The Broker's Guide to Cyber Exclusion In E&O Policies
A complete comparison of cyber exclusions in E&O policies for insurance agencies and brokers. Covers requirements, best practices, and practical steps to improve compliance.
The cyber exclusion in E&O policies is the most misunderstood coverage gap in the agency E&O market today. Most agency principals assume their E&O policy covers all professional liability, including errors that involve client data or digital systems. It does not.
This guide explains how cyber exclusions entered standard E&O forms, what the exclusion language actually says, which claims it eliminates, and what agencies must do to close the gap before a cyber event becomes an uninsured catastrophe.
Key Takeaways
- Cyber-related claims against insurance agencies grew 300% between 2012 and 2016, triggering systematic exclusion additions across E&O carrier forms (Swiss Re 2023).
- Standard cyber exclusion language in agency E&O policies removes coverage for network security failures, data breaches, cyber extortion, and ransomware recovery costs.
- Agencies without standalone cyber liability coverage face average uninsured cyber losses of $180,000 per incident (Ponemon Institute 2024).
- The interaction between the cyber exclusion and client coverage lapses creates a dual exposure that leaves agencies with no E&O defense and no cyber indemnity in the same claim.
- At least six distinct cyber exclusion manuscript variations appear across the major agency E&O carriers, with materially different scope and carve-backs (Westport Insurance 2024).
- Fewer than 45% of independent insurance agencies carry a standalone cyber liability policy, despite the E&O cyber exclusion being standard since 2017 (Big I 2024).
How Cyber Exclusions Entered Standard E&O Policies
Before 2012, cyber-related claims against insurance agencies were rare enough that most E&O carriers did not address them explicitly in their policy forms. The insuring agreement covered professional services generally, and data-related claims were evaluated under that broad language.
That changed rapidly between 2012 and 2016.
Swiss Re's 2023 retrospective analysis of the agency E&O market documented a 300% increase in cyber-related claims against insurance agencies during that four-year window. The claims were driven by three primary causes: phishing attacks that exposed client data stored in agency management systems, wire fraud schemes that exploited agency email accounts to redirect premium payments, and ransomware attacks that locked agencies out of their systems and disrupted client service.
E&O carriers responded the way carriers always respond to emerging claim frequency: they added exclusions.
By 2014, several leading agency E&O carriers had added explicit cyber exclusions to their standard forms. By 2017, the exclusion was standard across the majority of the admitted agency E&O market. Agencies renewing in 2017 and later generally received a policy that explicitly excluded cyber-related claims, often without the change being highlighted in the renewal discussion.
NAIC's 2023 market conduct report found that fewer than 40% of agency principals recalled being specifically informed about cyber exclusion additions to their E&O policies at renewal.
What the Cyber Exclusion in an E&O Policy Actually Says
The exact language of the cyber exclusion varies by carrier, but the core operative language is consistent. Here is the standard structure:
Standard exclusion language (representative example):
"This policy does not apply to any claim arising out of, resulting from, or in any way related to: (i) any unauthorized access to or use of any computer system, network, or electronic data; (ii) the introduction of malicious code or malware into any computer system; (iii) any denial of service attack; (iv) any failure of electronic security; (v) any loss, corruption, or unauthorized disclosure of electronic data; or (vi) any ransom or extortion payment made in response to a cyber event."
Note the operative phrase "arising out of, resulting from, or in any way related to." This is the broadest possible causation trigger. It means the exclusion applies not just when a cyber event is the direct cause of the claim, but also when the cyber event is a contributing factor in any way.
For agencies, this has a specific and painful implication: a cyber event that causes a client's coverage to lapse, which then causes the client to suffer an uninsured loss, which then prompts the client to sue the agency, may be excluded entirely because the original trigger was a cyber event.
The Six Cyber Exclusion Manuscript Variations by Major E&O Carrier
Westport Insurance's 2024 analysis of agency E&O forms identified six distinct cyber exclusion manuscript variations across the major admitted agency E&O markets. The variations differ in three key respects: the definition of "cyber event," the scope of the causation trigger, and the carve-backs available.
| Carrier Form Type | Causation Trigger | Data Breach Carve-Back | Ransomware Covered Under E&O? |
|---|---|---|---|
| Form A: Broad exclusion | "Arising out of or related to" | None | No |
| Form B: Moderate exclusion | "Directly caused by" | Partial (notice costs only) | No |
| Form C: Narrow exclusion | "Solely caused by" | Yes (professional services context) | No |
| Form D: Sublimited coverage | "Arising out of" | Yes (up to sub-limit) | Sub-limited |
| Form E: Manuscript endorsement | Negotiated | Negotiated | Negotiated |
| Form F: Exclusion with buyback option | "Arising out of" | Available for additional premium | Available for additional premium |
The distinction between "arising out of or related to" and "solely caused by" is enormous in practice. Under the "solely caused" standard, a claim that is partly caused by a professional error and partly triggered by a cyber event may retain E&O coverage for the professional error component. Under the "arising out of or related to" standard, the entire claim is excluded if cyber is anywhere in the causal chain.
