Cyber liability was once a coverage only large enterprises needed. In 2026, it’s a required coverage for any fiber contractor working on carrier or hyperscaler infrastructure. Zayo requires $5M in Cyber Risk Liability via its Avetta prequalification portal. Hyperscaler data center GCs (DPR, Turner, Skanska, Holder) increasingly require cyber for any sub touching data hall infrastructure. And the coverage matters practically — fiber contractors handle customer network access, install equipment that connects to sensitive systems, and can trigger a cyber claim through a misconfigured splice or an infected laptop connected to a customer’s LAN. Your GL does not cover any of this. This guide covers what cyber liability actually is, why fiber contractors specifically need it, what Zayo and hyperscaler GCs require, and the real cost of coverage in 2026.
Why Fiber Contractors Specifically Need Cyber Liability
Ten years ago, no one required a fiber sub to carry cyber. In 2026, it’s a required coverage on most carrier and hyperscaler subcontract work. Three reasons this shifted:
Fiber techs and splicers routinely access customer networks — either physically (patching in), logically (via laptops connected to a customer LAN for testing), or via credential-based access (technician login to network management systems). Each is a cyber attack vector.
Contractor laptops used for OTDR readings, splice documentation, and network configuration are frequently unmanaged and may run outdated software. A compromised sub laptop connected to a customer’s data center network is a real breach scenario — and one that carriers are increasingly refusing to underwrite risk against.
Carrier and hyperscaler risk management teams tightened contractor cyber requirements after multiple high-profile 2023-2025 breaches attributed to third-party vendor compromise. Cyber requirements are now standard on carrier and data center subcontract agreements.
Modern subcontracts increasingly include indemnity language shifting cyber breach liability to the sub. Cyber insurance is the coverage that actually responds when that indemnity is invoked. Without it, the sub’s personal balance sheet is directly exposed.
What Cyber Liability Insurance Actually Covers
A modern cyber liability policy contains two major coverage sides: first-party (your losses) and third-party (claims against you). Both matter for a fiber contractor.
- Forensic investigation — hiring cyber experts to determine what happened, what data was affected, and how the attack occurred
- Business interruption — lost revenue while systems are offline (your quote intake, invoicing, or dispatch tools are compromised)
- System restoration — cost to rebuild, restore, or replace compromised systems
- Data recovery — recovering encrypted or corrupted data
- Ransomware payments — where legal to pay (with insurer approval)
- Notification costs — notifying affected individuals (often required by state law)
- Credit monitoring — providing to affected parties
- Cyber extortion — response to extortion demands short of full ransomware
- Third-party liability — claims made against you by others harmed by your cyber event (customer, business partner, prime contractor)
- Regulatory fines & penalties — where insurable (varies by state and cause)
- Litigation defense — cost to defend claims arising from your cyber event
- Media liability — for content-related cyber claims (rare for fiber subs)
- Notification liability to affected businesses — carrier prime notification costs if a compromised sub is the source
The standard Commercial General Liability policy contains a cyber exclusion (typically CG 21 06 or a carrier-specific version) that excludes any claim arising from unauthorized access to a computer system, data breach, or data destruction. Cyber events fall entirely to cyber insurance.
First-Party vs Third-Party — Why Both Matter
Some cheap cyber policies only include first-party coverage. This is a problem when a prime contractor invokes the indemnity clause of your subcontract after a breach traced to your equipment.
| Coverage Side | What It Protects | Who Needs It |
|---|---|---|
| First-party | Your business from a cyber attack — your data, systems, business continuity | Every fiber contractor |
| Third-party | You from claims made by others — primes, customers, regulators | Every fiber contractor working under a carrier or hyperscaler subcontract |
The Zayo $5M requirement is aggregate — it means $5M limit combined across both first-party and third-party. Confirm your policy allocates limits reasonably between both sides. Some cyber policies default to lower third-party sublimits.
