The Silent Cyber Coverage Gap: What Your Traditional Policy Isn’t Telling You

by Tom Moore | May 14, 2026

Reviewed by Tom Moore, Agency Partner, CA Agency Insurance License 6003355
Last reviewed: 5/14/2026

Key takeaway: Silent cyber exposure is the term for cyber-related losses that fall into the gap between what traditional business insurance policies were written to cover and what actually happens when a cyberattack, data breach, or ransomware event hits your business. Most general liability and business owner's policies either exclude cyber losses explicitly or were written before cyber risk existed as a named coverage category — meaning a claim can get denied even when the policy language doesn't obviously rule it out. For Spokane small business owners, this gap is real, it's common, and it's fixable with a standalone cyber policy. This post explains where the gap lives, what it looks like in practice, and what to do about it.

Most Spokane small business owners who've thought about cyber risk at all have decided they're probably fine. They've got a general liability policy. Maybe a business owner's policy. The broker sent the renewal, it looked right, they signed it. Done.

The problem is that "cyber" was not a coverage category when most standard commercial policies were designed. It got layered in through exclusions, endorsements, and carrier interpretations — and the result is a patchwork that looks like coverage from the outside but has real holes in it. Silent cyber exposure is what those holes are called. And unlike most coverage gaps, this one doesn't announce itself until you're already in the middle of a claim.

What Is Silent Cyber Exposure?

Silent cyber exposure refers to cyber-related losses that exist within traditional insurance policies — not because the policy explicitly covers cyber, but because the policy language never explicitly excluded it either. The term "silent" comes from the fact that neither the insurer nor the policyholder was intentionally addressing cyber risk when the policy was written. It just sat there, unaddressed, until a loss happened and both sides had to figure out what the policy actually meant.

The insurance industry has been trying to close this gap for years. Major carriers and Lloyd's of London began requiring affirmative cyber exclusions or affirmative cyber coverage endorsements on commercial property and liability policies starting around 2019, specifically to eliminate the ambiguity. The intent was to force a clear answer: either the policy covers cyber, or it doesn't. But implementation has been inconsistent, and many small business policies — especially in independent agency markets — still carry language that leaves the question open.

For a Spokane business owner, the practical meaning is this: your existing policy may not affirmatively cover a cyber loss, and it may not affirmatively exclude one either. When a claim is filed, that ambiguity gets resolved by the carrier's legal team, rarely in your favor.

How Traditional Policies Handle Cyber Losses (Hint: They Often Don't)

General Liability and the Cyber Exclusion Problem

Standard commercial general liability (CGL) policies cover bodily injury and property damage caused by your business operations. They were written with physical causation in mind: someone slips, something breaks, a product fails. A cyberattack is none of those things.

Some CGL policies include a "data breach" or "electronic data" exclusion that explicitly removes coverage for cyber losses. Others are simply silent on the topic — written before ransomware was a word anyone used in a policy form. When a claim involves data destruction, a ransomware payment, or notification costs after a breach, the carrier's default position is that none of this constitutes "property damage" in the policy's meaning. Courts have gone both ways on this, but the trend in recent years has moved toward upholding exclusions and narrow interpretations of coverage. A CGL policy is not a cyber policy. Expecting it to cover a cyber event is a reasonable assumption that turns out to be wrong most of the time.

Business Owner's Policies: Better, But Still Not Enough

A business owner's policy (BOP) bundles general liability with commercial property coverage, and some BOPs include a limited cyber endorsement — usually covering first-party losses like notification costs and basic data recovery up to a sublimit. That sublimit is almost always too low to cover a real incident.

The NAIC has noted that small business cyber incidents routinely generate costs well above what a standard BOP endorsement sublimit provides. Notification costs alone — required under Washington State law when personal data is exposed — can run into tens of thousands of dollars depending on how many customers or employees are affected. A BOP with a $10,000 cyber sublimit is not protecting a business with 2,000 customer records. It's giving the appearance of protection while the real exposure sits uncovered.

