Corgi

Cyber Liability Insurance for Startups

If your company collects, stores, or processes personal data — and virtually every startup does — you're a target. Cyber Liability covers third-party claims that arise when your network security fails or private data is exposed. When a breach leads to a lawsuit, this is the policy that pays for your legal defense and any resulting damages. It's built for the lawsuits that follow the breach, not the breach response itself.

Last reviewed April 24, 2026 · Reviewed by the Corgi Insurance team

Breaches make headlines. Lawsuits make bills. Your Cyber policy covers the bills.

What's Actually Inside Your Cyber Policy

Coverage structure under form CORG-CY-0100. What the standard policy covers (third-party liability), what it doesn't (first-party costs), and how to build the coverage you need. Limits shown are illustrative.

Important: The coverage descriptions on this page are general summaries for informational purposes only. They do not constitute a policy, binder, or guarantee of coverage. Coverage is provided only under the terms, conditions, exclusions, and limits of the issued policy. Always refer to your actual policy wording and declarations page for the governing terms and conditions. If there is any conflict between this summary and the policy, the policy controls.

FORM CORG-CY-0100

Cyber Liability
SELF-INSURED RETENTION: $10,000 per event

Network Security & Privacy
PER CLAIM: $1,000,000

Policy Aggregate
POLICY YEAR: $2,000,000

Defense Costs
WITHIN LIMIT: Included

First-Party Costs
ENDORSEMENT: Required

Regulatory Defense
ENDORSEMENT: Required

Retention
PER CLAIM: See declarations

Plain English on the Left. Policy Language on the Right.

What this policy pays for.

IF THIS HAPPENS…

A hacker exploits a vulnerability in your API and exfiltrates 50,000 customer records. Affected customers file a class action alleging negligence in protecting their personal information. [1]

Coverage A — Network Security and Privacy Liability

Your policy covers third-party claims alleging that a failure in your network security led to unauthorized access, disclosure, or theft of personal data. Defense costs, settlements, and judgments are covered up to your policy limit. Because Cyber is claims-made, the breach must occur after your retroactive date and the claim must be made during the policy period.

AVAILABLE LIMITS: Up to $1M per claim / $2M aggregate

Malware infiltrates your cloud infrastructure and compromises enterprise client data stored on your servers. The client sues for damages arising from the disclosure of their customers' information. [2]

Coverage A — Network Security and Privacy Liability

When a security failure on your systems leads to the unauthorized disclosure of data you were entrusted with, and a third party sues you for it, your policy covers the defense and damages. This applies whether the breach was caused by external attack, malware, or a failure in your security controls.

AVAILABLE LIMITS: Up to $1M per claim / $2M aggregate

Attackers exploit a vulnerability during a DDoS attack on your servers, exfiltrating payment card data while your security team is focused on restoring service. Affected customers file suit. [3]

Coverage A — Network Security and Privacy Liability

When a network security failure (the exploited vulnerability) leads to unauthorized access and disclosure of personal data, your policy covers the resulting third-party liability claims. Note: a pure DDoS attack that only causes downtime — without any data compromise — would not trigger third-party liability coverage under this policy, because there is no privacy breach for a third party to sue over.

AVAILABLE LIMITS: Up to $1M per claim / $2M aggregate

Scenario notes

[1] Cyber Liability is a claims-made policy with defense costs within limits. Every dollar spent defending a claim reduces the amount available for settlements or judgments. The claim must be first made during the policy period, and the underlying breach must have occurred after the retroactive date.

[2] The standard policy — Coverage A — is third-party liability coverage only. It covers lawsuits and claims brought against you by others. It does not cover your own costs to respond to a breach, such as forensic investigations, breach notification, credit monitoring, or business interruption losses. Those are first-party coverages available as endorsements. See the add-on section below.

[3] Regulatory proceedings, government investigations, and enforcement actions are excluded from the standard Cyber policy — both as covered "Claims" and from the definition of covered "Loss." This means neither the defense costs for a government investigation nor any resulting fines or penalties are covered under the base policy. Regulatory defense and penalty coverage may be available via endorsement where legally insurable.

Policy notes

This policy does not cover claims arising from bodily injury, property damage, professional errors or omissions (that's Tech E&O), employment disputes (that's EPLI), or intentional/criminal acts.