Zayo’s $5M Cyber Requirement — What Triggers It
Zayo’s cyber requirement flows from its Avetta Universal Insurance Questionnaire. If you answer “yes” to any of the following triggers, Zayo will require $5M Cyber Risk Liability:
- Access to customer networks or systems
- Dark fiber lighting or network commissioning work
- Handling customer configuration data
- Physical access to data hall infrastructure (interconnect, MMR, etc.)
- Splicing that connects live customer networks
Practically, most Zayo fiber subs will trigger at least one of these. Some sub scopes (basic OSP construction without network commissioning) may not, but the UIQ is answered by your business, not per project — so if any of your crews do this work, the requirement typically applies broadly.
Avetta’s Universal Insurance Questionnaire auto-flags cyber requirement based on your answers. You cannot bypass the requirement by leaving the UIQ generic — Zayo’s prequalification team reviews questionnaire completeness. Get $5M cyber lined up before you begin Zayo Avetta registration.
Other Prime Cyber Requirements
| Prime | Cyber Requirement | Trigger |
|---|---|---|
| Zayo | $5M | Avetta UIQ — customer network access, dark fiber lighting, commissioning |
| Crown Castle (now Zayo) | $5M | Same as Zayo post-acquisition |
| Hyperscaler data center GCs (DPR, Turner, Skanska, Holder) | $1M-$5M | Any sub touching data hall infrastructure |
| AT&T carrier subcontract | Varies by scope; $1M-$2M common | OSP alone typically not, network-side yes |
| Verizon carrier subcontract | Varies; increasingly $2M | Similar to AT&T |
| Enterprise fiber subcontract (banks, hospitals, universities) | $1M-$5M | Contract-specific; almost always required |
| BEAD-funded projects | Variable; grantee-specific | State-level rules |
Real Cost Ranges for Fiber Contractor Cyber Insurance
Cyber premium is driven primarily by revenue, employee count, and security controls (multi-factor authentication, backup practices, endpoint protection, email security). Typical 2026 ranges for fiber contractors:
| Limit | Solo / Small (under $500K revenue) | Mid ($500K-$3M) | Larger ($3M-$10M) |
|---|---|---|---|
| $1M | $1,200 – $2,500 | $2,000 – $4,500 | $3,500 – $8,000 |
| $2M | $2,000 – $4,500 | $3,500 – $7,500 | $6,000 – $12,000 |
| $5M (Zayo requirement) | $4,500 – $9,000 | $6,500 – $12,000 | $10,000 – $22,000 |
Premium reduction levers: Multi-factor authentication (MFA) on all accounts, endpoint detection & response (EDR) software, backup practices with off-site copies, email security filtering, and documented incident response plan. Underwriters ask about these in a security supplemental — strong answers meaningfully reduce premium.
Get $5M Cyber Liability for Zayo Compliance
Zayo-compliant $5M cyber with first-party and third-party coverage, tied to your GL and umbrella program. Same-day COI to clear Avetta prequalification.
Request a Cyber QuoteFrequently Asked Questions
Fiber contractors access customer networks, install equipment that connects to sensitive systems, and handle configuration data. Zayo requires $5M cyber via Avetta. Hyperscaler GCs increasingly require cyber for any sub touching data hall infrastructure. GL doesn’t cover cyber events.
No. GL policies contain a cyber exclusion (typically CG 21 06) that excludes any claim from unauthorized system access or data breach. Cyber events fall entirely to cyber insurance.
First-party pays YOUR losses from a cyber attack. Third-party pays claims made against YOU by others harmed by your cyber event. A complete policy includes both. Zayo’s $5M requirement is an aggregate across both.
Typically $4,500 to $22,000 per year depending on revenue and security controls. Strong controls (MFA, EDR, backups, email security) meaningfully reduce premium.
Zayo triggers cyber based on customer network access, dark fiber lighting, and network commissioning. If you only do OSP construction and never touch live networks, you may not trigger the requirement. But most fiber subs eventually do — and Avetta’s UIQ is answered per-business, not per-project. If any crew does network-side work, coverage typically applies.
Get Cyber Liability Coverage
$1M, $2M, or $5M cyber liability for fiber, cable, and low voltage contractors. First-party and third-party coverage.
Request My Coverage Quote