13 min read | April 11, 2026

The Broker's Guide to Cyber Liability Vs E&O Coverage

A complete comparison of cyber liability vs E&O coverage for insurance agencies and brokers. Covers requirements, best practices, and practical steps to improve compliance.

Javier Sanz

Founder & CEO

Cyber liability vs E&O coverage is the most misunderstood coverage question in independent agency risk management. Most agency owners assume their E&O policy covers cyber incidents, or that their cyber policy covers bad advice about cyber insurance. Neither assumption is correct - and both gaps create uncovered six-figure claims.

Coalition 2025 data identifies agency management software as the second most frequently targeted system in financial sector cyberattacks. IIABA 2025 reports that E&O claims against agencies have increased 18% over the past three years, with a growing subset involving cyber-related professional errors. These are not the same coverage - and agencies need both.


Key Takeaways

  1. Coalition 2025 identifies agency management software as the second most targeted system in financial sector cyberattacks, making cyber coverage a direct agency operational need - not just a client product.
  2. IIABA 2025 reports that E&O claims against agencies have increased 18% over three years, with 12% of new claims involving cyber-related professional errors such as recommending inadequate cyber limits.
  3. E&O coverage triggers on a professional services error - the wrong advice given, the wrong coverage placed, or an endorsement missed; cyber coverage triggers on a data security event - a breach, ransomware, or business email compromise affecting agency systems.
  4. First-party cyber coverage pays the agency's own breach response costs: forensic investigation, regulatory notification, credit monitoring, and business interruption. E&O pays third-party claims from clients alleging professional harm.
  5. The average cyber claim for a small financial services firm in 2025 reached $485,000 according to Coalition 2025; the average E&O claim in the same segment reached $162,000 per IIABA 2025.
  6. Most E&O policies contain a specific cyber exclusion for claims arising from data breaches, and most cyber policies contain a professional services exclusion for claims arising from professional errors - confirming that each policy covers a non-overlapping loss scenario.

The Core Distinction: What Each Policy Is Designed to Cover

E&O (errors and omissions) insurance, also called professional liability, protects the agency against claims arising from professional services mistakes. The trigger is a professional act or failure to act.

Cyber liability insurance protects the agency against claims and costs arising from data security events. The trigger is a security incident affecting data systems.

These are fundamentally different risk categories - even when the underlying facts of a claim involve both.

What Triggers an E&O Claim

An E&O claim against an insurance agency arises when a client suffers a loss that would have been covered had the agency recommended or placed the correct coverage. Common triggers include:

  • Recommending commercial general liability limits that prove inadequate for the client's actual operations.
  • Failing to recommend a cyber liability policy to a client who later suffers a breach.
  • Recommending a cyber policy with sublimits that prove insufficient (e.g., a $250,000 ransomware sublimit on a policy for a client who faces a $1.2 million ransomware demand).
  • Missing an endorsement that the client requested or that coverage adequacy required.
  • Placing coverage with a non-admitted carrier without disclosing the non-admitted status and associated risks.

The key element: the harm arises from the broker's professional judgment or professional failure, not from a security event affecting the broker's own systems.

What Triggers a Cyber Claim

A cyber liability claim against the agency arises from a security event that compromises agency data or systems. Common triggers include:

  • A ransomware attack that encrypts agency files and demands payment for decryption keys.
  • A data breach in which client PII (SSNs, financial records, health data) is accessed or exfiltrated from the agency's AMS.
  • A business email compromise (BEC) incident in which a fraudulent email directs funds to an attacker's account.
  • A denial-of-service attack that renders the agency's systems inoperable for multiple days.
  • A phishing attack that results in credential theft and unauthorized access to client accounts.

The key element: the harm arises from a security event affecting the agency's own systems - not from professional advice given to a client.


The Overlap Zone: When a Single Claim Involves Both

The most dangerous claims for agencies fall in the overlap zone between professional services errors and cybersecurity events. These claims can implicate both policies - and both carriers.

Scenario 1: The E&O-Only Cyber Claim

A retail agency recommends a $500,000 cyber liability limit to a mid-size healthcare client. The client suffers a ransomware attack and incurs $1.4 million in response costs and regulatory penalties. The client sues the agency for recommending inadequate limits.

This is an E&O claim. The trigger is the professional recommendation of an insufficient limit, not a security event at the agency. The agency's own cyber policy does not respond. The E&O policy must cover it - but only if cyber-related professional errors are not excluded from the E&O policy. IIABA 2025 reports that 34% of agency E&O policies contain some limitation on cyber-related professional liability coverage.

