Cyber Liability Insurance

Also: Cyber

Coverage for losses arising from cyber-attacks, data breaches, and the regulatory and third-party fallout that follows.

Cyber Liability insurance, often shortened to cyber insurance, is a policy that covers the financial consequences of cyber-attacks and data breaches. It pays for first-party costs such as breach response, notification, credit monitoring, forensic investigation, business interruption from a network outage, and cyber extortion, as well as third-party claims brought by customers, partners, or regulators whose data was exposed.

It is bought by organizations of every size that store sensitive data, process payments, or depend on internet-connected systems. In many regulated industries it is effectively a baseline requirement, and clients in B2B relationships routinely demand it of their vendors.

Cyber is adjacent to Tech E&O (and frequently sold alongside it in a combined form) and to Professional Liability. Where Tech E&O answers the question of whether the technology performed as promised under contract, cyber answers the question of what happened when an external actor or a security event exposed data the insured held.

Cyber insurance was built for attacks on systems and first-party breach response. It generally does not cover third-party liability arising from a generative AI's outputs absent a covered cyber event. Bodily injury and property damage sit outside the form. Media liability inside a cyber wording only responds to AI-generated content where the wording is affirmatively extended to it, and many carriers are narrowing that language at renewal. Where AI endorsements exist, they typically sub-limit the exposure.

Also known as

Cyber Insurance, Cyber Risk Insurance

Frequently asked

Does cyber insurance cover prompt injection attacks?

Coverage is unsettled and carrier-specific. A prompt injection that exfiltrates personal data through an LLM-powered customer service tool can trigger the first-party breach-response section if the loss meets the policy's definition of unauthorized access to a computer system. Pure third-party harm from the manipulated output (a wrongful action the AI took on a user's behalf) typically falls outside cyber and into Generative AI Liability territory.

What does a cyber insurance policy actually pay for?

The first-party section pays for breach notification, credit monitoring, forensic investigation, public relations response, business interruption from a network outage, ransomware payments where legally permitted, and data restoration. The third-party section pays defense costs and damages for claims by customers whose data was exposed, plus regulatory fines and penalties where insurable. Sub-limits often apply to ransomware, social engineering, and any AI-related coverage.

Do cyber underwriters require multi-factor authentication?

Almost universally since 2022. The ransomware-driven cyber market correction forced carriers to make MFA on email, remote access, and privileged accounts a baseline underwriting requirement. Endpoint detection and response (EDR), encrypted backups tested for restoration, and a documented incident response plan are now standard renewal asks. Generative AI use is the newest underwriting question, with carriers asking deployers to disclose what models are in production.

General information, not legal or insurance advice.