What does cyber insurance actually cover? A line-by-line breakdown

Cyber is now a baseline policy for any serious firm. Here's what's inside it, what's not, and where the form choices most often bite.

Julius Roderer Co-Founder & CEO April 5, 2026

Cyber insurance is the youngest major line in commercial insurance and the most variable form-to-form. Two policies that both say “cyber liability” on the cover sheet can cover wildly different things. Here’s the actual inventory.

First-party coverages — what the policy pays to you

Incident response and breach coaching

The first call when something goes wrong. Includes legal counsel (“breach coach”), forensics, public relations and crisis management. Most modern forms include a panel of approved vendors and a 24/7 hotline. Sub-limits vary; the better forms put no cap on the coaching itself.

Notification and credit monitoring

When records are exposed, you have statutory obligations to notify affected individuals and (often) regulators. Per-record cost averages $30–$80 in 2026. This is where limit adequacy most often fails on healthcare and finance accounts.

Ransomware and extortion

Cover for ransom payments (where insurable in your jurisdiction), restoration costs and forensics. Payments to a sanctioned actor are not insurable anywhere, so expect the carrier's panel to run a sanctions check before any payment is made. Many forms now condition coverage on basic controls (MFA, backups, EDR); those controls are attested on the application and can be treated as conditions of cover, so an inaccurate answer can void the policy rather than merely reduce the payout. Without them, you may have cover only by exception, or with a raised retention.

Business interruption (BI)

Lost income and continuing expenses while your systems are down. The waiting period (typically 8–12 hours) and the indemnity period (typically 90–180 days, sometimes 12 months) are the two form variables that matter most. Check whether the waiting period is deducted from the loss or merely has to be exceeded before the clock starts: on most forms a 24-hour waiting period sounds fine until ransomware takes you down for 26 hours and only the last two are covered, and a 22-hour outage pays nothing at all.

Contingent business interruption

When the outage is at a vendor, SaaS provider or cloud platform your firm depends on rather than on your own systems. Check whether the form covers any provider or only those named on a schedule, and whether the large cloud providers are sub-limited or excluded. This was an afterthought in 2022. After the Change Healthcare cascade, it's a primary concern.

Data restoration

Cost to recover lost data and reconstruct corrupted files — separate from BI but often paid together.

Third-party coverages — what the policy pays to others

Privacy and network security liability

Defence and indemnity when customers, employees or third parties sue over a data breach or network failure. The core of cyber liability.

Regulatory defence and fines

Defence costs for regulatory actions (HHS/OCR, SEC, FINRA, FTC, state AGs, GDPR/CCPA where applicable) plus fines and penalties where insurable. Insurability of fines varies by jurisdiction and by violation type — don’t assume.

PCI fines and assessments

If you process card data and suffer a breach, the card brands (through your acquiring bank) can levy PCI DSS fines and assessments, including card reissuance costs, separately from any regulatory action. Hospitality and retail buyers in particular should confirm this is in their form and not swept into the regulatory sub-limit.

Media liability

Defamation, libel, IP infringement and similar — typically scoped to content you publish (website, marketing, AI output). Increasingly relevant for AI-shipping firms.

Common add-ons that matter

Social engineering / funds-transfer fraud

The wire that goes to the wrong account. Almost always sub-limited on package forms, and often conditioned on an out-of-band call-back to verify any change in payment instructions; if your finance team does not actually perform that check, the cover is illusory. For any firm moving meaningful money, the sub-limit needs to be raised to a primary limit sized to your transaction volume.

Bricking

Replacement cost of hardware made permanently unusable by an attack. Cheap addition for hardware-heavy operations.

Reputational harm BI

BI extension for lost revenue after systems are back, traceable to brand damage from public disclosure. Coverage is tightening; forms differ widely.

Cryptojacking / utility fraud

Cover for compute or service costs racked up by an attacker using your accounts. Niche but real for cloud-heavy operations.

Common exclusions to read for

  • War and nation-state cyber — wording matters; many forms got tighter in 2022–2024, and Lloyd's markets have required a state-backed attack exclusion on new cyber policies since 2023. Read how attribution is decided and who decides it.
  • Failure to maintain the controls you attested to on the application — patching, MFA, backups; the application answers can be treated as conditions of cover
  • Bodily injury from a cyber event — sits with GL, not cyber
  • Loss of intellectual property value — covered for restoration cost, not for the lost commercial value
  • Prior known incidents — claims-made; what you knew about before bind is out

What good looks like

Three tests for whether your cyber form actually fits:

  1. Limits sized to records and dollars. Not headcount, not industry default.
  2. Affirmative AI cover if you ship AI. Endorsement or built into the form — not silent.
  3. Social-engineering bound to a primary limit matched to wire volume.

If your current cyber programme fails any of those, the next renewal is the time to re-shop. The cyber market is fragmented enough that meaningful improvement on form and premium is usually available.

About the author

Julius Roderer

Co-Founder & CEO

Julius's career spans from insurance to frontier computational neuroscience research. He was an investment banking associate at UBS covering insurance, and an AI researcher at Imperial College London. He holds an MSc in Artificial Intelligence from Imperial (with Distinction) and a BSc in Economics from the London School of Economics (First Class Honours).