Agencies should request their E&O carrier's specific form language and identify which variation they carry.
Which Cyber-Related Claims Are Excluded Under a Standard Agency E&O Policy
Understanding the scope of the standard cyber exclusion requires mapping specific claim scenarios against the exclusion language.
Network Security Failures
A client discovers that your agency's management system was compromised and that a bad actor accessed the client's personally identifiable information, financial records, and policy details. The client suffers identity theft costs and sues your agency for failing to maintain adequate network security.
Standard E&O coverage: None. Network security failure is explicitly excluded.
Coverage needed: Standalone cyber liability policy with first-party and third-party coverage components.
Data Breaches Involving Client Information
Your agency's email system is compromised in a phishing attack. The attacker accesses client files containing Social Security numbers, driver's license numbers, and banking information. Your agency incurs costs for forensic investigation, breach notification, credit monitoring, and client lawsuits.
Standard E&O coverage: None. Data breach and unauthorized access are explicitly excluded.
Coverage needed: Standalone cyber liability policy with data breach response coverage, notification costs, and third-party liability.
Cyber Extortion and Ransomware Recovery
A ransomware attack encrypts your agency management system. The attacker demands $85,000 in cryptocurrency to restore access. Your agency loses 11 days of productivity while attempting to recover without paying. You ultimately pay the ransom. Several clients experience policy lapses during the outage because renewals were not processed.
Standard E&O coverage: None of the ransomware or extortion costs are covered. The client coverage lapse claims may also be excluded if the lapse arose out of the cyber event.
Coverage needed: Standalone cyber liability policy with cyber extortion coverage, ransom payment coverage, and business interruption coverage.
Denial of Service Attacks
A distributed denial of service (DDoS) attack takes your agency's client portal offline for 72 hours. Clients cannot access their policy documents or submit requests. A commercial client misses a critical policy change deadline and suffers an uninsured loss.
Standard E&O coverage: Potentially excluded, depending on whether the policy applies the "arising out of" or "solely caused by" standard. Under the broad standard, the claim is excluded because the ultimate cause of the missed deadline was the cyber event, not an independent professional error.
Coverage needed: Standalone cyber liability policy with business interruption and dependent systems failure coverage, plus review of E&O causation language for carve-backs.
How Agencies Must Buy Standalone Cyber Coverage to Close the Gap
The cyber exclusion in your E&O policy creates a coverage gap that can only be closed with a standalone cyber liability policy. There is no E&O endorsement that eliminates this gap in standard admitted markets.
A complete standalone cyber policy for an insurance agency should include:
First-party coverages:
- Data breach response costs (forensic investigation, notification, credit monitoring)
- Ransomware and cyber extortion payments
- Business interruption from a cyber event
- Data restoration and system recovery costs
Third-party coverages:
- Privacy liability for unauthorized disclosure of client data
- Network security liability for failing to prevent a cyber attack that affects third parties
- Regulatory defense for state Department of Insurance (DOI), FTC, or state attorney general investigations arising from a breach
- Media liability for content-related claims arising from your agency's digital presence
Big I's 2024 agency market survey found that fewer than 45% of independent insurance agencies carry a standalone cyber policy. Among agencies with fewer than 10 employees, that number drops to 31%.
The cost of a standalone cyber policy for an insurance agency typically ranges from $2,500 to $12,000 annually depending on revenue, data volume, and security controls. Ponemon Institute's 2024 data shows that average uninsured cyber losses for small professional services firms run $180,000 per incident, making the premium straightforward to justify.
The Dangerous Interaction: Cyber Events That Cause Client Coverage Lapses
The most complex coverage scenario created by the cyber exclusion in E&O policies involves a cyber event that causes a client's coverage to lapse, which then causes the client to suffer an uninsured loss, which then prompts the client to sue the agency.
Here is why this scenario is so dangerous:
The chain of events:
- A ransomware attack disables your agency management system for 10 business days.
- During the outage, a commercial client's workers' compensation (WC) policy renewal is not processed.
- The client's WC policy lapses.
- A workers' compensation claim occurs during the lapse period.
- The WC carrier denies the claim because no coverage was in force.
- The employee sues the client employer for the full cost of their injuries.
- The client sues your agency for failing to process the renewal.
The coverage question: Does your E&O policy respond to the client's claim against your agency?
Under the broad cyber exclusion ("arising out of or related to"), the answer is likely no. The claim arises out of the ransomware attack, even though the immediate professional failure was the missed renewal.
Under the narrow cyber exclusion ("solely caused by"), the answer may be yes. The ransomware caused the system outage, but the agency also had a professional obligation to maintain manual backup processes for critical renewals. The claim may be only partly caused by the cyber event.
