Data breach, ransomware, CCPA liability, and business interruption coverage for California businesses. Standard GL and property policies don't cover cyber events — this does.
Coverage Components
A complete cyber policy covers your own losses (first-party) and claims from others (third-party). Here's what each component does.
Covers ransom payments, decryption specialist fees, system restoration, and business interruption while systems are locked. Average ransomware demand exceeded $1.5M in 2024.
Covers forensic investigation to identify the breach, breach notification to affected individuals (required by California law), credit monitoring for affected parties, and public relations costs.
Covers lost income and ongoing expenses when a cyber event forces system downtime. A ransomware attack that shuts down operations for 5 days can cost more than the ransom itself.
Covers customer lawsuits when their personal data is compromised by a breach you suffer. Under California's CCPA, affected individuals can sue for up to $750 per consumer per incident.
Covers CCPA regulatory investigations, defense costs, and fines imposed by the California Privacy Protection Agency (CPPA). Also covers PCI-DSS fines for payment card breaches.
Technology errors & omissions covers claims from failures of technology products or services you provide to others — a software bug, system outage, or implementation failure that damages a client.
California's Consumer Privacy Act gives individuals the right to sue businesses directly for data breaches — creating liability exposure most California businesses have never quantified.
Businesses that collect personal information from California consumers AND meet any of: $25M+ annual gross revenue, buy/sell data on 100,000+ consumers, or derive 50%+ of revenue from selling consumer data.
Unlike most privacy laws, CCPA gives individuals a direct right to sue businesses for unencrypted personal data breaches — without needing to prove actual damages. Statutory damages of $100-$750 per consumer per incident.
CCPA-related breach response costs, regulatory defense and investigation, class action defense and settlements, and the forensic investigation required to determine breach scope.
The California Privacy Protection Agency actively investigates CCPA violations and can initiate civil actions independently. Cyber insurance covers regulatory defense and the resulting fines.
Coverage Explorer
By Industry
Every industry has different cyber exposures, regulatory requirements, and coverage priorities.
Cyber insurers now actively assess your security posture. Missing key controls can result in coverage denial or much higher premiums.
Multi-factor authentication (MFA) is required on email, remote access (VPN), and privileged accounts. It is the #1 underwriting requirement — missing MFA is a coverage disqualifier at most carriers.
Backups not connected to the main network. Ransomware encrypts connected backups. Offline backups are what actually restore your systems.
Advanced endpoint security that detects threats in real time. Basic antivirus is no longer sufficient — carriers want EDR or MDR.
Controls on admin and privileged accounts. Attackers target these accounts first — limiting their access limits the blast radius of a breach.
Phishing is the #1 entry point for attacks. Regular training reduces phishing click rates and improves incident response.
A documented plan for responding to a cyber incident. Carriers want to know you won't waste precious hours figuring out who to call.
Coverage Gap
| Cyber Event / Loss | GL Policy | Property Policy | Cyber Insurance |
|---|---|---|---|
| Ransomware payment & recovery | Excluded | Excluded | ✓ Covered |
| Business interruption from system outage | Excluded | Excluded | ✓ Covered |
| Data breach notification costs | Excluded | Excluded | ✓ Covered |
| Customer lawsuits for data breach (CCPA) | Excluded | Excluded | ✓ Covered |
| Regulatory fines — CCPA / CPPA | Excluded | Excluded | ✓ Covered |
| Forensic investigation costs | Excluded | Excluded | ✓ Covered |
| Wire fraud / social engineering loss | Excluded | Excluded | Add-on endorsement |
| Physical damage to servers from power surge | Excluded | ✓ Equipment breakdown | Some policies include |
Serving All of California
We serve California businesses statewide — from solo professionals to enterprise operations.
FAQ
Cyber insurance covers first-party losses (your direct losses) and third-party liability (claims from others). First-party: ransomware payments and recovery, business interruption from system downtime, data recovery, breach notification, and PR costs. Third-party: customer lawsuits for data breaches, CCPA regulatory fines and defense, PCI-DSS penalties for payment card breaches.
CCPA doesn't explicitly require it, but it creates massive liability exposure that makes it essential. CCPA allows individuals to sue businesses for data breaches — up to $750 per consumer per incident in statutory damages without needing to prove actual harm. A breach affecting 50,000 California consumers could produce $37.5M in statutory claims. Cyber insurance covers CCPA breach response, regulatory defense, and settlements.
No. Standard GL and property policies explicitly exclude cyber events. Some older GL policies have ambiguous cyber language, but modern policies contain specific cyber exclusions. Cyber insurance is a standalone policy specifically designed for technology-related risks that GL and property policies don't cover.
Yes. Over 60% of ransomware attacks target small and mid-size businesses. Small businesses are often targeted because they have fewer security resources. Any California business that stores customer data, processes payments, or relies on computer systems should have cyber insurance. A ransomware attack that shuts down operations for a week can cost more than a year's worth of cyber insurance premiums.
Most carriers now require: multi-factor authentication (MFA) on email and remote access, offline or immutable backups, endpoint detection and response (EDR) tools, and privileged access management. Missing MFA is a coverage disqualifier at most standard carriers. We review your security posture before placement and match you to carriers appropriate for your controls.
A small California business (under $5M revenue) with basic security controls might pay $800-$2,500/year for $1M in coverage. Mid-size businesses ($5M-$50M revenue) typically pay $2,500-$15,000/year. Healthcare and financial services businesses pay more due to regulatory exposure. Businesses with strong security controls — especially MFA and offline backups — get significantly better rates.
Cyber insurance covers incidents that happen to your business — data breaches, ransomware, business interruption. Tech E&O (errors & omissions) covers claims from failures of technology products or services you provide to clients — a software bug, missed deadline, or implementation error that damages a client. Technology companies typically need both, and many carriers offer them as a combined policy.
We review your security posture, identify coverage gaps, and compare 350+ carriers to find the right cyber policy — at the best available rate for your security controls.