Scenario 2: The Cyber-Only Agency Claim

An agency's AMS is breached. Client SSNs, financial records, and health information are exfiltrated. The agency incurs $380,000 in forensic costs, regulatory notification expenses, credit monitoring, and regulatory penalties.

This is a first-party cyber claim. The trigger is the security event at the agency. The E&O policy does not respond - there is no professional services error at issue. The agency's cyber policy covers the response costs if the policy includes first-party coverage.

Scenario 3: The Dual-Coverage Scenario

A BEC attack causes the agency's staff to wire $75,000 in premium funds to a fraudulent account. The client whose premium was lost sues the agency for mishandling their funds (a professional services claim). The agency simultaneously incurs costs to investigate the BEC attack and notify affected parties.

This scenario implicates both policies: the professional liability claim against the agency (E&O territory) and the agency's own response costs (cyber territory). Both carriers must be notified promptly, and coverage coordination between the two policies becomes necessary.


Coverage Comparison: Cyber Liability vs E&O Across 8 Dimensions

| Coverage Dimension | Cyber Liability Policy | E&O (Professional Liability) Policy |
|---|---|---|
| Trigger event | Data security event (breach, ransomware, BEC) affecting agency systems | Professional services error, omission, or failure affecting a client |
| First-party coverage | Yes: forensic costs, regulatory notification, credit monitoring, business interruption, ransom payment | No: E&O is third-party liability coverage only |
| Third-party liability | Yes: client or regulatory claims arising from the security event | Yes: client claims arising from professional services errors |
| Coverage for professional advice errors | Excluded in most cyber policies (professional services exclusion) | Yes - the core coverage |
| Coverage for security incidents at the agency | Yes - the core coverage | Excluded in most E&O policies (cyber exclusion) |
| Regulatory defense costs | Yes: defense against regulatory proceedings arising from the breach | Limited: some E&O policies cover state regulatory proceedings; most do not cover breach-related regulatory action |
| Media liability | Yes: coverage for claims arising from inadvertent publication of confidential client data | No |
| Business interruption | Yes: first-party coverage for revenue lost during system downtime | No |

What E&O Policies Cover for Insurance Agencies

E&O coverage for insurance agencies is designed to protect against the professional services risk. The standard coverage structure includes:

Defense costs: The E&O carrier retains and pays for legal counsel to defend the agency against a client's professional liability claim, even if the claim is ultimately without merit.

Indemnity: If the claim results in a judgment or settlement, the E&O policy pays the indemnity amount up to the policy limit.

Professional services defined broadly: Most agency E&O policies define "professional services" to include placing, renewing, or canceling insurance; advising clients on coverage; and certificate issuance. This means errors in any of these activities can trigger coverage.

Claims-made trigger: Agency E&O policies are written on a claims-made basis. A claim must be made during the policy period, and the professional act or omission must occur after the prior acts date. Gaps in E&O coverage - even for a single day - can eliminate coverage for acts that occurred during the gap period.

IIABA 2025 E&O claims data: The most common E&O claim categories against agencies are failure to obtain requested coverage (31% of claims), failure to recommend additional coverage (24%), and coverage placement errors (19%). Claims involving cyber-related professional errors now represent 12% of all new claims - up from 4% in 2021.


What Cyber Policies Cover for Insurance Agencies

A cyber liability policy for an insurance agency covers two categories of loss: first-party costs incurred directly by the agency, and third-party liability claims made against the agency.

First-party coverages typically include:

  • Forensic investigation costs to determine the scope and cause of the breach.
  • Regulatory notification costs: printing, mailing, and call-center costs for notifying affected individuals.
  • Credit monitoring services for affected clients.
  • Business interruption losses: revenue lost while agency systems are offline or compromised.
  • Ransomware response and ransom payments (with carrier pre-approval requirements).
  • Cyber extortion: payments demanded to prevent publication of stolen data.
  • Restoration costs: IT expenses to restore systems to pre-breach condition.

Third-party coverages typically include:

  • Defense costs and indemnity for client claims arising from the breach (e.g., client sues the agency for failing to protect their data).
  • Regulatory defense costs and civil penalties arising from breach notification law violations.
  • Media liability: claims arising from inadvertent disclosure of confidential information in agency publications or website content.