This interaction exposes agencies to a scenario in which:
- The cyber liability policy covers the ransomware attack costs (if the agency has one)
- The E&O policy excludes the client's coverage lapse claim (because of the cyber exclusion)
- The agency has no coverage for the most expensive part of the claim: the client's indemnity demand
The only solution is to buy a standalone cyber policy with broad liability coverage AND to negotiate the most favorable causation language possible in the agency's E&O cyber exclusion.
How to Advise Clients on the Same Issue
Insurance agencies face the cyber exclusion in their own E&O policies. Their commercial clients face the same exclusion in their own professional liability policies.
When advising commercial clients who carry E&O, malpractice, or professional liability coverage, brokers should address the cyber exclusion directly:
Step 1: Request the cyber exclusion language from the client's professional liability policy.
Step 2: Review the causation trigger standard ("arising out of" vs. "solely caused by").
Step 3: Identify whether the client has a standalone cyber policy that addresses the gap.
Step 4: Map the client's specific cyber risk profile against the exclusion scope (data volume, client type, system architecture).
Step 5: Document this analysis in the client file with a written recommendation to purchase standalone cyber coverage if no policy is in force.
This documentation matters. If a cyber event causes the client's professional liability policy to exclude a claim, and the broker had not advised the client of the cyber exclusion, the broker may face an E&O claim for failure to advise. That claim will land on the broker's own E&O policy, and the analysis above applies equally.
IIABA's 2024 risk management bulletin specifically advises member agencies to document all cyber exclusion conversations with clients in writing, given the frequency of claims arising from this exact scenario.
Checklist: Closing the Cyber Exclusion Gap in Your Agency
Use this checklist to address the cyber exclusion in your own agency's E&O policy and in your client advising process:
For your agency's own E&O coverage:
- Pull the full E&O policy and locate the cyber exclusion language
- Identify the causation trigger standard ("arising out of" vs. "solely caused by")
- Check whether any carve-backs exist for claims with a mixed professional and cyber cause
- Review whether your E&O policy includes a cyber sub-limit (as some newer forms do in lieu of a full exclusion)
- Verify whether a standalone cyber policy is in force
- Confirm the standalone cyber policy includes both first-party and third-party coverage
- Confirm the standalone cyber policy covers business interruption caused by a cyber event
- Review the interaction between the cyber policy's retroactive date and the E&O policy's retroactive date
For client advisory documentation:
- Review each commercial client's professional liability policy for cyber exclusion language
- Document the exclusion review in the client file
- Issue a written recommendation for standalone cyber coverage if not in force
- Retain documentation for the full E&O extended reporting period
Frequently Asked Questions
What is the cyber exclusion in E&O policies and when was it added? The cyber exclusion in E&O policies removes coverage for claims arising from network security failures, data breaches, cyber extortion, and related cyber events. Most E&O carriers added the exclusion between 2014 and 2017 in response to the 300% increase in cyber-related claims against agencies recorded between 2012 and 2016 (Swiss Re 2023).
Can an agency negotiate the cyber exclusion out of its E&O policy? In the standard admitted market, no. The cyber exclusion is non-negotiable in most agency E&O forms. What is negotiable is the causation trigger language. The "solely caused by" standard is significantly more agency-friendly than the "arising out of or related to" standard, and some carriers will negotiate the causation language at renewal.
Does a standalone cyber policy cover E&O claims that involve a cyber component? Standalone cyber policies cover first-party cyber losses (breach response, ransomware costs, business interruption) and third-party cyber liability (privacy liability, network security liability). They do not cover professional liability claims that happen to involve a cyber element. The two policies work together but do not replace each other.
If a client's coverage lapses because of a ransomware attack on my agency, does my E&O policy respond? Under a broad cyber exclusion ("arising out of or related to"), the E&O policy will likely deny the claim on the basis that it arises from the cyber event. Under a narrow cyber exclusion ("solely caused by"), a defense argument exists that the professional failure was an independent contributing cause. This is the most contested scenario in agency E&O today.
What coverage should a standalone cyber policy include to properly close the E&O cyber gap? A complete standalone cyber policy should include: data breach response costs, ransomware and extortion payments, business interruption from a cyber event, privacy liability for client data exposure, network security liability, and regulatory defense costs. Missing any of these components leaves residual gaps that the E&O policy will not fill.
How do I advise a client whose professional liability policy has a cyber exclusion? Document the exclusion in writing in the client's file. Issue a written recommendation for standalone cyber coverage if not in force. If the client declines, document the declination and have the client sign an acknowledgment that they were informed of the gap. IIABA's 2024 risk management bulletin recommends this documentation protocol for all commercial clients with professional liability policies.
Written by Javier Sanz, Founder of BrokerageAudit. Last updated April 2026.