insurance important?

Cybersecurity is a central concern for businesses across all sectors in a rapidly evolving digital business environment. The proliferation of interconnected devices and the expansion of cloud services have enlarged the attack surface available to cybercriminals. Organizations are continuously exposed to new and more complex risks that target sensitive information, intellectual property, business processes, personal information, and more.

As both individual businesses and the global economy increasingly rely on sophisticated technologies, the risk of financial loss from a cyber incident continues to increase. Cyber insurance offers financial protection against such losses.

What does cyber insurance cover?

Cyber insurance can help organizations recover losses and other costs from breaches, business interruption, ransomware, and other types of cyberattacks. Coverage can provide you with resources and reimbursement for items such as legal fees, incident preparation and response support, employee training, forensics services, and breach notification services. Policies can also offer balance sheet protection for first- and third-party costs and liabilities, such as lost revenue and extra expenses, regulatory fines and penalties, data and hardware restoration and repair, and reputational harm.

How does cyber insurance work?

You can think of cyber insurance as a financial safety net for when your digital systems are harmed, almost like fire insurance for computers and data. It helps pay for immediate response, including forensics, IT recovery, and public relations; lost revenue if your operations stop; legal costs if customers sue; and, sometimes, ransomware or fraud losses — all depending on the policy wording.

How cyber insurance is established

Underwriters assess various areas, such as your industry; the kinds of data you hold; your existing cybersecurity controls, such as multifactor authentication, backups, and endpoint protection; and past cyber incidents and claims your organization may have had. Using that information, they set the price, deductibles, limits, and other cyber insurance policy conditions. Missing baseline controls can mean a higher premium, a specific exclusion, or a declined application, so the underwriting questionnaire should be answered accurately and in consultation with the people who actually operate those controls.

Cyber insurance policy details

Like other types of coverage, cyber insurance policies will cover many costs, but they are subject to limits (per incident and aggregate), sublimits for particular loss types, exclusions, and conditions such as required security controls and notice deadlines.

What is first-party coverage?

First-party coverage helps your recovery by paying the direct costs your company incurs after a cyber incident. Typical protections include forensics and incident response; data restoration and IT recovery; business interruption and extra expense; ransomware/extortion negotiation and payments (where the policy and applicable law allow them); breach notification and credit monitoring; crisis communications/PR; and the cost of hiring lawyers or forensic accountants.

Things to look for when purchasing include:

  • Adequate business interruption limits and a clear BI trigger and measurement method
  • Explicit data restoration scope and reasonable sublimits
  • Ransom/extortion terms: whether payment is allowed, what approval process applies, and what legal/sanctions checks are required
  • Sublimits on specific loss types
  • Vendor rules: whether you are required to use the insurer's panel of responders and counsel
  • Retentions/deductibles
  • Aggregate vs per-incident limits
  • Retroactive/prior-acts dates
  • Reporting deadlines

Confirm these items with your broker and test them in tabletop exercises to understand how the policy may work in a real incident.

What is third-party coverage?

Third-party coverage provides protection from claims by customers, partners, or regulators after a cyber incident. It typically pays legal defense, judgments and settlements for privacy breaches, network security failures, and third‑party losses.

When purchasing, you should look into areas including:

  • Which types of claims will be covered
  • Regulatory exposures and whether fines/penalties are included
  • Contractual liability
  • Limits, per-claim vs aggregate treatment, and sublimits
  • Consent-to-settle provisions and whether the insurer controls the defense
  • Notice, cooperation, and reporting requirements
  • Key exclusions, such as nation-state, war, and intentional or known prior acts
  • Cascading/vendor risk: whether contingent business interruption or supply-chain outage coverage applies

Also confirm panel counsel rules and how coverage works across jurisdictions.

As with first-party coverage, you should confirm these items with your broker and test them in tabletop exercises.

What is typically not covered by a cyber insurance policy?

The following typically are not covered, though the details will depend on the specifics of an individual policy (this is not an exhaustive list):

  • Intentional, criminal, or fraudulent acts by the insured or insiders
  • Known prior incidents or facts not disclosed during the insurance application process
  • Certain regulatory fines/penalties; coverage varies by jurisdiction and policy
  • Ordinary bodily injury or physical property damage, unless a specific endorsement exists
  • Contractual liability for promises made to others, unless expressly covered
  • Losses from failure to maintain required security controls or late notification, which can void coverage
  • Some social engineering and funds transfer fraud losses, cryptocurrency losses, and payments to sanctioned parties or other illegal transactions, which are often excluded or capped by low sublimits

What should you do if you have an incident?

It’s important to notify your insurer quickly if you have (or believe you have) an incident; policies set notice deadlines, and late notification can jeopardize coverage. Preserve logs, disk images, and other evidence in their original form before remediation alters them, keep a timeline of actions taken, and record every incident-related expense. Work with the incident responders and counsel recommended or required by your insurer so that costs remain eligible for reimbursement, and do not make any extortion payment without the insurer's approval and the legal/sanctions checks your policy requires.
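One concrete way to preserve evidence so that it will stand up with insurers, counsel, and forensics vendors is to hash every collected artifact at the moment of collection and record a chain-of-custody manifest that can later be re-verified. The script below is an added example written for this article, not code from the original page or from any insurer; the case identifier, collector address, file names, and log contents it uses are constructed for illustration.

```python
"""Chain-of-custody manifest for collected incident evidence.

Added example (not part of the original article). Records the SHA-256, size
and modification time of every file under an evidence directory, seals the
manifest with its own hash, and can later re-verify that nothing was
modified or lost after collection. Case IDs, names and log lines are
constructed for illustration.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # read files in 1 MiB chunks so large logs do not fill memory


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def _seal(entries: list) -> str:
    """Hash of the file list itself, so edits to the manifest are detectable."""
    return hashlib.sha256(json.dumps(entries, sort_keys=True).encode()).hexdigest()


def build_manifest(evidence_dir: Path, collector: str, case_id: str) -> dict:
    """Record path, size, hash and mtime for every file under evidence_dir."""
    entries = []
    for path in sorted(p for p in evidence_dir.rglob("*") if p.is_file()):
        st = path.stat()
        entries.append({
            "path": str(path.relative_to(evidence_dir)),
            "size": st.st_size,
            "sha256": sha256_file(path),
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        })
    return {
        "case_id": case_id,
        "collector": collector,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "files": entries,
        "manifest_sha256": _seal(entries),
    }


def verify_manifest(evidence_dir: Path, manifest: dict) -> dict:
    """Re-hash each file; return which are unchanged, modified or missing."""
    if _seal(manifest["files"]) != manifest["manifest_sha256"]:
        raise ValueError("manifest file list has been altered")
    result = {"ok": [], "modified": [], "missing": []}
    for entry in manifest["files"]:
        path = evidence_dir / entry["path"]
        if not path.is_file():
            result["missing"].append(entry["path"])
        elif sha256_file(path) != entry["sha256"]:
            result["modified"].append(entry["path"])
        else:
            result["ok"].append(entry["path"])
    return result


def demo() -> tuple:
    """Collect two constructed log files, then show what tampering looks like."""
    with tempfile.TemporaryDirectory() as tmp:
        ev = Path(tmp) / "evidence"
        ev.mkdir()
        # Constructed sample artifacts standing in for exported logs.
        (ev / "vpn-auth.log").write_text(
            "2025-03-01T02:14:07Z vpn01 login ok user=jsmith src=203.0.113.7\n"
            "2025-03-01T02:14:09Z vpn01 login ok user=jsmith src=198.51.100.22\n")
        (ev / "edr-alerts.json").write_text(
            '{"host":"ws-042","detection":"ransomware.behavior"}\n')
        manifest = build_manifest(ev, collector="ir-oncall@example.com",
                                  case_id="IR-2025-0042")
        (Path(tmp) / "manifest.json").write_text(json.dumps(manifest, indent=2))
        before = verify_manifest(ev, manifest)
        # Simulate post-collection damage: one file scrubbed, one deleted.
        (ev / "vpn-auth.log").write_text("scrubbed\n")
        (ev / "edr-alerts.json").unlink()
        after = verify_manifest(ev, manifest)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("at collection:", json.dumps(before))
    print("after tampering:", json.dumps(after))
```

Store the manifest separately from the evidence (for example, sent to counsel or the insurer's panel forensics firm at collection time) so that the sealed hash can be compared against the copy that travels with the files.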

Cyber insurance and cyber risk management

Effective cyber risk management takes a proactive, multi-layered approach. Cyber insurance complements — not replaces — your cybersecurity controls, business continuity planning, contractual risk allocation (vendor contracts), and incident response readiness. It is most effective when it’s part of an integrated program featuring strong controls, regularly tested incident response plans, and other insurance products tailored to an organization’s overall exposures.

Cyber insurance provides financial protection

Effective cyber risk management includes basic controls like multi-factor authentication, secure data storage, and regular updates to software and hardware systems as well as ongoing staff training to recognize phishing attempts and other suspicious activities. But even when a company has strong measures in place, human error or a cyberattack can find a weakness and lead to an incident.

Cyber insurance provides a further layer of financial protection, helping organizations manage balance sheet exposure and meet compliance or contractual requirements, and providing financial support in the event of a breach or other incident. Subject to its terms, a cyber insurance policy can address losses ranging from business interruption and extortion to the growing risks that arise from supply chains.

Is cyber insurance worth the cost?

The financial impact of a cyber incident can be immense. According to IBM's 2025 Cost of a Data Breach Report, the average cost of a data breach in the US reached a record $10.22 million. Insurance provides resources that may help rebuild and can give businesses confidence that they are managing potential risks. It’s important to tailor cyber insurance to an organization’s unique needs. For example, policies can be customized to include first-party coverage for immediate response costs and third-party coverage for liability to customers or partners.

FAQs

Who needs cyber insurance?

In today’s technology-dependent and interconnected world, all organizations, from small local businesses to global enterprises, that use technology or data are exposed to cybersecurity risk and would benefit from cyber insurance. Cyber threats don’t follow a calendar, meaning organizations must have an “always-on” mindset. By continuously refining their risk management strategies, including their insurance requirements, businesses can be better prepared for current and emerging threats.

Cyber risk is not just a technical problem; it’s a business problem. By promoting good cyber risk management, planning for new technologies responsibly, partnering with trusted advisors, and securing effective insurance, organizations can build a strategy that maintains strong cybersecurity controls, instills confidence, and provides financial protection. 

Does a general liability policy cover cyber risks?

Standard general liability (GL) policies typically are written to cover bodily injury and property damage, not intangible harms like data loss, privacy breaches, ransomware, or cyber business interruption. In fact, many GL forms now include exclusions for “electronic data” or “network security/privacy” that expressly remove cyber risks. Some GL endorsements or separate coverages such as technology errors and omissions, media liability, and crime extensions can fill narrow gaps, but they are often limited by sublimits, restrictive triggers, and coverage conditions. Review your specific GL policy wording for exclusions, sublimits, and endorsements (a “gap analysis”) rather than assuming cyber losses are covered.

Is there a tool to help assess cyber risk before applying for insurance?

Yes. The Marsh Cyber Self-Assessment is a digital tool that examines your organization’s cyber risks and streamlines and expedites the process of applying for cyber insurance, so you can make more informed, confident investments in cyber insurance and security.
