What Is Cyber Insurance?

A complete guide to understanding what cyber insurance covers in the US, how claims work, what's excluded, state and federal regulatory requirements, and how to choose the right policy for your American business.

What is cyber insurance?

Cyber insurance is a type of business insurance that covers your financial losses from cyber incidents like data breaches, ransomware attacks, system outages, and other digital disruptions. It's also known as "cyber liability insurance" or "cyber risk insurance."

In the US, cyber incidents hit businesses hard and often. The figures usually quoted are industry estimates: an average US data breach cost of $5.09 million, reported as the highest globally; 39% of American businesses reporting a cyber attack in 2024; and the widely repeated claim that 60% of SMBs close within six months of an attack (a figure whose original source has never been confirmed, so treat it as illustrative rather than precise). Whatever the exact numbers, a single breach can be catastrophic for a small or medium business, and cyber insurance exists because many businesses can't absorb that financial shock alone.

Key point: Cyber insurance reimburses you for direct costs (forensic investigation, ransom negotiation, notification costs) and third-party claims (lawsuits from affected customers). You're buying protection for a type of liability and operational crisis, not a physical asset.

What does cyber insurance cover?

Most cyber insurance policies split coverage into two main categories: costs to YOUR business (first-party) and claims FROM OTHERS (third-party).

First-party coverage (costs to your business)

This covers direct costs you incur in response to a cyber incident:

  • Incident response and forensic investigation — The cost of hiring experts to determine how the attacker got in, what systems and data were touched, and whether the attacker still has access. Attribution (who did it) is a secondary goal; scope and root cause drive everything else in the claim.
  • Data recovery and restoration — Costs to recover lost or corrupted data and restore systems to normal operation, including rebuilding from backups.
  • Business interruption losses — If your systems are down, you lose revenue. This covers the income you would have earned during the outage, usually only after a waiting period of several hours and subject to its own sub-limit.
  • Ransomware payments — Some policies reimburse ransom payments if you decide to pay. Note: US authorities advise against payment, and paying a group on the OFAC sanctions list is prohibited regardless of insurance. Insurers therefore screen the threat actor before they will reimburse, and a payment to a sanctioned group will not be covered.
  • Notification costs — All 50 US states require notification of affected individuals after a breach, each with its own deadline and content rules. Cyber insurance covers letters, email campaigns, and call center costs.
  • Credit monitoring — Providing monitoring services to individuals affected by the breach (often 1-3 years).
  • Public relations and crisis management — Costs to hire PR firms to manage reputational damage and public communication.

Third-party coverage (claims from others)

This covers legal claims and regulatory action arising from the incident:

  • Regulatory defense and fines — Defense costs if you face investigations by US regulators (state AGs, FTC, SEC). Fines and penalties are covered up to specified limits and only "where insurable by law"; some states prohibit insuring certain penalties, so the policy wording and your jurisdiction both matter.
  • Legal defense costs — Attorneys to defend you against lawsuits from affected customers or partners, including class actions.
  • Settlements and judgments — Compensation you're ordered or agree to pay to affected parties.
  • HIPAA penalties and defense — If you're a healthcare provider or business associate, coverage for HHS OCR investigations, fines, and HIPAA breach notification costs.
  • PCI DSS assessments — If you process card payments and suffer a breach, the card brands may levy fines and assessments through your acquiring bank, including card reissuance costs. Cyber insurance can cover these.
  • Media liability claims — Claims that your business defamed someone or invaded privacy through your digital systems or online presence.

Most policies come with coverage limits (e.g., $1 million total), deductibles (also called retentions; you pay the first $10,000 of any claim), and sub-limits (e.g., ransomware covered up to $500,000, even if the total limit is $1 million). Check the sub-limits against your most likely loss scenario, not just the headline limit.

What doesn't cyber insurance cover?

