Your BOP Includes Cyber Coverage. The Sublimit Runs Out Before Notification Begins.

*8 min read · Last updated May 26, 2026*

*Affiliate disclosure: Some links in this article are affiliate links. We may earn a commission if you click and make a purchase, at no extra cost to you. Editorial decisions are independent of any commission we earn.*
Key takeaways:

- Business Owners Policies typically bundle a cyber endorsement with an aggregate sublimit of $25,000 to $50,000, sometimes up to $100,000 on higher-tier BOPs.
- Forensic incident response for a 1,000-record breach routinely runs $40,000 to $80,000 before notification mail, credit monitoring, or regulatory filings begin.
- Standalone cyber policies for a small business commonly price between $1,200 and $3,000 per year for $1 million in coverage with first-dollar limits on each major loss category.
- Most state breach notification statutes require written notice to every affected resident within 30 to 60 days, and the cost per record runs $5 to $25 once printing, postage, and call-center support are included.

In this article

- The sublimit hidden in your BOP cyber endorsement
- What the BOP cyber endorsement actually pays for
- How a small breach burns through $50,000
- When the BOP endorsement is enough, and when it is not
- FAQ

Marcus and Anita Liu run a 14-employee accounting firm in Sacramento. Their BOP, written by a top-tier carrier, includes a cyber endorsement with a $50,000 aggregate sublimit. In March a junior bookkeeper opened a phishing attachment, the ransomware encrypted the workstation and reached two file shares, and the incident response engagement started within four hours. The forensic firm billed $48,200 to scope, contain, and document the breach. The $50,000 sublimit covered the forensics invoice in full, and with it the aggregate was all but exhausted. The Lius then paid out of pocket for client notification mailings, twelve months of credit monitoring for 1,212 affected clients, a California Attorney General regulatory filing, and three days of revenue lost to downtime. The remaining bill came to $237,000.

A BOP cyber endorsement is a starter coverage. The sublimit usually does not last past the forensics invoice.

The sublimit hidden in your BOP cyber endorsement

A Business Owners Policy bundles general liability, business personal property, business income, and a small handful of optional endorsements into a single package designed for businesses under roughly $5 million in revenue. Cyber liability is one of the endorsements many carriers now include or offer cheaply. On the surface, this looks like cyber coverage at no real cost.

Read the declarations page. The cyber endorsement carries its own sublimit that sits below the BOP’s overall liability limits. Travelers, Hartford, Chubb, Liberty Mutual, and Hiscox all commonly offer BOP cyber endorsements with aggregate sublimits between $25,000 and $50,000. Some higher-tier BOPs reach $100,000 or $250,000, but only when the policyholder asked for and paid for the increase. The default is the low number, and the default is what most small businesses carry.

The aggregate piece matters more than the headline number. A $50,000 aggregate means $50,000 total across every cyber-triggered loss during the policy period. Forensics, notification, credit monitoring, business interruption, regulatory defense, and any ransom share the same pool. The first invoice that hits the policy reduces the available limit for everything that comes after.

What the BOP cyber endorsement actually pays for

The exact wording differs by carrier, but most BOP cyber endorsements promise reimbursement within the sublimit for a defined list of first-party expenses. The list usually includes incident response and forensic investigation, mandatory breach notification to affected individuals, credit monitoring for the period required by state law (typically twelve months in the U.S.), public relations and crisis communications, and limited business interruption income loss while systems are offline.

What the endorsement often excludes, or limits sharply, is just as important. Ransom payments are typically excluded outright on the basic BOP cyber endorsement, or capped at a small inner sublimit such as $10,000. Regulatory fines and penalties are often outside coverage. Social engineering fraud, where a finance employee is tricked into wiring funds to a fraudster, is a separate coverage that most BOP endorsements do not include by default. PCI assessments imposed by card brands after a payment-card breach sit outside the standard form. Defense costs for class action lawsuits filed by affected individuals often erode the sublimit further.

DIN has covered the related coverage clauses in detail, including how cyber liability insurance protects small businesses, the standalone product that exists alongside BOP endorsements, and the gap where social engineering fraud sits outside the standard cyber form.

How a small breach burns through $50,000

The Liu firm scenario is not unusual. Walk through the math for a small business with 1,000 affected records and a typical incident.