Social engineering fraud (e.g., an employee tricked into wiring funds) and ransomware payments are not covered under the standard policy. See the add-on section for available first-party endorsements.

The scenarios above are illustrative examples only and do not guarantee coverage for any specific claim. Actual coverage depends on the facts and circumstances of each claim and the specific terms of your issued policy. Results may differ based on policy endorsements, exclusions, limits, and applicable law.

How Cyber Compares

Cyber Liability, Tech E&O, and CGL each respond to a different claim trigger and have a different coverage boundary.

Cyber Liability

What triggers it: A data breach or network security failure leads to third-party claims against you
Type of harm covered: Third-party liability from unauthorized data access, disclosure, or network compromise
Common scenario: Hackers steal 50K customer records; class action follows
Key difference: Covers the breach liability. The question is: was personal data compromised or was your network security breached? If yes, start here.

Tech E&O

What triggers it: A professional mistake in your technology work causes a client financial loss
Type of harm covered: Financial loss from errors, omissions, or negligence in delivering tech services
Common scenario: Your code update crashes a client's system for 48 hours; they sue for lost revenue
Key difference: Covers the professional failure. The question is: did your technology service or product fail to perform correctly? If yes, that's Tech E&O.

CGL

What triggers it: A physical-world incident — bodily injury or property damage
Type of harm covered: Bodily injury, tangible property damage, certain advertising offenses
Common scenario: A visitor trips in your office and breaks their wrist
Key difference: Covers the physical world. If no person was hurt and no tangible property was damaged, CGL doesn't apply.

Industry Applicability & Compliance

Coverage Trigger

Coverage A — Network Security and Privacy Liability responds when a hacker exploits a vulnerability in your API and exfiltrates 50,000 customer records. Affected customers file a class action alleging negligence in protecting their personal information.

Policy Boundaries

Cyber Liability is a claims-made policy with defense costs within limits. Every dollar spent defending a claim reduces the amount available for settlements or judgments. The claim must be first made during the policy period, and the underlying breach must have occurred after the retroactive date. The standard policy — Coverage A — is third-party liability coverage only. It covers lawsuits and claims brought against you by others. It does not cover your own costs to respond to a breach, such as forensic investigations, breach notification, credit monitoring, or business interruption losses. Those are first-party coverages available as endorsements. See the add-on section below.

Available Extensions

Available add-ons include Breach Response / Event Management Endorsement, Ransomware / Cyber Extortion Endorsement, Business Interruption Endorsement, Funds Transfer Fraud Endorsement, Employee Privacy Endorsement, PCI Liability Endorsement, and Rogue Employee Carveback Endorsement. Endorsements are required where noted, and availability may vary by jurisdiction and underwriting.

Available Add-ons

Breach Response / Event Management Endorsement

Covers your own first-party costs to respond to a data breach: forensic investigation, legal counsel, breach notification, credit monitoring, and call center services. This is usually what people think of when they hear "cyber insurance." [Endorsement required]

Ransomware / Cyber Extortion Endorsement

Covers ransom payments and related expenses when a threat actor encrypts your systems or threatens to release stolen data. Includes negotiation costs and, where legally permissible, the ransom payment itself. [Endorsement required]

Business Interruption Endorsement

Covers lost income and extra expense when a covered cyber event takes your systems offline. If a breach or attack shuts down your operations, this fills the revenue gap during the recovery period. [Endorsement required]

Funds Transfer Fraud Endorsement

Covers direct financial loss when a cyber attack — such as a social engineering scheme or fraudulent instruction — causes your company to transfer funds to an unauthorized recipient. [Endorsement required]

Employee Privacy Endorsement

Extends third-party liability coverage to claims brought by your own employees when their personal data is compromised. For example: employees sue after your HR database is breached. [Endorsement required]

PCI Liability Endorsement

Covers contractual fines and assessments imposed by payment card brands (Visa, Mastercard, etc.) following a breach of payment card data. For example: PCI assessments after a payment processing breach. [Endorsement required]

Rogue Employee Carveback Endorsement

The base policy excludes intentional acts, which can create a gap when an employee intentionally causes a breach. This endorsement carves back coverage for claims arising from unauthorized intentional acts by an employee acting outside the scope of their authority. For example: a disgruntled engineer posts your customer database publicly. [Endorsement required]

Our Core Coverages

Cyber is the breach-response backbone for any startup with customer data. Layer in CGL, Tech E&O, D&O, and more — modular coverage that grows with you.

