Most vendor compliance programs were built around a world where the primary risks were physical: a contractor injured on your premises, a vendor’s vehicle involved in an accident, property damage caused during a service call. Commercial general liability covers those risks well. It was designed for them.
It was not designed for a vendor who stores your customer records in a cloud environment that gets breached. Or a payroll processor hit with ransomware that exposes employee data. Or an IT managed services provider whose credentials are compromised and used to access your network.
These are not edge cases anymore. Third-party vendor breaches are now among the most common sources of data exposure, and the financial consequences extend well beyond the vendor to every organization whose data they held. Yet a significant number of vendor compliance programs still treat cyber liability as an afterthought, if they address it at all.
This post covers what cyber liability insurance actually covers, why general liability does not fill the gap, which vendors should carry it, what limits are reasonable to require, and what to look for when reviewing a certificate.
What General Liability Does Not Cover
Commercial general liability insurance covers bodily injury, property damage, and personal and advertising injury. When the form was designed, courts and insurers did not treat data as property in the legal sense, and cyberattacks were not a meaningful exposure category.
Standard CGL policies today either exclude cyber-related losses explicitly or cover them so narrowly that the coverage provides little practical protection. A data breach at a vendor does not cause bodily injury. The resulting regulatory fines, notification costs, legal defense, and liability to affected individuals fall outside what a CGL policy is built to pay.
Some vendors carry a cyber endorsement added to a general liability policy rather than a standalone cyber policy. These endorsements range from meaningful to essentially cosmetic. A brief rider with a $100,000 sublimit does not provide the same protection as a purpose-built cyber policy with first-party and third-party coverage at appropriate limits. When reviewing vendor coverage, the presence of any cyber language on a certificate of insurance (COI) is not sufficient on its own. The form, structure, and limits of the coverage matter considerably.
What Cyber Liability Insurance Actually Covers
A standalone cyber liability policy is typically structured around two categories of coverage.
First-party coverage addresses losses the vendor incurs directly as a result of a cyber incident. This includes costs to investigate the breach and identify what was affected, legal and regulatory costs associated with notifying affected individuals and regulators, credit monitoring services for affected individuals, ransomware payments and associated costs, business interruption losses during system recovery, and costs to restore or recreate data and systems.
Third-party coverage addresses claims brought against the vendor by others harmed by the incident. This is the coverage that matters most from your perspective as a client organization. If a vendor breach exposes your customers’ data and those customers bring claims against your organization, you want the vendor’s cyber policy to be the one that responds to the resulting liability and defense costs, whether through claims you bring against the vendor or, where you are an additional insured, directly. Third-party cyber coverage typically includes network security and privacy liability, regulatory defense and fines where insurable by law, and media liability for certain content-related claims.
The distinction matters when setting your requirements. A vendor with robust first-party coverage but limited third-party coverage may be well-protected for their own losses while leaving you exposed for downstream consequences.
Which Vendors Should Carry Cyber Liability
Not every vendor relationship creates meaningful cyber exposure. A vendor who installs equipment at your facility and has no access to your data or systems presents a different risk profile from one who processes your payroll or hosts your customer database.
The practical question to ask for each vendor relationship is whether the vendor has access to, processes, stores, or transmits any of the following on your behalf: personally identifiable information (PII), protected health information (PHI), payment card data, employee records, financial data, or access credentials to your systems or networks.
If the answer is yes to any of these, cyber liability coverage should be a standard requirement for that vendor relationship. Categories of vendors that commonly trigger this threshold include:
IT managed services providers and cloud hosting vendors, who often have broad access to systems and data across their client base. A breach at a managed services provider can cascade to every organization they support simultaneously.
Payroll and HR technology vendors, who process employee PII, tax information, and banking data as a core function of their service.
Benefits administrators and healthcare vendors, who handle PHI and are subject to HIPAA requirements that create specific breach notification and liability obligations.
Software as a service vendors whose platforms store or process client data, customer records, or transaction histories.
Financial services vendors, including accounting firms, payment processors, and collections agencies, who handle sensitive financial data and payment card information.
Marketing and data analytics vendors who receive customer data for campaign management, segmentation, or analysis.
The vendor does not need to be a technology company to trigger this threshold. A staffing agency that maintains employee records, a logistics provider that handles customer shipment data, or a document management firm that stores sensitive records all present meaningful cyber exposure depending on what data they hold and how they secure it.
What Limits Are Reasonable to Require
Cyber insurance limits have evolved significantly as the cost of breaches has increased. The average cost of a data breach now exceeds $4 million per incident according to industry research, and that figure does not capture the full downstream cost to organizations whose data was held by the breached vendor.
