When a founder asks 'what does cyber insurance cover,' they're usually asking one of three things: (1) will it pay if ransomware hits us, (2) will it cover us if a customer sues over a breach, or (3) will it satisfy the requirement in our enterprise MSA. The answer to all three is usually yes—but the details matter.
This post breaks down each major coverage component in plain language, with short definitions, what's included, and what's typically excluded. Use it as a reference when evaluating policies or explaining your coverage to a customer who asks for documentation.
Ransomware and Cyber Extortion Coverage
Ransomware is now the most common cyber event affecting small and mid-size businesses. Attackers encrypt your files and systems, then demand payment—typically in cryptocurrency—to restore access. For a startup, this can mean your product goes offline, your database is inaccessible, and your team is frozen while the business bleeds ARR.
What ransomware coverage typically includes:
- Ransom payment: The amount paid to the attacker to obtain the decryption key or prevent publication of stolen data. Carriers approve payments and verify the recipient isn't on an OFAC sanctions list before authorizing.
- Negotiation costs: Professional ransomware negotiators who work to reduce the demand and ensure the decryption key actually works. This is a specialized field and a legitimate covered expense.
- Recovery and remediation: The cost of restoring systems, rebuilding compromised infrastructure, and validating that attackers have been fully removed from your environment.
- Data restoration: Re-creating or recovering data that was encrypted, corrupted, or destroyed. This may overlap with the data restoration coverage section below.
What's typically excluded:
- Ransomware attacks attributed to sanctioned nation-states or groups (OFAC-listed entities)
- Losses from systems or data you don't own (e.g., a vendor's systems you rely on)
- Ransom demands where payment is illegal under US law (rare but possible)
Incident Response Costs
Incident response (IR) coverage pays for the immediate costs of discovering, containing, and investigating a cyber incident—before any lawsuits are filed and before any data is confirmed as stolen. This is often the most valuable coverage for a startup because these costs hit immediately and without warning.
What incident response coverage typically includes:
- Forensic investigation: A specialized IR firm to determine how attackers got in, what systems they accessed, what data they exfiltrated, and whether they're still in your environment. Forensic engagements for small breaches start around $50,000.
- Breach counsel: A specialized law firm that advises you on your legal obligations—notification requirements, regulatory exposure, privilege over forensic findings, and litigation risk. Breach counsel is distinct from your general corporate counsel and typically engaged immediately after discovery.
- Public relations and crisis communications: If the breach becomes public or requires customer disclosure, PR support helps you manage the narrative. Especially relevant if you have a consumer-facing product or a high-profile customer whose name may surface.
- Customer notification: The cost of drafting, reviewing, and sending breach notifications to affected individuals. Includes postage for physical mailings (required in some states), call center operations, and email services.
- Credit monitoring services: Offering affected individuals 12-24 months of credit monitoring is standard practice and often legally required or expected. Cost is typically $10-$20 per person per year.
What's typically excluded:
- Costs incurred before you report the incident to your insurer (report early)
- Forensic work related to incidents you knew about before the policy started
- Costs to upgrade or improve security systems beyond pre-incident state (betterment exclusion)
Business Interruption Coverage
Business interruption (BI) coverage under a cyber policy replaces the revenue you lose and covers the extra expenses you incur when a cyber event takes your operations offline. For a SaaS company, this is direct ARR loss for every hour your platform is unavailable due to a covered event.
What cyber business interruption coverage typically includes:
- Lost revenue: Income you would have earned during the period of interruption, calculated from your historical revenue run rate. If your SaaS generates $10K per day in recurring revenue and is down for 3 days, BI coverage replaces up to $30K (minus any waiting period).
- Extra expenses: Reasonable costs incurred to get back online faster—emergency cloud migration, temporary infrastructure, overtime for your engineering team, or expedited vendor support.
- Dependent business interruption (sometimes): If a vendor you depend on suffers a breach or outage that takes your product offline, some policies extend BI coverage to this scenario. This is critical for startups heavily dependent on a single cloud provider or SaaS vendor. Confirm this is included explicitly.
What's typically excluded:
- Waiting periods (typically 8-72 hours before BI coverage kicks in—shorter waiting periods cost more)
- Voluntary shutdowns not caused by a covered cyber event
- Revenue loss from reputational damage after an incident (a separate and rarely covered exposure)
- Cloud provider outages not caused by a security event (most policies exclude non-malicious infrastructure failures)
Data Restoration Coverage
Data restoration coverage pays to recover, recreate, or restore data that is corrupted, encrypted, or destroyed as a result of a covered cyber event. For database-centric startups, this is a critical coverage component.
What data restoration coverage typically includes:
- Recovery from backups: Labor costs to restore data from clean backup copies, including vendor fees for emergency support.
- Data recreation: Where data cannot be restored from backups—because backups were also encrypted or weren't maintained—coverage pays for the cost of recreating records from source documents or re-processing transactions.
