Cyber Liability Insurance Glossary
35 cyber liability terms, defined from the language of a real, currently-in-force cyber policy — not from a marketing brochure. Every entry tells you what it means, why it matters at claim time, and what to look for on your own policy.
Cyber policies are not like your other insurance. Coverage is sold as a menu of separate insuring agreements, each with its own limit and retention — and the ones you most need are the ones most often left unbought. A cyber policy with a $3M limit can have $0 of coverage for the loss you are most likely to suffer.
The one thing to check tonight
Open your cyber declarations page. Find the schedule of Insuring Agreements. Look at the line that says Funds Transfer Fraud and Social Engineering.
If the limit column says N/A, you are not covered for the most common cyber loss a business like yours actually suffers — no matter what the rest of the policy says.
Funds Transfer Fraud (FTF)
What it is. A fraudulent instruction, sent electronically — including through social engineering — to you or your bank, directing money to be transferred out of your account. Modern policy language explicitly contemplates instructions that impersonate you, your vendors, or your clients including through the use of deepfakes.
Why it matters at claim time. This is the single most common cyber loss a small or mid-size business actually suffers. Nobody hacks your network — someone emails your controller pretending to be you, and the controller wires the money. And here is the part that ruins companies: Funds Transfer Fraud is frequently a separate insuring agreement that must be purchased. We have seen cyber policies with $3M limits across every other coverage and N/A next to Funds Transfer Fraud. The policy is not defective. It was simply never bought.
What to look for on your policy. Go to your declarations page, find the Insuring Agreements schedule, and look for Funds Transfer Fraud and Social Engineering. If the limit column says N/A or is blank, you do not have it. Check the retention too — some carriers apply a higher retention to FTF than to everything else.
Source: Coalition Active Cyber Policy, Section III — Definitions (Funds Transfer Fraud); Insuring Agreement I.
Social Engineering
What it is. Manipulating a person — not a machine — into transferring funds or handing over credentials. The fraudulent instruction looks like it came from your CEO, your vendor, or your client.
Why it matters at claim time. Your firewall did not fail. Your employee did what they were asked to do by someone they believed. That is why some carriers treat social engineering as a distinct peril requiring its own insuring agreement, often with a lower sublimit and a higher retention than the rest of the policy. It is the peril most likely to hit you and the one most likely to be missing.
What to look for on your policy. Whether social engineering is bundled with Funds Transfer Fraud on your schedule or sold separately, and what the sublimit is. A $3M policy with a $100K social engineering sublimit is a $100K policy for the loss you are most likely to have.
Source: Coalition Active Cyber Policy, Insuring Agreement I.
Security Failure
What it is. The failure of security of your computer systems — including an AI security event — resulting in loss or corruption of data, transmission of malicious code, a denial-of-service attack, or unauthorized access, including when resulting from stolen credentials.
Why it matters at claim time. "Security failure" is the trigger word for most of the policy. Note that it expressly includes unauthorized access from stolen credentials — so a password bought on a dark web market and used to log in normally still counts. Current forms also fold in AI security events, which older policies do not contemplate at all.
What to look for on your policy. Whether your form's definition of security failure includes stolen credentials and AI events. If your policy is more than a couple of years old, it may not.
Source: Coalition Active Cyber Policy, Section III — Definitions (Security Failure).
Systems Failure
What it is. Any unintentional and unplanned disruption or failure of your computer systems — not caused by an attack.
Why it matters at claim time. This is the coverage for the outage nobody attacked you to cause. A botched patch, a failed migration, a config error. Many older cyber policies cover only malicious events, meaning your worst downtime — the self-inflicted kind — is uncovered. Systems failure coverage closes that.
What to look for on your policy. Whether Systems Failure appears as a separate trigger under Business Interruption, alongside Security Failure. If only Security Failure is listed, an accidental outage is not covered.
Source: Coalition Active Cyber Policy, Section III — Definitions (Systems Failure).
Direct Business Interruption
What it is. Coverage for the income you lose when a security failure, systems failure, or voluntary shutdown interrupts your operations.
