Cyber Insurance

What Is Cyber Insurance?

Last Updated: March 31, 2026

Cyber insurance (also called cyber liability insurance or cybersecurity insurance) is a policy that covers financial losses from cyberattacks, data breaches, and related incidents. It typically pays for breach response costs, legal liability, regulatory fines, ransomware demands, and business interruption, but coverage varies significantly by policy and insurer.

Key takeaways: 

  • The coverage gap: Standard business insurance (General Liability) typically does not cover digital losses; a dedicated cyber insurance policy is essential for protection against ransomware, data breaches, and regulatory fines.

  • First-party vs. Third-party: Policies protect both your internal costs (forensics, notification, and restoration) and your legal liability if customers or partners sue you following a breach.

  • Warranties are not insurance: Many vendors offer "breach guarantees," but these are often supplemental warranties that only pay out after your primary insurance — leaving you exposed if you don't have a standalone policy.

  • Security Controls Matter: In the current market, having proof of active security measures like EDR, MFA, and immutable backups is no longer optional; it is a requirement for qualifying for a policy and ensuring claims are paid.


Why cyber insurance exists

Cybercrime didn't use to be an insurance problem. For most of the internet's early history, attacks were relatively rare, damages were manageable, and most businesses assumed their existing policies had them covered.

That assumption no longer holds.

Organized cybercrime has matured into a full industry complete with ransomware-as-a-service platforms, negotiation specialists, and affiliate networks that help attackers scale their operations globally. The targets aren't just Fortune 500 companies. Law firms, dental practices, regional manufacturers, and school districts are all fair game because every organization holds something valuable: customer data, financial records, or simply the operational continuity that attackers can hold for ransom.

Regulatory exposure has added a second layer of financial risk on top of breach costs. GDPR fines can reach 4% of global annual revenue. CCPA violations carry penalties up to $7,500 per intentional violation. HIPAA settlements routinely run into the millions. In some cases, the regulatory compliance fine exceeds the direct cost of the breach itself.

The final piece of the puzzle: traditional insurance doesn't cover any of this. General liability policies were written for a world of physical property and bodily injury. They don't respond to ransomware payments, breach notification campaigns, or class-action lawsuits from customers whose credit card data was stolen. That coverage gap is exactly what cyber liability insurance was designed to fill.




What cyber insurance typically covers

Cyber insurance policies are generally organized around two categories of loss: 

  • costs your organization bears directly 

  • legal liability for harm caused to others

Understanding the distinction matters because not all policies include both.


First-party coverage: Your organization's direct costs

First-party coverage pays for losses your business experiences as the direct victim of a cyber incident. This is the coverage that kicks in when attackers are inside your network, and the clock is already running.

Breach response and forensics. When a breach occurs, you need to know what happened, when it started, what data was accessed, and how attackers got in. Incident response forensics are expensive — often $300–$500 per hour for specialized firms. First-party coverage typically funds this investigation.

Notification costs. Most states require businesses to notify affected individuals when their personal data is compromised. For a breach involving tens of thousands of records, notification alone can cost hundreds of thousands of dollars in printing, postage, and call center support.

Credit monitoring services. Following a breach, affected individuals often receive credit monitoring as part of the remediation package. Policies frequently cover these services for the mandated period.

Ransomware payments and extortion. If attackers encrypt your systems and demand payment, cyber insurance can cover the ransom and, on a case-by-case basis, fund the negotiation process through specialized vendors. This is one of the most frequently used first-party benefits.

Business interruption. When systems go down after an attack, revenue stops. Business interruption coverage compensates for income lost during the period of restoration, similar to how property insurance handles a fire that closes a physical location.

Data restoration. Rebuilding corrupted or destroyed data, from backups if you have them or from scratch if you don't, is covered under many first-party policies.

Public relations and crisis communications. How you communicate after a breach affects customer retention, partner relationships, and long-term brand value. Some policies fund PR support to help manage the response.


Third-party coverage: Liability for harm to others

Third-party coverage protects your organization when customers, partners, or other affected parties hold you legally responsible for a breach. This coverage responds to lawsuits, regulatory investigations, and settlement demands.

Privacy liability. If your breach exposes customer personal data, affected individuals may sue for damages. Privacy liability coverage funds your legal defense and pays settlements or judgments up to the policy limit.

