How to Compare US Cyber Insurance Policies

The US cyber insurance market offers hundreds of policies with vastly different coverage terms. Here's how to compare intelligently and find the right fit for your business.

Comparing Cyber Insurance in the US Market

The United States cyber insurance landscape is complex because coverage is shaped by 50 different state breach notification laws, federal regulations (HIPAA, NYDFS, SEC), and industry-specific requirements. Two policies with the same price can have vastly different protections depending on how they handle US-specific risks like state compliance, ransomware, and regulatory fines.

A specialist broker understands which US carriers offer the strongest coverage for your state and industry. But if you're comparing policies yourself, this guide covers the critical factors unique to the US market.

US-Specific Comparison Factors

These coverage areas are particularly important in the US market:

| Coverage Area | What to Compare | Why It Matters in the US |
|---|---|---|
| First-Party vs Third-Party Split | How much of the limit covers your losses vs. liability to others | A $5M limit split 50/50 ($2.5M first-party, $2.5M third-party) gives you less actual coverage for your own breach costs than an 80/20 split ($4M first-party, $1M third-party). Check the split. |
| Ransomware Sub-limits | Specific cap on ransomware coverage, including extortion demands | Ransomware is a top threat in the US. A $5M policy with a $500K ransomware sub-limit leaves you exposed. Negotiate for higher sub-limits or unlimited ransomware coverage if it's a material risk. |
| State Compliance & Notification Costs | Coverage for breach notification, credit monitoring, and regulatory response across all 50 states | All 50 states have breach notification laws with different notification timelines and costs. Your policy must cover notification and credit monitoring in the states where you operate. Some states allow longer notification windows; others require 24–30 hours. |
| HIPAA Breach Costs (if healthcare) | Coverage for investigation, notification, and OCR (Office for Civil Rights) fines | Healthcare providers face mandatory breach reporting to HHS and potential OCR fines up to $100 per record per violation (capped at $1.5M per breach type per year). Ensure your policy covers OCR defence and fines. |
| PCI DSS Fines (if payment processor) | Coverage for PCI compliance fines and card replacement costs | If you process payment cards, a breach can trigger PCI fines (up to $100 per card per month) and card replacement costs. Check whether your policy covers PCI defence and fines separately. |
| Regulatory Defence Costs | Legal defence against SEC disclosure violations, state AG investigations, or class action suits | Public companies must disclose material cybersecurity incidents to the SEC. Private companies may face state attorney general investigations. These costs add up quickly. Check if defence costs are inside or outside your policy limit. |
| Business Interruption Waiting Period | 6-hour, 12-hour, 24-hour, or 72-hour waiting period before BI coverage kicks in | A 72-hour waiting period means you absorb three days of lost income. A 6-hour waiting period covers almost immediately. For high-revenue businesses, the difference can be $50K–$500K+. Negotiate for the shortest waiting period. |
| Cyber Terrorism Coverage Scope | Whether the policy covers attacks by nation-states, government actors, or military-affiliated entities | Some US policies exclude cyber terrorism or cyber warfare entirely. Others have narrow carve-outs. If your threat model includes nation-state actors, review this clause carefully with your broker. |
| Social Engineering & Wire Fraud | Coverage for social engineering schemes (CEO fraud, phishing) and fraudulent wire transfers | Social engineering and wire fraud are not covered by all policies. Some limit coverage to $50K–$250K. If you have treasury operations vulnerable to CEO fraud, negotiate for higher social engineering limits. |
| Crisis Management & PR Costs | Coverage for public relations, media management, and reputational harm response | A breach affects customer trust and brand reputation. Crisis management coverage (PR, communications consulting) can prevent long-term customer loss. Check whether this is included and at what limit. |

US Market Tiers: Policy Comparison Framework

Most US cyber insurers offer tiered coverage. Here's a simplified comparison of typical tiers:

| Tier | Annual Premium | Total Limit | First-Party / Third-Party | Ransomware Sub-limit | BI Waiting Period | Best For |
|---|---|---|---|---|---|---|
| Basic | $1,000–$3,000 | $500K–$1M | 50/50 | $100K–$250K | 72 hours | Micro businesses, low data sensitivity |
| Standard | $3,000–$8,000 | $1M–$2M | 60/40 | $500K–$1M | 24 hours | Small to mid-market, moderate risk |
| Comprehensive | $8,000–$25,000+ | $3M–$5M+ | 75/25 or 80/20 | $1M–$2M or unlimited | 6 hours | Mid to upper mid-market, high-risk industries |

Note: These are typical ranges for 2026. Actual premiums vary by industry, state, company size, security controls, and claims history. Healthcare, financial services, and retail typically pay 1.5–3× these amounts.

