US cyber insurance coverage overview
US cyber insurance covers the financial impact of cyber incidents under a complex patchwork of federal, state, and industry regulations. Coverage falls into two main categories: first-party (costs to YOUR business) and third-party (claims from customers, regulators, or partners). The coverage is heavily influenced by mandatory state breach notification laws, HIPAA requirements for healthcare, and regulations like CCPA in California and NYDFS rules for financial services.
First-party coverage: your direct costs
First-party coverage reimburses your organisation for the immediate costs of responding to and recovering from a cyber incident.
- Incident response and forensics: Professional investigation costs, breach containment, and emergency response to stop attacks and understand what happened. Typically covered up to $100K–$500K depending on policy.
- Data recovery and system restoration: Costs to rebuild systems, restore data from backups, replace compromised hardware, and return to normal operations.
- Business interruption losses: Compensation for lost revenue while systems are down and the business cannot operate. Includes overtime and expedited recovery costs. Sub-limits often range $250K–$2M.
- Breach notification costs: The expense of notifying affected individuals by mail, email, or phone as required by all 50 state laws plus CCPA in California. Often one of the largest cost components in major breaches, typically sub-limited to $100K–$500K.
- Credit monitoring services: Providing affected individuals with credit monitoring, identity theft protection, and fraud resolution services as mandated by state law.
- Public relations and reputation repair: Costs for crisis communications, customer communications, and reputation recovery following a high-profile breach.
- Regulatory defence costs: Legal fees to defend against investigations and enforcement actions by state attorneys general, the FTC, or industry regulators.
- HIPAA breach response: For healthcare organisations, specific coverage for HIPAA breach notification and defence of enforcement actions by HHS Office for Civil Rights, typically sub-limited.
- Ransomware-related costs: Many policies now exclude ransom payments but cover incident response, recovery, and business interruption during a ransomware attack.
Third-party coverage: claims from others
Third-party coverage protects your business when other parties hold you liable for losses caused by your cyber incident, including regulatory fines where insurable.
- Legal defence costs: Attorney fees to defend lawsuits brought by affected customers, employees, or partners. No separate sub-limit; typically covered up to policy limit.
- Settlements and judgments: Compensation payments awarded by courts or agreed in settlement negotiations with affected parties.
- Regulatory fines and penalties: Limited coverage for certain regulatory fines imposed by data protection authorities, though many policies exclude government-imposed penalties. Typically sub-limited to $500K–$2M.
- Privacy liability claims: Claims alleging your business mishandled personal data, failed to secure sensitive information, or violated privacy obligations under CCPA, HIPAA, or state law.
- Network security liability: Coverage if your systems are exploited to attack other organisations, and those organisations hold you liable for losses.
- PCI DSS liability: Claims arising from payment card data breaches or PCI compliance failures, including fines from payment processors and card networks.
- Technology errors and omissions: Claims that your software, service, or advice caused financial loss to customers (applies mainly to software companies and IT service providers).
US-specific regulatory requirements affecting coverage
Coverage is heavily shaped by US regulatory requirements at multiple levels:
- State data breach notification laws. All 50 states mandate notification of affected individuals following a data breach. Notification timelines, methods, and content are regulated. Cyber insurance must cover notification costs as a core coverage.
- CCPA and CPRA (California). California's privacy laws create specific notification requirements, right-to-know obligations, and significant fines for violations. Companies operating in California face higher premiums and require explicit CCPA coverage.
- HIPAA (healthcare). The Health Insurance Portability and Accountability Act requires healthcare organisations and business associates to maintain safeguards and report breaches to HHS Office for Civil Rights. HIPAA breach notification is a separate regulatory requirement with its own notification rules and timing. Most cyber policies include HIPAA breach response coverage but may sub-limit it.
- New York NYDFS cybersecurity requirements. The New York Department of Financial Services regulates cyber security for financial services companies, requiring MFA, encryption, and 72-hour breach notification. Financial services companies in New York face higher premiums.
- PCI DSS (Payment Card Industry Data Security Standard). Companies handling payment card data must comply with PCI DSS. Fines from payment processors and card networks for non-compliance are sometimes covered under cyber policies, though some policies exclude fines.
- SEC disclosure rules (public companies). Publicly traded companies must disclose material cybersecurity incidents to the SEC. This disclosure requirement creates additional liability and regulatory costs.
Coverage limitations and common sub-limits
Many coverages come with sub-limits: the maximum amount the insurer will pay for that specific coverage type, separate from the main policy limit. A $1M cyber insurance policy might have a $200K sub-limit for breach notification costs, meaning once you've exhausted the notification sub-limit, the insurer stops paying for notification expenses, even if your overall policy limit remains unused.
| Coverage Type | Category | Typical Sub-Limit (USD) |
| --- | --- | --- |
| Incident response and forensics | First-party | $100K – $500K |
| Business interruption loss | First-party | $250K – $2M |
| Breach notification costs | First-party | $100K – $500K |
| HIPAA breach response | First-party | $100K – $250K |
| Legal defence costs | Third-party | No separate limit |
| Regulatory fines (where insurable) | Third-party | $500K – $2M |
| Social engineering fraud | Additional | $50K – $250K |
Additional optional coverages
Beyond standard first and third-party coverage, many US insurers offer optional add-ons:
- Social engineering and funds transfer fraud: Covers losses when attackers trick employees into transferring money or revealing credentials. Becoming standard in many policies.
- Dependent business interruption: Covers losses when a critical supplier or customer is breached and their downtime affects your operations. Increasingly important for supply chain risk management.
- Cyber extortion coverage: Covers costs of ransom negotiations, communication with extortionists, and sometimes extortion payments (though many policies limit or exclude this due to regulatory guidance against paying threats).
- Cryptojacking and unauthorised computing: Coverage for costs arising from malicious use of your computing resources to mine cryptocurrency without authorisation.
- Reputational harm: Limited coverage for losses caused by damaged reputation following a breach, though this is often very constrained.
- Invoice manipulation fraud: Covers losses when attackers intercept email and redirect invoices or payment instructions to fraudulent accounts.
Find the right cyber insurance for your US business
A specialist broker can navigate state regulations, HIPAA requirements, and industry-specific needs to find a policy with adequate sub-limits for your risk profile.
Last updated: April 2026