Regulatory defense and fines. GDPR, CCPA, HIPAA, and state regulators can initiate investigations following a breach. Coverage here includes the cost of regulatory defense and, where insurable by law, the fines themselves.

Network security liability. If a compromise of your systems spreads malware to a client's network — or if a vendor's breach originates through your infrastructure — you may be liable for their losses. Network security liability coverage addresses these scenarios.

Media liability. Some policies extend to cover claims of defamation, copyright infringement, or privacy violations arising from your organization's online content.

First-Party vs. Third-party at a glance

| Coverage Type | Who It Protects | What It Pays For |
| --- | --- | --- |
| First-Party | Your organization | Forensics, notification, ransomware, business interruption, data restoration, PR |
| Third-Party | Affected customers, partners, and regulators | Legal defense, settlements, regulatory fines, network security liability |


What cyber insurance does NOT cover

Understanding what a policy covers is only half the equation. Exclusions are where many organizations discover — after an incident — that their policy doesn't respond the way they expected. These gaps are not loopholes buried in fine print. They are deliberate limitations that underwriters have put in place as the threat environment has evolved.


Acts of war and nation-state attacks

This is the most contested exclusion in cyber insurance today. Most policies contain war exclusions that deny coverage for losses caused by acts of war or hostile actions by sovereign governments. The controversy: when a nation-state launches a cyberattack against private businesses — as Russia did with NotPetya in 2017 — insurers have argued those attacks qualify as acts of war.

The resulting litigation is ongoing, with courts reaching different conclusions in different jurisdictions. For businesses in critical infrastructure sectors or those with significant international exposure, this exclusion represents a meaningful coverage gap.


Bodily injury and property damage

If a cyberattack causes physical harm, such as a compromised industrial control system that injures workers or a medical device failure caused by a breach, cyber policies generally do not cover the resulting bodily injury or property damage claims. Those losses fall under general liability and property policies, which may themselves exclude cyber-originated events. Organizations in operational technology environments should examine this gap carefully.


Intentional acts and employee fraud

Losses caused by intentional misconduct by the insured, including fraud carried out by employees, are typically excluded. Coverage is designed for external attacks and unintentional security failures, not for an employee who deliberately steals data or sabotages systems.


Unencrypted devices when encryption is required

Many policies include a condition requiring that sensitive data be encrypted on portable devices. If a laptop containing unencrypted customer records is stolen and the policy required encryption, the resulting claim may be denied. Compliance with your own policy's security requirements is not optional.


Losses before the retroactive date

Cyber policies are typically written on a claims-made basis, meaning they cover claims reported during the policy period, but only for incidents that occurred after the policy's retroactive date. If attackers compromised your network six months before you purchased a policy and the damage is discovered later, coverage may not apply.




How cyber liability insurance differs from other policies

Organizations often assume they have cyber coverage when they don't. The source of that assumption is usually a general liability, errors and omissions, or property policy that seems like it should cover digital losses. Here's where each falls short.

General liability insurance covers claims for bodily injury and property damage caused by your business operations. It was never designed to address digital incidents. A customer slipping in your office? Covered. That same customer's personal data being stolen from your servers? Not covered.

Errors and omissions (E&O) or tech liability insurance covers claims that your professional services or technology products caused a client financial harm due to negligence or failure to perform. It addresses professional liability, not incident response costs. If your software malfunctions and a client loses money, E&O responds. If your systems are breached and the attacker steals that client's data, a separate cyber policy is needed.

Property insurance covers physical assets — buildings, equipment, inventory — against physical perils. Data is not physical property under most policy definitions. Lost revenue from a ransomware attack is not a physical loss. Some newer property policies are beginning to address business interruption from cyber events, but this coverage is inconsistent and often limited.

Cyber insurance is specifically architected for digital incidents. It covers the costs that follow a breach, attack, or extortion event — both the direct costs your organization incurs and the liability exposure that follows. No other standard commercial policy replicates this.



Is cyber liability insurance required?

There is no federal mandate requiring most U.S. businesses to carry cyber liability insurance. But "not legally required" and "optional in practice" are increasingly different things.

Enterprise client contracts. Large organizations routinely require vendors and partners to maintain cyber insurance as a condition of doing business. If your company serves mid-market or enterprise clients, expect contract language specifying minimum coverage limits.