State-Specific Compliance Considerations

Several states have outsized influence on US cyber insurance pricing and coverage:

  • California: CCPA and CPRA impose strict data handling and notification requirements. Businesses must notify affected individuals within a "reasonable time" and must cover notification and credit monitoring costs. Policies covering California operations typically cost 20–30% more.
  • New York: The NYDFS Cybersecurity Requirements (23 NYCRR 500) apply to financial services companies operating in New York and mandate MFA, encryption, and breach notification within 72 hours. NYDFS-compliant cyber insurance is more expensive and carries stricter underwriting.
  • Texas, Florida, Pennsylvania: Large populations mean breach notification costs scale. A breach affecting 100,000 Texans costs significantly more to notify and monitor than a smaller breach.
  • All 50 States: Every state has breach notification laws. A national policy must cover notification timelines and credit monitoring in all states where you operate.

US Policy Comparison Checklist

  • Policy wording (full document, not just summary sheet)
  • Schedule showing limits, sub-limits, and retentions
  • State compliance coverage (which states are covered? are notification and credit monitoring included?)
  • HIPAA coverage details (if healthcare)
  • PCI DSS coverage details (if payment processor)
  • Ransomware sub-limit and extortion demand coverage
  • Business interruption waiting period
  • Cyber terrorism exclusion language
  • Social engineering and wire fraud limits
  • Crisis management and PR coverage amount
  • Claims procedures and notification requirements
  • Incident response panel details

Common US Cyber Insurance Mistakes

  • Overlooking the first-party/third-party split. A 50/50 split leaves you with only $2.5M for your own breach costs on a $5M policy. Negotiate for a 70/30 or 80/20 split if first-party costs are your primary concern.
  • Accepting ransomware sub-limits without pushback. If ransomware is a material threat, ask the insurer to increase the sub-limit or remove it. Many carriers will negotiate, especially if your security posture is strong.
  • Not confirming state coverage. A policy sold nationwide may not cover all 50 states equally. Some carriers exclude certain states or apply higher retentions in high-risk states. Confirm coverage in your primary operating states.
  • Ignoring the BI waiting period. A 72-hour waiting period can cost you $100K–$1M+ in lost revenue, depending on your daily revenue. This is often the highest-impact clause and deserves negotiation.
  • Assuming social engineering is covered. Many policies exclude social engineering or cap it at $50K–$100K. If you have treasury operations vulnerable to CEO fraud, verify and negotiate higher limits.
  • Not reviewing regulatory defence cost placement. If regulatory defence costs are inside your policy limit, your legal fees eat into your total payout. Insist on defence costs outside the limit if possible.
  • Missing cyber terrorism exclusion scope. Some US policies exclude nation-state attacks, cyber warfare, or any "act in cyberspace by a military entity." If this applies to your threat model, this exclusion matters enormously.

Step-by-Step Comparison Process for US Policies

Define Your US Risk Profile

What states do you operate in? What type of data do you handle (payment cards, health records, personal data)? Are you regulated (healthcare, finance, government contractor)? Do you face significant ransomware risk? Use this to set target coverage limits, especially for first-party, ransomware, and business interruption.

Get Quotes from 3+ US-Focused Carriers

Work with a broker who specialises in US cyber insurance. Request quotes from at least three carriers and ask the broker to present apples-to-apples comparisons on your ten key factors above.

Compare Using the US Checklist

For each policy, document the first-party/third-party split, ransomware sub-limit, state compliance coverage, HIPAA/PCI coverage (if relevant), BI waiting period, cyber terrorism exclusion, and social engineering limits. Create a spreadsheet to see them side by side.

Negotiate Terms Specific to Your State & Industry

Ask whether the carrier will increase ransomware sub-limits, shorten the BI waiting period, expand state coverage, or increase social engineering limits. Many carriers will negotiate if your security posture is strong. State your non-negotiables (e.g., "We need a 6-hour BI waiting period") and prioritise what matters most.

Review the Actual Policy Wording

Read the full policy contract, not just the marketing summary. Pay special attention to: exclusions (especially cyber terrorism and war); the definitions section (some terms are defined narrowly); claims notification requirements (typically 24–72 hours); and the retroactive date (can it cover breaches discovered but not disclosed before the policy started?). A broker will flag issues for you.

Not sure how to negotiate US cyber insurance terms?

A specialist cyber insurance broker knows US regulations, state requirements, and which carriers will negotiate on terms that matter. Get matched with one for free.
