
How to review a cyber liability tower.

Cyber is the line where mid-market operators get the most expensive surprises. Premium has stabilized after the 2022 hard market, but underwriters have absorbed losses by tightening forms, narrowing sublimits, and adding coinsurance to the loss types that drive most claim payouts. The declarations (dec) page rarely tells you what’s actually covered. This guide walks the tower the way a senior consultant does at renewal.

Reviewed by Vetted Risk · Last updated 2026-04-17

The cyber tower in 90 seconds

A cyber program is built in two halves. First-party covers your own losses: ransomware payments, business interruption, data restoration, incident response costs, regulatory defense. Third-party covers your liability to others: privacy claims, network security failures, media liability, regulatory penalties where insurable.

The tower stacks like any other excess program. A primary policy carries a per-claim limit and an aggregate. Excess layers sit on top, each with its own form. In theory excess follows form. In practice excess carriers add their own warranties, exclusions, and conditions, and the differences become load-bearing in a real claim. The first job at renewal is to confirm the excess forms actually follow the primary, or to document where they don’t.

Sublimits worth a closer look

Sublimits are how carriers cap their exposure to specific perils inside a stated full limit. A $5M cyber policy with a $250K social engineering sublimit is a $250K social engineering policy. The categories that matter most:

  • Ransomware. Many carriers have moved ransomware to a sublimit at 25% to 50% of the full limit, separate from the cyber extortion grant. Read both definitions and confirm whether sub-categories like data exfiltration extortion sit inside or outside the sublimit.
  • Business email compromise and social engineering. Often a $100K to $500K sublimit even on programs with $5M+ limits. The trigger requires "intentional and unauthorized" instruction, which carriers and insureds dispute when employees were tricked into authorizing transfers.
  • Regulatory defense and penalties. Often a sublimit and often subject to insurability under state law. Confirm whether HIPAA, GDPR, and state-AG investigations are included pre-suit or only post-action.
  • PCI fines, penalties, and assessments. Frequently sublimited at $250K to $1M. If you take card payments at any volume, this sublimit is usually too low.
  • Dependent business interruption. Coverage for outages at vendors you depend on, such as cloud hosts, payroll processors, or core SaaS systems. This is usually the most undersized sublimit on mid-market programs, given how much operating dependency now sits with three or four vendors.

The war and hostile-act exclusion

Recent court treatment of war exclusions in cyber claims has made this clause more contentious than it has been in decades. Carriers now write tighter exclusions for "cyber operations" attributed to nation-state actors. The exclusion sometimes applies even when the operation does not target the insured directly and even when no formal attribution has been made.

What good looks like: a written carve-back for cyber operations against the insured that are not part of an active armed conflict, plain-language definitions of "attribution," and a clause that places the burden of proving the exclusion applies on the carrier. Bad looks like a one-sentence exclusion referencing "any war or warlike action" with no carve-backs and a definition that lets the carrier invoke it on a government statement alone. Negotiate the wording at renewal. This is the single highest-leverage change available on a cyber form.

Ransomware coinsurance

Coinsurance is when the carrier pays a stated percentage of a covered loss and you pay the rest. It used to be rare on cyber. It is now common on ransomware and increasingly on broader cyber extortion. Carriers added it because ransomware paid losses were running well above pricing assumptions.

The math matters. On a $5M ransomware event with a $50K retention and 25% coinsurance, the insured retains $50K plus 25% of the remaining $4.95M, or $1.287M total. At 50% coinsurance, the insured retains $50K plus $2.475M, or $2.525M total. Coinsurance is often added at renewal without a corresponding premium reduction. If the form changed, the price should have changed. If it didn’t, you negotiated badly or you didn’t negotiate.
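The retention-plus-coinsurance arithmetic above, as an added illustration that is not part of the original guide, generalized to include a ransomware sublimit so you can see which term caps the carrier first. The order of operations it assumes (retention, then coinsurance on the remainder, then the carrier's share capped at the sublimit) is a simplifying assumption; real forms differ.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class RansomwareTerms:
    """Constructed terms for the ransomware grant of a primary cyber layer."""
    retention: float          # self-insured retention, paid first by the insured
    coinsurance: float        # insured's share of loss above the retention (0.0 to 1.0)
    sublimit: Optional[float] = None  # cap on the carrier's payment for this peril


def split_ransomware_loss(loss: float, terms: RansomwareTerms) -> dict:
    """Split a covered ransomware loss between carrier and insured.

    Assumed order (a simplification, not any specific carrier's form):
    1. the insured pays the retention;
    2. the insured pays its coinsurance share of the remainder;
    3. the carrier's resulting share is capped at the sublimit, and anything
       above the cap falls back on the insured.
    """
    if loss <= terms.retention:
        return {"carrier": 0.0, "insured": loss}
    above_retention = loss - terms.retention
    carrier = above_retention * (1.0 - terms.coinsurance)
    if terms.sublimit is not None and carrier > terms.sublimit:
        carrier = terms.sublimit
    return {"carrier": carrier, "insured": loss - carrier}


def retained_fraction(loss: float, terms: RansomwareTerms) -> float:
    """Share of the loss the insured keeps; useful when comparing renewal quotes."""
    return split_ransomware_loss(loss, terms)["insured"] / loss


if __name__ == "__main__":
    loss = 5_000_000.0
    for coins in (0.25, 0.50):
        t = RansomwareTerms(retention=50_000.0, coinsurance=coins)
        print(f"{int(coins * 100)}% coinsurance, no sublimit:",
              split_ransomware_loss(loss, t))
    # A 50%-of-limit sublimit (the upper end of the range named in this guide)
    capped = RansomwareTerms(retention=50_000.0, coinsurance=0.25, sublimit=2_500_000.0)
    print("25% coinsurance with $2.5M sublimit:", split_ransomware_loss(loss, capped))
```

With the sublimit in place the cap, not the coinsurance, becomes the binding term, so a form change that adds both is worse than either number suggests on its own.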

Incident response panels

Most cyber policies require you to use carrier-approved vendors for incident response: breach counsel, forensic investigation, public relations, notification. The panel is a short list, often four to eight names per category. Using off-panel vendors can reduce coverage or void it for that loss.

Two things to confirm at renewal. First, what’s actually on the panel and how the panel has performed on prior claims. Some carriers maintain panels of high-quality firms. Others rotate vendors based on rate, not capability. Second, the "approved counsel" rule. Most policies let you nominate your preferred outside counsel for approval. Submit names before an incident, not during. Approval at 2 a.m. on a ransomware Saturday is not a reliable process.

Notice triggers and waiting periods

Cyber policies include notice provisions that are tighter than most other lines. Common triggers include 24, 48, or 72-hour windows from "first awareness" of a covered event. The "first awareness" question is where claims fall apart. If a help-desk ticket from three weeks ago described unusual login activity that turned out to be the initial intrusion, was that "first awareness"? Carriers have argued yes.

Mitigations: train the IT and security functions on the notice trigger, document the awareness timeline contemporaneously, and notify on suspected events rather than confirmed events. Most carriers prefer over-notice. The cost of a closed-without-payment file is far less than the cost of a denied claim on a six-figure event.

Waiting periods on business interruption coverage are a separate trap. A 12-hour waiting period sounds reasonable until you realize the carrier measures it from the moment of "actual interruption," and many ransomware events have 8 to 10-hour partial-degradation periods before the system fully fails. Pay attention to how "interruption" is defined and how the waiting period interacts with the partial-loss provision.

MFA and underwriting

The cyber application is now a security questionnaire. Multi-factor authentication, endpoint detection and response, immutable backups, and privileged access management are no longer best practices; they are preconditions for coverage at any reasonable price. The application is also a representation. If you check "yes" on universal MFA and a forensic firm later determines that a domain admin account was exempted at the time of compromise, the carrier will look at that representation.

Two practical steps. Have IT and security review the application before signature, not the broker alone. And document evidence for each "yes" answer in a binder you keep with the policy. If the answers were true on the application date, you want to be able to prove it.

When to pull the tower apart and remarket

A cyber tower is worth a full remarket when one of three conditions is true. First, the form has materially degraded at the most recent renewal: new exclusions, new coinsurance, lowered sublimits, or warranty conditions you cannot meet. Second, your exposure has changed: new business lines, new geographies, new regulatory regimes, an acquisition that materially changes the data footprint. Third, claims activity at the incumbent carrier or the broader market suggests the program is mispriced.

A remarket is not free. Underwriters pull credit-style data, run external scans against your domain, and form an opinion on the account before you see a quote. A poorly prepared remarket comes back worse than the incumbent. The decision is whether you have the time to prepare a clean submission, including current network diagrams, security control documentation, and a coherent narrative on prior incidents. If you don’t, fix the incumbent program first and remarket next year.

Get a cyber tower review

Pressure-test your cyber program.

We review cyber towers for mid-market operators on a fixed-fee basis. Independent of any broker. We map sublimits against your real exposure, flag exclusions worth negotiating, and give you a written opinion you can take to the next renewal conversation.
