The cyber coverage on a business owners policy and a standalone cyber policy are not the same thing, and the difference matters most at claim time. A business owners policy often includes a small cyber endorsement, added for little or no visible premium. A standalone cyber policy is a separate contract with its own limit and broader coverage. For a practice that holds patient data or moves money, the endorsement usually will not respond to the loss that actually happens.
What a BOP endorsement gives you
The cyber endorsement on a business owners policy typically provides a small amount of breach response and some liability. For a business with almost no digital footprint, that can be a reasonable start. The problem is that owners read the word cyber on the declarations page and assume full protection, and the endorsement is rarely built for that.
What standalone cyber adds
A standalone policy carries its own limit and covers the pieces an endorsement usually shortchanges: adequate social engineering and funds-transfer fraud, ransomware and recovery, business interruption including dependent outages when a vendor platform goes down, and a real breach-response bench. You can read those coverages in plain language on our cyber insurance overview and the BOP endorsement vs standalone page.
Where the endorsement falls short
The gap shows up in a few predictable places. Social engineering, the spoofed payment that is the most likely loss, is often sublimited or excluded on an endorsement. Business interruption and dependent outages are frequently missing. And the response limit can be exhausted by the forensics, notification, and legal work of a single incident before recovery is even addressed.
How to tell what you have
You do not have to guess. Pull your business owners policy declarations page and look for a cyber or data-compromise endorsement, then read the sublimit next to it and whether social engineering is named. If it is small, sublimited, or absent, that is the gap. If reading the endorsement is not how you want to spend an afternoon, share your policy and we will read the cyber piece for you.
Which one you should carry
For a practice that emails invoices, takes payments, or stores patient records, standalone cyber is usually the real coverage, and the cost is often modest. A business with almost no digital footprint may reasonably rely on the endorsement. We compare both so the decision is informed, not assumed.
Questions to ask your advisor
- Do I have a cyber endorsement on my business owners policy, and what is its sublimit?
- Does that endorsement cover social engineering, or exclude it?
- Would the endorsement’s limit survive the response cost of a single breach?
- What would a standalone policy add, and what would it cost?
- Given how my practice moves money and holds data, which coverage actually fits?
Want guidance first? Compare your coverage. Already know what you need? Get a quote.