- Data cleansing: Removing malicious code or corrupted records from partially intact datasets.
What's typically excluded:
- Data that was never backed up and cannot be recreated (prevention is the only answer here)
- Software code restoration—some policies exclude proprietary code, though others include it
- Loss of value of data as opposed to the cost of restoration (market value claims are rarely covered)
A note on limits: data restoration is often subject to a sublimit within the overall policy. Confirm what the sublimit is, especially if your business depends on large databases or complex data pipelines where recreation costs could be significant.
Third-Party Liability Coverage
Third-party liability (also called cyber liability) covers claims made against you by customers, vendors, regulators, or other parties who suffer harm because of a cyber incident that originated with you. This is the coverage that enterprise customers are asking for when they require you to carry cyber liability in their MSA.
What third-party cyber liability typically includes:
- Defense costs: Legal fees to defend against lawsuits, regulatory investigations, and demand letters. Defense costs are typically included within (not in addition to) the policy limit—this matters for sizing your coverage.
- Settlements and judgments: Amounts paid to resolve claims, up to your policy limit net of defense costs. Your carrier participates in settlement decisions and typically has consent rights.
- Regulatory defense and penalties: Legal defense costs for regulatory investigations (FTC, state AG, HHS) and, in some policies and jurisdictions, fines and penalties assessed. Read your policy carefully—GDPR fines are often excluded by US carriers.
- PCI fines and assessments: If you're in PCI DSS scope and your breach triggers card brand fines or forensic assessment requirements, some policies cover these costs explicitly.
What's typically excluded:
- GDPR fines and penalties (most US policies—confirm with your carrier)
- Claims arising from intentional security failures or fraud
- Contractual liability you assumed beyond what would apply at law (certain indemnification provisions)
- Claims involving data you don't process on behalf of customers (your own internal data breaches may be covered separately)
Media Liability Coverage
Media liability is a component of cyber policies that covers claims arising from content you publish online—your website, blog, social media, marketing emails, and in-app messaging. It's often overlooked but increasingly relevant as startups build content-heavy marketing programs.
What media liability typically includes:
- Defamation: Claims that content you published (a blog post, a competitor comparison page, a testimonial quote) was false and damaged someone's reputation.
- Copyright and trademark infringement: Claims that you used someone else's intellectual property without permission in your digital content—images, text, music, code samples.
- Invasion of privacy: Claims arising from publishing information about individuals without their consent, including using customer likenesses in marketing without proper releases.
What's typically excluded:
- Patent infringement (not covered by cyber policies—this requires a separate IP insurance product)
- Content published before the policy period started
- Claims arising from intentional misrepresentation or knowing use of infringing content
What Cyber Insurance Usually Doesn't Cover
Reading the exclusions is as important as reading the coverage grants. Here's a summary of what most cyber policies exclude, regardless of how the incident occurs:
- Physical damage caused by a cyber event: If a cyber attack causes physical damage to property (e.g., destroying hardware), most cyber policies exclude this—it typically falls under a property policy.
- Bodily injury: If a cyber attack on a connected device causes physical harm to a person, standard cyber policies typically don't cover this. This is relevant for IoT, medical device, or industrial control software—these require specialized policies.
- Infrastructure failures not caused by a security event: A cloud provider going down because of a hardware failure (not an attack) typically isn't covered. Only security events—breaches, attacks, unauthorized access—trigger cyber coverage.
- Nation-state and war exclusions: Incidents attributed to state-sponsored actors or acts of war are increasingly excluded in cyber policies, following high-profile disputes like the NotPetya litigation. Check your policy's war exclusion language carefully.
- Intentional acts by founders or executives: If a founder deliberately misuses customer data or authorizes unauthorized access, coverage won't apply. Insider fraud by senior personnel is typically excluded.
- Failure to maintain disclosed security controls: If you told your underwriter you had MFA enforced and you didn't, and then suffered a breach through an account without MFA, the carrier may deny coverage on the basis of material misrepresentation in the application.
- Pre-existing conditions: Incidents or vulnerabilities you were aware of before the policy started are excluded. If you knew about a breach before binding coverage, you won't be covered for it.
- Betterment: Carriers won't pay to upgrade your systems beyond their pre-incident state. If restoring your systems requires implementing new security tools that didn't exist before, the improvement cost beyond restoration may not be covered.
See What Cyber Coverage Your Startup Needs
Understanding what cyber insurance covers is the first step. The second is getting a policy that actually matches your company's risk profile—not a generic policy designed for a different kind of business. At Latent Insurance, you can get a cyber coverage recommendation in under 5 minutes. Answer a few questions about your company, see coverage options tailored to your stage and data profile, and get a certificate of insurance the same day. No broker scheduling, no waiting around. Just coverage you can actually use.