A reasonable starting point for vendor cyber liability requirements by risk tier:
For standard vendors with access to limited PII or non-sensitive data, a minimum of $1 million per occurrence and in the aggregate is a common baseline. This covers most smaller incidents but may be inadequate if the vendor holds large volumes of customer data.
For vendors with access to significant volumes of PII, payment card data, or employee records, $2 million to $5 million is a more appropriate threshold. The volume of records the vendor holds on your behalf is the most relevant factor: a breach exposing 50,000 customer records creates a different liability exposure than one exposing 500.
For vendors handling PHI, processing high volumes of financial transactions, or serving as a managed services provider with broad system access, $5 million or higher is increasingly standard. Healthcare and financial services organizations often require $10 million or more from vendors with deep data access.
Sublimits are a critical detail that the face limit alone does not reveal. A $2 million cyber policy with a $250,000 ransomware sublimit provides $250,000 of effective ransomware coverage, not $2 million. Common sublimits to ask about include ransomware and extortion, social engineering fraud, forensic investigation costs, and business interruption. If these sublimits are materially lower than the face amount, the practical coverage may be significantly less than the headline limit suggests.
What to Look for on a COI
Cyber liability coverage does not appear on the standard ACORD 25 form in a dedicated section the way general liability or workers’ compensation does. It is typically listed in the additional coverages or description of operations section, or on a separate ACORD 101 (Additional Remarks) form attached to the certificate.
When reviewing a COI for cyber coverage, verify the following:
The coverage is listed explicitly. Vague references to “technology coverage” or a cyber endorsement on a general liability policy are not the same as a standalone cyber liability policy. If the description is ambiguous, request clarification from the vendor about the specific policy form and whether it includes both first-party and third-party coverage.
The policy limits meet your requirements. Confirm both the per-occurrence and aggregate limits, and ask about sublimits for key coverage categories if the relationship warrants it.
The policy is claims-made. Cyber liability policies are almost universally written on a claims-made form. This means the retroactive date and continuity considerations discussed in the occurrence versus claims-made post in this series apply here as well. The retroactive date should predate the start of your vendor engagement. For vendors with long-standing access to your data, a retroactive date that does not go back to the beginning of the relationship creates a gap.
Your organization is named as an additional insured or the policy includes third-party liability. Some cyber policies do not extend additional insured status in the same way as a CGL policy. Verify with the vendor how their policy addresses your organization’s downstream exposure if their breach affects your data or your customers.
The policy includes a waiver of subrogation in your favor. Without it, the vendor’s insurer can pursue recovery against your organization after paying a claim, even in situations where the breach originated at the vendor.
Contract Language for Cyber Liability Requirements
The same principles from the broader contract language discussion apply here. Weak language leaves you without enforceable requirements. The following shows the gap.
Weak language:
Vendor shall maintain appropriate cyber liability insurance throughout the term of this Agreement.
“Appropriate” is undefined and unverifiable. The clause is effectively unenforceable because there is no standard against which to measure compliance, and no stated limit, coverage component, or retroactive date to check on the certificate.
Strong language:
Vendor shall obtain and maintain Cyber Liability insurance, including both first-party and third-party coverage, with limits of not less than $[X] per occurrence and $[X] in the aggregate. Coverage shall include network security and privacy liability, regulatory defense costs, data breach response costs, and business interruption. Vendor shall ensure that the retroactive date of any claims-made cyber policy is no later than the commencement date of services under this Agreement. Vendor shall cause Client to be named as an additional insured on the third-party liability component of such policy, and shall obtain a waiver of subrogation in favor of Client from its insurer. Upon expiration or termination of this Agreement, Vendor shall maintain tail coverage for a period of not less than three (3) years.
The strong version specifies coverage components, sets a defined limit threshold, addresses the retroactive date, requires additional insured status, mandates a waiver of subrogation, and includes the tail coverage obligation that is especially important given that cyber claims often surface long after the incident occurred.
A Note on Vendor Cyber Hygiene
Cyber liability insurance transfers financial risk. It does not prevent a breach. For vendors with significant data access, insurance requirements should sit alongside basic diligence about the vendor’s security posture: whether they maintain multi-factor authentication, how they handle data encryption, what their incident response procedures look like, and whether they have experienced prior breaches.
Insurance is the backstop. The goal is not to need it.
Clarita tracks cyber liability alongside all other vendor insurance requirements, flagging gaps in coverage, retroactive date issues, and missing endorsements so your compliance team can focus on resolution rather than discovery. If your program covers vendors who touch sensitive data, request early access.