Cyber Liability Insurance: Why It's Now a COI Requirement
Inori Team
COI Compliance Experts
Your property management company gives a vendor remote access to your building management system so they can maintain the HVAC controls. Six months later, that vendor's network is compromised by ransomware. The attackers use the vendor's credentials to move laterally into your BMS, locking you out of heating and cooling controls for 47 properties in the middle of January. Tenants are displaced. Emergency HVAC contractors are brought in at premium rates. Three tenants file breach-of-lease claims.
The vendor's Commercial General Liability policy does not cover this. CGL covers bodily injury and property damage from physical events — not network intrusions, data breaches, or system outages caused by cyberattacks. The vendor's Professional Liability policy might partially respond, but only if the cyber event arose from a professional services failure, and even then, coverage is limited.
Cyber Liability insurance exists precisely for this scenario. And it is rapidly becoming a standard requirement in vendor compliance programs.
What Cyber Liability Insurance Covers
Cyber Liability policies vary more than traditional commercial lines because the market is newer and less standardized. However, most policies cover two broad categories: first-party losses (the insured's own costs) and third-party claims (lawsuits and regulatory actions from others).
First-Party Coverages
Data Breach Response. The immediate costs of responding to a data breach: forensic investigation to determine the scope and cause, notification to affected individuals (required by state breach notification laws), credit monitoring services, call center operations, and public relations/crisis management. These costs can easily exceed $200 per affected record, so a breach involving 50,000 records can generate $10 million in response costs alone.
Business Interruption. Loss of income and extra expenses resulting from a cyber event that disrupts the insured's operations. If ransomware shuts down a vendor's systems for two weeks, their cyber policy covers the revenue they lost and the extra costs they incurred to maintain operations (temporary systems, overtime labor, expedited recovery services).
Ransomware and Cyber Extortion. Coverage for ransom payments (where legal and where the insurer agrees to pay), negotiation costs (specialized firms that handle ransom negotiations), and associated forensic and recovery expenses. This coverage has become increasingly contentious as ransomware payments have escalated, with some insurers imposing sub-limits or requiring pre-approval.
Data Recovery. Costs to restore, recreate, or recover data and software that was damaged, destroyed, or corrupted by a cyber event. This includes not just backup restoration but the labor and systems required when backups are incomplete or compromised.
Regulatory Fines and Penalties. Coverage for fines and penalties assessed by regulatory bodies (state attorneys general, HHS for HIPAA violations) and, usually as a separate insuring agreement, PCI fines and assessments levied by the card brands through the acquiring bank (these are contractual penalties rather than regulatory fines, and are often sub-limited). This coverage is subject to insurability — some jurisdictions do not allow insurance to cover regulatory fines, and policies typically exclude intentional violations.
Third-Party Coverages
Privacy Liability. Defense and indemnity for lawsuits alleging failure to protect personally identifiable information (PII), protected health information (PHI), or other sensitive data. Class action lawsuits following major data breaches routinely generate eight-figure settlements.
Network Security Liability. Defense and indemnity for claims arising from a security failure on the insured's network that causes damage to a third party. This is the coverage that responds when a vendor's compromised systems are used to attack your network — the third-party claim from you against the vendor.
Media Liability. Coverage for claims arising from the insured's digital content: defamation, copyright infringement, invasion of privacy through online publications. This coverage overlaps with the advertising injury provisions of a CGL policy but extends to digital-specific exposures.
Regulatory Proceedings. Defense costs for regulatory investigations and proceedings, including responding to subpoenas, providing testimony, and negotiating consent orders. This is separate from the fines themselves — even where fines are not insurable, the cost of defending against the regulatory action is typically still covered.
First-Party vs. Third-Party: Why Both Matter
When requiring cyber coverage from a vendor, the distinction between first-party and third-party coverage matters.
First-party coverage protects the vendor. If the vendor is breached, their first-party coverage pays for their forensic investigation, their notification obligations, their business interruption. This helps the vendor survive the event and continue serving you, but it does not directly compensate you for your losses.
Third-party coverage protects you. If the vendor's cyber event causes you harm — your data is exposed, your systems are compromised, your operations are disrupted — the vendor's third-party cyber coverage is what responds to your claim against the vendor.
Both matter. First-party coverage ensures the vendor can respond to and recover from a cyber event (an uninsured vendor who suffers a major breach may go out of business, leaving you with no recourse). Third-party coverage ensures that when the vendor's cyber failure causes you harm, there is a policy to pay your claim.
Standard Limits
Cyber Liability limits vary significantly by industry, company size, and risk profile. However, common benchmarks for vendor requirements include:
$1,000,000 — Minimum for low-risk vendors with limited access to your data or systems. Appropriate for vendors who handle minimal PII and have no direct network access.
$2,000,000 to $5,000,000 — Standard for vendors with meaningful access to sensitive data, building systems, financial records, or tenant information. This is the range most property management and commercial real estate firms require.
$5,000,000 to $10,000,000 — Required for vendors handling large volumes of PII, providing critical technology infrastructure, or managing payment processing systems.
Unlike CGL limits, which have been relatively stable for decades, cyber limits are still evolving as the market matures and claim frequency and severity data accumulates. What was considered adequate coverage five years ago may be insufficient today.
Sub-limits and retentions
Cyber policies frequently impose sub-limits on specific coverages, particularly ransomware/extortion, regulatory fines, and PCI assessments. A policy with a $5M aggregate may have a $1M sub-limit on ransomware payments. Also verify the retention (deductible) — cyber retentions have increased substantially in recent years, with $50,000 to $250,000 retentions now common for mid-market policies.
Which Vendors Need Cyber Liability
Not every vendor needs cyber coverage. The determining factor is whether the vendor has access to your sensitive data, your technology systems, or your network infrastructure.
Always Require Cyber Coverage
- IT service providers — Managed service providers, cloud vendors, software-as-a-service platforms, network infrastructure providers. These vendors have direct access to your systems and often hold administrative credentials.
- Property management software vendors — Tenant management systems, building automation platforms, access control systems. These vendors process tenant PII and may have network connectivity to building systems.
- Payroll and HR service providers — These vendors handle Social Security numbers, bank account information, and tax records. A breach at a payroll provider exposes your employees directly.
- Payment processors — Any vendor that processes credit card payments or handles financial account information on your behalf. PCI compliance obligations flow through to these vendors.
- Legal and accounting firms — These vendors hold confidential business information, financial records, and litigation materials. A breach at your law firm can be as damaging as a breach at your own company.
Consider Requiring Cyber Coverage
- Janitorial and maintenance vendors with access to building management systems or access control credentials.
- Security companies that manage camera systems, alarm monitoring, or access control databases.
- Marketing agencies that manage your website, email lists, or tenant communication platforms.
- Staffing agencies that process employee applications and background check data.
Generally Not Required
- Vendors with no data or system access — A landscaping company, a window washing service, a snow removal contractor. These vendors interact with your physical property, not your data or systems. CGL, Auto, and WC are sufficient.
How to Verify Cyber Coverage on a COI
Cyber Liability presents a verification challenge because it has no pre-printed section on the standard ACORD 25 certificate. The ACORD 25 was designed for traditional commercial lines: GL, Auto, WC, Umbrella. It does have blank rows for additional coverages, but no dedicated cyber fields, so the producer decides where and how to show it. Cyber Liability is typically documented in one of three ways:
ACORD 25 — Description of Operations
Some producers document cyber coverage in the Description of Operations section of the standard ACORD 25, listing the cyber policy number, carrier, limits, and policy period. This works but provides minimal detail.
ACORD 28 — Evidence of Property Insurance
Some producers use the ACORD 28 form for cyber coverage, particularly when the policy includes first-party coverages (data recovery, business interruption). This is technically a misapplication of the form but occurs in practice.
Separate Certificate or Evidence of Coverage
Many cyber carriers issue their own certificate format that is not an ACORD form at all. This is the most common approach and provides the most detail about the specific coverages and limits.
When verifying cyber coverage, request:
- Policy number and carrier name — Verify the carrier is rated (AM Best A- or better). Note that a large share of cyber coverage is written on a non-admitted (surplus lines) basis; requiring an admitted carrier in the applicable state will disqualify many legitimate policies, so check that a non-admitted carrier is at least an eligible surplus lines insurer in that state.
- Policy period — Confirm the policy is current and covers the relevant work period.
- Per-claim (or per-occurrence) and aggregate limits — Cyber policies are usually written with a per-claim limit rather than a per-occurrence limit. Verify both the per-claim and aggregate limits meet your requirements, and check the sub-limits on the coverages you care about (ransomware, regulatory, PCI).
- Coverage confirmation — Confirm that both first-party and third-party coverages are included.
- Retroactive date — Cyber policies are typically claims-made. The retroactive date must precede the start of the vendor relationship.
The Claims-Made Challenge
Unlike CGL, which is predominantly occurrence-based, virtually all Cyber Liability policies are written on a claims-made basis. This means the policy only responds to claims first made against the insured and reported to the carrier during the policy period, and only for events that occurred on or after the retroactive date. The date the claim is made, not the date of the breach, determines which policy (if any) is triggered.
For vendor compliance, this creates specific concerns:
Retroactive date gaps. If a vendor switches cyber carriers and the new policy has a retroactive date that does not reach back to the start of the vendor relationship, claims arising from events during the gap period are not covered.
Tail coverage. If the vendor relationship ends, the vendor may not renew their cyber policy (or may switch carriers with a new retroactive date). Claims arising from events during the relationship but first made after the policy ends are not covered by the expired policy — unless the vendor purchases an Extended Reporting Period (tail), which extends the window for reporting claims for events that occurred before expiry.
When requiring cyber coverage from vendors, specify that the retroactive date must predate the start of the vendor relationship, and consider requiring tail coverage if the relationship terminates.
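The verification checklist above and the claims-made gap scenarios are easy to get wrong by hand, because which policy responds depends on three dates (event, claim report, retroactive) rather than one. The following Python example is added here to make that logic concrete; it is not code from the original page or from Inori. The carriers, policy numbers, ratings, limits and dates are constructed for illustration, and the AM Best grade ordering is a simplified assumption. It models the claims-made trigger, scans a vendor relationship for event dates that no policy in the vendor's history would respond to, and applies the certificate checks (rating, policy period, limits, sub-limits, retroactive date).

```python
"""Claims-made cyber coverage checks for vendor COI review.

Added example (not the page's or Inori's code). All policies, carriers,
ratings, limits and dates are constructed for illustration.
"""
from dataclasses import dataclass, field, replace
from datetime import date, timedelta
from typing import Optional

# Simplified AM Best financial strength ordering, best first (assumption);
# the "A- or better" threshold is the page's own criterion.
AM_BEST_ORDER = ["A++", "A+", "A", "A-", "B++", "B+", "B", "B-"]


@dataclass
class CyberPolicy:
    carrier: str
    carrier_rating: str            # AM Best grade as shown by the producer
    policy_number: str
    period_start: date
    period_end: date               # inclusive
    retro_date: date               # events before this date are excluded
    per_claim_limit: int
    aggregate_limit: int
    sublimits: dict = field(default_factory=dict)  # e.g. {"ransomware": 500_000}
    erp_end: Optional[date] = None  # end of a purchased Extended Reporting Period


def policy_responds(p: CyberPolicy, event_date: date, report_date: date) -> bool:
    """Claims-made trigger: the claim must be reported inside the policy period
    (or the tail) and the event must fall on/after the retro date. During a
    tail only events that occurred before expiry are reportable."""
    if event_date < p.retro_date or event_date > report_date:
        return False
    if p.period_start <= report_date <= p.period_end:
        return True
    return bool(p.erp_end and p.period_end < report_date <= p.erp_end
                and event_date <= p.period_end)


def responding_policy(policies, event_date, report_date) -> Optional[CyberPolicy]:
    """First policy in the vendor's history that would respond, else None."""
    return next((p for p in policies if policy_responds(p, event_date, report_date)), None)


def uncovered_event_windows(policies, rel_start, rel_end, report_date):
    """Scan each event date in the relationship and merge the dates for which
    no policy would respond to a claim reported on report_date."""
    windows, gap_start, prev, d = [], None, None, rel_start
    while d <= min(rel_end, report_date):
        covered = responding_policy(policies, d, report_date) is not None
        if not covered and gap_start is None:
            gap_start = d
        if covered and gap_start is not None:
            windows.append((gap_start, prev))
            gap_start = None
        prev, d = d, d + timedelta(days=1)
    if gap_start is not None:
        windows.append((gap_start, prev))
    return windows


def check_certificate(p, *, as_of, rel_start, min_per_claim, min_aggregate,
                      min_sublimits=None, min_rating="A-"):
    """Apply the verification checklist; return a list of findings (empty = pass)."""
    rank = lambda r: AM_BEST_ORDER.index(r) if r in AM_BEST_ORDER else len(AM_BEST_ORDER)
    findings = []
    if rank(p.carrier_rating) > rank(min_rating):
        findings.append(f"carrier {p.carrier} rated {p.carrier_rating}, below {min_rating}")
    if not (p.period_start <= as_of <= p.period_end):
        findings.append(f"policy {p.policy_number} not in force on {as_of}")
    if p.per_claim_limit < min_per_claim:
        findings.append(f"per-claim limit {p.per_claim_limit:,} below {min_per_claim:,}")
    if p.aggregate_limit < min_aggregate:
        findings.append(f"aggregate limit {p.aggregate_limit:,} below {min_aggregate:,}")
    for cov, floor in (min_sublimits or {}).items():
        have = p.sublimits.get(cov, p.aggregate_limit)  # no sub-limit => full aggregate
        if have < floor:
            findings.append(f"{cov} sub-limit {have:,} below {floor:,}")
    if p.retro_date > rel_start:
        findings.append(f"retro date {p.retro_date} is after relationship start {rel_start}")
    return findings


# Constructed scenario: vendor switches carriers mid-relationship.
REL_START = date(2023, 1, 1)
ALPHA = CyberPolicy("Alpha Mutual", "A", "CYB-0001", date(2023, 1, 1), date(2023, 12, 31),
                    date(2023, 1, 1), 2_000_000, 2_000_000, {"ransomware": 500_000})
BETA_NO_PRIOR_ACTS = CyberPolicy("Beta Specialty", "A-", "CYB-0002", date(2024, 1, 1),
                                 date(2024, 12, 31), date(2024, 1, 1), 2_000_000, 2_000_000)
BETA_FULL_PRIOR_ACTS = replace(BETA_NO_PRIOR_ACTS, retro_date=REL_START)
ALPHA_WITH_TAIL = replace(ALPHA, erp_end=date(2024, 12, 31))
EVENT = date(2023, 9, 15)     # vendor compromised; attackers pivot into the BMS
REPORTED = date(2024, 3, 1)   # claim first made against the vendor

if __name__ == "__main__":
    for label, hist in [("new retro date, no tail", [ALPHA, BETA_NO_PRIOR_ACTS]),
                        ("old carrier tail purchased", [ALPHA_WITH_TAIL, BETA_NO_PRIOR_ACTS]),
                        ("new carrier full prior acts", [ALPHA, BETA_FULL_PRIOR_ACTS])]:
        p = responding_policy(hist, EVENT, REPORTED)
        print(f"{label}: {p.policy_number if p else 'NO COVERAGE'}")
    print(uncovered_event_windows([ALPHA, BETA_NO_PRIOR_ACTS], REL_START, date(2024, 6, 30), REPORTED))
    print(check_certificate(BETA_NO_PRIOR_ACTS, as_of=REPORTED, rel_start=REL_START,
                            min_per_claim=2_000_000, min_aggregate=2_000_000,
                            min_sublimits={"ransomware": 1_000_000}))
```

The first scenario is the gap the text warns about: the old policy has expired with no tail and the new one's retroactive date is its own inception, so a 2023 event claimed in 2024 falls to neither carrier even though the vendor was "continuously insured". Either a tail on the old policy or full prior-acts coverage on the new one closes it, and `check_certificate` flags the new policy's late retroactive date on the certificate itself, before a claim ever arises.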
Cyber Liability in the COI Landscape
Cyber Liability insurance is where the COI industry was with Professional Liability 20 years ago — a specialized coverage that is rapidly becoming standard. The shift is driven by the reality that cyber risk is no longer a technology problem confined to IT departments. It is an operational risk that affects every vendor relationship involving data or system access.
For compliance programs, adding cyber to the requirement set means adapting verification processes to handle non-standard certificate formats, claims-made policy structures, and rapidly evolving coverage terms. It also means educating internal stakeholders on why a vendor that passes every traditional insurance requirement may still present unacceptable risk if they lack cyber coverage.
Automate vendor compliance verification
Inori verifies GL, Auto, WC, and Umbrella compliance in under 30 seconds. Cyber Liability verification is coming soon — join the waitlist to be notified when it launches.