Why it matters at claim time. Downtime is usually the largest number in a cyber claim, and it is the one businesses least expect. It pays net profit before taxes plus continuing operating expenses, including payroll — you still have to pay people while you cannot operate.
What to look for on your policy. Your waiting period and your indemnity period. See both terms below. Also confirm whether "voluntary shutdown" is a covered trigger — that is what lets you take systems offline to contain damage without forfeiting coverage.
Source: Coalition Active Cyber Policy, Insuring Agreement E.
Contingent Business Interruption
What it is. Coverage for income you lose when someone else's systems fail — your cloud host, your payroll processor, your key vendor.
Why it matters at claim time. You did nothing wrong and your business still stopped. Note that policies distinguish IT Providers (your cloud/hosting vendors) from Non-IT Providers (a dependent business under written contract), and they are frequently covered at different limits. It is common to see IT Provider failure covered at the full limit while Non-IT Provider failure carries a fraction of it.
What to look for on your policy. Compare the limits line by line: IT Provider Security Failure, IT Provider Systems Failure, Non-IT Provider Security Failure, Non-IT Provider Systems Failure. They are often four different numbers.
Source: Coalition Active Cyber Policy, Insuring Agreement F.
Waiting Period
What it is. The number of hours an interruption must last before business interruption coverage begins — a time-based deductible.
Why it matters at claim time. An 8-hour waiting period means an outage of 7 hours pays you nothing. Some carriers offer a reduced waiting period (as little as 1 hour) for certain triggers, which materially changes what a short outage is worth to you.
What to look for on your policy. Your waiting period, and whether a reduced waiting period applies to any trigger. On the policies we read, 8 hours standard with a 1-hour reduced option is common.
Source: Coalition Active Cyber Policy, Item 5 of the Declarations.
Indemnity Period
What it is. The window during which business interruption loss is actually paid — beginning when the disruption starts and ending when operations are restored, or could have been restored with due diligence.
Why it matters at claim time. There is usually a hard cap, commonly 180 days. A catastrophic event that takes you a year to fully recover from is paid for six months. That is a real limit on a real exposure.
What to look for on your policy. The maximum indemnity period in your definitions section, and note that it ends when you could have restored operations — not when you actually did.
Source: Coalition Active Cyber Policy, Section III — Definitions (Indemnity Period).
Ransomware and Cyber Extortion
What it is. Coverage for threats made against you — to lock your systems, release your data, destroy digital assets, or move your funds — for the purpose of demanding payment. Cyber extortion expenses include the ransom itself (money, securities, or Bitcoin and other virtual currencies) plus the cost of negotiating and making the payment.
Why it matters at claim time. Paying is a decision with legal, operational, and reputational consequences. Note the words prior written consent: pay a ransom without the carrier's consent and you may have funded it yourself. Call the hotline before you call the attacker.
What to look for on your policy. Whether payment requires prior written consent (it almost always does), and whether the policy covers the negotiation costs, not just the ransom.
Source: Coalition Active Cyber Policy, Insuring Agreement C; Definitions (Cyber Extortion, Cyber Extortion Expenses).
Breach Response Costs
What it is. The costs of responding to a breach: forensics, legal counsel, notifying affected individuals, notifying regulators, credit and identity monitoring, PR and crisis management, and — on current forms — SEC cybersecurity disclosure costs.
Why it matters at claim time. This is the bucket that gets used in almost every claim. The important structural question is whether it sits inside your aggregate limit or gets its own. Some policies offer an optional separate limit for breach response costs, which means notification spend does not erode the money available to defend you later.
What to look for on your policy. Whether you elected a separate limit for Breach Response Costs. If you did, that limit is not subject to the aggregate or per-event limit — a meaningful upgrade most buyers never notice.
Source: Coalition Active Cyber Policy, Insuring Agreement B; Item 4.C of the Declarations.
Rapid Response Services
What it is. Immediate incident triage — a 24/7 hotline, a short legal consultation, and initial remote support from an incident response team.