What a Real Silent Cyber Loss Looks Like for a Spokane Business

Say you run a mid-sized Spokane service business — landscaping, home care, a small med spa, a boutique accounting firm. You process payments through a point-of-sale system. You keep client records in a cloud platform. Your staff uses email for scheduling and client communication.

One morning, ransomware locks every workstation in the building. You can't access client records, scheduling software, or financial data. The attackers want $18,000 to restore access. Your IT person says recovery without paying could take three to four weeks and cost more.

You file a claim with your BOP carrier. The adjuster reviews the policy. There's a $10,000 cyber sublimit. But the ransomware event triggered a data exposure — customer records were accessed before the lock — which means Washington's breach notification law now applies. You need to notify affected customers, potentially hire a breach coach, possibly engage a PR firm, and document everything for the state.

The BOP pays $10,000. Your actual out-of-pocket: significantly higher. The silent cyber gap just cost you real money.

This isn't a hypothetical. It's a pattern the Insurance Information Institute has documented repeatedly in small business claim data. The average small business cyber incident now costs more than $200,000 when you include downtime, recovery, notification, and reputational costs. Most small business owners don't have a float that size sitting around.

Washington State's Data Breach Notification Law Adds Real Stakes

Washington's data breach notification statute, RCW 19.255.010, requires businesses to notify affected Washington residents "in the most expedient time possible and without unreasonable delay" when a breach of personal information occurs. The law covers a broad range of data types: names combined with Social Security numbers, financial account numbers, health information, login credentials, and biometric data.

The Washington State Office of the Insurance Commissioner has noted that regulatory compliance costs — including notification, credit monitoring offers, and potential AG enforcement — can hit small businesses with expenses they have no coverage for if their policy doesn't explicitly address cyber. A traditional GL or BOP was not designed to respond to a state regulatory notification requirement. Standalone cyber coverage is.

This is the layer of exposure that surprises most business owners. It's not just the attack itself. It's what the law requires you to do afterward — and what that costs.

What Standalone Cyber Insurance Actually Covers

A purpose-built cyber liability policy covers the things your GL and BOP leave out. At minimum, a well-structured policy for a Spokane small business should include:

  • First-party coverage: Ransomware payments, data recovery costs, business interruption during the outage, forensic investigation to determine what happened
  • Third-party coverage: Claims from customers or vendors whose data was compromised, regulatory defense costs, notification and credit monitoring expenses required by law
  • Breach response services: Access to a breach coach, legal counsel, and PR support — services most small businesses have no idea how to source quickly when an incident hits

Some carriers also include social engineering coverage (wire fraud, phishing-triggered payments) and reputational harm coverage. The scope varies significantly by carrier and form. What matters is that the policy was written to respond to cyber events — not to maybe respond to them, depending on how an adjuster reads a general liability form.

How to Know If Your Current Policy Has a Silent Cyber Gap

Pull your existing GL or BOP policy and look for three things:

  1. A cyber exclusion: If it's there, you have zero cyber coverage under that policy. Period.
  2. A cyber endorsement: If there's one, check the sublimit. Compare it against what a realistic breach notification and recovery scenario would cost for your customer base size.
  3. No mention of cyber at all: This is the silent exposure scenario. The policy is ambiguous. The carrier will resolve that ambiguity when a claim is filed — not before.

If any of these describes your situation, you have a gap. The Washington State OIC recommends businesses work with a licensed independent agent to assess cyber risk as a distinct coverage need, separate from property and liability reviews.

Action Steps: Closing the Gap Before a Claim Forces You To

1. Request your current policy's cyber position in writing. Ask your broker or carrier: does this policy affirmatively cover a ransomware event and subsequent breach notification costs? If the answer is unclear, that's your answer.

2. Count your exposed records. How many customer records, employee records, and financial accounts does your business hold? That number drives your notification cost exposure more than almost anything else.

