Most firms assume that if something goes wrong with their data, one of the policies they already pay for will catch it. Insurers have spent years making sure that assumption is wrong. Cyber exclusions have been added quietly across general liability, crime, and property, usually at renewal, usually without much fanfare. The result is a firm that carries a full stack of business insurance and still has no coverage for the one event that actually happened. If you are weighing whether the exposure applies to you, do professional firms need cyber insurance is the companion piece. This article is about where the exclusions hide.
The exclusion you never noticed
Coverage rarely disappears with an announcement. It disappears with an endorsement. Over the past several renewal cycles, carriers across the market have added language that removes data breach and electronic events from policies that used to be silent on the subject. Silence, in older forms, sometimes worked in the firm’s favor. That is what the new exclusions close off. Because the change arrives as one more page in a renewal packet nobody reads closely, the firm keeps paying similar premiums and assumes it has similar coverage. It does not. The policy got narrower while looking the same.
General liability
General liability was never built for privacy, notification, or data. It answers bodily injury and property damage. Even so, firms have long reached for it after a breach, hoping the broad language would stretch. Many general liability policies now carry explicit exclusions that shut that door, removing coverage for data breaches and electronic events outright. Between a policy that was not designed for the exposure and an exclusion that formally removes it, general liability is generally not where a breach claim lands.
Crime and property
The other two policies owners reach for fail for their own reasons. Crime coverage is generally built for employee theft and specific kinds of fraud, and many crime policies now carry cyber or computer fraud exclusions or squeeze these losses into tight sublimits. A cyber event can slip right between what crime covers and what it excludes. Property coverage has a different mismatch. It generally pays for physical damage to tangible property, and data is often not treated as tangible property, so a breach or a ransomware event usually does not fit the form. Many property policies now add cyber exclusions on top of that structural gap. Three policies, three different reasons the claim does not stick.
The gap that is left
Line the three up and the hole is obvious. General liability excludes it or was never built for it. Crime excludes it or sublimits it. Property does not treat data as covered property. A single breach can fall outside all three at once, which is exactly what surprises firms that thought carrying more policies meant carrying more protection. The gap is not an accident. It is the market deliberately moving cyber exposure into its own line.
What standalone cyber is for
A standalone cyber policy exists to fill that space. Depending on the policy, it generally responds to the breach itself, which can include response and notification costs, privacy liability, and business interruption from a cyber event, subject to your terms. It is not a rider hoping to stretch. It is coverage built for the exposure the other policies now push out. One clarification worth making: cyber is not the same as technology E&O. Cyber generally covers your own breach and privacy exposure, while technology E&O generally covers claims that your professional tech work harmed a client. Many firms need both, and technology E&O vs cyber insurance sorts out which does what.
Questions to ask your advisor
- Has a cyber exclusion been added to my general liability at any recent renewal?
- Does my crime policy exclude or sublimit computer fraud and cyber events?
- Would my property policy treat lost or breached data as covered property?
- If a breach happened tomorrow, which policy would actually respond?
- Do I need standalone cyber, technology E&O, or both for the way I handle data?
The exclusions are quiet by design, which is why they surprise firms at the worst time. A firm that reads its endorsements and confirms where cyber actually sits is insuring the event it might face, not the one its old policies used to cover.
Want guidance first? Compare your coverage. Already know what you need? Get a quote.