№ 04 · May 2026
beaconcover
Independent comparison desk

Cyber Liability: First-Party vs Third-Party Coverage Explained

Cyber liability coverage is two policies stitched into one form. The first-party side pays your own costs after a breach or system incident. The third-party side pays claims brought against you by customers, partners, or regulators whose data you exposed. Knowing which side does what is the difference between buying a policy that responds and buying a policy that turns out to cover almost nothing for your actual loss. This page splits the two cleanly. For the buying decision (do you need it at all), see /coverage/cyber-liability-for-small-business/. Beaconcover is not a licensed broker.

The short answer

First-party covers what happens to you: forensic investigation, breach notification to affected individuals, credit monitoring, data restoration, business income lost while systems are down, cyber extortion or ransomware payment (where legally permitted), public-relations response, and incident-response counsel. Third-party covers what someone else sues you for: liability for the data exposure, regulatory defense for state attorney-general or HHS inquiries, payment-card industry fines and assessments, and media liability for content you publish online [NAIC: cybersecurity, 2026-05].

A small-business cyber form usually includes both sides, with separate limits and separate retentions (deductibles) for each. The headline limit is rarely a single number; it is a structure.

What first-party costs does cyber liability cover?

After a confirmed incident, the first-party side is what the carrier actually opens its checkbook for in the first 72 hours.

  • Forensic investigation. The cost of incident-response specialists determining what happened, when, what data was accessed, and how to contain it. Often paid through the carrier's panel of pre-vetted firms at pre-negotiated rates.
  • Breach notification. Most states require notification to affected residents within a set window (commonly 30 to 60 days), and most require parallel notice to the state attorney general above certain thresholds. The cost of identifying affected individuals, drafting the notice, and mailing it is first-party.
  • Credit monitoring. Often offered to affected individuals, sometimes mandatory under state statute. The carrier pays the per-person cost for a stated period (commonly 12 to 24 months).
  • Data restoration. Rebuilding compromised data from backups, or reconstructing it where backups are unrecoverable.
  • Business income. Net income lost plus continuing operating expenses while systems are down because of a covered event. Usually subject to a short waiting period (8 to 12 hours is common). See /coverage/business-interruption/ for the same mechanic in the property context.
  • Cyber extortion or ransomware. Negotiation costs and, where the policy and law permit, payment of the ransom itself. The law on ransom payment is shifting; some forms now cap or exclude the payment portion.
  • PR and crisis management. Communications support to affected customers and the public, often paid through carrier-panel firms.

Each of these has a separate first-party sub-limit on most small-business cyber forms. The headline number ($1M, $2M, $5M aggregate) tells you the ceiling; the schedule of sub-limits tells you what the policy will actually pay for each kind of loss [III: business insurance basics, 2026-05].

Third-party costs (claims against you)

When someone sues or a regulator opens a file, the third-party side responds.

  • Network and information security liability. Defense and indemnity for claims by customers, partners, or third parties whose data was exposed, or whose systems were harmed because yours was.
  • Regulatory defense. Legal defense costs (and, where insurable, civil penalties) for state attorney-general investigations, HHS/OCR HIPAA inquiries, FTC actions, or state-specific privacy enforcement (CCPA, CPRA, the growing list of state privacy statutes).
  • PCI DSS assessments. Costs charged by the card brands or acquirer when a merchant's breach involves payment-card data: forensic-audit fees, card-replacement costs, and contractual penalties. Often a separate sub-limit.
  • Media liability. Claims arising from content you publish, infringement, defamation, privacy violations in your own communications. Some forms include this; some exclude it.

The third-party side responds even to a claim without merit, because legal defense costs are covered regardless of the claim's outcome; defense is typically paid from within the limit (sometimes outside it, depending on the form). Watch whether defense costs erode the limit or sit on top; the difference can be material in a serious claim.

Common exclusions

What cyber liability does not cover catches buyers out:

  • Bodily injury and property damage. Physical harm from a cyber event is excluded; that is general liability territory.
  • Prior known incidents and acts. Incidents you knew about before the policy started are excluded. The application's "known incident" question matters.
  • Failure to maintain required security controls. Forms increasingly require multi-factor authentication, regular backups, or patching as a condition of coverage. A breach traced to a missing required control can be excluded entirely.
  • Acts of war and infrastructure events. State-actor and war exclusions have tightened across the market. Read the war-exclusion language closely on any current policy.
  • Bricking or improvement. The cost of replacing hardware or upgrading systems beyond the pre-incident state.
  • Wage-and-hour, employment, and bodily-injury content. These belong on EPLI, workers' comp, or commercial general liability respectively.

The covered-costs list is where small-business cyber policies differ most. Two policies with the same $1M aggregate can pay very different amounts on the same incident depending on sub-limits, retentions, and required-control exclusions.

Where to get quotes

Quote with carriers that specialize in cyber for small business and tech firms. Read the schedule of sub-limits before signing, not after. Confirm the required-control list on the application matches what you actually have running. Get two or three quotes and compare the schedule, not the headline.

Cyber premium varies materially by data volume, revenue, industry, and the security controls in place; businesses with multi-factor authentication and tested backups price better than those without [NAIC: cybersecurity, 2026-05]. A single national average is misleading without those variables fixed. See /methodology/ for the six dimensions we look at on any plan.

Frequently asked questions

What is the difference between first-party and third-party cyber coverage?

First-party pays your own breach costs (forensics, notification, business income, ransomware). Third-party pays claims and regulatory actions brought against you. Most small-business cyber forms include both, with separate limits.


Not a broker. Beaconcover is an independent comparison site. We are not a licensed insurance broker, agent, or adviser; we route you to providers and do not sell, bind, or advise on policies, and nothing here is legal or tax advice. Coverage, price, and requirements vary by state, profession, payroll, and underwriting. See /methodology/ and /disclosure/. Last reviewed: 2026-05-27.