3. Get a standalone cyber quote. For most Spokane small businesses — under 50 employees, under $5M in revenue — a standalone cyber policy is less expensive than most owners assume. It's worth knowing the number.

4. Review Washington's breach notification requirements. RCW 19.255.010 is not optional. Understanding what you're legally required to do after an incident makes the cost of a cyber policy easier to justify.

5. Don't wait for renewal. Cyber policies can be added mid-term. The gap exists right now, not just at your next renewal date.

If you want to know exactly where your business stands on cyber exposure, we can review your current coverage and walk through what a standalone cyber policy would actually cover for your specific operation. One conversation, no pressure, no pitch. Get a quote from All Lines Insurance.

FAQ

What is silent cyber exposure in insurance?

Silent cyber exposure refers to cyber-related losses that exist within traditional insurance policies — not because cyber is explicitly covered, but because the policy never clearly excluded it either. The term describes the ambiguity in standard GL and property policies that were written before cyber risk was a defined coverage category. When a loss occurs, that ambiguity typically gets resolved against the policyholder.

Does general liability insurance cover cyberattacks?

Generally, no. Standard commercial general liability policies cover bodily injury and property damage caused by physical business operations. A cyberattack, ransomware event, or data breach doesn't typically meet those definitions. Some CGL policies include explicit cyber exclusions; others are simply silent on the topic. Either way, a CGL policy is not a reliable source of cyber coverage.

Does a business owner's policy (BOP) cover cyber losses?

Some BOPs include a limited cyber endorsement with a sublimit — typically $10,000 to $25,000. For small businesses holding customer financial records or health data, that sublimit is rarely enough to cover notification costs, legal fees, and recovery expenses after a real incident. A BOP cyber endorsement is better than nothing but should not be mistaken for standalone cyber coverage.

Does Washington State require businesses to notify customers after a data breach?

Yes. Under RCW 19.255.010, Washington businesses must notify affected residents "in the most expedient time possible" when a breach of personal information occurs. The law covers names combined with financial account numbers, Social Security numbers, health information, login credentials, and biometric data. Failing to notify in a timely way can expose a business to regulatory action from the Washington Attorney General's office.

How much does a standalone cyber policy cost for a Spokane small business?

For a small business under 50 employees with standard cyber risk exposure, standalone cyber coverage typically ranges from a few hundred to a couple thousand dollars annually depending on industry, revenue, number of records held, and security controls in place. It's one of the more affordable standalone policies relative to the exposure it covers.

What does standalone cyber insurance actually cover?

A standalone cyber policy covers first-party losses (ransomware payments, data recovery, business interruption, forensic investigation) and third-party losses (customer claims from a breach, regulatory defense, notification and credit monitoring costs). Many policies also include breach response services — access to legal counsel, a breach coach, and PR support — which small businesses typically can't source quickly on their own.

How do I know if my current policy has a silent cyber gap?

Look for three things in your current GL or BOP: an explicit cyber exclusion (no coverage), a cyber endorsement with a sublimit (limited coverage — check the amount), or no mention of cyber at all (ambiguous coverage that resolves against you at claim time). If any of these describes your policy, request a written clarification from your carrier and get a standalone cyber quote to compare.

Can I add cyber insurance without waiting for renewal?

Yes. Cyber policies can typically be added mid-term as a standalone policy. You don't need to wait for your GL or BOP renewal date. If your current policy has a gap, the exposure exists now — not at renewal.

Tom Moore

Tom Moore is an Agency Partner with All Lines Insurance and has worked in the insurance industry since 1999. He is known for giving clients clear, practical guidance and helping them find coverage that fits their needs and budget. Tom’s work has also earned broader recognition, including being featured in Safeco’s “Agent for the Future” segment, and his agency has received the "Make More Happen Award" multiple times for community involvement. He is committed to building long-term client relationships through trust, service, and dependable support.