Insurance is defined as much by what it excludes as by what it includes. Here are the most common cyber insurance exclusions:

  • Acts of war or nation-state attacks — Most policies exclude attacks by governments or military forces. This "war exclusion" is standard across insurance, but applying it to a cyber attack depends on attribution, which is rarely clean, and newer policy wordings spell out in detail what counts as a state-backed attack. Ask for the exact wording.
  • Unpatched known vulnerabilities and misrepresented controls — If a security patch was available and you didn't apply it, the insurer may deny claims from attacks exploiting that specific vulnerability. More common in practice: the application asks you to attest to controls such as MFA, offline backups, and endpoint detection, and an inaccurate answer can let the insurer rescind the policy entirely. Answer the application precisely and keep evidence that the controls are actually in place.
  • Bodily injury or property damage — Cyber insurance covers digital losses. If a cyber attack leads to physical harm, that is typically the domain of your general liability policy, not cyber; check that the general liability policy doesn't carry its own electronic-data exclusion, which would leave a gap.
  • Long-term reputational damage — Cyber insurance covers short-term crisis costs (PR, notification). Permanent loss of customer trust or market share isn't covered.
  • Loss of future revenue — Business interruption covers revenue lost during the incident. It doesn't cover future lost business due to reputational harm.
  • Prior known claims — If you knew about a potential claim or incident before buying the policy, it's excluded.
  • Voluntary shutdowns — If you choose to shut down your systems without insurer approval, resulting losses may not be covered.
  • Social engineering (sometimes) — Losses from business email compromise, invoice fraud, and CEO fraud are often excluded, carried under a low sub-limit, or expected to sit under a separate crime policy. Check which policy responds before you need it.

Read the fine print: Exclusions vary significantly between insurers. A breach that one insurer covers, another may exclude. Always ask your broker to highlight exclusions relevant to your business and state.

How does a cyber insurance claim work?

Step 1: Incident occurs — You discover a breach, system outage, or suspected attack.

Step 2: Contact insurer immediately — Call your insurer's claims hotline before engaging your own vendors. Most US policies require prompt notice, and delay can void coverage; costs you incur before the insurer consents may not be reimbursed.

Step 3: Insurer appoints incident response team — The insurer will typically have a preferred panel of forensic experts, legal counsel, and PR firms. Some policies let you choose your own; others require you to use the insurer's panel. The insurer pays the IR team directly. Engaging forensics through insurer-appointed counsel also helps keep the investigation report under attorney-client privilege, which matters if litigation follows.

Step 4: Containment and investigation — The IR team stops the attack (if ongoing), investigates what happened, identifies what data was compromised, and documents findings.

Step 5: Claim assessment — The insurer reviews the incident and IR findings to determine what's covered under your policy. They'll assess whether exclusions apply, whether costs are reasonable, and whether the claim is within coverage limits, sub-limits, and deductibles.

Step 6: Payout — Once approved, the insurer reimburses you for covered costs or pays vendors directly.

Important: Good cyber insurance policies don't just provide money; they provide people. Your policy includes access to forensic investigators, legal counsel familiar with breach notification law, and PR specialists. These are often more valuable than the dollar payout because they know how to handle incidents efficiently and how to reduce your regulatory exposure.

US regulatory landscape

The US operates under a patchwork of federal, state, and industry requirements, each of which creates costs a policy may respond to. All 50 states (plus DC and the territories) have data breach notification laws with their own deadlines and content requirements. HIPAA governs healthcare data and is enforced by HHS OCR. SEC rules require public companies to disclose a material cybersecurity incident on Form 8-K within four business days of determining it is material. California's CCPA/CPRA adds a private right of action for certain breaches, and New York's NYDFS Part 500 requires regulated financial entities to notify NYDFS within 72 hours of a qualifying incident. PCI DSS applies to anyone handling card data. None of these mandates cyber insurance, but together they drive the legal, notification, and penalty costs that cyber insurance is designed to cover.

Ready to find the right coverage?

Get matched with a specialist cyber insurance broker: free, fast, no obligation.

Find My Policy →