Hablamos Español Insurance Companies We Work With
Learning Center

Cyber Exclusions Hiding in Your Other Policies, and the Gap Standalone Cyber Fills

By Richard Sweet. Reviewed by Richard Sweet. Updated July 7, 2026.

Already know you need this? Get a quote Compare your coverage →

Most firms assume that if something goes wrong with their data, one of the policies they already pay for will catch it. Insurers have spent years making sure that assumption is wrong. Cyber exclusions have been added quietly across general liability, crime, and property, usually at renewal, usually without much fanfare. The result is a firm that carries a full stack of business insurance and still has no coverage for the one event that actually happened. If you are weighing whether the exposure applies to you, do professional firms need cyber insurance is the companion piece. This article is about where the exclusions hide.

The exclusion you never noticed

Coverage rarely disappears with an announcement. It disappears with an endorsement. Over the past several renewal cycles, carriers across the market have added language that removes data breach and electronic events from policies that used to be silent on the subject. Silence, in older forms, sometimes worked in the firm’s favor. That is what the new exclusions close off. Because the change arrives as one more page in a renewal packet nobody reads closely, the firm keeps paying similar premiums and assumes it has similar coverage. It does not. The policy got narrower while looking the same.

General liability

General liability was never built for privacy, notification, or data. It answers bodily injury and property damage. Even so, firms have long reached for it after a breach, hoping the broad language would stretch. Many general liability policies now carry explicit exclusions that shut that door, removing coverage for data breaches and electronic events outright. Between a policy that was not designed for the exposure and an exclusion that formally removes it, general liability is generally not where a breach claim lands.

Crime and property

The other two policies owners reach for fail for their own reasons. Crime coverage is generally built for employee theft and specific kinds of fraud, and many crime policies now carry cyber or computer fraud exclusions or squeeze these losses into tight sublimits. A cyber event can slip right between what crime covers and what it excludes. Property coverage has a different mismatch. It generally pays for physical damage to tangible property, and data is often not treated as tangible property, so a breach or a ransomware event usually does not fit the form. Many property policies now add cyber exclusions on top of that structural gap. Three policies, three different reasons the claim does not stick.

The gap that is left

Line the three up and the hole is obvious. General liability excludes it or was never built for it. Crime excludes it or sublimits it. Property does not treat data as covered property. A single breach can fall outside all three at once, which is exactly what surprises firms that thought carrying more policies meant carrying more protection. The gap is not an accident. It is the market deliberately moving cyber exposure into its own line.

What standalone cyber is for

A standalone cyber policy exists to fill that space. Depending on the policy, it generally responds to the breach itself, which can include response and notification costs, privacy liability, and business interruption from a cyber event, subject to your terms. It is not a rider hoping to stretch. It is coverage built for the exposure the other policies now push out. One clarification worth making: cyber is not the same as technology E&O. Cyber generally covers your own breach and privacy exposure, while technology E&O generally covers claims that your professional tech work harmed a client. Many firms need both, and technology E&O vs cyber insurance sorts out which does what.

Questions to ask your advisor

  • Has a cyber exclusion been added to my general liability at any recent renewal?
  • Does my crime policy exclude or sublimit computer fraud and cyber events?
  • Would my property policy treat lost or breached data as covered property?
  • If a breach happened tomorrow, which policy would actually respond?
  • Do I need standalone cyber, technology E&O, or both for the way I handle data?

The exclusions are quiet by design, which is why they surprise firms at the worst time. A firm that reads its endorsements and confirms where cyber actually sits is insuring the event it might face, not the one its old policies used to cover.

Want guidance first? Compare your coverage. Already know what you need? Get a quote.

What many people don't realize

The part that catches owners off guard

  • General liability, crime, and property increasingly exclude cyber.
  • The exclusions are often added quietly at renewal.
  • A data breach can fall outside all three at once.
  • Standalone cyber is built to fill that gap.
  • We check for cyber exclusions across your whole program.
The Vantage Point

What we see most often

Firms assume that if a cyber event happens, one of their existing policies will catch it. Insurers have spent years making sure that is no longer true. Cyber exclusions have been quietly added across general liability, crime, and property, and most owners never got the memo.

What we see most often is a firm that believes it is covered for a breach because it carries a full stack of business insurance, without realizing every policy in that stack has been endorsed to push cyber out. The coverage did not shrink loudly. It shrank at renewal, one exclusion at a time.

A real example

A professional firm suffered a data breach that exposed client records. It turned to its general liability policy first, then its property policy, then its crime policy, and each declined for a different reason tied to a cyber exclusion or a coverage that was never meant for data.

The firm had a stack of policies and still no coverage for the event that actually happened. A standalone cyber policy is built precisely for that gap, and having one would have given the firm a place to bring the claim.

Details changed to protect privacy. Shared to illustrate, not to promise an outcome.

Free, two-minute check

See where your coverage stands

Answer a few quick questions and get a clear read on your current coverage in about two minutes. We flag what is worth a closer look.

Compare your coverage
When to review

It may be time for a coverage review if:

  • You assume an existing policy would cover a breach
  • Your policies renewed and you did not read the endorsements
  • You handle client data but carry no standalone cyber policy
  • A vendor or client asked whether you carry cyber coverage
  • You are not sure where cyber sits across your program
Compare your coverage Get a quote
Frequently asked

Frequently asked

Does general liability cover a data breach?
Usually not anymore. Many general liability policies now include exclusions that remove coverage for data breaches and electronic events, and the coverage was not designed for privacy or notification costs in the first place. Assuming general liability responds to a breach is a common and costly misread.
Would my crime policy cover a cyber loss?
It depends, and often less than owners expect. Crime policies are generally built for employee theft and certain fraud, and many now carry cyber or computer fraud exclusions or tight sublimits. A cyber event can fall between what crime covers and what it excludes, which is part of why the gap exists.
What about my property policy?
Property policies generally cover physical damage to tangible property, and data is often not treated as tangible property. Many now add explicit cyber exclusions as well. A breach or a ransomware event usually does not fit what a property policy was built to pay.
So what does standalone cyber cover that these do not?
A standalone cyber policy is generally built for the breach itself. Depending on the policy, that can include response costs, notification, privacy liability, and business interruption from a cyber event, subject to your terms. It exists to fill the gap the other policies now exclude.
How is cyber different from technology E&O?
They overlap but are not the same. Technology E&O generally covers claims that your professional tech work caused a client a loss, while cyber generally covers your own breach and privacy exposure. Many firms need both, which the technology E&O versus cyber comparison explains in more detail.
RS
Written and reviewed by

Richard Sweet

Founder and Principal Advisor, Vantage Point Risk

Richard Sweet runs Vantage Point Risk, an independent insurance and risk advisory for property owners, real estate investors, business owners, and families. He works with investors every week on the coverage decisions that decide how a claim actually turns out, and writes the Learning Center to put those decisions in plain language.

Reviewed for accuracy by Richard Sweet. Last updated July 7, 2026.

Richard also writes The Vantage Point, notes on building a better business.

This article is general education about insurance and risk, not legal advice. Exclusions, sublimits, and coverage terms vary by policy and carrier and change at renewal. Confirm how cyber is treated across your own policies with a licensed advisor before relying on any of them.

Compare your coverage

It's not a quote. It's a real review.

Answer a few quick questions and get a clear read in about two minutes. We will flag what is worth a closer look, and you can hand us your current policy if you want us to dig in. No pressure, no obligation.

We review your current coverage for gaps and overlaps
We compare the market to see if you are overpaying
We tell you what is actually worth changing, and what is not
You get clear answers, even when you are already covered well