Cyber Insurance

Cyber Endorsement or Stand-Alone Cyber Policy? What Most Business Owners Don’t Realize Until It’s Too Late

They share one word and almost nothing else. The gap between them only shows up when a claim hits — and by then, it's too late to fix.


If you’ve ever sat across the table from your insurance agent and been told, “don’t worry, you’ve got cyber on your policy,” you’re not alone. It’s one of the most common things we hear from new clients who walk into our office, and it’s usually based on a small cyber endorsement that was added to their Business Owner’s Policy or Commercial Package years ago.

The truth is, that little endorsement and a real stand-alone cyber policy are two very different things. They might both have the word “cyber” on them, but when something actually goes wrong — a wire fraud, a ransomware lockout, a stolen laptop with client records on it — the gap between the two becomes painfully obvious.

We get it. Cyber insurance is one of those topics business owners would rather not think about. It’s technical, the language is confusing, and the threats feel abstract until they aren’t. So this post is meant to clear it up in plain English. What does a cyber endorsement actually do? What does a stand-alone policy do that an endorsement doesn’t? And how do you figure out which one fits your business? Let’s walk through it.


What a Cyber Endorsement on a BOP or Commercial Package Really Is

A cyber endorsement is essentially a small add-on to your existing business policy. Think of it as a checkbox the carrier added to make their package more competitive. You probably didn’t pay much extra for it, and it didn’t require much underwriting. That’s your first clue about how much coverage you’re actually getting.

Most endorsements come with sublimits between $25,000 and $100,000. That sounds like a lot until you compare it to the actual cost of a cyber event. Forensic IT investigation alone can run $20,000 to $50,000 before you’ve even figured out what happened. Add in a privacy attorney, customer notification, credit monitoring, and lost income while your systems are down, and a $50,000 limit disappears in the first week.

Coverage triggers are also narrower than people expect. Many endorsements only respond to a traditional data breach involving personal information. Ransomware payments? Often excluded or sublimited again. Social engineering fraud — where someone tricks an employee into wiring money to a fake vendor account — usually isn’t covered at all under a basic cyber endorsement. Business interruption from a cyber event? Frequently missing or capped at a number that won’t move the needle.

The other thing endorsements don’t give you is a phone number to call at 2 a.m. when your screens are locked and your team is panicking. That’s a bigger deal than it sounds. We’ll get to that.

How a Stand-Alone Cyber Policy Is Different

A stand-alone cyber policy is a separate contract that exists for one purpose: to handle cyber risk. Because it’s not bolted onto a property or liability form, it can do things an endorsement can’t. The limits are higher, the coverage is broader, and the response is built around the assumption that something will eventually go wrong.

On a stand-alone policy, you’ll typically see coverage broken into two buckets. First-party coverage pays for your own losses — the forensic team, the data restoration, the ransom payment if it comes to that, the income you lose while you’re down, and the cost of notifying your customers. Third-party coverage handles the claims that come from outside — clients suing because their data was exposed, regulators issuing fines, or vendors demanding compensation because your breach affected them too.

What surprises most business owners is what comes with the policy beyond the dollar limits. Almost every stand-alone cyber carrier includes a 24/7 breach hotline. When you call, you get connected within minutes to a panel of experts who already know your policy and your business. That usually includes IT forensic investigators, a privacy attorney, a ransomware negotiator if needed, and a public relations specialist. These aren’t names you have to find on Google at midnight. They’re already on standby, and the carrier pays them directly.

Stand-alone policies also tend to keep up with the threat landscape. Carriers update their forms regularly to address new types of attacks — things like deepfake voice fraud, AI-generated phishing, and supply chain compromises that didn’t exist in the same form a few years ago. Endorsements rarely get that kind of attention.

The Differences That Actually Matter When You Have a Claim

It’s easy to compare two policies side by side and focus on premium. The real test is what happens during a claim. Here’s where the gap shows up.

Limits. An endorsement might give you $50,000. A stand-alone policy can give you $1 million, $5 million, or more, depending on your business. Cyber claims regularly cross six figures even for small businesses, so the difference is rarely academic.

Coverage scope. Endorsements often exclude or sublimit ransomware, social engineering, dependent business interruption (when one of your vendors gets hit and takes you down with them), and reputational harm. Stand-alone policies usually include all of these, often with their own line-item limits you can adjust.

Response speed. With an endorsement, you’re usually on your own to find help. You’re calling around, comparing quotes from forensic firms, hoping the attorney you find understands breach notification law in your state. With a stand-alone policy, the breach coach is on the phone within an hour and the team is mobilized the same day. Speed matters because every hour your systems are down, you’re losing money and your data is more exposed.