Why it matters at claim time. Read the two clauses that matter: on well-designed forms, Rapid Response is not subject to a retention and does not erode the aggregate limit. That means calling for help early costs you nothing. Businesses that sit on an incident for three days because they are afraid of "triggering a claim" are making the loss worse for no reason.
What to look for on your policy. Whether your policy has pre-claim assistance, whether it erodes your limit, and what the hotline number is. Put it somewhere your IT person can find it at 2am.
Source: Coalition Active Cyber Policy, Insuring Agreement A.
Data Recovery and Computer Replacement Costs
What it is. The cost to restore or recreate corrupted data, and to replace bricked hardware — devices rendered permanently non-functional by corrupted firmware.
Why it matters at claim time. Note what is not covered: the economic or market value of the data itself, including trade secrets, and the cost to re-perform work product. The policy will pay to rebuild the database. It will not pay you for what the database was worth.
What to look for on your policy. Whether your form includes a betterment allowance — typically permitting you to restore to a more secure standard, often capped at an additional 25% of the cost. Rebuilding to the same vulnerable configuration is not a recovery.
Source: Coalition Active Cyber Policy, Insuring Agreement D; Definitions (Data Recovery and Computer Replacement Costs, Betterment Allowance).
Invoice Manipulation
What it is. The release of a fraudulent invoice or payment instruction to a third party, as a direct result of a security failure — and the cost of goods or services you delivered but cannot collect payment for.
Why it matters at claim time. This is the mirror image of funds transfer fraud: instead of you paying a fraudster, your customer pays a fraudster who was impersonating you, and now your customer will not pay you again. It is a distinct insuring agreement and frequently not purchased.
What to look for on your policy. Check the limit next to Invoice Manipulation on the schedule. It is one of the coverages most likely to show N/A.
Source: Coalition Active Cyber Policy, Insuring Agreement L; Definitions (Invoice Manipulation, Invoice Manipulation Loss).
Impersonation Fraud / Impersonation Repair
What it is. Fraudulent communications or websites impersonating your business or products — where no security failure occurred. Impersonation Repair covers the cost of a law firm and PR firm to warn your customers, take the fake sites down, and reimburse customers who lost money.
Why it matters at claim time. Nobody breached you. Someone cloned you. Your customers get defrauded by a website with your logo, and the damage is entirely yours to clean up. This is a real and growing loss, and it is a separate insuring agreement.
What to look for on your policy. The Impersonation Repair limit. It is typically a sublimit well below the policy aggregate.
Source: Coalition Active Cyber Policy, Insuring Agreement K; Definitions (Impersonation Fraud, Impersonation Repair Costs).
Service Fraud / Cryptojacking
What it is. Unauthorized use of your systems by a third party — including to mine cryptocurrency — that runs up your bills for electricity, cloud compute, SaaS, or telephony.
Why it matters at claim time. Nothing is stolen and nothing is broken. You just get a cloud bill with an extra zero. Note the limitation: only charges that scale with usage are covered. If you pay a flat fee, there is no loss to recover.
What to look for on your policy. The Service Fraud sublimit, which is usually small relative to the policy.
Source: Coalition Active Cyber Policy, Insuring Agreement J; Definitions (Service Fraud Loss).
Network Security and Privacy Liability
What it is. Third-party liability coverage — when someone else sues you because of your security failure, data breach, or privacy violation.
Why it matters at claim time. Everything above pays your costs. This pays what you owe other people. It is the coverage that responds when the class action arrives, and it is written on a claims-made and reported basis, which is a very different animal from your occurrence-based general liability policy.
What to look for on your policy. That it is claims-made and reported — meaning the claim must be both made against you and reported to the carrier during the policy period. Miss the reporting window and coverage can be lost even for a covered claim.
Source: Coalition Active Cyber Policy, Insuring Agreement M; Section I — Third Party Liability Coverages.
Claims-Made and Reported
What it is. Coverage that applies only to claims first made against you during the policy period (or an extended reporting period) and reported to the insurer in accordance with the policy.