Forensics and incident response from a qualified firm: $40,000 to $80,000 for a scoped engagement on a single-site network with two compromised hosts. This is before any data restoration or system rebuild work. Verizon’s Data Breach Investigations Report and IBM’s Cost of a Data Breach Report both routinely place small-business forensic engagements in this range.

Mandatory notification: $5 to $25 per record once printing, postage, and call-center support are bundled. For 1,000 records, that is $5,000 to $25,000.

Credit monitoring: $120 to $240 per affected person per year, often required by state attorneys general settlements even where not strictly mandated by statute. For 1,000 records over twelve months, that is $120,000 to $240,000.

Regulatory filing and legal defense: $5,000 to $25,000 for a single-state filing, more if HIPAA, the FTC, or multiple state AGs are involved. The carrier's ransom pre-authorization process compounds this: while the carrier is still reviewing whether a ransom payment would be reimbursable, the legal and regulatory clock keeps running.

Business interruption: a small professional services firm offline for three days at $8,000 per day in lost billable revenue is another $24,000 of exposure.

Total small-business breach cost in this scenario: $194,000 to $394,000. A $50,000 sublimit covers somewhere between 12 and 26 percent of it.

A small business forensic engagement runs through the sublimit before notification letters are printed, which leaves the rest of the bill on the policyholder.
Most carriers will not tell the policyholder the sublimit is exhausted until the broker asks. By then, the next invoice has already arrived.

When the BOP endorsement is enough, and when it is not

The BOP cyber endorsement is genuinely useful for a small business that holds almost no sensitive data, runs no payment card processing of its own, has fewer than 100 customer records, and uses third-party software-as-a-service for every business-critical workflow. In that profile, a $25,000 to $50,000 sublimit can plausibly cover an isolated incident.

For a firm that holds client tax returns, medical records, payment information, retainer agreements with personal data, or any other category that triggers state breach notification statutes, the BOP endorsement is not enough. A standalone cyber liability policy is typically the next step. Coalition, At-Bay, Cowbell, Hiscox, and Travelers all sell standalone cyber policies designed for businesses under $25 million in revenue. Common pricing runs $1,200 to $3,000 per year for $1 million in coverage with separate limits for forensics, notification, business interruption, ransomware, and regulatory defense, plus first-dollar coverage on each major loss category rather than a single shared aggregate. The business owners policy itself and the broader landscape of business insurance products are covered separately and sit alongside this decision.

The four numbers to ask the broker for before renewal: the cyber aggregate sublimit on the current BOP, the inner sublimit on ransomware specifically, the inner sublimit on regulatory defense, and the social engineering coverage status. If any of those four answers comes back as zero, a small inner sublimit, or “not included,” a standalone cyber policy is the right next conversation.

Standalone cyber liability for a small business costs less than a single notification mailing.


A bundled cyber endorsement on a BOP is not the same product as a cyber liability policy. The coverage looks similar on the declarations page. The math at the point of claim does not.

*Disclaimer: This article is for informational purposes only and is not financial, legal, or tax advice. Programs, rates, and eligibility rules change frequently. Consult a licensed professional or the relevant government agency for guidance specific to your situation.*

Frequently asked questions

What is a typical BOP cyber sublimit? $25,000 to $50,000 aggregate is the most common range on standard BOPs from Travelers, Hartford, Hiscox, and Liberty Mutual. Higher-tier BOPs can reach $100,000 to $250,000, but only when the policyholder specifically asked for the increase at binding.

Does the BOP cyber endorsement cover ransomware payments? Usually not, or only inside a small inner sublimit such as $10,000. Carriers also typically require pre-authorization before any ransom payment, and an unauthorized payment can void the cyber coverage entirely.

How much does breach notification actually cost per record? $5 to $25 per record once printing, postage, and call-center support are included. Credit monitoring runs another $120 to $240 per affected person per year. State attorneys general settlements often require twelve months of monitoring even where statute does not.

Is a standalone cyber liability policy expensive for a small business? Annual premiums commonly run $1,200 to $3,000 for $1 million in coverage at a business under $5 million in revenue. The standalone policy carries separate limits for forensics, notification, ransomware, regulatory defense, and business interruption, rather than a single shared sublimit.

Can I just raise the cyber sublimit on my existing BOP? Sometimes, depending on carrier appetite. The raised sublimit usually still sits inside a single shared aggregate, and the policy form often still excludes the categories a standalone cyber policy treats as core coverage. Ask the broker for a side-by-side comparison before assuming a sublimit increase fixes the gap.