State-level regulation. New York's Department of Financial Services cybersecurity regulation (23 NYCRR 500) is the most comprehensive state-level framework and implicitly creates pressure for regulated entities to maintain cyber coverage. Other states are following with similar frameworks.

Government contracting. The Cybersecurity Maturity Model Certification (CMMC) framework and related requirements for Department of Defense contractors increasingly make cyber hygiene, and by extension cyber insurance, a practical necessity for maintaining contracts.

Lenders and M&A due diligence. Banks and private equity firms conducting due diligence now routinely ask about cyber insurance as part of risk assessment. The absence of coverage can affect financing terms or deal valuations.

Whether or not you're contractually obligated to carry it, the financial math is straightforward: the average breach costs $4.88 million. If your organization couldn't absorb that uninsured, cyber coverage isn't optional; it's the mechanism that keeps a single incident from becoming an existential event.



Cyber liability insurance timeline

The cyber insurance market of 2017 looks almost nothing like the market of 2026. Understanding that evolution explains why insurers ask the questions they now ask — and why they're asking them at all.

2017–2020: The open market. Early cyber policies were relatively inexpensive, coverage was broad, and underwriting was minimal. Insurers asked basic questions about revenue and industry, often approved coverage with little scrutiny, and priced accordingly. Premiums were modest because losses were manageable.

2020–2022: The ransomware reckoning. Ransomware attacks exploded in frequency and severity. Criminal groups began targeting critical infrastructure, healthcare systems, and supply chains with sophisticated, coordinated attacks. Insurers paid enormous claims — and responded by raising premiums by more than 130% year-over-year at the peak. Some carriers exited the market entirely. Those that remained began asking harder questions.

2023–2026: Security controls as underwriting criteria. The current market is defined by one shift: insurers now require demonstrable proof of security controls before they'll bind coverage. This isn't advisory guidance. It's a condition of getting a policy — and of having claims paid when something goes wrong.

The controls underwriters scrutinize most closely include:

  • Endpoint detection and response (EDR): Does your organization have tools that detect malicious activity on endpoints in real time, or are you relying on traditional antivirus?

  • Multi-factor authentication (MFA): Is MFA enforced for remote access, email, and privileged accounts?

  • Backup integrity: Are backups tested regularly, stored offline or immutably, and confirmed restorable?

  • Privileged access management: Are administrative credentials protected and monitored?

  • Employee security awareness training: Is your workforce prepared to recognize phishing and social engineering?

These aren't suggestions. An organization that checks these boxes during underwriting but allows controls to lapse before an incident may find itself arguing with an insurer about whether a claim should be paid.




Mind the Gap: Cyber Insurance vs. Breach Guarantees


As you evaluate your risk, be wary of "Million Dollar Breach Guarantees" offered by some cybersecurity vendors. While they sound reassuring, it is critical to understand that a product warranty is not an insurance policy. Most warranties are written as supplemental coverage, meaning they only trigger after your primary cyber insurance has paid its limit. If you lack a primary policy, that "guarantee" may leave you with zero coverage.

Ready to secure your business? If you’re using Huntress Managed EDR and Managed ITDR, talk to your Acrisure representative about Huntress‑aligned coverage and the $0 ransomware deductible, and use Huntress to document the security controls insurers expect.




Frequently Asked Questions

They're the same thing. "Cyber liability insurance" is the more precise industry term — it's shorthand for policies covering digital assets, data, and cyber incidents. The terms are used interchangeably by brokers, underwriters, and policyholders alike.

No. Most policies exclude nation-state attacks framed as acts of war, incidents involving known vulnerabilities that the insured failed to patch, and losses that originated before the policy's retroactive date. Reading your specific policy exclusions — not just the coverage summary — is essential before assuming a particular incident is covered.

Yes. The average data breach now costs $4.88M to recover from — a figure that’s just as devastating for a 200‑person company as a 10,000‑person one. Organizations at every revenue level are targeted; the real question is whether you could absorb that cost uninsured.

General liability covers physical injury and property damage. It does not cover digital losses, breach notification costs, ransomware payments, regulatory fines, or cyber extortion — all of which require a standalone cyber policy. Many organizations discover this gap only after filing a claim and being told the loss isn't covered.

© 2025 Huntress All Rights Reserved.