Why it matters at claim time. Two conditions, not one. A claim made in November and reported in February may be uncovered even though it happened while you were insured. This is the most common way a valid cyber claim dies.
What to look for on your policy. Your reporting deadline, and your retroactive date. If you switch carriers and the new policy's retro date is this year, everything before it is uninsured.
Source: Coalition Active Cyber Policy, Declarations notice; Definitions (Retroactive Date).
Claim Expenses Erode the Limit
What it is. On most cyber policies, the legal fees spent defending you are deducted from your limit of liability — and can exhaust it.
Why it matters at claim time. This is the structural difference between cyber and general liability that nobody explains. On a standard GL policy defense usually sits outside the limit. On cyber, it comes out of it. A $3M cyber policy that spends $1M on defense has $2M left to pay the claim. Compare with the GL glossary entry on defense inside vs. outside the limits.
What to look for on your policy. The declarations notice. Most cyber forms say it in capital letters on the first page: claim expenses reduce the applicable limits of liability, are subject to retentions, and may exhaust the applicable limits.
Source: Coalition Active Cyber Policy, Declarations notice; Definitions (Claim Expenses).
Retention
What it is. The cyber equivalent of a deductible — the amount you pay before the policy responds. Applied per event, not per year.
Why it matters at claim time. Retentions vary by insuring agreement on the same policy. Some coverages carry $0 retention (rapid response, court attendance, criminal reward); most carry a standard retention; and funds transfer fraud sometimes carries a different one entirely.
What to look for on your policy. Read the retention column, not just the limit column. They are different for different coverages.
Source: Coalition Active Cyber Policy, Item 5 of the Declarations.
Aggregate vs. Per-Event Limit
What it is. The aggregate is the most the policy will pay for everything, all year. The per-event limit is the most it will pay for any one event.
Why it matters at claim time. Multiple coverages purchased does not mean multiple limits. The aggregate is the maximum the insurer pays regardless of how many insuring agreements you bought. Eight coverages at $3M each is still a $3M policy.
What to look for on your policy. Items 4.A and 4.B of your declarations. And check whether Breach Response Costs sits outside the aggregate — that is the one common exception.
Source: Coalition Active Cyber Policy, Items 4.A, 4.B, 4.C of the Declarations.
Event (and the Single-Event Rule)
What it is. Any incident, privacy liability, media wrongful act, technology wrongful act, or funds transfer liability. Critically: all events sharing a common nexus of fact, circumstance, or cause are treated as a single event, occurring on the date the first one occurred.
Why it matters at claim time. This is the clause that decides whether you have one limit or several. A ransomware attack that unfolds over three weeks across four systems is one event, with one retention and one limit — and it is deemed to have occurred on day one, which may be before your policy incepted.
What to look for on your policy. The "common nexus" language in the definition of Event and Incident. It is short, it is easy to skip, and it is worth millions.
Source: Coalition Active Cyber Policy, Section III — Definitions (Event, Incident).
Regulatory Actions
What it is. Coverage for civil fines, penalties, and consumer redress funds imposed by a regulator following a security failure, data breach, or privacy violation — plus the cost of responding to the proceeding.
Why it matters at claim time. Regulators move after breaches. What the policy pays is the monetary penalty — it will generally not pay the cost of complying with an order to fix your security practices, or audit and reporting obligations. Those are yours.
What to look for on your policy. The exclusion inside the definition of Regulatory Loss: costs to establish or improve privacy or security practices are excluded. The fine is covered; the remediation is not.
Source: Coalition Active Cyber Policy, Insuring Agreement N; Definitions (Regulatory Loss, Regulatory Proceeding).
PCI Fines and Assessments
What it is. Fines and assessments owed under your merchant services agreement after a card-data breach — fraud recovery, card reissuance, cardholder notification, case management fees.
Why it matters at claim time. If you take cards, this is a contractual exposure that exists regardless of what any statute says. Note the carve-out: chargebacks, interchange fees, and discount fees are not covered.
