Cyber FAQs

Does my business package policy cover a data breach or ransomware attack?

Quick answer: Generally no. Standard business package policies are built around physical property and general liability and typically exclude cyber events.

A standard business owners policy (BOP) does not cover data breaches or ransomware attacks unless cyber coverage is specifically added by endorsement or structured as a separate policy. A BOP was designed for physical risks, and a cyber attack produces an entirely different category of loss.

Why does a standard BOP exclude cyber losses?

A BOP bundles property coverage and general liability into one package. The property section covers physical damage to hardware, a destroyed server for instance. It does not cover the data on that server, the revenue lost while systems are offline, or the cost of notifying affected customers. General liability covers bodily injury and physical property damage to third parties. It does not cover a third party’s financial loss because their private data was exposed in a breach. Most BOPs carry an exclusion for electronic data loss and cyber events.

What costs does a ransomware attack actually produce?

An attacker encrypts every file on your network and demands payment to restore access. The costs that follow a successful ransomware attack typically include:

  • Forensic investigation to determine how attackers got in and what they accessed
  • Notification to customers, employees, or patients whose data may have been exposed
  • Business income lost during the days or weeks your systems are down
  • Legal defense if a client or regulator sues over the breach
  • The ransom itself, if payment is made

None of those costs fall under the standard BOP property or liability sections.

What does the gap cost a small business in practice?

For example, a small Georgia accounting firm is hit by a phishing attack that gives an attacker access to client tax files. The firm spends money on a forensic firm, sends breach notifications, and defends against a client lawsuit. Total cost: over $80,000. The BOP responds to none of it.

For example, a cyber endorsement added to that same BOP for a few hundred dollars a year would have covered most of those costs. The gap is significant relative to the cost of closing it.

What coverage options actually respond to cyber events?

Two paths exist. The first is a standalone cyber liability policy, which provides its own limits for breach response costs, ransomware extortion payments, business income loss from a network outage, and third-party liability when a client’s data is compromised. The second is a cyber endorsement that attaches to an existing BOP, extending the policy to cover cyber losses up to a defined sub-limit.

How do you determine which option fits your business?

The right fit depends on what types of data your business holds, how much revenue a multi-day shutdown would cost, and whether clients could bring a claim if their information were exposed. Businesses that handle significant volumes of personal data, financial records, or health information generally need higher limits than a BOP endorsement provides.

A licensed advisor can review your current BOP, identify whether a cyber gap exists, and tell you what adding protection would cost for your specific situation. Request a free coverage review to get those answers.