Common exclusions in cyber policies:

Most cyber policies exclude claims arising from professional services errors (directing those to E&O), bodily injury and property damage (directing those to CGL), and prior known events. Some policies exclude social engineering/BEC losses unless a specific endorsement is purchased.


Why Agencies Need Both Policies

The professional services exclusion in cyber policies and the cyber exclusion in E&O policies are not accidental. They are designed - by underwriters on both sides - to keep the two coverages separate.

An agency that carries only E&O coverage has no coverage for:

  • First-party costs of responding to a data breach at the agency.
  • Business interruption from a ransomware attack.
  • Regulatory penalties from failure to notify clients promptly after a breach.

An agency that carries only cyber coverage has no coverage for:

  • Client claims arising from wrong coverage recommendations.
  • Defense costs when a client sues for a missed endorsement.
  • Claims arising from certificate issuance errors or coverage placement mistakes.

The risk of carrying only one policy is not theoretical. Coalition 2025 reports that 23% of agency cyber claims involve a secondary E&O claim by the same client - meaning the same incident triggers both a cyber response need and a professional liability defense need. An agency with only one policy absorbs the uncovered portion out of pocket.


How to Evaluate Your Agency's Coverage Structure

Before renewing either policy, run through these four questions:

Does your E&O policy contain a cyber exclusion? Read the exclusions section. If there is any language excluding claims arising from data breaches, cybersecurity failures, or loss of electronic data, verify whether that exclusion applies to professional services errors that happen to involve cyber - or only to first-party breach costs (which should be covered by cyber, not E&O anyway).

Does your cyber policy contain a professional services exclusion? Standard cyber policies exclude claims arising from professional services. Verify that the exclusion does not inadvertently capture a scenario where a security event at your agency causes a client to suffer a professional services-type harm.

Are your limits coordinated between the two policies? An E&O policy with a $1 million limit and a cyber policy with a $500,000 limit may leave the agency exposed in a scenario that triggers both policies simultaneously. Work with your E&O and cyber underwriters to coordinate limits before a loss occurs.

Has your agency had a professional error involving cyber advice in the past 24 months? If so, this may affect E&O renewability and may require prior knowledge disclosure on a new E&O application.


Frequently Asked Questions: Cyber Liability vs E&O Coverage

What is the fundamental difference between cyber liability vs E&O coverage for insurance agencies?

Cyber liability coverage responds to data security events affecting the agency's own systems - a breach, ransomware attack, or business email compromise. E&O coverage responds to professional services errors - wrong advice given, wrong coverage placed, or an endorsement missed. The trigger events are categorically different, and each policy is designed to cover losses the other explicitly excludes.

Does my agency's E&O policy cover a client's claim that I recommended inadequate cyber limits?

In most cases, yes - this is a classic E&O claim arising from a professional services recommendation. However, IIABA 2025 data shows that 34% of agency E&O policies contain some cyber-related limitation. Read your specific policy's exclusions section carefully, and ask your E&O underwriter whether claims arising from cyber coverage recommendations are covered without limitation.

If my agency's AMS is breached and a client sues me, does E&O or cyber cover the defense?

The client's lawsuit is a third-party liability claim arising from a security event at the agency - this falls under the third-party liability component of a cyber policy, not under E&O. Your E&O policy almost certainly contains a cyber exclusion that would bar coverage for this claim. Notify your cyber carrier immediately.

Can a single incident trigger both my E&O and cyber policies?

Yes. A business email compromise that results in misappropriated client premium funds may trigger both a third-party professional liability claim (client sues for mishandling funds - E&O territory) and first-party cyber response costs (forensic investigation, notification - cyber territory). Both carriers must be notified, and coverage coordination between the two policies is necessary.

How much cyber liability coverage should an insurance agency carry?

Coalition 2025 data shows the average cyber claim for a small financial services firm in 2025 was $485,000. Agencies with AMS systems containing more than 500 client records should carry a minimum of $1 million in cyber liability limits. Larger agencies with multi-state operations, group benefits accounts, or MGA relationships should discuss limits of $2 million to $5 million with their cyber underwriter.

What should an agency do if a carrier denies a cyber claim by asserting the professional services exclusion?

Retain outside counsel with cyber coverage litigation experience immediately. The professional services exclusion in a cyber policy is intended to exclude claims arising from professional advice - not claims arising from security events that happen to affect a client who also received professional services. Courts have found in favor of insureds where carriers applied the professional services exclusion too broadly to bar cyber coverage for security incident costs.




Written by Javier Sanz, Founder of BrokerageAudit. Last updated April 2026.