What to look for on your policy. Whether PCI Fines and Assessments is a purchased insuring agreement. If you process card payments and this is blank, you have a gap.
Source: Coalition Active Cyber Policy, Insuring Agreement O; Definitions (PCI Fines and Assessments).
Funds Transfer Liability
What it is. When a fraudster, using your compromised systems, sends fake payment instructions to your customers or vendors, and they wire money to the criminal.
Why it matters at claim time. Distinct from Funds Transfer Fraud. FTF is your money leaving. Funds Transfer Liability is your customer's money leaving because of your breach — and now they are suing you. Two different insuring agreements, two different limits.
What to look for on your policy. That you have both. Many policies carry one and not the other.
Source: Coalition Active Cyber Policy, Insuring Agreement P; Definitions (Funds Transfer Liability, Funds Transfer Liability Loss).
Media Liability
What it is. Coverage for defamation, libel, slander, invasion of privacy, right-of-publicity claims, plagiarism, and infringement of copyright, trademark, domain name, or slogan — committed in the course of your media activities, including social media.
Why it matters at claim time. Your marketing team is a liability exposure. A stock photo used without license, a competitor named in a blog post, a slogan too close to someone else's. This overlaps with Coverage B on your general liability policy — know which one responds.
What to look for on your policy. Whether Media Liability is purchased, and whether it covers social media authorized by your organization.
Source: Coalition Active Cyber Policy, Insuring Agreement R; Definitions (Media Wrongful Act, Media Activities, Media Content).
Technology Errors and Omissions
What it is. Liability for negligent acts, errors, or omissions in the technology services you perform for others, or the failure of technology products you build or sell.
Why it matters at claim time. If you write software, host systems, or provide IT services for clients, this is your professional liability. It is often a separate policy rather than an insuring agreement on the cyber policy — which is fine, as long as it exists somewhere and the two do not leave a seam between them.
What to look for on your policy. Whether Tech E&O is on this policy or a standalone one. If the cyber policy shows N/A, confirm the separate policy exists before assuming it is a gap.
Source: Coalition Active Cyber Policy, Insuring Agreement Q; Definitions (Technology Services, Technology Products, Technology Wrongful Act).
Reputational Harm Loss
What it is. Lost profit caused by adverse publication about a cyber incident — typically measured over a defined reputational indemnity period, often 180 days.
Why it matters at claim time. The breach ends. The story does not. Customers leave because they read about it. This coverage tries to quantify that, and it is genuinely difficult to prove — which is why the next term exists.
What to look for on your policy. The reputational indemnity period, and the exclusions: it does not cover legal fees, third-party liability, or revenue that is merely delayed rather than lost.
Source: Coalition Active Cyber Policy, Insuring Agreement G; Definitions (Reputational Harm Loss, Reputational Indemnity Period).
Proof of Loss Preparation
What it is. Coverage for a third-party forensic accounting firm to prepare and document your business interruption, extra expense, and reputational harm claim.
Why it matters at claim time. Business interruption claims are won and lost on documentation. You will be asked to prove what you would have earned. Most businesses cannot do that on their own, and the carrier will not do it for you. This coverage pays for the accountant who can.
What to look for on your policy. Whether it is a purchased coverage and what the sublimit is. It is usually modest — and it is usually the best money in the policy.
Source: Coalition Active Cyber Policy, Insuring Agreement H; Definitions (Proof of Loss Preparation Expenses).
Dependent Business
What it is. A vendor, other than an IT provider, that supplies necessary products or services to you under a written contract.
Why it matters at claim time. Two words do a lot of work here: written contract. A handshake vendor is not a dependent business, so their outage is not your covered loss. Also excluded by definition: public utilities, ISPs, DNS, certificate authorities, and securities exchanges — so a power cut or an internet outage is not contingent BI.
What to look for on your policy. Whether your critical vendors are actually under written contract. If your most important supplier is on a purchase-order relationship, contingent BI may not respond.