Contracts. This one catches a lot of business owners off guard. More and more clients, vendors, and lenders are requiring proof of stand-alone cyber insurance with specific limits before they’ll sign a contract. A line item on your BOP often won’t satisfy the requirement, and we’ve seen deals fall apart over it.

Underwriting. Stand-alone carriers ask more questions on the application — about your backups, multi-factor authentication, employee training, and incident response plan. That feels like a hassle, but it’s actually useful. The application itself often becomes a checklist that tightens up your security and lowers your premium at the same time.

So Which One Do You Actually Need?

Honest answer: it depends on your business, but most of the businesses we work with end up needing more than the endorsement provides. If you handle customer financial data, health information, social security numbers, or any kind of personally identifiable information, a stand-alone policy is almost always the right call. The same is true if you rely heavily on technology to operate — if your team can’t function without email, your point-of-sale system, or your scheduling software, then a few days of downtime will hurt a lot more than the premium difference.

The endorsement isn’t useless. For very small operations with minimal digital exposure — think a one-person trade business that doesn’t store customer data and uses the computer mostly for invoices — an endorsement might be a reasonable starting point. But that’s a narrow set of businesses, and even some of those should think harder about it. Cybercriminals don’t skip small businesses. They specifically target them, because the defenses are usually weaker and the urgency to pay a ransom is higher.

The other thing worth saying is that this is a moving target. The right answer five years ago is not the right answer today. We’ve had clients renew their BOPs without thinking about cyber for years, and then suddenly find out they’re uninsured for the threat that’s most likely to put them out of business. A quick conversation with your agent every renewal is enough to keep this from happening.

Firm A had a $50,000 cyber endorsement on their BOP. They’d had it for years and never thought twice about it. The premium was small, the limit looked fine on paper, and nobody had ever pushed them to consider anything more. Firm B — same kind of business, same risk profile — carried a $1 million stand-alone cyber policy with full breach response services included. About six months apart, both firms got hit with ransomware. Same kind of attack. Different ending.

Firm A came in on a Monday morning and found everything locked. Files encrypted. Email down. The client portal returning errors. The owner called the carrier and learned within an hour that the endorsement didn’t cover ransom payments, capped forensic costs at $10,000, and didn’t include any breach response services. So the owner started Googling. By Tuesday afternoon they had a forensic firm on retainer, but it took three more days to find an attorney familiar with Texas breach notification requirements. Meanwhile, the firm couldn’t serve clients. Deadlines were missed. A few longtime clients moved their business elsewhere because they couldn’t get answers. By the time the dust settled, the firm had spent close to $380,000 on forensic work, legal fees, business interruption losses, customer notification, and credit monitoring. The endorsement covered about $48,000 of it. The rest came out of cash reserves and a line of credit. It took the firm more than a year to recover financially, and the owner told us they almost didn’t make it.

Firm B had a different morning. Their IT lead noticed unusual activity early, and within an hour the owner was on the phone with the breach hotline. By lunchtime, a forensic team had remote access and was containing the spread. A privacy attorney was on a call with leadership by mid-afternoon. A ransomware negotiator was already in conversation with the attackers. The forensic team had clean backups identified by the next morning, and most systems were restored within 72 hours. The carrier covered the negotiation, the forensic costs, the legal work, the lost income, and the customer notifications. Total out-of-pocket cost to the firm: their deductible. They didn’t lose a single client. A few even praised them for how transparently they handled the communication.

  • Cyber endorsements are a starting point, not a strategy. Low sublimits, narrow triggers, and limited support.
  • Stand-alone cyber policies offer higher limits, broader coverage, and a 24/7 breach response team that handles the chaos for you.
  • Most of the cost of a cyber claim isn’t the ransom. It’s the forensic work, legal fees, lost income, and reputation repair that follow.
  • Vendors, lenders, and clients increasingly require proof of a real stand-alone cyber policy before they’ll do business with you.
  • If your business depends on technology or handles sensitive data, you almost certainly need more than an endorsement.

The Question Worth Sitting With

If your systems went down tomorrow — email locked, files encrypted, clients calling — what would actually happen? Would your current policy hand you a phone number and a team, or would you be on your own with a small reimbursement check coming weeks later? That’s the real question. The cyber endorsement on your BOP might be enough. It might not. The only way to know for sure is to look at it carefully, with someone who deals with these claims regularly, before you ever need it.