Commercial General Liability (CGL)

Protects your business against third-party claims for bodily injury, property damage, and personal or advertising injury arising from your operations.

Cyber Liability

Protects against losses and claims resulting from data breaches, cyberattacks, and network security failures.

Tech & AI Liability

Covers claims alleging your technology products or services failed to perform as intended, causing financial harm to a client.

Directors & Officers

Covers claims made against company leaders for alleged wrongful acts in managing the business.

Employment Practices Liability (EPLI)

Protects against claims alleging wrongful termination, discrimination, harassment, or other employment-related issues.

Fiduciary Liability

Protects your company and plan fiduciaries against claims alleging mismanagement of employee benefit plans, including retirement and health plans.

Media Liability

Protects against claims arising from your published or distributed content, including allegations of defamation, copyright infringement, or invasion of privacy.

Hired and Non-Owned Auto (HNOA)

Provides liability coverage when employees use rented or personal vehicles for company business.

Cyber Glossary

Key terms from the policy language and approved coverage summary.

Network Security
The protections you have in place to prevent unauthorized access to your computer systems — firewalls, encryption, access controls, monitoring. A "network security failure" is when those protections fail and someone gets in who shouldn't have.
Privacy Liability
Your legal liability to third parties when their personal information is accessed, disclosed, or stolen due to a failure on your end. The lawsuit that follows the breach — not the breach itself.
Claims-Made
Coverage applies only if the claim is first made during the policy period. A breach in March that produces a lawsuit in November is covered if both dates fall within your policy period (and after your retroactive date). A breach in 2024 with a lawsuit in 2026 may not be — check your retroactive date.
Defense Costs Within Limits
Your legal defense expenses reduce the total amount available under your policy limit. If you have $2M in coverage and spend $600K on lawyers, $1.4M remains for any settlement or judgment.
First-Party vs. Third-Party
First-party costs are what you spend on yourself — forensic investigators, notification letters, credit monitoring. Third-party costs are what others claim against you — lawsuits, settlements, judgments. The base Cyber form covers third-party only. First-party requires endorsements.
Retroactive Date
The earliest date from which security events are covered. Events that occurred before this date — even if the claim comes later — are not covered.

FAQ

Common covered scenarios include: A hacker exploits a vulnerability in your API and exfiltrates 50,000 customer records. Affected customers file a class action alleging negligence in protecting their personal information. Malware infiltrates your cloud infrastructure and compromises enterprise client data stored on your servers. The client sues for damages arising from the disclosure of their customers' information. Attackers exploit a vulnerability during a DDoS attack on your servers, exfiltrating payment card data while your security team is focused on restoring service. Affected customers file suit.
Cyber Liability is a claims-made policy with defense costs within limits. Every dollar spent defending a claim reduces the amount available for settlements or judgments. The claim must be first made during the policy period, and the underlying breach must have occurred after the retroactive date. The standard policy — Coverage A — is third-party liability coverage only. It covers lawsuits and claims brought against you by others. It does not cover your own costs to respond to a breach, such as forensic investigations, breach notification, credit monitoring, or business interruption losses. Those are first-party coverages available as endorsements. See the add-on section below. Regulatory proceedings, government investigations, and enforcement actions are excluded from the standard Cyber policy — both as covered "Claims" and from the definition of covered "Loss." This means neither the defense costs for a government investigation nor any resulting fines or penalties are covered under the base policy. Regulatory defense and penalty coverage may be available via endorsement where legally insurable.
Available add-ons include Breach Response / Event Management Endorsement, Ransomware / Cyber Extortion Endorsement, Business Interruption Endorsement, Funds Transfer Fraud Endorsement, Employee Privacy Endorsement, PCI Liability Endorsement, and Rogue Employee Carveback Endorsement. Coverage applies only when the relevant endorsement or separate policy is issued.

Industries that especially need Cyber Liability