Service

Cyber liability review for mid-market operators.

Sublimits, war exclusion language, ransomware coinsurance, incident-response panel restrictions, and dependent business interruption pressure-tested against the actual threat profile. The line of the program that has changed the most since you last looked at it.

What we review

The form, the sublimits, the panel.

First-party and third-party grants

Forensic investigation, notification and credit monitoring, business interruption, ransomware, regulatory defense, privacy liability, and PCI. Each grant against the actual exposure profile and the data the company holds.

Sublimits

Ransomware, business email compromise, regulatory, PCI, and bricking sublimits, mapped against the AP department’s wire volume, the regulatory regime, and the payment card environment.

War and hostile-act exclusions

The current language post-NotPetya, the cyber-specific war exclusion forms now standard at most carriers, and the practical implications of nation-state attribution disputes.

Ransomware coinsurance

The coinsurance percentage on the ransomware sublimit, what costs it applies to, and the negotiability of the percentage at remarket.

Incident-response panel

Panel composition, pre-approved breach counsel, forensic firms, and the company’s existing vendor relationships. Where panel additions are needed, we document them at bind, not at claim.

Dependent and contingent BI

Coverage when a key vendor goes down. Sublimit, scheduled vs unscheduled treatment, and the waiting period before BI begins to accrue.

Social engineering coverage

The fraudulent instruction sublimit, verification protocol requirements that would void coverage, and the overlap with the crime policy’s social engineering grant.

Underwriting controls compliance

MFA, EDR, segregated backups, and the application warranties that activate exclusions if the controls described at bind are not maintained at claim.

When this matters

Triggers we hear before renewal.

• A near-miss incident or a wire fraud attempt revealed weaknesses in the existing program.
• A customer’s vendor security review demands cyber limits or wording you do not currently have.
• The carrier proposed a new exclusion at renewal and the broker doesn’t have a counter.
• A compliance regime (SOC 2, ISO 27001, HIPAA, GLBA) has changed the data exposure profile.
• Major IT change: cloud migration, new payment processor, or a dependency on a single SaaS platform.

FAQ

Common questions about cyber liability.

What's the difference between first-party and third-party cyber coverage?

First-party cyber covers the insured's own losses: forensic investigation, notification, credit monitoring, business interruption from a network event, and ransomware payments. Third-party cyber covers liability the insured owes to others, including regulatory fines and penalties (where insurable), defense and settlement of privacy claims, and PCI assessments. A complete program needs both grants. Many older or stripped-down forms emphasize one and underweight the other.

How do sublimits actually work in cyber?

A cyber policy with a $5M policy aggregate may have sublimits of $1M for ransomware, $500K for business email compromise, $250K for regulatory defense, and $100K for PCI. The headline limit is not what is actually available for any specific event type. The sublimits are where coverage either holds or fails. We map the sublimits against the company's actual exposure profile, not the marketing summary.

What is the war exclusion and why is it back in the news?

Most cyber policies exclude losses arising from war and hostile acts. After NotPetya, courts have been asked whether nation-state cyber attacks fall under traditional war exclusions written for kinetic conflict. The Merck v. Ace decision in New Jersey ruled the exclusion did not apply to NotPetya. Carriers responded by introducing cyber-specific war exclusions and hostile-act language. The wording your policy carries today is materially different from what it carried five years ago, and we read it line by line.

What is ransomware coinsurance?

Several carriers now apply coinsurance, typically 20% to 50%, on the ransomware sublimit. The insured shares in the cost of the ransom payment and often the related forensics and recovery. Coinsurance was uncommon before 2021. It is now common enough that any program last reviewed before then likely has coinsurance language the insured has not absorbed.

Why does the incident-response panel matter?

When a cyber event occurs, the carrier expects you to use vendors from its panel: breach counsel, forensic firms, and notification providers. Using off-panel vendors, even ones the company already has retainers with, can result in reduced reimbursement. We confirm the panel composition matches the vendors the company would actually want to use, and we negotiate panel additions where the existing panel doesn't include the firm's preferred breach counsel.

How does dependent business interruption work in cyber?

Dependent business interruption, sometimes called contingent BI, covers the insured's loss when a key vendor or supplier suffers a network event that takes them offline. For companies that depend on a single SaaS provider, payment processor, or logistics platform, dependent BI is often the most valuable feature in the program. Many forms either exclude it, sublimit it heavily, or require the dependent provider to be specifically scheduled.