Source: Coalition Active Cyber Policy, Section III — Definitions (Dependent Business).
Digital Asset
What it is. Your electronic data and computer software residing on your computer systems.
Why it matters at claim time. Note what this excludes: the policy pays to restore digital assets, not to compensate you for their value. Your customer list is a digital asset. Its market value is not a covered loss.
What to look for on your policy. The exclusions inside Data Recovery: economic or market value of digital assets, including trade secrets, is not covered.
Source: Coalition Active Cyber Policy, Section III — Definitions (Digital Asset).
Data Breach
What it is. The unauthorized acquisition, access, theft, or disclosure of personally identifiable information or third-party corporate information — including as a result of a security failure.
Why it matters at claim time. Data breach is the trigger for notification obligations, which is where the money goes early in a claim. Note it covers third-party corporate information too, not just personal data — so a leak of a client's confidential business information counts.
What to look for on your policy. The definition of Personally Identifiable Information in your form: it is generally tied to what a law requires to be protected, which varies by state.
Source: Coalition Active Cyber Policy, Section III — Definitions (Data Breach, Personally Identifiable Information).
Voluntary Shutdown
What it is. Taking your own systems offline, after discovering a security or systems failure and with the carrier's prior consent, to limit a loss that would otherwise be covered.
Why it matters at claim time. Without this, containing an attack by pulling the plug could be read as a self-inflicted, uncovered business interruption. With it, doing the right thing is a covered decision. But note: prior consent. Call first.
What to look for on your policy. Whether Voluntary Shutdown appears as a covered trigger under both Direct and Contingent Business Interruption.
Source: Coalition Active Cyber Policy, Section III — Definitions (Voluntary Shutdown); Insuring Agreements E and F.
Cyber Operation / War Exclusion
What it is. Modern cyber policies define a cyber operation as the use of computer systems by, at the direction of, or under the control of a sovereign state to disrupt or destroy information in another state's systems — and often exclude it.
Why it matters at claim time. This is the most contested language in cyber insurance. Attribution is hard, and if the carrier can characterize an attack as state-sponsored, coverage can evaporate. The definitions of "impacted state" and "essential service" are what determine the boundary.
What to look for on your policy. Your war and cyber-operation exclusion, and whether there is any carve-back. This is the single most important exclusion to read in a modern cyber policy.
Source: Coalition Active Cyber Policy, Section III — Definitions (Cyber Operation, Impacted State, Essential Service).
Denial of Service Attack
What it is. A malicious attack that makes your systems unavailable to their intended users by flooding a host with an excessive volume of data.
Why it matters at claim time. A DoS attack takes nothing and breaks nothing. It just stops you from operating — which is why it is defined as a form of security failure and routes into business interruption coverage rather than data recovery.
What to look for on your policy. That denial of service is inside your definition of security failure. On most current forms it is.
Source: Coalition Active Cyber Policy, Section III — Definitions (Denial of Service Attack).
Extended Reporting Period (Tail)
What it is. An option to report claims after the policy expires, for acts that occurred during the policy period.
Why it matters at claim time. On a claims-made policy, cancelling or non-renewing without a tail can erase coverage for everything you did while insured. If you change carriers, sell the business, or wind down, this is the question.
What to look for on your policy. Whether an optional extended reporting period is available, how long, and what it costs. Ask before you need it.
Source: Coalition Active Cyber Policy, Declarations notice; Section III — Definitions (Policy Period).
We read the schedule, not the brochure.
Send us your cyber declarations page. We will tell you which insuring agreements you actually purchased, which show N/A, what your retentions really are, and where the seams are between your cyber, tech E&O, and crime coverage.
Request a Cyber Audit Call (469) 756-8776When a client received a spoofed email requesting a wire transfer, we had already verified social engineering endorsement coverage. They recovered the full amount in seven days.
Related coverage
Cyber Liability Insurance →
All glossaries →
General Liability Glossary →
Group Health Glossary →
.png?width=1815&height=495&name=4J%20commercial%20insurance%20broker%5B1%5D%20(1).png)